diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-22 13:03:54 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-22 13:06:04 +0000 |
| commit | 9693e42051fbaf1fea977ea0098f3818925f256e (patch) | |
| tree | 00945fa886e6cae4386e5bd8d12d9ddf1ac8c051 | |
| parent | db995463c3c65d4d9fb1802ff78d472cb2adc3d0 (diff) | |
| download | aports-9693e42051fbaf1fea977ea0098f3818925f256e.tar.bz2 aports-9693e42051fbaf1fea977ea0098f3818925f256e.tar.xz | |
main/libxml2: security fix for CVE-2014-0191
fixes #2930
| -rw-r--r-- | main/libxml2/APKBUILD | 12 | ||||
| -rw-r--r-- | main/libxml2/CVE-2014-0191.patch | 36 |
2 files changed, 44 insertions, 4 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 4121c44b2f..f840a0c29a 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=libxml2 pkgver=2.9.1 -pkgrel=0 +pkgrel=1 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -12,6 +12,7 @@ depends_dev="zlib-dev python-dev" makedepends="zlib-dev python-dev" subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz + CVE-2014-0191.patch " options="!strip" @@ -59,6 +60,9 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="9c0cfef285d5c4a5c80d00904ddab380 libxml2-2.9.1.tar.gz" -sha256sums="fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb libxml2-2.9.1.tar.gz" -sha512sums="7b10de749485bc2eb2108063e97d89e70d6fbb78b1bf195ab5528c8c64e79483d55223a49d95934f4e00b00e906c18bdd34344703ffe158dcf08096905a44c1b libxml2-2.9.1.tar.gz" +md5sums="9c0cfef285d5c4a5c80d00904ddab380 libxml2-2.9.1.tar.gz +e6f432aea642badcb848e5791bcf6df7 CVE-2014-0191.patch" +sha256sums="fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb libxml2-2.9.1.tar.gz +288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8 CVE-2014-0191.patch" +sha512sums="7b10de749485bc2eb2108063e97d89e70d6fbb78b1bf195ab5528c8c64e79483d55223a49d95934f4e00b00e906c18bdd34344703ffe158dcf08096905a44c1b libxml2-2.9.1.tar.gz +41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11 CVE-2014-0191.patch" diff --git a/main/libxml2/CVE-2014-0191.patch b/main/libxml2/CVE-2014-0191.patch new file mode 100644 index 0000000000..4d5fe1a7aa --- /dev/null +++ b/main/libxml2/CVE-2014-0191.patch @@ -0,0 +1,36 @@ +From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 22 Apr 2014 15:30:56 +0800 +Subject: Do not fetch external parameter entities + +Unless explicitely asked for when validating or replacing entities +with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> + +diff --git a/parser.c b/parser.c +index 9347ac9..c0dea05 100644 +--- a/parser.c ++++ b/parser.c +@@ -2598,6 +2598,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + xmlCharEncoding enc; + + /* ++ * Note: external parsed entities will not be loaded, it is ++ * not required for a non-validating parser, unless the ++ * option of validating, or substituting entities were ++ * given. Doing so is far more secure as the parser will ++ * only process data coming from the document entity by ++ * default. ++ */ ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ (ctxt->validate == 0)) ++ return; ++ ++ /* + * handle the extra spaces added before and after + * c.f. http://www.w3.org/TR/REC-xml#as-PE + * this is done independently. +-- +cgit v0.10.1 + |