aboutsummaryrefslogtreecommitdiffstats
path: root/main/expat
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2017-06-22 09:34:47 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-06-22 09:46:34 +0000
commit8b7042ffc84b240dbcc0d123473985982256a0f2 (patch)
tree09144e650778f7871152968b0a95c9ae5c4ac4db /main/expat
parent8f8bc2ac60811eed233940b5773f0c1db6fd9e8f (diff)
downloadaports-8b7042ffc84b240dbcc0d123473985982256a0f2.tar.bz2
aports-8b7042ffc84b240dbcc0d123473985982256a0f2.tar.xz
main/expat: security fixes (CVE-2017-9233)
Diffstat (limited to 'main/expat')
-rw-r--r--main/expat/APKBUILD13
-rw-r--r--main/expat/CVE-2017-9233.patch29
2 files changed, 37 insertions, 5 deletions
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index 62023e4afe..c2c4293784 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=expat
pkgver=2.2.0
-pkgrel=0
+pkgrel=1
pkgdesc="An XML Parser library written in C"
url="http://www.libexpat.org/"
arch="all"
@@ -9,7 +9,12 @@ license='MIT'
depends=
makedepends=
source="http://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2
+ CVE-2017-9233.patch
"
+# secfixes:
+# 2.2.0-r1:
+# - CVE-2017-9233
+
subpackages="$pkgname-dev $pkgname-doc"
builddir="$srcdir/$pkgname-$pkgver"
@@ -29,7 +34,5 @@ package() {
cd "$builddir"
make DESTDIR="$pkgdir/" install || return 1
}
-
-md5sums="2f47841c829facb346eb6e3fab5212e2 expat-2.2.0.tar.bz2"
-sha256sums="d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff expat-2.2.0.tar.bz2"
-sha512sums="2be1a6eea87b439374bfacb1fbb8e814fd8a085d5dfd3ca3be69d1af29b5dc93d36cbdec5f6843ca6d5910843c7ffbc498adc2a561b9dcece488edf3c6f8c7c8 expat-2.2.0.tar.bz2"
+sha512sums="2be1a6eea87b439374bfacb1fbb8e814fd8a085d5dfd3ca3be69d1af29b5dc93d36cbdec5f6843ca6d5910843c7ffbc498adc2a561b9dcece488edf3c6f8c7c8 expat-2.2.0.tar.bz2
+0c92dd7dbec845966fc1ff3d1d7b137c17b5045f06d092ff730eb19cfe5e9c6b76b89bf532d20329a0a74fd8eb100f08bbea1083d17e53b2b96e9db1786f1a68 CVE-2017-9233.patch"
diff --git a/main/expat/CVE-2017-9233.patch b/main/expat/CVE-2017-9233.patch
new file mode 100644
index 0000000000..1ddbc755d8
--- /dev/null
+++ b/main/expat/CVE-2017-9233.patch
@@ -0,0 +1,29 @@
+From c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@kynesim.co.uk>
+Date: Wed, 14 Jun 2017 23:45:07 +0200
+Subject: [PATCH] xmlparse.c: Fix external entity infinite loop bug
+ (CVE-2017-9233)
+
+---
+ expat/lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7818f8d..2114596 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3981,6 +3981,14 @@ entityValueInitProcessor(XML_Parser parser,
+ *nextPtr = next;
+ return XML_ERROR_NONE;
+ }
++ /* If we get this token, we have the start of what might be a
++ normal tag, but not a declaration (i.e. it doesn't begin with
++ "<!"). In a DTD context, that isn't legal.
++ */
++ else if (tok == XML_TOK_INSTANCE_START) {
++ *nextPtr = next;
++ return XML_ERROR_SYNTAX;
++ }
+ start = next;
+ eventPtr = start;
+ }