diff options
| author | Francesco Colista <fcolista@alpinelinux.org> | 2017-06-22 09:34:47 +0000 |
|---|---|---|
| committer | Francesco Colista <fcolista@alpinelinux.org> | 2017-06-22 09:46:34 +0000 |
| commit | 8b7042ffc84b240dbcc0d123473985982256a0f2 (patch) | |
| tree | 09144e650778f7871152968b0a95c9ae5c4ac4db /main/expat | |
| parent | 8f8bc2ac60811eed233940b5773f0c1db6fd9e8f (diff) | |
| download | aports-8b7042ffc84b240dbcc0d123473985982256a0f2.tar.bz2 aports-8b7042ffc84b240dbcc0d123473985982256a0f2.tar.xz | |
main/expat: security fixes (CVE-2017-9233)
Diffstat (limited to 'main/expat')
| -rw-r--r-- | main/expat/APKBUILD | 13 | ||||
| -rw-r--r-- | main/expat/CVE-2017-9233.patch | 29 |
2 files changed, 37 insertions, 5 deletions
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD index 62023e4afe..c2c4293784 100644 --- a/main/expat/APKBUILD +++ b/main/expat/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=expat pkgver=2.2.0 -pkgrel=0 +pkgrel=1 pkgdesc="An XML Parser library written in C" url="http://www.libexpat.org/" arch="all" @@ -9,7 +9,12 @@ license='MIT' depends= makedepends= source="http://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2 + CVE-2017-9233.patch " +# secfixes: +# 2.2.0-r1: +# - CVE-2017-9233 + subpackages="$pkgname-dev $pkgname-doc" builddir="$srcdir/$pkgname-$pkgver" @@ -29,7 +34,5 @@ package() { cd "$builddir" make DESTDIR="$pkgdir/" install || return 1 } - -md5sums="2f47841c829facb346eb6e3fab5212e2 expat-2.2.0.tar.bz2" -sha256sums="d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff expat-2.2.0.tar.bz2" -sha512sums="2be1a6eea87b439374bfacb1fbb8e814fd8a085d5dfd3ca3be69d1af29b5dc93d36cbdec5f6843ca6d5910843c7ffbc498adc2a561b9dcece488edf3c6f8c7c8 expat-2.2.0.tar.bz2" +sha512sums="2be1a6eea87b439374bfacb1fbb8e814fd8a085d5dfd3ca3be69d1af29b5dc93d36cbdec5f6843ca6d5910843c7ffbc498adc2a561b9dcece488edf3c6f8c7c8 expat-2.2.0.tar.bz2 +0c92dd7dbec845966fc1ff3d1d7b137c17b5045f06d092ff730eb19cfe5e9c6b76b89bf532d20329a0a74fd8eb100f08bbea1083d17e53b2b96e9db1786f1a68 CVE-2017-9233.patch" diff --git a/main/expat/CVE-2017-9233.patch b/main/expat/CVE-2017-9233.patch new file mode 100644 index 0000000000..1ddbc755d8 --- /dev/null +++ b/main/expat/CVE-2017-9233.patch @@ -0,0 +1,29 @@ +From c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f Mon Sep 17 00:00:00 2001 +From: Rhodri James <rhodri@kynesim.co.uk> +Date: Wed, 14 Jun 2017 23:45:07 +0200 +Subject: [PATCH] xmlparse.c: Fix external entity infinite loop bug + (CVE-2017-9233) + +--- + expat/lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 7818f8d..2114596 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3981,6 +3981,14 @@ entityValueInitProcessor(XML_Parser parser, + *nextPtr = next; + return XML_ERROR_NONE; + } ++ /* If we get this token, we have the start of what might be a ++ normal tag, but not a declaration (i.e. it doesn't begin with ++ "<!"). In a DTD context, that isn't legal. ++ */ ++ else if (tok == XML_TOK_INSTANCE_START) { ++ *nextPtr = next; ++ return XML_ERROR_SYNTAX; ++ } + start = next; + eventPtr = start; + } |