main/libxml2: fix CVE-2012-5134

fixes #1487
(cherry picked from commit a19dcca62117d3b62e98097b12ca9ba5311ca693)

2 files changed, 25 insertions, 2 deletions

diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 0da46a37d6..2dab74559b 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=libxml2
 pkgver=2.9.0
-pkgrel=0
+pkgrel=1
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -12,6 +12,7 @@ depends_dev="zlib-dev python-dev"
 makedepends="zlib-dev python-dev"
 subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
 source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
+	CVE-2012-5134.patch
 	"
 
 options="!strip"
@@ -59,4 +60,5 @@ utils() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-md5sums="5b9bebf4f5d2200ae2c4efe8fa6103f7  libxml2-2.9.0.tar.gz"
+md5sums="5b9bebf4f5d2200ae2c4efe8fa6103f7  libxml2-2.9.0.tar.gz
+fe428448d74481d7547bc173cb40ef26  CVE-2012-5134.patch"
diff --git a/main/libxml2/CVE-2012-5134.patch b/main/libxml2/CVE-2012-5134.patch
new file mode 100644
index 0000000000..70905aaa75
--- /dev/null
+++ b/main/libxml2/CVE-2012-5134.patch
@@ -0,0 +1,21 @@
+From 6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 29 Oct 2012 02:39:55 +0000
+Subject: Fix potential out of bound access
+
+---
+diff --git a/parser.c b/parser.c
+index 0d8d7f2..bd634e9 100644
+--- a/parser.c
++++ b/parser.c
+@@ -4076,7 +4076,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+         goto error;
+ 
+     if ((in_space) && (normalize)) {
+-        while (buf[len - 1] == 0x20) len--;
++        while ((len > 0) && (buf[len - 1] == 0x20)) len--;
+     }
+     buf[len] = 0;
+     if (RAW == '<') {
+--
+cgit v0.9.0.2