CVS commit: [pkgsrc-2016Q1] pkgsrc/textproc/expat

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2016Q1] pkgsrc/textproc/expat
From: "Benny Siegert" <bsiegert%netbsd.org@localhost>
Date: Sat, 21 May 2016 19:13:45 +0000

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat May 21 19:13:45 UTC 2016

Modified Files:
        pkgsrc/textproc/expat [pkgsrc-2016Q1]: Makefile distinfo
Added Files:
        pkgsrc/textproc/expat/patches [pkgsrc-2016Q1]: patch-CVE-2016-0718-1
            patch-CVE-2016-0718-2 patch-CVE-2016-0718-3 patch-CVE-2016-0718-4

Log Message:
Pullup ticket #5026 - requested by drochner
textproc/expat: security fix

Revisions pulled up:
- textproc/expat/Makefile                                       1.32
- textproc/expat/distinfo                                       1.25
- textproc/expat/patches/patch-CVE-2016-0718-1                  1.1
- textproc/expat/patches/patch-CVE-2016-0718-2                  1.1
- textproc/expat/patches/patch-CVE-2016-0718-3                  1.1
- textproc/expat/patches/patch-CVE-2016-0718-4                  1.1

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue May 17 19:15:01 UTC 2016

   Modified Files:
           pkgsrc/textproc/expat: Makefile distinfo
   Added Files:
           pkgsrc/textproc/expat/patches: patch-CVE-2016-0718-1
               patch-CVE-2016-0718-2 patch-CVE-2016-0718-3 patch-CVE-2016-0718-4

   Log Message:
   add patches from upstream to fix possible crashes and memory corruption
   on malformed input (CVE-2016-0718)
   Description: The Expat XML parser mishandles certain kinds of malformed
   input documents, resulting in buffer overflows during processing and
   error reporting. The overflows can manifest as a segmentation fault or
   as memory corruption during a parse operation. The bugs allow for a
   denial of service attack in many applications by an unauthenticated
   attacker, and could conceivably result in remote code execution.

   bump PKGREV

   also add an improvement to the fix for CVE-2015-1283 which was part
   of the 2.1.1 release -- don't rely on defined behaviour on overflows
   of signed integer operations, from upstream git:
   https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/

   pkgsrc change: add a hint how to run the pkg's selftest (not enabled
   permanently because this would add a dependency on C++)


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.2.1 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.24 -r1.24.2.1 pkgsrc/textproc/expat/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-1 \
    pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-2 \
    pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-3 \
    pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/x11/mate-screensaver
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/x11/mate-screensaver
Indexes:

Home | Main Index | Thread Index | Old Index