[pkgsrc/pkgsrc-2016Q3]: pkgsrc/textproc/libxml2 Pullup ticket #5168 - request...

[bsiegert <bsiegert%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/24c5dd315023
branches:  pkgsrc-2016Q3
changeset: 408826:24c5dd315023
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sun Dec 04 15:40:22 2016 +0000

description:
Pullup ticket #5168 - requested by sevan
textproc/libxml2: security fix

Revisions pulled up:
- textproc/libxml2/Makefile.common                              1.3
- textproc/libxml2/distinfo                                     1.113
- textproc/libxml2/patches/patch-parseInternals.c               1.1

---
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Wed Nov 30 14:46:22 UTC 2016

   Modified Files:
           pkgsrc/textproc/libxml2: Makefile.common distinfo
   Added Files:
           pkgsrc/textproc/libxml2/patches: patch-parseInternals.c

   Log Message:
   Patch CVE-2016-9318 https://bugzilla.gnome.org/show_bug.cgi?id=772726
   Bump rev.

diffstat:

 textproc/libxml2/Makefile.common                |   3 ++-
 textproc/libxml2/distinfo                       |   3 ++-
 textproc/libxml2/patches/patch-parseInternals.c |  18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diffs (54 lines):

diff -r c06487daef58 -r 24c5dd315023 textproc/libxml2/Makefile.common
--- a/textproc/libxml2/Makefile.common  Sun Dec 04 15:28:33 2016 +0000
+++ b/textproc/libxml2/Makefile.common  Sun Dec 04 15:40:22 2016 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile.common,v 1.2 2016/05/28 06:47:51 wiz Exp $
+# $NetBSD: Makefile.common,v 1.2.4.1 2016/12/04 15:40:22 bsiegert Exp $
 #
 # used by textproc/libxml2/Makefile
 # used by textproc/py-libxml2/Makefile
 
 DISTNAME=      libxml2-2.9.4
+PKGREVISION=   1
 CATEGORIES=    textproc
 MASTER_SITES=  ftp://xmlsoft.org/libxml2/ \
                http://xmlsoft.org/sources/
diff -r c06487daef58 -r 24c5dd315023 textproc/libxml2/distinfo
--- a/textproc/libxml2/distinfo Sun Dec 04 15:28:33 2016 +0000
+++ b/textproc/libxml2/distinfo Sun Dec 04 15:40:22 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.112 2016/05/25 07:16:36 he Exp $
+$NetBSD: distinfo,v 1.112.4.1 2016/12/04 15:40:22 bsiegert Exp $
 
 SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
 RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
@@ -10,6 +10,7 @@
 SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
+SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
 SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
 SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
 SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
diff -r c06487daef58 -r 24c5dd315023 textproc/libxml2/patches/patch-parseInternals.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/libxml2/patches/patch-parseInternals.c   Sun Dec 04 15:40:22 2016 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-parseInternals.c,v 1.1.2.2 2016/12/04 15:40:22 bsiegert Exp $
+
+CVE-2016-9318 https://bugzilla.gnome.org/show_bug.cgi?id=772726
+
+--- parserInternals.c.orig     2016-11-30 14:35:55.000000000 +0000
++++ parserInternals.c
+@@ -1438,6 +1438,11 @@ xmlNewEntityInputStream(xmlParserCtxtPtr
+                 break;
+             case XML_EXTERNAL_GENERAL_PARSED_ENTITY:
+             case XML_EXTERNAL_PARAMETER_ENTITY:
++              if (((ctxt->options & XML_PARSE_NOENT) == 0) &&
++                  ((ctxt->options & XML_PARSE_DTDVALID) == 0)) {
++                  xmlErrInternal(ctxt, "xmlNewEntityInputStream will not read content for external entity\n",
++                                  NULL);
++              }
+               return(xmlLoadExternalEntity((char *) entity->URI,
+                      (char *) entity->ExternalID, ctxt));
+             case XML_INTERNAL_GENERAL_ENTITY: