summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGilles Dartiguelongue <eva@gentoo.org>2009-08-11 21:44:34 +0000
committerGilles Dartiguelongue <eva@gentoo.org>2009-08-11 21:44:34 +0000
commit52e9a7fe5d5da97c245bd4ff019df2eace198b83 (patch)
tree3c469c145bf764a955938fe55752de8d168e5c56 /dev-libs
parent0.6.6 version bump and remove old. (diff)
downloadgentoo-2-52e9a7fe5d5da97c245bd4ff019df2eace198b83.tar.gz
gentoo-2-52e9a7fe5d5da97c245bd4ff019df2eace198b83.tar.bz2
gentoo-2-52e9a7fe5d5da97c245bd4ff019df2eace198b83.zip
Version bump. Fix CVE 2009-2414 and CVE 2009-2416, bug #280617.
(Portage version: 2.2_rc36/cvs/Linux x86_64)
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/libxml2/ChangeLog9
-rw-r--r--dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch172
-rw-r--r--dev-libs/libxml2/libxml2-2.7.3-r2.ebuild151
3 files changed, 331 insertions, 1 deletions
diff --git a/dev-libs/libxml2/ChangeLog b/dev-libs/libxml2/ChangeLog
index e8d4af694c52..540e5e1570b8 100644
--- a/dev-libs/libxml2/ChangeLog
+++ b/dev-libs/libxml2/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-libs/libxml2
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/libxml2/ChangeLog,v 1.265 2009/05/31 17:37:14 eva Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/libxml2/ChangeLog,v 1.266 2009/08/11 21:44:34 eva Exp $
+
+*libxml2-2.7.3-r2 (11 Aug 2009)
+
+ 11 Aug 2009; Gilles Dartiguelongue <eva@gentoo.org>
+ +libxml2-2.7.3-r2.ebuild,
+ +files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch:
+ Version bump. Fix CVE 2009-2414 and CVE 2009-2416, bug #280617.
31 May 2009; Gilles Dartiguelongue <eva@gentoo.org>
libxml2-2.7.3-r1.ebuild:
diff --git a/dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch b/dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch
new file mode 100644
index 000000000000..29c339f667ef
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch
@@ -0,0 +1,172 @@
+From 489f9671e71cc44a97b23111b3126ac8a1e21a59 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 10 Aug 2009 16:49:30 +0200
+Subject: [PATCH 1/1] Fix a couple of problems in the parser
+
+* parser.c: a couple of nasty bugs CVE-2009-2414 and CVE-2009-2416
+---
+ parser.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 files changed, 67 insertions(+), 12 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index a476060..bd2be67 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5323,7 +5323,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+ if (name == NULL) {
+ xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+ "Name expected in NOTATION declaration\n");
+- return(ret);
++ xmlFreeEnumeration(ret);
++ return(NULL);
+ }
+ tmp = ret;
+ while (tmp != NULL) {
+@@ -5339,7 +5340,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+ }
+ if (tmp == NULL) {
+ cur = xmlCreateEnumeration(name);
+- if (cur == NULL) return(ret);
++ if (cur == NULL) {
++ xmlFreeEnumeration(ret);
++ return(NULL);
++ }
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+@@ -5350,9 +5354,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+ } while (RAW == '|');
+ if (RAW != ')') {
+ xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+- if ((last != NULL) && (last != ret))
+- xmlFreeEnumeration(last);
+- return(ret);
++ xmlFreeEnumeration(ret);
++ return(NULL);
+ }
+ NEXT;
+ return(ret);
+@@ -5407,7 +5410,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) {
+ cur = xmlCreateEnumeration(name);
+ if (!xmlDictOwns(ctxt->dict, name))
+ xmlFree(name);
+- if (cur == NULL) return(ret);
++ if (cur == NULL) {
++ xmlFreeEnumeration(ret);
++ return(NULL);
++ }
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+@@ -5775,9 +5781,10 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+ }
+
+ /**
+- * xmlParseElementChildrenContentDecl:
++ * xmlParseElementChildrenContentDeclPriv:
+ * @ctxt: an XML parser context
+ * @inputchk: the input used for the current entity, needed for boundary checks
++ * @depth: the level of recursion
+ *
+ * parse the declaration for a Mixed Element content
+ * The leading '(' and spaces have been skipped in xmlParseElementContentDecl
+@@ -5805,12 +5812,20 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+ * Returns the tree of xmlElementContentPtr describing the element
+ * hierarchy.
+ */
+-xmlElementContentPtr
+-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
++static xmlElementContentPtr
++xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
++ int depth) {
+ xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;
+ const xmlChar *elem;
+ xmlChar type = 0;
+
++ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++ (depth > 2048)) {
++ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
++"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n",
++ depth);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ GROW;
+ if (RAW == '(') {
+@@ -5819,7 +5834,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+ /* Recurse on first child */
+ NEXT;
+ SKIP_BLANKS;
+- cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
++ depth + 1);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -5951,7 +5967,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+ /* Recurse on second child */
+ NEXT;
+ SKIP_BLANKS;
+- last = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
++ depth + 1);
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+@@ -6062,6 +6079,44 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+ }
+
+ /**
++ *
++ * xmlParseElementChildrenContentDecl:
++ * @ctxt: an XML parser context
++ * @inputchk: the input used for the current entity, needed for boundary checks
++ * @depth: the level of recursion
++ *
++ * parse the declaration for a Mixed Element content
++ * The leading '(' and spaces have been skipped in xmlParseElementContentDecl
++ *
++ * [47] children ::= (choice | seq) ('?' | '*' | '+')?
++ *
++ * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')?
++ *
++ * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')'
++ *
++ * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')'
++ *
++ * [ VC: Proper Group/PE Nesting ] applies to [49] and [50]
++ * TODO Parameter-entity replacement text must be properly nested
++ * with parenthesized groups. That is to say, if either of the
++ * opening or closing parentheses in a choice, seq, or Mixed
++ * construct is contained in the replacement text for a parameter
++ * entity, both must be contained in the same replacement text. For
++ * interoperability, if a parameter-entity reference appears in a
++ * choice, seq, or Mixed construct, its replacement text should not
++ * be empty, and neither the first nor last non-blank character of
++ * the replacement text should be a connector (| or ,).
++ *
++ * Returns the tree of xmlElementContentPtr describing the element
++ * hierarchy.
++ */
++xmlElementContentPtr
++xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
++ /* stub left for API/ABI compat */
++ return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1));
++}
++
++/**
+ * xmlParseElementContentDecl:
+ * @ctxt: an XML parser context
+ * @name: the name of the element being defined.
+@@ -6097,7 +6152,7 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name,
+ tree = xmlParseElementMixedContentDecl(ctxt, inputid);
+ res = XML_ELEMENT_TYPE_MIXED;
+ } else {
+- tree = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1);
+ res = XML_ELEMENT_TYPE_ELEMENT;
+ }
+ SKIP_BLANKS;
+--
+1.6.4
+
diff --git a/dev-libs/libxml2/libxml2-2.7.3-r2.ebuild b/dev-libs/libxml2/libxml2-2.7.3-r2.ebuild
new file mode 100644
index 000000000000..2c6e506119c5
--- /dev/null
+++ b/dev-libs/libxml2/libxml2-2.7.3-r2.ebuild
@@ -0,0 +1,151 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/libxml2/libxml2-2.7.3-r2.ebuild,v 1.1 2009/08/11 21:44:34 eva Exp $
+
+inherit libtool flag-o-matic eutils python
+
+DESCRIPTION="Version 2 of the library to manipulate XML files"
+HOMEPAGE="http://www.xmlsoft.org/"
+
+LICENSE="MIT"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="debug doc examples ipv6 python readline test"
+
+XSTS_HOME="http://www.w3.org/XML/2004/xml-schema-test-suite"
+XSTS_NAME_1="xmlschema2002-01-16"
+XSTS_NAME_2="xmlschema2004-01-14"
+XSTS_TARBALL_1="xsts-2002-01-16.tar.gz"
+XSTS_TARBALL_2="xsts-2004-01-14.tar.gz"
+
+SRC_URI="ftp://xmlsoft.org/${PN}/${P}.tar.gz
+ test? (
+ ${XSTS_HOME}/${XSTS_NAME_1}/${XSTS_TARBALL_1}
+ ${XSTS_HOME}/${XSTS_NAME_2}/${XSTS_TARBALL_2} )"
+
+RDEPEND="sys-libs/zlib
+ python? ( dev-lang/python )
+ readline? ( sys-libs/readline )"
+
+DEPEND="${RDEPEND}
+ hppa? ( >=sys-devel/binutils-2.15.92.0.2 )"
+
+src_unpack() {
+ # ${A} isn't used to avoid unpacking of test tarballs into $WORKDIR,
+ # as they are needed as tarballs in ${S}/xstc instead and not unpacked
+ unpack ${P}.tar.gz
+ cd "${S}"
+
+ if use test; then
+ cp "${DISTDIR}/${XSTS_TARBALL_1}" \
+ "${DISTDIR}/${XSTS_TARBALL_2}" \
+ "${S}"/xstc/ \
+ || die "Failed to install test tarballs"
+ fi
+
+ # Fix macro conflict with wxGTK, bug #266653
+ epatch "${FILESDIR}/${P}-printf-rename.patch"
+
+ # Fix multiple use-after-free, bug #280617
+ epatch "${FILESDIR}/${P}-CVE-2009-2414-CVE-2009-2416.patch"
+
+ epunt_cxx
+}
+
+src_compile() {
+ # USE zlib support breaks gnome2
+ # (libgnomeprint for instance fails to compile with
+ # fresh install, and existing) - <azarah@gentoo.org> (22 Dec 2002).
+
+ # The meaning of the 'debug' USE flag does not apply to the --with-debug
+ # switch (enabling the libxml2 debug module). See bug #100898.
+
+ # --with-mem-debug causes unusual segmentation faults (bug #105120).
+
+ local myconf="--with-zlib \
+ --with-html-subdir=${PF}/html \
+ --docdir=/usr/share/doc/${PF} \
+ $(use_with debug run-debug) \
+ $(use_with python) \
+ $(use_with readline) \
+ $(use_with readline history) \
+ $(use_enable ipv6)"
+
+ # Please do not remove, as else we get references to PORTAGE_TMPDIR
+ # in /usr/lib/python?.?/site-packages/libxml2mod.la among things.
+ elibtoolize
+
+ # filter seemingly problematic CFLAGS (#26320)
+ filter-flags -fprefetch-loop-arrays -funroll-loops
+
+ econf $myconf
+
+ # Patching the Makefiles to respect get_libdir
+ # Fixes BUG #86766, please keep this.
+ # Danny van Dyk <kugelfang@gentoo.org> 2005/03/26
+ for x in $(find "${S}" -name "Makefile") ; do
+ sed \
+ -e "s|^\(PYTHON_SITE_PACKAGES\ =\ \/usr\/\).*\(\/python.*\)|\1$(get_libdir)\2|g" \
+ -i ${x} \
+ || die "sed failed"
+ done
+
+ emake || die "Compilation failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" \
+ EXAMPLES_DIR=/usr/share/doc/${PF}/examples \
+ docsdir=/usr/share/doc/${PF}/python \
+ exampledir=/usr/share/doc/${PF}/python/examples \
+ install || die "Installation failed"
+
+ dodoc AUTHORS ChangeLog Copyright NEWS README* TODO* || die "dodoc failed"
+ rm "${D}"/usr/share/doc/${P}/Copyright
+ rm -rf "${D}"/usr/share/doc/${P}
+
+ if ! use python; then
+ rm -rf "${D}"/usr/share/doc/${PF}/python
+ rm -rf "${D}"/usr/share/doc/${PN}-python-${PV}
+ fi
+
+ if ! use doc; then
+ rm -rf "${D}"/usr/share/gtk-doc
+ rm -rf "${D}"/usr/share/doc/${PF}/html
+ fi
+
+ if ! use examples; then
+ rm -rf "${D}/usr/share/doc/${PF}/examples"
+ rm -rf "${D}/usr/share/doc/${PF}/python/examples"
+ fi
+}
+
+pkg_postinst() {
+ if use python; then
+ python_need_rebuild
+ python_mod_optimize $(python_get_sitedir)
+ fi
+
+ # We don't want to do the xmlcatalog during stage1, as xmlcatalog will not
+ # be in / and stage1 builds to ROOT=/tmp/stage1root. This fixes bug #208887.
+ if [ "${ROOT}" != "/" ]
+ then
+ elog "Skipping XML catalog creation for stage building (bug #208887)."
+ else
+ # need an XML catalog, so no-one writes to a non-existent one
+ CATALOG="${ROOT}etc/xml/catalog"
+
+ # we dont want to clobber an existing catalog though,
+ # only ensure that one is there
+ # <obz@gentoo.org>
+ if [ ! -e ${CATALOG} ]; then
+ [ -d "${ROOT}etc/xml" ] || mkdir -p "${ROOT}etc/xml"
+ /usr/bin/xmlcatalog --create > ${CATALOG}
+ einfo "Created XML catalog in ${CATALOG}"
+ fi
+ fi
+}
+
+pkg_postrm() {
+ python_mod_cleanup /usr/$(get_libdir)/python*/site-packages
+}