From 52e9a7fe5d5da97c245bd4ff019df2eace198b83 Mon Sep 17 00:00:00 2001
From: Gilles Dartiguelongue <eva@gentoo.org>
Date: Tue, 11 Aug 2009 21:44:34 +0000
Subject: Version bump. Fix CVE 2009-2414 and CVE 2009-2416, bug #280617.
 (Portage version: 2.2_rc36/cvs/Linux x86_64)

---
 ...libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch | 172 +++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100644 dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch

(limited to 'dev-libs/libxml2/files')

diff --git a/dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch b/dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch
new file mode 100644
index 000000000000..29c339f667ef
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch
@@ -0,0 +1,172 @@
+From 489f9671e71cc44a97b23111b3126ac8a1e21a59 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 10 Aug 2009 16:49:30 +0200
+Subject: [PATCH 1/1] Fix a couple of problems in the parser
+
+* parser.c: a couple of nasty bugs CVE-2009-2414 and CVE-2009-2416
+---
+ parser.c |   79 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 files changed, 67 insertions(+), 12 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index a476060..bd2be67 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5323,7 +5323,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+ 	if (name == NULL) {
+ 	    xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+ 			   "Name expected in NOTATION declaration\n");
+-	    return(ret);
++            xmlFreeEnumeration(ret);
++	    return(NULL);
+ 	}
+ 	tmp = ret;
+ 	while (tmp != NULL) {
+@@ -5339,7 +5340,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+ 	}
+ 	if (tmp == NULL) {
+ 	    cur = xmlCreateEnumeration(name);
+-	    if (cur == NULL) return(ret);
++	    if (cur == NULL) {
++                xmlFreeEnumeration(ret);
++                return(NULL);
++            }
+ 	    if (last == NULL) ret = last = cur;
+ 	    else {
+ 		last->next = cur;
+@@ -5350,9 +5354,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+     } while (RAW == '|');
+     if (RAW != ')') {
+ 	xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+-	if ((last != NULL) && (last != ret))
+-	    xmlFreeEnumeration(last);
+-	return(ret);
++        xmlFreeEnumeration(ret);
++	return(NULL);
+     }
+     NEXT;
+     return(ret);
+@@ -5407,7 +5410,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) {
+ 	    cur = xmlCreateEnumeration(name);
+ 	    if (!xmlDictOwns(ctxt->dict, name))
+ 		xmlFree(name);
+-	    if (cur == NULL) return(ret);
++	    if (cur == NULL) {
++                xmlFreeEnumeration(ret);
++                return(NULL);
++            }
+ 	    if (last == NULL) ret = last = cur;
+ 	    else {
+ 		last->next = cur;
+@@ -5775,9 +5781,10 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+ }
+ 
+ /**
+- * xmlParseElementChildrenContentDecl:
++ * xmlParseElementChildrenContentDeclPriv:
+  * @ctxt:  an XML parser context
+  * @inputchk:  the input used for the current entity, needed for boundary checks
++ * @depth: the level of recursion
+  *
+  * parse the declaration for a Mixed Element content
+  * The leading '(' and spaces have been skipped in xmlParseElementContentDecl
+@@ -5805,12 +5812,20 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+  * Returns the tree of xmlElementContentPtr describing the element 
+  *          hierarchy.
+  */
+-xmlElementContentPtr
+-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
++static xmlElementContentPtr
++xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
++                                       int depth) {
+     xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;
+     const xmlChar *elem;
+     xmlChar type = 0;
+ 
++    if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++        (depth >  2048)) {
++        xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
++"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n",
++                          depth);
++	return(NULL);
++    }
+     SKIP_BLANKS;
+     GROW;
+     if (RAW == '(') {
+@@ -5819,7 +5834,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+         /* Recurse on first child */
+ 	NEXT;
+ 	SKIP_BLANKS;
+-        cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
++        cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
++                                                           depth + 1);
+ 	SKIP_BLANKS;
+ 	GROW;
+     } else {
+@@ -5951,7 +5967,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+ 	    /* Recurse on second child */
+ 	    NEXT;
+ 	    SKIP_BLANKS;
+-	    last = xmlParseElementChildrenContentDecl(ctxt, inputid);
++	    last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
++                                                          depth + 1);
+ 	    SKIP_BLANKS;
+ 	} else {
+ 	    elem = xmlParseName(ctxt);
+@@ -6062,6 +6079,44 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+ }
+ 
+ /**
++ *
++ * xmlParseElementChildrenContentDecl:
++ * @ctxt:  an XML parser context
++ * @inputchk:  the input used for the current entity, needed for boundary checks
++ * @depth: the level of recursion
++ *
++ * parse the declaration for a Mixed Element content
++ * The leading '(' and spaces have been skipped in xmlParseElementContentDecl
++ *
++ * [47] children ::= (choice | seq) ('?' | '*' | '+')?
++ *
++ * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')?
++ *
++ * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')'
++ *
++ * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')'
++ *
++ * [ VC: Proper Group/PE Nesting ] applies to [49] and [50]
++ * TODO Parameter-entity replacement text must be properly nested
++ *	with parenthesized groups. That is to say, if either of the
++ *	opening or closing parentheses in a choice, seq, or Mixed
++ *	construct is contained in the replacement text for a parameter
++ *	entity, both must be contained in the same replacement text. For
++ *	interoperability, if a parameter-entity reference appears in a
++ *	choice, seq, or Mixed construct, its replacement text should not
++ *	be empty, and neither the first nor last non-blank character of
++ *	the replacement text should be a connector (| or ,).
++ *
++ * Returns the tree of xmlElementContentPtr describing the element
++ *          hierarchy.
++ */
++xmlElementContentPtr
++xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
++    /* stub left for API/ABI compat */
++    return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1));
++}
++
++/**
+  * xmlParseElementContentDecl:
+  * @ctxt:  an XML parser context
+  * @name:  the name of the element being defined.
+@@ -6097,7 +6152,7 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name,
+         tree = xmlParseElementMixedContentDecl(ctxt, inputid);
+ 	res = XML_ELEMENT_TYPE_MIXED;
+     } else {
+-        tree = xmlParseElementChildrenContentDecl(ctxt, inputid);
++        tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1);
+ 	res = XML_ELEMENT_TYPE_ELEMENT;
+     }
+     SKIP_BLANKS;
+-- 
+1.6.4
+
-- 
cgit v1.2.3-65-gdbad