[Bug 256094] textproc/libxml2: Add upstream patch to fix CVE-2021-3541
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 256094] textproc/libxml2: Update to 2.9.12"
Date: Sun, 23 May 2021 14:33:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256094
--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:
URL:
https://cgit.FreeBSD.org/ports/commit/?id=83889bd6875d128b44342dd3cd58fe6027b98542
commit 83889bd6875d128b44342dd3cd58fe6027b98542
Author: Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-05-23 14:27:31 +0000
Commit: Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-23 14:31:54 +0000
textproc/libxml2: add upstream fix for CVE-2021-3541
This is related to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.
PR: 256094
Obtained from:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Security: CVE-2021-3541
textproc/libxml2/Makefile | 2 +-
textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++++++
2 files changed, 68 insertions(+), 1 deletion(-)
--
You are receiving this mail because:
You are the assignee for the bug.