From: bugzilla-noreply@freebsd.org
To: desktop@FreeBSD.org
Subject: [Bug 256094] textproc/libxml2: Add upstream patch to fix CVE-2021-3541
Date: Sun, 23 May 2021 14:36:19 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: desktop@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback? merge-quarterly?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256094

--- Comment #5 from commit-hook@FreeBSD.org ---
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d1aa619eee6b57face171474c3166f4112447f26

commit d1aa619eee6b57face171474c3166f4112447f26
Author: Yasuhiro Kimura
AuthorDate: 2021-05-23 14:27:31 +0000
Commit: Tobias C. Berner
CommitDate: 2021-05-23 14:35:28 +0000

textproc/libxml2: add upstream fix for CVE-2021-3541

This is related to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless.

PR: 256094
Obtained from: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Security: CVE-2021-3541

(cherry picked from commit 83889bd6875d128b44342dd3cd58fe6027b98542)

textproc/libxml2/Makefile | 2 +-
textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++++++
2 files changed, 68 insertions(+), 1 deletion(-)