Created attachment 225186 [details] Patch file Update to 2.9.12. Changes: https://gitlab.gnome.org/GNOME/libxml2/-/commits/v2.9.12 Security: CVE-2021-3541 Bug #256093 describes vulnerability fixed with this update. So please commit it together.
I found bug #256078 also updates this port to 2.9.12. But it also changes build tool from GNU autotools to CMake. And submitter says it is still WIP. On the other hands, Update to 2.9.12 includes fix of CVE-2021-3541. So my patch should be committed ASAP rather than waiting for working of bug #256078 will be finished.
Created attachment 225187 [details] Updated patch file Stop updating to newer version and only add upstream patch to fix CVE-2021-3541 instead. It it found build of textproc/libxslt is fails with 2.9.12. So stop updating to newer version and only add upstream patch to fix CVE-2021-3541 instead.
Since updated patch only fixes CVE-2021-3541, I withdraw exp-run request.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=83889bd6875d128b44342dd3cd58fe6027b98542 commit 83889bd6875d128b44342dd3cd58fe6027b98542 Author: Yasuhiro Kimura <yasu@utahime.org> AuthorDate: 2021-05-23 14:27:31 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-05-23 14:31:54 +0000 textproc/libxml2: add upstream fix for CVE-2021-3541 This is relapted to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless. PR: 256094 Obtained from: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e Security: CVE-2021-3541 textproc/libxml2/Makefile | 2 +- textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 1 deletion(-)
A commit in branch 2021Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=d1aa619eee6b57face171474c3166f4112447f26 commit d1aa619eee6b57face171474c3166f4112447f26 Author: Yasuhiro Kimura <yasu@utahime.org> AuthorDate: 2021-05-23 14:27:31 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-05-23 14:35:28 +0000 textproc/libxml2: add upstream fix for CVE-2021-3541 This is relapted to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless. PR: 256094 Obtained from: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e Security: CVE-2021-3541 (cherry picked from commit 83889bd6875d128b44342dd3cd58fe6027b98542) textproc/libxml2/Makefile | 2 +- textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 1 deletion(-)
Committed, and MFH-ed -- thanks a lot :) mfg Tobias