Date: Sun, 23 May 2021 14:33:18 +0000 From: bugzilla-noreply@freebsd.org To: desktop@FreeBSD.org Subject: [Bug 256094] textproc/libxml2: Add upstream patch to fix CVE-2021-3541 Message-ID: <bug-256094-39348-1ddukUN2rU@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-256094-39348@https.bugs.freebsd.org/bugzilla/> References: <bug-256094-39348@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D256094 --- Comment #4 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3D83889bd6875d128b44342dd3cd58fe6= 027b98542 commit 83889bd6875d128b44342dd3cd58fe6027b98542 Author: Yasuhiro Kimura <yasu@utahime.org> AuthorDate: 2021-05-23 14:27:31 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-05-23 14:31:54 +0000 textproc/libxml2: add upstream fix for CVE-2021-3541 This is relapted to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless. PR: 256094 Obtained from:=20 https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97= 744ff4e428f8e Security: CVE-2021-3541 textproc/libxml2/Makefile | 2 +- textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++= ++++ 2 files changed, 68 insertions(+), 1 deletion(-) --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-256094-39348-1ddukUN2rU>