Dear ports@,

There is a new CVE for libxml2: https://nvd.nist.gov/vuln/detail/CVE-2020-7595
The diff is available here: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076

make test passes without errors. The diff is attached.

There is a CVE list supposed to be in devel/quirks but I don't exactly know what key-value pair to add. It might be useful to add a comment to the patch.

Diff attached

mbuhl

Index: textproc/libxml/Makefile =================================================================== RCS file: /cvs/ports/textproc/libxml/Makefile,v retrieving revision 1.179 diff -u -p -r1.179 Makefile --- textproc/libxml/Makefile 1 Nov 2019 15:37:45 -0000 1.179 +++ textproc/libxml/Makefile 28 Jan 2020 18:59:15 -0000 @@ -13,6 +13,8 @@ MASTER_SITES= ftp://xmlsoft.org/libxml/ HOMEPAGE= http://xmlsoft.org/ +REVISION = 0 + # BSD-like PERMIT_PACKAGE= Yes Index: textproc/libxml/patches/patch-parser_c =================================================================== RCS file: textproc/libxml/patches/patch-parser_c diff -N textproc/libxml/patches/patch-parser_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ textproc/libxml/patches/patch-parser_c 28 Jan 2020 18:48:00 -0000 @@ -0,0 +1,13 @@ +--- parser.c.orig ++++ parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +
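Review bot: In the textproc/libxml/Makefile hunk, `REVISION = 0` is written with spaces around `=` while the neighbouring `MASTER_SITES=`, `HOMEPAGE=` and `PERMIT_PACKAGE=` assignments have none, and it sits between HOMEPAGE and the `# BSD-like` license comment. Match the file's existing assignment style, and if the Makefile groups its version-related variables elsewhere, move the REVISION line there so the bump is easy to find and remove at the next update.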
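Review bot: The new textproc/libxml/patches/patch-parser_c starts directly at `--- parser.c.orig` with no comment saying why the patch exists. Add a short comment above those header lines naming CVE-2020-7595 and the upstream commit 0e1a49c89076, so whoever updates the port can tell that the added `ctxt->instate != XML_PARSER_EOF` loop condition in xmlStringLenDecodeEntities is a backported security fix and drop the patch once a release containing it is imported.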