--- a/usr/src/lib/libxml2/Makefile.sfw Wed May 16 12:16:46 2012 +0100
+++ b/usr/src/lib/libxml2/Makefile.sfw Tue May 22 19:59:29 2012 +0100
@@ -129,6 +129,7 @@
(cd $(VER); gpatch -p 1 < ../Patches/CVE-2011-3905.patch)
(cd $(VER); gpatch -p 1 < ../Patches/CVE-2011-3919.patch)
(cd $(VER); gpatch -p 1 < ../Patches/CVE-2012-0841.patch)
+ (cd $(VER); gpatch -p 1 < ../Patches/CVE-2011-3102.patch)
touch $(VER)/configure
$(VER64)/configure: $(VER).tar.gz
@@ -149,6 +150,7 @@
(cd $(VER64); gpatch -p 1 < ../Patches/CVE-2011-3905.patch)
(cd $(VER64); gpatch -p 1 < ../Patches/CVE-2011-3919.patch)
(cd $(VER64); gpatch -p 1 < ../Patches/CVE-2012-0841.patch)
+ (cd $(VER64); gpatch -p 1 < ../Patches/CVE-2011-3102.patch)
touch $(VER64)/configure
clean:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/libxml2/Patches/CVE-2011-3102.patch Tue May 22 19:59:29 2012 +0100
@@ -0,0 +1,39 @@
+From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001
+From: Jüri Aedla <[email protected]>
+Date: Mon, 07 May 2012 07:06:56 +0000
+Subject: Fix an off by one pointer access
+
+getting out of the range of memory allocated for xpointer decoding
+---
+diff --git a/xpointer.c b/xpointer.c
+index 37afa3a..0b463dd 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
+ NEXT;
+ break;
+ }
+- *cur++ = CUR;
+ } else if (CUR == '(') {
+ level++;
+- *cur++ = CUR;
+ } else if (CUR == '^') {
+- NEXT;
+- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
+- *cur++ = CUR;
+- } else {
+- *cur++ = '^';
+- *cur++ = CUR;
+- }
+- } else {
+- *cur++ = CUR;
++ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
++ NEXT;
++ }
+ }
++ *cur++ = CUR;
+ NEXT;
+ }
+ *cur = 0;
+--
+cgit v0.9.0.2