Hi, ok to fix CVE-2021-3537 ?
Unfortunately libxml2 does not make security releases so we have to pick the patches from their repository. bluhm Index: textproc/libxml/Makefile =================================================================== RCS file: /data/mirror/openbsd/cvs/ports/textproc/libxml/Makefile,v retrieving revision 1.186 diff -u -p -r1.186 Makefile --- textproc/libxml/Makefile 27 Apr 2021 11:16:48 -0000 1.186 +++ textproc/libxml/Makefile 7 May 2021 17:39:34 -0000 @@ -4,8 +4,8 @@ COMMENT-main= XML parsing library COMMENT-python= Python bindings for libxml VERSION= 2.9.10 -REVISION-main= 3 -REVISION-python= 3 +REVISION-main= 4 +REVISION-python= 4 DISTNAME= libxml2-${VERSION} PKGNAME-main= libxml-${VERSION} PKGNAME-python= py3-libxml-${VERSION} Index: textproc/libxml/patches/patch-parser_c =================================================================== RCS file: /data/mirror/openbsd/cvs/ports/textproc/libxml/patches/patch-parser_c,v retrieving revision 1.20 diff -u -p -r1.20 patch-parser_c --- textproc/libxml/patches/patch-parser_c 1 Feb 2020 20:35:32 -0000 1.20 +++ textproc/libxml/patches/patch-parser_c 7 May 2021 17:31:33 -0000 @@ -3,6 +3,10 @@ $OpenBSD: patch-parser_c,v 1.20 2020/02/ https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076 CVE-2020-7595 +https://bugzilla.redhat.com/show_bug.cgi?id=1956522 +https://gitlab.gnome.org/GNOME/libxml2/commit/babe75030c7f64a37826bb3342317134568bef61 +CVE-2021-3537 + Index: parser.c --- parser.c.orig +++ parser.c @@ -16,3 +20,24 @@ Index: parser.c if (c == 0) break; if ((c == '&') && (str[1] == '#')) { +@@ -6194,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPt + SKIP_BLANKS; + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (cur == NULL) ++ return(NULL); + SKIP_BLANKS; + GROW; + } else { +@@ -6327,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPt + SKIP_BLANKS; + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (last == NULL) { ++ if (ret != NULL) ++ xmlFreeDocElementContent(ctxt->myDoc, ret); ++ return(NULL); ++ } + SKIP_BLANKS; + } else { + elem = xmlParseName(ctxt);