summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch202
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch63
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch35
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch116
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch316
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch32
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch66
-rw-r--r--dev-libs/libxml2/libxml2-2.9.4-r2.ebuild231
8 files changed, 1061 insertions, 0 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch
new file mode 100644
index 000000000000..5d1adb014a0e
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch
@@ -0,0 +1,202 @@
+From 292be65a52ab9e0eb3a53b4e0be5a57bc6de59d3 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Fri, 7 Apr 2017 16:45:56 +0200
+Subject: [PATCH 6/7] Add an XML_PARSE_NOXXE flag to block all entities loading
+ even local
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+
+* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
+* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
+* include/libxml/xmlerror.h: new error raised
+* xmllint.c: adds --noxxe flag to activate the option
+---
+ elfgcchack.h | 10 ++++++++++
+ include/libxml/parser.h | 3 ++-
+ include/libxml/xmlIO.h | 8 ++++++++
+ include/libxml/xmlerror.h | 1 +
+ parser.c | 4 ++++
+ xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
+ xmllint.c | 5 +++++
+ 7 files changed, 65 insertions(+), 6 deletions(-)
+
+diff --git a/elfgcchack.h b/elfgcchack.h
+index 8c52884a..1b81dcde 100644
+--- a/elfgcchack.h
++++ b/elfgcchack.h
+@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
+ #endif
+ #endif
+
++#ifdef bottom_xmlIO
++#undef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
++#else
++#ifndef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
++#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
++#endif
++#endif
++
+ #ifdef bottom_tree
+ #undef xmlNodeAddContent
+ extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index 47fbec03..63ca1b97 100644
+--- a/include/libxml/parser.h
++++ b/include/libxml/parser.h
+@@ -1111,7 +1111,8 @@ typedef enum {
+ XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
+ XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
+ XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
+- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
++ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
++ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
+ } xmlParserOption;
+
+ XMLPUBFUN void XMLCALL
+diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
+index 3e41744d..8d3fdef5 100644
+--- a/include/libxml/xmlIO.h
++++ b/include/libxml/xmlIO.h
+@@ -299,6 +299,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
+ const char *ID,
+ xmlParserCtxtPtr ctxt);
+
++/*
++ * A predefined entity loader external entity expansion
++ */
++XMLPUBFUN xmlParserInputPtr XMLCALL
++ xmlNoXxeExternalEntityLoader (const char *URL,
++ const char *ID,
++ xmlParserCtxtPtr ctxt);
++
+ /*
+ * xmlNormalizeWindowsPath is obsolete, don't use it.
+ * Check xmlCanonicPath in uri.h for a better alternative.
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 037c16d5..3036062d 100644
+--- a/include/libxml/xmlerror.h
++++ b/include/libxml/xmlerror.h
+@@ -470,6 +470,7 @@ typedef enum {
+ XML_IO_EADDRINUSE, /* 1554 */
+ XML_IO_EALREADY, /* 1555 */
+ XML_IO_EAFNOSUPPORT, /* 1556 */
++ XML_IO_ILLEGAL_XXE, /* 1557 */
+ XML_XINCLUDE_RECURSION=1600,
+ XML_XINCLUDE_PARSE_VALUE, /* 1601 */
+ XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
+diff --git a/parser.c b/parser.c
+index b832406a..8e11c127 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15352,6 +15352,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ ctxt->options |= XML_PARSE_NONET;
+ options -= XML_PARSE_NONET;
+ }
++ if (options & XML_PARSE_NOXXE) {
++ ctxt->options |= XML_PARSE_NOXXE;
++ options -= XML_PARSE_NOXXE;
++ }
+ if (options & XML_PARSE_COMPACT) {
+ ctxt->options |= XML_PARSE_COMPACT;
+ options -= XML_PARSE_COMPACT;
+diff --git a/xmlIO.c b/xmlIO.c
+index 6e61f45a..34881461 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -212,6 +212,7 @@ static const char *IOerr[] = {
+ "adddress in use", /* EADDRINUSE */
+ "already in use", /* EALREADY */
+ "unknown address familly", /* EAFNOSUPPORT */
++ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
+ };
+
+ #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
+@@ -4057,13 +4058,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
+ #endif
+- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
++ if (ctxt != NULL) {
+ int options = ctxt->options;
+
+- ctxt->options -= XML_PARSE_NONET;
+- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+- ctxt->options = options;
+- return(ret);
++ if (options & XML_PARSE_NOXXE) {
++ ctxt->options -= XML_PARSE_NOXXE;
++ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
++ ctxt->options = options;
++ return(ret);
++ }
++
++ if (options & XML_PARSE_NONET) {
++ ctxt->options -= XML_PARSE_NONET;
++ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
++ ctxt->options = options;
++ return(ret);
++ }
+ }
+ #ifdef LIBXML_CATALOG_ENABLED
+ resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+@@ -4164,6 +4174,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+ xmlParserInputPtr input = NULL;
+ xmlChar *resource = NULL;
+
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++
+ #ifdef LIBXML_CATALOG_ENABLED
+ resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+ #endif
+@@ -4186,5 +4203,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+ return(input);
+ }
+
++xmlParserInputPtr
++xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
++ xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
++ return(NULL);
++}
++
+ #define bottom_xmlIO
+ #include "elfgcchack.h"
+diff --git a/xmllint.c b/xmllint.c
+index f8eb7ec4..8f304cda 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
+ printf("\t--path 'paths': provide a set of paths for resources\n");
+ printf("\t--load-trace : print trace of all external entities loaded\n");
+ printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
++ printf("\t--noxxe : forbid any external entity loading\n");
+ printf("\t--nocompact : do not generate compact text nodes\n");
+ printf("\t--htmlout : output results as HTML\n");
+ printf("\t--nowrap : do not put HTML doc wrapper\n");
+@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
+ (!strcmp(argv[i], "--nonet"))) {
+ options |= XML_PARSE_NONET;
+ xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
++ } else if ((!strcmp(argv[i], "-noxxe")) ||
++ (!strcmp(argv[i], "--noxxe"))) {
++ options |= XML_PARSE_NOXXE;
++ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
+ } else if ((!strcmp(argv[i], "-nocompact")) ||
+ (!strcmp(argv[i], "--nocompact"))) {
+ options &= ~XML_PARSE_COMPACT;
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch
new file mode 100644
index 000000000000..4d1362f2f934
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch
@@ -0,0 +1,63 @@
+From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 7 Jun 2017 16:47:36 +0200
+Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent
+
+Can only be triggered in recovery mode.
+
+Fixes bug 758422 (CVE-2017-5969).
+---
+ valid.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 19f84b82..0a8e58ab 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+ xmlBufferWriteCHAR(buf, content->name);
+ break;
+ case XML_ELEMENT_CONTENT_SEQ:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " , ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
+ break;
+ case XML_ELEMENT_CONTENT_OR:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " | ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch
new file mode 100644
index 000000000000..db9d597ad73e
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch
@@ -0,0 +1,35 @@
+From 9ea49a06b9421b6a3a9c243fb1ec23b19bd6b049 Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH 7/7] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 8e11c127..e8e962bb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8125,6 +8125,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ if (xmlPushInput(ctxt, input) < 0)
+ return;
+ } else {
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
++ (ctxt->validate == 0))
++ return;
++
+ /*
+ * TODO !!!
+ * handle the extra spaces added before and after
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch
new file mode 100644
index 000000000000..f7c48cd877d7
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch
@@ -0,0 +1,116 @@
+From 839b89e678b5265a0e6b0477410e64fac669d578 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 3 Jun 2017 02:01:29 +0200
+Subject: [PATCH 4/7] Fix buffer size checks in xmlSnprintfElementContent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+
+Thanks to Marcel Böhme and Thuan Pham for the report.
+---
+ result/valid/781333.xml | 5 +++++
+ result/valid/781333.xml.err | 3 +++
+ result/valid/781333.xml.err.rdr | 6 ++++++
+ test/valid/781333.xml | 4 ++++
+ valid.c | 20 +++++++++++---------
+ 5 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 result/valid/781333.xml
+ create mode 100644 result/valid/781333.xml.err
+ create mode 100644 result/valid/781333.xml.err.rdr
+ create mode 100644 test/valid/781333.xml
+
+diff --git a/result/valid/781333.xml b/result/valid/781333.xml
+new file mode 100644
+index 00000000..45dc451d
+--- /dev/null
++++ b/result/valid/781333.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE a [
++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
+new file mode 100644
+index 00000000..b401b49a
+--- /dev/null
++++ b/result/valid/781333.xml.err
+@@ -0,0 +1,3 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
+new file mode 100644
+index 00000000..5ff56992
+--- /dev/null
++++ b/result/valid/781333.xml.err.rdr
+@@ -0,0 +1,6 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
++
++^
+diff --git a/test/valid/781333.xml b/test/valid/781333.xml
+new file mode 100644
+index 00000000..b29e5a68
+--- /dev/null
++++ b/test/valid/781333.xml
+@@ -0,0 +1,4 @@
++<!DOCTYPE a [
++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/valid.c b/valid.c
+index 0a8e58ab..8075d3a0 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1266,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1323,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch
new file mode 100644
index 000000000000..abf43ef9815d
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch
@@ -0,0 +1,316 @@
+From 9c95d1b7f3951efe09df66ec41d7b19d6283084d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 5 Jun 2017 15:37:17 +0200
+Subject: [PATCH 3/7] Fix handling of parameter-entity references
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+
+The percent sign is not allowed in names, which are grammatical tokens.
+
+- xmlParseEntityValue
+
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+
+- xmlParseSystemLiteral
+
+Parameter-entity references are ignored in the system literal.
+
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+
+Parameter-entity references are ignored outside the DTD.
+
+- xmlLoadEntityContent
+
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+
+This bug could also be triggered with an internal subset and double
+entity expansion.
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+---
+ Makefile.am | 18 ++++++++++++++++++
+ parser.c | 18 ++++++++++--------
+ result/errors10/781205.xml | 0
+ result/errors10/781205.xml.err | 21 +++++++++++++++++++++
+ result/errors10/781361.xml | 0
+ result/errors10/781361.xml.err | 13 +++++++++++++
+ result/valid/766956.xml | 0
+ result/valid/766956.xml.err | 9 +++++++++
+ result/valid/766956.xml.err.rdr | 10 ++++++++++
+ runtest.c | 3 +++
+ test/errors10/781205.xml | 3 +++
+ test/errors10/781361.xml | 3 +++
+ test/valid/766956.xml | 2 ++
+ test/valid/dtds/766956.dtd | 2 ++
+ 14 files changed, 94 insertions(+), 8 deletions(-)
+ create mode 100644 result/errors10/781205.xml
+ create mode 100644 result/errors10/781205.xml.err
+ create mode 100644 result/errors10/781361.xml
+ create mode 100644 result/errors10/781361.xml.err
+ create mode 100644 result/valid/766956.xml
+ create mode 100644 result/valid/766956.xml.err
+ create mode 100644 result/valid/766956.xml.err.rdr
+ create mode 100644 test/errors10/781205.xml
+ create mode 100644 test/errors10/781361.xml
+ create mode 100644 test/valid/766956.xml
+ create mode 100644 test/valid/dtds/766956.dtd
+
+diff --git a/Makefile.am b/Makefile.am
+index 3b52bae7..bf20124e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
+ if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
+ rm result.$$name error.$$name ; \
+ fi ; fi ; done)
++ @echo "## Error cases regression tests (old 1.0)"
++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
++ name=`basename $$i`; \
++ if [ ! -d $$i ] ; then \
++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
++ echo New test file $$name ; \
++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
++ 2> $(srcdir)/result/errors10/$$name.err \
++ > $(srcdir)/result/errors10/$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ else \
++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ diff $(srcdir)/result/errors10/$$name result.$$name ; \
++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
++ rm result.$$name error.$$name ; \
++ fi ; fi ; done)
+ @echo "## Error cases stream regression tests"
+ -@(for i in $(srcdir)/test/errors/*.xml ; do \
+ name=`basename $$i`; \
+diff --git a/parser.c b/parser.c
+index 53a6b7f0..b832406a 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 00000000..da15c3f7
+--- /dev/null
++++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++namespace error : Failed to parse QName ':0000'
++ %a;
++ ^
++<:0000
++ ^
++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
++
++^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 00000000..655f41a2
+--- /dev/null
++++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
++
++^
++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++
++^
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
++
++^
++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
++
++^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 00000000..34b1dae6
+--- /dev/null
++++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 00000000..77603462
+--- /dev/null
++++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
++./test/valid/766956.xml : failed to parse
+diff --git a/runtest.c b/runtest.c
+index 7d030bdc..cd233da9 100644
+--- a/runtest.c
++++ b/runtest.c
+@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
+ { "Error cases regression tests",
+ errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
+ 0 },
++ { "Error cases regression tests (old 1.0)",
++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
++ XML_PARSE_OLD10 },
+ #ifdef LIBXML_READER_ENABLED
+ { "Error cases stream regression tests",
+ streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 00000000..d9e9e839
+--- /dev/null
++++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE D [
++ <!ENTITY % a "<:0000">
++ %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 00000000..67476bcb
+--- /dev/null
++++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE doc [
++ <!ENTITY % elem "<!ELEMENT e0000000000">
++ %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 00000000..19a95a0e
+--- /dev/null
++++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
++<!DOCTYPE test SYSTEM "dtds/766956.dtd">
++<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 00000000..dddde68b
+--- /dev/null
++++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
++<!ENTITY % ent "value">
++%ä%ent;
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch
new file mode 100644
index 000000000000..770a1832b190
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch
@@ -0,0 +1,32 @@
+From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Tue, 4 Jul 2017 18:38:03 +0200
+Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in
+ xmlFAParsePosCharGroup
+
+Credit to OSS-Fuzz.
+
+Add a check to xmlFAParseCharRange() for the end of the buffer
+to prevent reading past the end of it.
+
+This fixes Bug 784017.
+---
+ xmlregexp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index ca3b4f46..6676c2a8 100644
+--- a/xmlregexp.c
++++ b/xmlregexp.c
+@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
+ return;
+ }
+ len = 1;
+- } else if ((cur != 0x5B) && (cur != 0x5D)) {
++ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) {
+ end = CUR_SCHAR(ctxt->cur, len);
+ } else {
+ ERROR("Expecting the end of a char range");
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch
new file mode 100644
index 000000000000..9d1a03346f67
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch
@@ -0,0 +1,66 @@
+From 8bc6baccc7da291c2338b8d95953ea487b0b3ca1 Mon Sep 17 00:00:00 2001
+From: Alex Henrie <alexhenrie24@gmail.com>
+Date: Thu, 26 May 2016 17:38:35 -0600
+Subject: [PATCH 2/7] Fix attribute decoding during XML schema validation
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=766834
+
+vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
+so this function can't call xmlStringLenDecodeEntities to decode the
+entities.
+---
+ xmlschemas.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index e1b3a4f0..59535e5c 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
+ * attributes yet.
+ */
+ if (nb_attributes != 0) {
++ int valueLen, k, l;
+ xmlChar *value;
+
+ for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
+@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
+ * libxml2 differs from normal SAX here in that it escapes all ampersands
+ * as &#38; instead of delivering the raw converted string. Changing the
+ * behavior at this point would break applications that use this API, so
+- * we are forced to work around it. There is no danger of accidentally
+- * decoding some entity other than &#38; in this step because without
+- * unescaped ampersands there can be no other entities in the string.
++ * we are forced to work around it.
+ */
+- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],
+- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
++ valueLen = attributes[j+4] - attributes[j+3];
++ value = xmlMallocAtomic(valueLen + 1);
++ if (value == NULL) {
++ xmlSchemaVErrMemory(vctxt,
++ "allocating string for decoded attribute",
++ NULL);
++ goto internal_error;
++ }
++ for (k = 0, l = 0; k < valueLen; l++) {
++ if (k < valueLen - 4 &&
++ attributes[j+3][k+0] == '&' &&
++ attributes[j+3][k+1] == '#' &&
++ attributes[j+3][k+2] == '3' &&
++ attributes[j+3][k+3] == '8' &&
++ attributes[j+3][k+4] == ';') {
++ value[l] = '&';
++ k += 5;
++ } else {
++ value[l] = attributes[j+3][k];
++ k++;
++ }
++ }
++ value[l] = '\0';
+ /*
+ * TODO: Set the node line.
+ */
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/libxml2-2.9.4-r2.ebuild b/dev-libs/libxml2/libxml2-2.9.4-r2.ebuild
new file mode 100644
index 000000000000..22b6dec79b0c
--- /dev/null
+++ b/dev-libs/libxml2/libxml2-2.9.4-r2.ebuild
@@ -0,0 +1,231 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} )
+PYTHON_REQ_USE="xml"
+
+inherit libtool flag-o-matic ltprune python-r1 autotools prefix multilib-minimal
+
+DESCRIPTION="Version 2 of the library to manipulate XML files"
+HOMEPAGE="http://www.xmlsoft.org/"
+
+LICENSE="MIT"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+IUSE="debug examples icu ipv6 lzma python readline static-libs test"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+XSTS_HOME="http://www.w3.org/XML/2004/xml-schema-test-suite"
+XSTS_NAME_1="xmlschema2002-01-16"
+XSTS_NAME_2="xmlschema2004-01-14"
+XSTS_TARBALL_1="xsts-2002-01-16.tar.gz"
+XSTS_TARBALL_2="xsts-2004-01-14.tar.gz"
+XMLCONF_TARBALL="xmlts20080827.tar.gz"
+
+SRC_URI="ftp://xmlsoft.org/${PN}/${PN}-${PV/_rc/-rc}.tar.gz
+ test? (
+ ${XSTS_HOME}/${XSTS_NAME_1}/${XSTS_TARBALL_1}
+ ${XSTS_HOME}/${XSTS_NAME_2}/${XSTS_TARBALL_2}
+ http://www.w3.org/XML/Test/${XMLCONF_TARBALL} )"
+
+RDEPEND="
+ >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}]
+ icu? ( >=dev-libs/icu-51.2-r1:=[${MULTILIB_USEDEP}] )
+ lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] )
+ python? ( ${PYTHON_DEPS} )
+ readline? ( sys-libs/readline:= )
+"
+DEPEND="${EDEPEND}
+ dev-util/gtk-doc-am
+ virtual/pkgconfig
+ hppa? ( >=sys-devel/binutils-2.15.92.0.2 )
+"
+
+S="${WORKDIR}/${PN}-${PV%_rc*}"
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/xml2-config
+)
+
+src_unpack() {
+ # ${A} isn't used to avoid unpacking of test tarballs into $WORKDIR,
+ # as they are needed as tarballs in ${S}/xstc instead and not unpacked
+ unpack ${P/_rc/-rc}.tar.gz
+ cd "${S}" || die
+
+ if use test; then
+ cp "${DISTDIR}/${XSTS_TARBALL_1}" \
+ "${DISTDIR}/${XSTS_TARBALL_2}" \
+ "${S}"/xstc/ \
+ || die "Failed to install test tarballs"
+ unpack ${XMLCONF_TARBALL}
+ fi
+}
+
+src_prepare() {
+ default
+
+ DOCS=( AUTHORS ChangeLog NEWS README* TODO* )
+
+ # Patches needed for prefix support
+ eapply "${FILESDIR}"/${PN}-2.7.1-catalog_path.patch
+
+ eprefixify catalog.c xmlcatalog.c runtest.c xmllint.c
+
+ # Fix build for Windows platform
+ # https://bugzilla.gnome.org/show_bug.cgi?id=760456
+ eapply "${FILESDIR}"/${PN}-2.8.0_rc1-winnt.patch
+
+ # Disable programs that we don't actually install.
+ # https://bugzilla.gnome.org/show_bug.cgi?id=760457
+ eapply "${FILESDIR}"/${PN}-2.9.2-disable-tests.patch
+
+ # Fix python detection, bug #567066
+ # https://bugzilla.gnome.org/show_bug.cgi?id=760458
+ eapply "${FILESDIR}"/${PN}-2.9.2-python-ABIFLAG.patch
+
+ # Apply round of security patches wrt bugs
+ # 589816, 597112, 597114, 597116. This will be included
+ # in the next upstream release
+ eapply "${FILESDIR}"/${PN}-2.9.4-CVE-2016-4658.patch
+ eapply "${FILESDIR}"/${PN}-2.9.4-CVE-2016-5131.patch
+ eapply "${FILESDIR}"/${PN}-2.9.4-nullptrderef.patch
+ eapply "${FILESDIR}"/${PN}-2.9.4-nullptrderef2.patch
+
+ # Apply round of security patches wrt bugs:
+ # 599192, 586886, 618604, 622914, 605208, 623206
+ # This will be included in the next upstream release
+ eapply "${FILESDIR}"/${P}-CVE-2017-5969.patch
+ eapply "${FILESDIR}"/${P}-osd-validation.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-9049-9050.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-9047-9048.patch
+ eapply "${FILESDIR}"/${P}-heap-buffer-overflow.patch
+ eapply "${FILESDIR}"/${P}-CVE-2016-9318.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-7375.patch
+
+ # Avoid final linking arguments for python modules
+ if [[ ${CHOST} == *-darwin* ]] ; then
+ sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die
+ fi
+
+ # Please do not remove, as else we get references to PORTAGE_TMPDIR
+ # in /usr/lib/python?.?/site-packages/libxml2mod.la among things.
+ # We now need to run eautoreconf at the end to prevent maintainer mode.
+# elibtoolize
+# epunt_cxx # if we don't eautoreconf
+
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # filter seemingly problematic CFLAGS (#26320)
+ filter-flags -fprefetch-loop-arrays -funroll-loops
+
+ # USE zlib support breaks gnome2
+ # (libgnomeprint for instance fails to compile with
+ # fresh install, and existing) - <azarah@gentoo.org> (22 Dec 2002).
+
+ # The meaning of the 'debug' USE flag does not apply to the --with-debug
+ # switch (enabling the libxml2 debug module). See bug #100898.
+
+ # --with-mem-debug causes unusual segmentation faults (bug #105120).
+
+ libxml2_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --with-html-subdir=${PF}/html \
+ $(use_with debug run-debug) \
+ $(use_with icu) \
+ $(use_with lzma) \
+ $(use_enable ipv6) \
+ $(use_enable static-libs static) \
+ $(multilib_native_use_with readline) \
+ $(multilib_native_use_with readline history) \
+ "$@"
+ }
+
+ libxml2_py_configure() {
+ mkdir -p "${BUILD_DIR}" || die # ensure python build dirs exist
+ run_in_build_dir libxml2_configure "--with-python=${ROOT%/}${PYTHON}" # odd build system, also see bug #582130
+ }
+
+ libxml2_configure --without-python # build python bindings separately
+
+ if multilib_is_native_abi && use python; then
+ python_foreach_impl libxml2_py_configure
+ fi
+}
+
+multilib_src_compile() {
+ default
+ if multilib_is_native_abi && use python; then
+ local native_builddir=${BUILD_DIR}
+ python_foreach_impl libxml2_py_emake top_builddir="${native_builddir}" all
+ fi
+}
+
+multilib_src_test() {
+ default
+ multilib_is_native_abi && use python && python_foreach_impl libxml2_py_emake test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" \
+ EXAMPLES_DIR="${EPREFIX}"/usr/share/doc/${PF}/examples install
+
+ if multilib_is_native_abi && use python; then
+ python_foreach_impl libxml2_py_emake \
+ DESTDIR="${D}" \
+ docsdir="${EPREFIX}"/usr/share/doc/${PF}/python \
+ exampledir="${EPREFIX}"/usr/share/doc/${PF}/python/examples \
+ install
+ python_foreach_impl python_optimize
+ fi
+}
+
+multilib_src_install_all() {
+ # on windows, xmllint is installed by interix libxml2 in parent prefix.
+ # this is the version to use. the native winnt version does not support
+ # symlinks, which makes repoman fail if the portage tree is linked in
+ # from another location (which is my default). -- mduft
+ if [[ ${CHOST} == *-winnt* ]]; then
+ rm -rf "${ED}"/usr/bin/xmllint
+ rm -rf "${ED}"/usr/bin/xmlcatalog
+ fi
+
+ rm -rf "${ED}"/usr/share/doc/${P}
+ einstalldocs
+
+ if ! use examples; then
+ rm -rf "${ED}"/usr/share/doc/${PF}/examples
+ rm -rf "${ED}"/usr/share/doc/${PF}/python/examples
+ fi
+
+ prune_libtool_files --modules
+}
+
+pkg_postinst() {
+ # We don't want to do the xmlcatalog during stage1, as xmlcatalog will not
+ # be in / and stage1 builds to ROOT=/tmp/stage1root. This fixes bug #208887.
+ if [[ "${ROOT}" != "/" ]]; then
+ elog "Skipping XML catalog creation for stage building (bug #208887)."
+ else
+ # need an XML catalog, so no-one writes to a non-existent one
+ CATALOG="${EROOT}etc/xml/catalog"
+
+ # we dont want to clobber an existing catalog though,
+ # only ensure that one is there
+ # <obz@gentoo.org>
+ if [[ ! -e ${CATALOG} ]]; then
+ [[ -d "${EROOT}etc/xml" ]] || mkdir -p "${EROOT}etc/xml"
+ "${EPREFIX}"/usr/bin/xmlcatalog --create > "${CATALOG}"
+ einfo "Created XML catalog in ${CATALOG}"
+ fi
+ fi
+}
+
+libxml2_py_emake() {
+ pushd "${BUILD_DIR}/python" > /dev/null || die
+ emake "$@"
+ popd > /dev/null
+}