Security fix for CVE-2012-2921,

feedparser DOCTYPE and ENTITY XML Declaration Denial of Service Vulnerability

textproc/py-feedparser/Makefile

@@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.12 2011/09/16 11:41:41 espie Exp $
+# $OpenBSD: Makefile,v 1.13 2012/05/25 12:27:33 jasper Exp $
 
 COMMENT=	RSS and Atom feeds parser written in Python
 
 V=		5.0.1
 DISTNAME=	feedparser-${V}
 PKGNAME=	py-${DISTNAME}
-REVISION=	1
+REVISION=	2
 CATEGORIES=	textproc
 
 HOMEPAGE=	http://www.feedparser.org/

textproc/py-feedparser/patches/patch-feedparser_feedparser_py

@@ -0,0 +1,30 @@
+$OpenBSD: patch-feedparser_feedparser_py,v 1.1 2012/05/25 12:27:33 jasper Exp $
+
+Security fix for CVE-2012-2921,
+feedparser DOCTYPE and ENTITY XML Declaration Denial of Service Vulnerability
+
+Patch from upstream:
+https://code.google.com/p/feedparser/source/detail?r=703&path=/trunk/feedparser/feedparser.py
+
+--- feedparser/feedparser.py.orig	Fri May 25 14:24:41 2012
++++ feedparser/feedparser.py	Fri May 25 14:25:48 2012
+@@ -3703,9 +3703,6 @@ def parse(url_file_stream_or_string, etag=None, modifi
+         result['bozo'] = 1
+         result['bozo_exception'] = NonXMLContentType(bozo_message)
+ 
+-    if data is not None:
+-        result['version'], data, entities = _stripDoctype(data)
+-
+     # ensure that baseuri is an absolute uri using an acceptable URI scheme
+     contentloc = http_headers.get('content-location', http_headers.get('Content-Location', ''))
+     href = result.get('href', '')
+@@ -3790,6 +3787,9 @@ def parse(url_file_stream_or_string, etag=None, modifi
+             'document declared as %s, but parsed as %s' % \
+             (result['encoding'], proposed_encoding))
+         result['encoding'] = proposed_encoding
++
++    if data is not None:
++        result['version'], data, entities = _stripDoctype(data)
+ 
+     if not _XML_AVAILABLE:
+         use_strict_parser = 0