author | tez <tez@pkgsrc.org> | 2013-03-08 23:59:31 +0000 |
---|---|---|
committer | tez <tez@pkgsrc.org> | 2013-03-08 23:59:31 +0000 |
commit | 54288a165ba6ec6b0e70b1f211d80298da530cec (patch) | |
tree | a4a48ae8a66bf7601cf87fd064519857da2cd226 | |
parent | 2c34fab3152fecd28e54d8909bf51ac149cb1cc9 (diff) | |
download | pkgsrc-54288a165ba6ec6b0e70b1f211d80298da530cec.tar.gz |
Fix for CVE-2013-0338 & CVE-2013-0339
from https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
bump PKGREVISION
-rw-r--r-- | textproc/libxml2/Makefile | 4 | ||||
-rw-r--r-- | textproc/libxml2/distinfo | 3 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339 | 151 |
3 files changed, 155 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 2fa24a11816..bc38270350e 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.122 2012/12/15 12:39:24 drochner Exp $
+# $NetBSD: Makefile,v 1.123 2013/03/08 23:59:31 tez Exp $
 
 DISTNAME= libxml2-2.9.0
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
 http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index fe4c2de9bf5..eeacb3976be 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.97 2013/01/15 15:31:57 joerg Exp $
+$NetBSD: distinfo,v 1.98 2013/03/08 23:59:31 tez Exp $
 
 SHA1 (libxml2-2.9.0.tar.gz) = a43d7c0a8e463ac5a7846254f2a732a9af146fab
 RMD160 (libxml2-2.9.0.tar.gz) = d025639320bb34adbc45a43f46354190f6bbb7b5
 Size (libxml2-2.9.0.tar.gz) = 5161069 bytes
 SHA1 (patch-CVE-2012-5134) = 22caaed2b03334d42253b2b1c5a43473e6c8b4dc
+SHA1 (patch-CVE-2013-0338-CVE-2013-0339) = d9eb3fe147dff5afd6920d818e5f982505e0663f
 SHA1 (patch-aa) = 6fcfb2e1ac374a7a047ee188a61ef218106ee54a
 SHA1 (patch-ab) = 8a7a5ae0c9d129826485c74f29cf4de3199212e7
 SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5
diff --git a/textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339 b/textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339
new file mode 100644
index 00000000000..83aaef4ade9
--- /dev/null
+++ b/textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339
@@ -0,0 +1,151 @@
+$NetBSD: patch-CVE-2013-0338-CVE-2013-0339,v 1.1 2013/03/08 23:59:31 tez Exp $
+
+Fix for CVE-2013-0338 & CVE-2013-0339
+
+From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 19 Feb 2013 02:21:49 +0000
+Subject: Detect excessive entities expansion upon replacement
+
+If entities expansion in the XML parser is asked for,
+it is possble to craft relatively small input document leading
+to excessive on-the-fly content generation.
+This patch accounts for those replacement and stop parsing
+after a given threshold. it can be bypassed as usual with the
+HUGE parser option.
+
+
+--- include/libxml/parser.h
++++ include/libxml/parser.h
+@@ -310,6 +310,7 @@ struct _xmlParserCtxt {
+ xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */
+ 
+ int input_id; /* we need to label inputs */
++ unsigned long sizeentcopy; /* volume of entity copy */
+ };
+ 
+ /**
+
+
+--- parser.c
++++ parser.c
+@@ -122,7 +122,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ */
+ static int
+ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+- xmlEntityPtr ent)
++ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
+ 
+@@ -130,7 +130,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ return (0);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ return (1);
+- if (size != 0) {
++ if (replacement != 0) {
++ if (replacement < XML_MAX_TEXT_LENGTH)
++ return(0);
++
++ /*
++ * If the volume of entity copy reaches 10 times the
++ * amount of parsed data and over the large text threshold
++ * then that's very likely to be an abuse.
++ */
++ if (ctxt->input != NULL) {
++ consumed = ctxt->input->consumed +
++ (ctxt->input->cur - ctxt->input->base);
++ }
++ consumed += ctxt->sizeentities;
++
++ if (replacement < XML_PARSER_NON_LINEAR * consumed)
++ return(0);
++ } else if (size != 0) {
+ /*
+ * Do the check based on the replacement size of the entity
+ */
+@@ -176,7 +193,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ */
+ return (0);
+ }
+-
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return (1);
+ }
+@@ -2743,7 +2759,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ while (*current != 0) { /* non input consuming loop */
+ buffer[nbchars++] = *current++;
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+- if (xmlParserEntityCheck(ctxt, nbchars, ent))
++ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ goto int_error;
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+@@ -2785,7 +2801,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ while (*current != 0) { /* non input consuming loop */
+ buffer[nbchars++] = *current++;
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+- if (xmlParserEntityCheck(ctxt, nbchars, ent))
++ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ goto int_error;
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+@@ -7203,7 +7219,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ xmlFreeNodeList(list);
+ return;
+ }
+- if (xmlParserEntityCheck(ctxt, 0, ent)) {
++ if (xmlParserEntityCheck(ctxt, 0, ent, 0)) {
+ xmlFreeNodeList(list);
+ return;
+ }
+@@ -7361,6 +7377,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ xmlNodePtr nw = NULL, cur, firstChild = NULL;
+ 
+ /*
++ * We are copying here, make sure there is no abuse
++ */
++ ctxt->sizeentcopy += ent->length;
++ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++ return;
++
++ /*
+ * when operating on a reader, the entities definitions
+ * are always owning the entities subtree.
+ if (ctxt->parseMode == XML_PARSE_READER)
+@@ -7400,6 +7423,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ } else if ((list == NULL) || (ctxt->inputNr > 0)) {
+ xmlNodePtr nw = NULL, cur, next, last,
+ firstChild = NULL;
++
++ /*
++ * We are copying here, make sure there is no abuse
++ */
++ ctxt->sizeentcopy += ent->length;
++ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++ return;
++
+ /*
+ * Copy the entity child list and make it the new
+ * entity child list. The goal is to make sure any
+@@ -14767,6 +14798,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+ ctxt->catalogs = NULL;
+ ctxt->nbentities = 0;
+ ctxt->sizeentities = 0;
++ ctxt->sizeentcopy = 0;
+ xmlInitNodeInfoSeq(&ctxt->node_seq);
+ 
+ if (ctxt->attsDefault != NULL) {
+
+
+--- parserInternals.c
++++ parserInternals.c
+@@ -1719,6 +1719,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+ ctxt->charset = XML_CHAR_ENCODING_UTF8;
+ ctxt->catalogs = NULL;
+ ctxt->nbentities = 0;
++ ctxt->sizeentities = 0;
++ ctxt->sizeentcopy = 0;
+ ctxt->input_id = 1;
+ xmlInitNodeInfoSeq(&ctxt->node_seq);
+ return(0);
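Review bot: In both xmlParseReference hunks (`@@ -7361` and `@@ -7400`) the copy budget is charged with `ctxt->sizeentcopy += ent->length;`, which looks like the entity's own content length rather than the size of the child list that is actually being copied, so a reference whose subtree was itself built from nested entity references is charged far less than it costs; please confirm that `ent->length` reflects the expanded size, or account for the copied node list instead. The new branch in xmlParserEntityCheck only trips once `replacement` reaches XML_MAX_TEXT_LENGTH and exceeds `XML_PARSER_NON_LINEAR * consumed`, and `consumed` includes `ctxt->sizeentities`, so large entity definitions raise their own ceiling; that is upstream's design, but it deserves a sentence in the patch header so the next person bumping this package knows the check is a heuristic rather than a hard bound. Separately, the trailing context of the `@@ -7361,6 +7377,13 @@` hunk ends with `* are always owning the entities subtree.` followed directly by `if (ctxt->parseMode == XML_PARSE_READER)` with no closing `*/`, and the 6/13 line counts agree with that; unless the rendering dropped a line, this hunk applies only with fuzz and should be regenerated against the 2.9.0 source. Both xmlParseReference hunks sit inside a function whose body starts and ends outside the patch.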