Add fixes for security vulnerabilities reported in CVE-2008-4225 and

CVE-2008-4226 from "libxml2" SVN repository. Bump package revision.
author: tron <tron> 2008-11-24 13:59:16 +0000
committer: tron <tron> 2008-11-24 13:59:16 +0000
commit: 945006ba500f8a5a7e26d3aac2ce4165fb85d5a0 (patch)
tree: 9d44bef84d72483b4004287969fa694520eb96d1 /textproc/libxml2
parent: 11ff77419896160be84787a0a8d58363673bdafe (diff)
download: pkgsrc-945006ba500f8a5a7e26d3aac2ce4165fb85d5a0.tar.gz
5 files changed, 98 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 06ec4e28476..56da207a06d 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.98 2008/10/17 16:06:04 drochner Exp $
+# $NetBSD: Makefile,v 1.99 2008/11/24 13:59:16 tron Exp $
 
 DISTNAME=	libxml2-2.7.2
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://xmlsoft.org/libxml2/ \
 		http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index 0c4fca6a4a0..61d47ff4c57 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.69 2008/10/16 13:31:57 drochner Exp $
+$NetBSD: distinfo,v 1.70 2008/11/24 13:59:16 tron Exp $
 
 SHA1 (libxml2-2.7.2.tar.gz) = 750b2bcd4ee3bf8595baf97e1881f1a57b1ef363
 RMD160 (libxml2-2.7.2.tar.gz) = 2b14531007a705679c7814618dc15baed62bc574
@@ -8,3 +8,6 @@ SHA1 (patch-ab) = a8dc745539528db69bf1ccb8977a69c24fa818e3
 SHA1 (patch-ac) = 264c75cf9fff5319105b971c122cdf5fc103c04e
 SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = b9176919edbf3582cb24aff53f7c4f291e2b78c8
+SHA1 (patch-af) = 7d748c002fc8c7c2a80c28790c2ae719ab05aa5e
+SHA1 (patch-ag) = 91b8fb441d997fc6a0ecf622e96eb3690f2d27fb
+SHA1 (patch-ah) = 33996d6f8e9eeffa8d0b813ffc7721436c46eb21
diff --git a/textproc/libxml2/patches/patch-af b/textproc/libxml2/patches/patch-af
new file mode 100644
index 00000000000..421027e1c44
--- /dev/null
+++ b/textproc/libxml2/patches/patch-af
@@ -0,0 +1,40 @@
+$NetBSD: patch-af,v 1.3 2008/11/24 13:59:16 tron Exp $
+
+--- SAX2.c.orig	2008-08-25 10:02:32.000000000 +0100
++++ SAX2.c	2008-11-24 13:25:21.000000000 +0000
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+ 
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX     ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+ 
+@@ -2455,9 +2461,14 @@
+ 	               (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ 		lastChild->content = xmlStrdup(lastChild->content);
+ 	    }
++	    if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || 
++	        (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++	            xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
++	            return;
++	    }
+ 	    if (ctxt->nodelen + len >= ctxt->nodemem) {
+ 		xmlChar *newbuf;
+-		int size;
++		size_t size;
+ 
+ 		size = ctxt->nodemem + len;
+ 		size *= 2;
diff --git a/textproc/libxml2/patches/patch-ag b/textproc/libxml2/patches/patch-ag
new file mode 100644
index 00000000000..ef643ddff18
--- /dev/null
+++ b/textproc/libxml2/patches/patch-ag
@@ -0,0 +1,24 @@
+$NetBSD: patch-ag,v 1.5 2008/11/24 13:59:16 tron Exp $
+
+--- parser.c.orig	2008-10-03 08:40:37.000000000 +0100
++++ parser.c	2008-11-24 13:26:17.000000000 +0000
+@@ -4142,6 +4142,9 @@
+                     line = ctxt->input->line;
+                     col = ctxt->input->col;
+ 		}
++                /* something really bad happened in the SAX callback */
++                if (ctxt->instate != XML_PARSER_CONTENT)
++                    return;
+ 	    }
+ 	    ctxt->input->cur = in;
+ 	    if (*in == 0xD) {
+@@ -4222,6 +4225,9 @@
+ 		}
+ 	    }
+ 	    nbchar = 0;
++            /* something really bad happened in the SAX callback */
++            if (ctxt->instate != XML_PARSER_CONTENT)
++                return;
+ 	}
+ 	count++;
+ 	if (count > 50) {
diff --git a/textproc/libxml2/patches/patch-ah b/textproc/libxml2/patches/patch-ah
new file mode 100644
index 00000000000..9a6c74b3c69
--- /dev/null
+++ b/textproc/libxml2/patches/patch-ah
@@ -0,0 +1,28 @@
+$NetBSD: patch-ah,v 1.3 2008/11/24 13:59:16 tron Exp $
+
+--- tree.c.orig	2008-09-01 08:17:20.000000000 +0100
++++ tree.c	2008-11-24 13:27:08.000000000 +0000
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+ 
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6996,7 +6996,13 @@
+ 	case XML_BUFFER_ALLOC_DOUBLEIT:
+ 	    /*take care of empty case*/
+ 	    newSize = (buf->size ? buf->size*2 : size + 10);
+-	    while (size > newSize) newSize *= 2;
++	    while (size > newSize) {
++	        if (newSize > UINT_MAX / 2) {
++	            xmlTreeErrMemory("growing buffer");
++	            return 0;
++	        }
++	        newSize *= 2;
++	    }
+ 	    break;
+ 	case XML_BUFFER_ALLOC_EXACT:
+ 	    newSize = size+10;
author	tron <tron>	2008-11-24 13:59:16 +0000
committer	tron <tron>	2008-11-24 13:59:16 +0000
commit	945006ba500f8a5a7e26d3aac2ce4165fb85d5a0 (patch)
tree	9d44bef84d72483b4004287969fa694520eb96d1 /textproc/libxml2
parent	11ff77419896160be84787a0a8d58363673bdafe (diff)
download	pkgsrc-945006ba500f8a5a7e26d3aac2ce4165fb85d5a0.tar.gz