author | tez <tez@pkgsrc.org> | 2017-06-21 00:23:23 +0000 |
committer | tez <tez@pkgsrc.org> | 2017-06-21 00:23:23 +0000 |
commit | e30c7c081c35c9807ba3d85e1bfc86a90587bf50 (patch) | |
tree | 36bf1c8c52b99ecf2581a5a1ebfa6215ea29af87 /textproc/libxml2 | |
parent | d242fdbe8c7cf7efbda91a6d4bda7cbc652ab073 (diff) | |
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Percent sign in DTD Names
=========================
This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.
xmlParseNameComplex with XML_PARSE_OLD10
========================================
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel Böhme and Thuan Pham for the report.
Additional hardening
====================
A separate check was added in xmlParseNameComplex to validate the
buffer size.
From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
Diffstat (limited to 'textproc/libxml2')
-rw-r--r-- | textproc/libxml2/Makefile | 4 | ||||
-rw-r--r-- | textproc/libxml2/distinfo | 5 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-parser.c | 69 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-valid.c | 53 |
4 files changed, 124 insertions, 7 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index e0a7b47d0d0..75d1a58eba8 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.144 2017/06/11 04:40:53 maya Exp $
+# $NetBSD: Makefile,v 1.145 2017/06/21 00:23:23 tez Exp $
 .include "../../textproc/libxml2/Makefile.common"
-PKGREVISION= 3
+PKGREVISION= 4
 COMMENT= XML parser library from the GNOME project
 LICENSE= modified-bsd
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index 5fcd2e272f9..1f8a9d5fcd1 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.115 2017/06/11 04:40:53 maya Exp $
+$NetBSD: distinfo,v 1.116 2017/06/21 00:23:23 tez Exp $
 SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
 RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
@@ -11,12 +11,13 @@ SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
 SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
+SHA1 (patch-parser.c) = 23e39127bf65e721dd76d80b389c1ccacf8e5746
 SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
 SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
 SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
 SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
 SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
-SHA1 (patch-valid.c) = e6ff3a9aed6b985fcc69d214efa953a90a055d6b
+SHA1 (patch-valid.c) = 9eda3633b3ea5269e0ef33fa0508de18e7a76def
 SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
 SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
 SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c
new file mode 100644
index 00000000000..88b70f85411
--- /dev/null
+++ b/textproc/libxml2/patches/patch-parser.c
@@ -0,0 +1,69 @@
+$NetBSD: patch-parser.c,v 1.3 2017/06/21 00:23:24 tez Exp $
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+
+--- parser.c.orig
++++ parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
diff --git a/textproc/libxml2/patches/patch-valid.c b/textproc/libxml2/patches/patch-valid.c
index d7a04e4778a..0096999861b 100644
--- a/textproc/libxml2/patches/patch-valid.c
+++ b/textproc/libxml2/patches/patch-valid.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-valid.c,v 1.1 2017/06/11 04:40:53 maya Exp $
+$NetBSD: patch-valid.c,v 1.2 2017/06/21 00:23:24 tez Exp $
 Upstream commit by Daniel Veillard
@@ -7,9 +7,15 @@ Can only be triggered in recovery mode.
 Fixes bug 758422 (CVE-2017-5969).
---- valid.c.orig 2016-05-23 07:25:25.000000000 +0000
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+
+--- valid.c.orig 2017-06-21 00:07:08.204619100 +0000
 +++ valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
 xmlBufferWriteCHAR(buf, content->name);
 break;
 case XML_ELEMENT_CONTENT_SEQ:
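Review bot: The new guard `if (ctxt->input->cur - ctxt->input->base < len)` is sufficient for the plain `cur - len` lookup, but the CR/LF branch two lines below passes `cur - (len + 1)`, which only stays inside the buffer when `cur - base >= len + 1`; that presumably holds because `cur[-1]` is `'\r'` and therefore not one of the `len` name bytes, but the code does not say so. A one-line comment on that branch, `/* cur[-1] is '\r', not a name byte, so cur - (len + 1) >= base */`, would make the guard's sufficiency explicit, or the guard could be tightened to `len + 1` when the preceding byte is `'\r'`. The explanatory comment inside the guard also has a typo, `lead to to a change`. The body of xmlParseNameComplex begins before this hunk, and the first hunk edits the NEXTL macro, which is shared by every user of NEXTL rather than this function alone.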
@@ -53,3 +59,44 @@ Fixes bug 758422 (CVE-2017-5969).
 xmlDumpElementContent(buf, content->c2, 1);
 else
 xmlDumpElementContent(buf, content->c2, 0);
+@@ -1262,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) { |
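Review bot: The added guard in the second inner hunk, `if (size - strlen(buf) <= 2) return;`, subtracts the `size_t` result of `strlen` from the `int` parameter `size` shown in the hunk header, so the arithmetic is performed unsigned; should `strlen(buf)` ever exceed `size`, the difference wraps to a large value and the guard passes instead of returning, which is the opposite of the intended truncation. Doing the comparison in one type avoids that: `size_t used = strlen(buf); if (used + 2 >= (size_t) size) return;` (equivalent when `used <= size`). `-Wsign-conversion` would flag the original form. The hunk does not show whether the `len` local used by the earlier `size - len < qnameLen + 10` check is still current at this point, so I have not assumed it can be reused, and the rest of xmlSnprintfElementContent lies outside the hunk.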