diff options
author | drochner <drochner@pkgsrc.org> | 2012-03-09 12:12:27 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2012-03-09 12:12:27 +0000 |
commit | fe72b789870356ae35ce019005f31a96cc04ddbd (patch) | |
tree | c56a5d615d25ad2f69ed232e7323e68d621d1943 /textproc/libxml2 | |
parent | e7ccfa6b405157e248cab4369c15b2c98b34b42e (diff) | |
download | pkgsrc-fe72b789870356ae35ce019005f31a96cc04ddbd.tar.gz |
Add patch from upstream to add hash randomization.
Without that, (untrusted) input can fill hash buckets uneven, causing
high CPU load. (CVE-2012-0841)
To get a patch which is simple enough to get pulled up to the stable
pkgsrc branch, I've not touched "configure" but just assumed that
the POSIX functions rand(), srand() and time() are present.
bump PKGREV
Diffstat (limited to 'textproc/libxml2')
-rw-r--r-- | textproc/libxml2/Makefile | 4 | ||||
-rw-r--r-- | textproc/libxml2/distinfo | 5 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-CVE-2012-0841-aa | 176 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-CVE-2012-0841-ab | 93 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-CVE-2012-0841-ac | 15 |
5 files changed, 290 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile index bf540856825..1c2a2d46b03 100644 --- a/textproc/libxml2/Makefile +++ b/textproc/libxml2/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.113 2012/02/22 11:10:17 drochner Exp $ +# $NetBSD: Makefile,v 1.114 2012/03/09 12:12:27 drochner Exp $ DISTNAME= libxml2-2.7.8 -PKGREVISION= 7 +PKGREVISION= 8 CATEGORIES= textproc MASTER_SITES= ftp://xmlsoft.org/libxml2/ \ http://xmlsoft.org/sources/ diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo index 4ae277638e4..ff118c570f9 100644 --- a/textproc/libxml2/distinfo +++ b/textproc/libxml2/distinfo @@ -1,8 +1,11 @@ -$NetBSD: distinfo,v 1.88 2012/02/22 11:10:17 drochner Exp $ +$NetBSD: distinfo,v 1.89 2012/03/09 12:12:27 drochner Exp $ SHA1 (libxml2-2.7.8.tar.gz) = 859dd535edbb851cc15b64740ee06551a7a17d40 RMD160 (libxml2-2.7.8.tar.gz) = 30709622cfe3e2175e73d6701b7e19a25ab5ac47 Size (libxml2-2.7.8.tar.gz) = 4881808 bytes +SHA1 (patch-CVE-2012-0841-aa) = b5fcb53c69ab808aafbaa81e9a4bef3f69057ff8 +SHA1 (patch-CVE-2012-0841-ab) = 2fd0d1a610bc517c4062f5ba30ec546d153eb5a1 +SHA1 (patch-CVE-2012-0841-ac) = 3ee79a6ecaf498ae0db4f64a10e22cc3e515e1e3 SHA1 (patch-aa) = 965bfc2226828b5161a4541cf73f5b5ef9a7e88e SHA1 (patch-ab) = d8dfd5bd9632d32c7e32e35e4d4735e510fc438f SHA1 (patch-ac) = 264c75cf9fff5319105b971c122cdf5fc103c04e diff --git a/textproc/libxml2/patches/patch-CVE-2012-0841-aa b/textproc/libxml2/patches/patch-CVE-2012-0841-aa new file mode 100644 index 00000000000..ec77331faac --- /dev/null +++ b/textproc/libxml2/patches/patch-CVE-2012-0841-aa @@ -0,0 +1,176 @@ +$NetBSD: patch-CVE-2012-0841-aa,v 1.1 2012/03/09 12:12:28 drochner Exp $ + +patch 8973d58b7498fa5100a876815476b81fd1a2412a + +--- dict.c.orig 2010-10-12 06:25:31.000000000 +0000 ++++ dict.c +@@ -2,7 +2,7 @@ + * dict.c: dictionary of reusable strings, just used to avoid allocation + * and freeing operations. + * +- * Copyright (C) 2003 Daniel Veillard. ++ * Copyright (C) 2003-2012 Daniel Veillard. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -19,6 +19,28 @@ + #define IN_LIBXML + #include "libxml.h" + ++#ifdef HAVE_STDLIB_H ++#include <stdlib.h> ++#endif ++#ifdef HAVE_TIME_H ++#include <time.h> ++#endif ++ ++/* ++ * Following http://www.ocert.org/advisories/ocert-2011-003.html ++ * it seems that having hash randomization might be a good idea ++ * when using XML with untrusted data ++ * Note1: that it works correctly only if compiled with WITH_BIG_KEY ++ * which is the default. ++ * Note2: the fast function used for a small dict won't protect very ++ * well but since the attack is based on growing a very big hash ++ * list we will use the BigKey algo as soon as the hash size grows ++ * over MIN_DICT_SIZE so this actually works ++ */ ++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) ++#define DICT_RANDOMIZATION ++#endif ++ + #include <string.h> + #ifdef HAVE_STDINT_H + #include <stdint.h> +@@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t; + #define WITH_BIG_KEY + + #ifdef WITH_BIG_KEY +-#define xmlDictComputeKey(dict, name, len) \ +- (((dict)->size == MIN_DICT_SIZE) ? \ +- xmlDictComputeFastKey(name, len) : \ +- xmlDictComputeBigKey(name, len)) +- +-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ +- (((prefix) == NULL) ? \ +- (xmlDictComputeKey(dict, name, len)) : \ +- (((dict)->size == MIN_DICT_SIZE) ? \ +- xmlDictComputeFastQKey(prefix, plen, name, len) : \ +- xmlDictComputeBigQKey(prefix, plen, name, len))) ++#define xmlDictComputeKey(dict, name, len) \ ++ (((dict)->size == MIN_DICT_SIZE) ? \ ++ xmlDictComputeFastKey(name, len, (dict)->seed) : \ ++ xmlDictComputeBigKey(name, len, (dict)->seed)) ++ ++#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ ++ (((prefix) == NULL) ? \ ++ (xmlDictComputeKey(dict, name, len)) : \ ++ (((dict)->size == MIN_DICT_SIZE) ? \ ++ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \ ++ xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed))) + + #else /* !WITH_BIG_KEY */ +-#define xmlDictComputeKey(dict, name, len) \ +- xmlDictComputeFastKey(name, len) +-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ +- xmlDictComputeFastQKey(prefix, plen, name, len) ++#define xmlDictComputeKey(dict, name, len) \ ++ xmlDictComputeFastKey(name, len, (dict)->seed) ++#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ ++ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) + #endif /* WITH_BIG_KEY */ + + /* +@@ -98,6 +120,8 @@ struct _xmlDict { + xmlDictStringsPtr strings; + + struct _xmlDict *subdict; ++ /* used for randomization */ ++ int seed; + }; + + /* +@@ -125,6 +149,9 @@ static int xmlInitializeDict(void) { + if ((xmlDictMutex = xmlNewRMutex()) == NULL) + return(0); + ++#ifdef DICT_RANDOMIZATION ++ srand(time(NULL)); ++#endif + xmlDictInitialized = 1; + return(1); + } +@@ -277,13 +304,13 @@ found_pool: + */ + + static uint32_t +-xmlDictComputeBigKey(const xmlChar* data, int namelen) { ++xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) { + uint32_t hash; + int i; + + if (namelen <= 0 || data == NULL) return(0); + +- hash = 0; ++ hash = seed; + + for (i = 0;i < namelen; i++) { + hash += data[i]; +@@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data + */ + static unsigned long + xmlDictComputeBigQKey(const xmlChar *prefix, int plen, +- const xmlChar *name, int len) ++ const xmlChar *name, int len, int seed) + { + uint32_t hash; + int i; + +- hash = 0; ++ hash = seed; + + for (i = 0;i < plen; i++) { + hash += prefix[i]; +@@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *pre + * for low hash table fill. + */ + static unsigned long +-xmlDictComputeFastKey(const xmlChar *name, int namelen) { +- unsigned long value = 0L; ++xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { ++ unsigned long value = seed; + + if (name == NULL) return(0); + value = *name; +@@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *nam + */ + static unsigned long + xmlDictComputeFastQKey(const xmlChar *prefix, int plen, +- const xmlChar *name, int len) ++ const xmlChar *name, int len, int seed) + { +- unsigned long value = 0L; ++ unsigned long value = (unsigned long) seed; + + if (plen == 0) + value += 30 * (unsigned long) ':'; +@@ -460,6 +487,11 @@ xmlDictCreate(void) { + dict->subdict = NULL; + if (dict->dict) { + memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry)); ++#ifdef DICT_RANDOMIZATION ++ dict->seed = rand(); ++#else ++ dict->seed = 0; ++#endif + return(dict); + } + xmlFree(dict); +@@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) { + #ifdef DICT_DEBUG_PATTERNS + fprintf(stderr, "R"); + #endif ++ dict->seed = sub->seed; + dict->subdict = sub; + xmlDictReference(dict->subdict); + } diff --git a/textproc/libxml2/patches/patch-CVE-2012-0841-ab b/textproc/libxml2/patches/patch-CVE-2012-0841-ab new file mode 100644 index 00000000000..548c9242dfc --- /dev/null +++ b/textproc/libxml2/patches/patch-CVE-2012-0841-ab @@ -0,0 +1,93 @@ +$NetBSD: patch-CVE-2012-0841-ab,v 1.1 2012/03/09 12:12:28 drochner Exp $ + +patch 8973d58b7498fa5100a876815476b81fd1a2412a + +--- hash.c.orig 2010-10-12 06:25:32.000000000 +0000 ++++ hash.c +@@ -3,7 +3,7 @@ + * + * Reference: Your favorite introductory book on algorithms + * +- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard. ++ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -21,6 +21,22 @@ + #include "libxml.h" + + #include <string.h> ++#ifdef HAVE_STDLIB_H ++#include <stdlib.h> ++#endif ++#ifdef HAVE_TIME_H ++#include <time.h> ++#endif ++ ++/* ++ * Following http://www.ocert.org/advisories/ocert-2011-003.html ++ * it seems that having hash randomization might be a good idea ++ * when using XML with untrusted data ++ */ ++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) ++#define HASH_RANDOMIZATION ++#endif ++ + #include <libxml/parser.h> + #include <libxml/hash.h> + #include <libxml/xmlmemory.h> +@@ -31,6 +47,10 @@ + + /* #define DEBUG_GROW */ + ++#ifdef HASH_RANDOMIZATION ++static int hash_initialized = 0; ++#endif ++ + /* + * A single entry in the hash table + */ +@@ -53,6 +73,9 @@ struct _xmlHashTable { + int size; + int nbElems; + xmlDictPtr dict; ++#ifdef HASH_RANDOMIZATION ++ int random_seed; ++#endif + }; + + /* +@@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, + unsigned long value = 0L; + char ch; + ++#ifdef HASH_RANDOMIZATION ++ value = table->random_seed; ++#endif + if (name != NULL) { + value += 30 * (*name); + while ((ch = *name++) != 0) { +@@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table + unsigned long value = 0L; + char ch; + ++#ifdef HASH_RANDOMIZATION ++ value = table->random_seed; ++#endif + if (prefix != NULL) + value += 30 * (*prefix); + else +@@ -156,6 +185,13 @@ xmlHashCreate(int size) { + table->table = xmlMalloc(size * sizeof(xmlHashEntry)); + if (table->table) { + memset(table->table, 0, size * sizeof(xmlHashEntry)); ++#ifdef HASH_RANDOMIZATION ++ if (!hash_initialized) { ++ srand(time(NULL)); ++ hash_initialized = 1; ++ } ++ table->random_seed = rand(); ++#endif + return(table); + } + xmlFree(table); diff --git a/textproc/libxml2/patches/patch-CVE-2012-0841-ac b/textproc/libxml2/patches/patch-CVE-2012-0841-ac new file mode 100644 index 00000000000..324dfb0c7d8 --- /dev/null +++ b/textproc/libxml2/patches/patch-CVE-2012-0841-ac @@ -0,0 +1,15 @@ +$NetBSD: patch-CVE-2012-0841-ac,v 1.1 2012/03/09 12:12:28 drochner Exp $ + +avoid to modify "configure", to keep the patch simple + +--- config.h.in.orig 2010-11-04 17:28:15.000000000 +0000 ++++ config.h.in +@@ -309,3 +309,8 @@ + + /* Win32 Std C name mangling work-around */ + #undef vsnprintf ++ ++/* XXX assume that POSIX functions are present */ ++#define HAVE_RAND 1 ++#define HAVE_SRAND 1 ++#define HAVE_TIME 1 |