From e46f5d039c41d63133c70bdb73315013c32f7e2a Mon Sep 17 00:00:00 2001 From: sevan Date: Tue, 27 Dec 2016 02:34:33 +0000 Subject: Patch for CVE-2016-4658 & CVE-2016-5131 Bump rev --- textproc/libxml2/Makefile.common | 4 +- textproc/libxml2/distinfo | 6 +- .../patches/patch-result_XPath_xptr_vidbase | 24 +++++ .../libxml2/patches/patch-test_XPath_xptr_vidbase | 11 +++ textproc/libxml2/patches/patch-xpath.c | 27 ++++++ textproc/libxml2/patches/patch-xpointer.c | 102 +++++++++++++++++++++ 6 files changed, 171 insertions(+), 3 deletions(-) create mode 100644 textproc/libxml2/patches/patch-result_XPath_xptr_vidbase create mode 100644 textproc/libxml2/patches/patch-test_XPath_xptr_vidbase create mode 100644 textproc/libxml2/patches/patch-xpath.c create mode 100644 textproc/libxml2/patches/patch-xpointer.c diff --git a/textproc/libxml2/Makefile.common b/textproc/libxml2/Makefile.common index af287081af7..fc251616e2b 100644 --- a/textproc/libxml2/Makefile.common +++ b/textproc/libxml2/Makefile.common @@ -1,10 +1,10 @@ -# $NetBSD: Makefile.common,v 1.3 2016/11/30 14:46:22 sevan Exp $ +# $NetBSD: Makefile.common,v 1.4 2016/12/27 02:34:33 sevan Exp $ # # used by textproc/libxml2/Makefile # used by textproc/py-libxml2/Makefile DISTNAME= libxml2-2.9.4 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= textproc MASTER_SITES= ftp://xmlsoft.org/libxml2/ \ http://xmlsoft.org/sources/ diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo index 9e85ad43f49..e3861c06363 100644 --- a/textproc/libxml2/distinfo +++ b/textproc/libxml2/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.113 2016/11/30 14:46:22 sevan Exp $ +$NetBSD: distinfo,v 1.114 2016/12/27 02:34:33 sevan Exp $ SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56 
@@ -11,7 +11,11 @@ SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
 SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
+SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
 SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
+SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
 SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
 SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
 SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
+SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
+SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032
diff --git a/textproc/libxml2/patches/patch-result_XPath_xptr_vidbase b/textproc/libxml2/patches/patch-result_XPath_xptr_vidbase
new file mode 100644
index 00000000000..54fa4259464
--- /dev/null
+++ b/textproc/libxml2/patches/patch-result_XPath_xptr_vidbase
@@ -0,0 +1,24 @@
+$NetBSD: patch-result_XPath_xptr_vidbase,v 1.1 2016/12/27 02:34:34 sevan Exp $
+
+CVE-2016-5131
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+
+--- result/XPath/xptr/vidbase.orig 2016-12-27 02:22:25.000000000 +0000
++++ result/XPath/xptr/vidbase
+@@ -17,3 +17,16 @@ Object is a Location Set:
+ To node
+ ELEMENT p
+
++
++========================
++Expression: xpointer(range-to(id('chapter2')))
++Object is a Location Set:
++1 : Object is a range :
++ From node
++ /
++ To node
++ ELEMENT chapter
++ ATTRIBUTE id
++ TEXT
++ content=chapter2
++
diff --git a/textproc/libxml2/patches/patch-test_XPath_xptr_vidbase b/textproc/libxml2/patches/patch-test_XPath_xptr_vidbase
new file mode 100644
index 00000000000..19f060fb828
--- /dev/null
+++ b/textproc/libxml2/patches/patch-test_XPath_xptr_vidbase
@@ -0,0 +1,11 @@
+$NetBSD: patch-test_XPath_xptr_vidbase,v 1.1 2016/12/27 02:34:34 sevan Exp $
+
+CVE-2016-5131
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+
+--- test/XPath/xptr/vidbase.orig 2016-12-27 02:22:06.000000000 +0000
++++ test/XPath/xptr/vidbase
+@@ -1,2 +1,3 @@
+ xpointer(id('chapter1')/p)
+ xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
++xpointer(range-to(id('chapter2')))
diff --git a/textproc/libxml2/patches/patch-xpath.c b/textproc/libxml2/patches/patch-xpath.c
new file mode 100644
index 00000000000..2089e4abf72
--- /dev/null
+++ b/textproc/libxml2/patches/patch-xpath.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-xpath.c,v 1.1 2016/12/27 02:34:34 sevan Exp $
+
+CVE-2016-5131
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+
+--- xpath.c.orig 2016-12-27 02:21:53.000000000 +0000
++++ xpath.c
+@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserConte
+ lc = 1;
+ break;
+ } else if ((NXT(len) == '(')) {
+- /* Note Type or Function */
++ /* Node Type or Function */
+ if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext,
+ "PathExpr: Type search\n");
+ #endif
+ lc = 1;
++#ifdef LIBXML_XPTR_ENABLED
++ } else if (ctxt->xptr &&
++ xmlStrEqual(name, BAD_CAST "range-to")) {
++ lc = 1;
++#endif
+ } else {
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext,
diff --git a/textproc/libxml2/patches/patch-xpointer.c b/textproc/libxml2/patches/patch-xpointer.c
new file mode 100644
index 00000000000..4da030f286e
--- /dev/null
+++ b/textproc/libxml2/patches/patch-xpointer.c
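Review bot: The `range-to` branch added to `xmlXPathCompPathExpr` in patch-xpath.c has no comment explaining why a name followed by `(` is forced down the location-path route with `lc = 1` rather than compiled as a function call. The same commit unregisters `range-to` in xpointer.c and turns `xmlXPtrRangeToFunction` into an error stub, so this branch appears to be the only remaining route for `range-to`. That dependency is worth stating beside it, for example `/* range-to is a location step, not a function; xpointer.c no longer registers it */`. The branch is compiled only under `LIBXML_XPTR_ENABLED` and taken only when `ctxt->xptr` is set, and the new vidbase test exercises only that XPointer case. `xmlXPathCompPathExpr` begins and ends outside the hunk.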
@@ -0,0 +1,102 @@
+$NetBSD: patch-xpointer.c,v 1.4 2016/12/27 02:34:34 sevan Exp $
+
+CVE-2016-4658
+https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
+
+CVE-2016-5131
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+
+--- xpointer.c.orig 2016-12-27 02:19:03.000000000 +0000
++++ xpointer.c
+@@ -1295,8 +1295,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNode
+ ret->here = here;
+ ret->origin = origin;
+
+- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+- xmlXPtrRangeToFunction);
+ xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+ xmlXPtrRangeFunction);
+ xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2206,76 +2204,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParse
+ * @nargs: the number of args
+ *
+ * Implement the range-to() XPointer function
++ *
++ * Obsolete. range-to is not a real function but a special type of location
++ * step which is handled in xpath.c.
+ */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+- xmlXPathObjectPtr range;
+- const xmlChar *cur;
+- xmlXPathObjectPtr res, obj;
+- xmlXPathObjectPtr tmp;
+- xmlLocationSetPtr newset = NULL;
+- xmlNodeSetPtr oldset;
+- int i;
+-
+- if (ctxt == NULL) return;
+- CHECK_ARITY(1);
+- /*
+- * Save the expression pointer since we will have to evaluate
+- * it multiple times. Initialize the new set.
+- */
+- CHECK_TYPE(XPATH_NODESET);
+- obj = valuePop(ctxt);
+- oldset = obj->nodesetval;
+- ctxt->context->node = NULL;
+-
+- cur = ctxt->cur;
+- newset = xmlXPtrLocationSetCreate(NULL);
+-
+- for (i = 0; i < oldset->nodeNr; i++) {
+- ctxt->cur = cur;
+-
+- /*
+- * Run the evaluation with a node list made of a single item
+- * in the nodeset.
+- */
+- ctxt->context->node = oldset->nodeTab[i];
+- tmp = xmlXPathNewNodeSet(ctxt->context->node);
+- valuePush(ctxt, tmp);
+-
+- xmlXPathEvalExpr(ctxt);
+- CHECK_ERROR;
+-
+- /*
+- * The result of the evaluation need to be tested to
+- * decided whether the filter succeeded or not
+- */
+- res = valuePop(ctxt);
+- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+- if (range != NULL) {
+- xmlXPtrLocationSetAdd(newset, range);
+- }
+-
+- /*
+- * Cleanup
+- */
+- if (res != NULL)
+- xmlXPathFreeObject(res);
+- if (ctxt->value == tmp) {
+- res = valuePop(ctxt);
+- xmlXPathFreeObject(res);
+- }
+-
+- ctxt->context->node = NULL;
+- }
+-
+- /*
+- * The result is used as the new evaluation set.
+- */
+- xmlXPathFreeObject(obj);
+- ctxt->context->node = NULL;
+- ctxt->context->contextSize = -1;
+- ctxt->context->proximityPosition = -1;
+- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++ int nargs ATTRIBUTE_UNUSED) {
++ XP_ERROR(XPATH_EXPR_ERROR);
+ }
+
+ /**
-- cgit v1.2.3
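Review bot: The header of patch-xpointer.c cites CVE-2016-4658 and a second upstream commit, but both inner hunks belong to the range-to change, so the CVE-2016-4658 fix looks absent from this patch. One hunk drops the `range-to` registration in `xmlXPtrNewContext` and the other replaces the body of `xmlXPtrRangeToFunction` with `XP_ERROR(XPATH_EXPR_ERROR);`. The outer hunk's 102-line count matches what is shown, so nothing is cut off. As far as I recall, the commit linked for CVE-2016-4658 disallows namespace nodes when XPointer range objects are built, and no visible hunk touches range construction, although the commit subject and the PKGREVISION bump advertise that fix. Either add the hunks from the cited commit and regenerate the distinfo checksum, or remove the CVE-2016-4658 reference so vulnerability tracking does not record this revision as fixed.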