From 8821820fc7530ee2e1708193f296dad9e48654ce Mon Sep 17 00:00:00 2001 From: spz Date: Fri, 24 Apr 2015 11:32:29 +0000 Subject: patch for CVE-2015-1819 Enforce the reader to run in constant memory from https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 +general patch refresh --- textproc/libxml2/Makefile | 4 +- textproc/libxml2/distinfo | 21 ++--- textproc/libxml2/patches/patch-aa | 6 +- textproc/libxml2/patches/patch-ab | 18 ++--- textproc/libxml2/patches/patch-ac | 4 +- textproc/libxml2/patches/patch-ad | 4 +- textproc/libxml2/patches/patch-ae | 6 +- textproc/libxml2/patches/patch-ag | 4 +- textproc/libxml2/patches/patch-aj | 4 +- textproc/libxml2/patches/patch-buf.c | 94 ++++++++++++++++++++++ .../libxml2/patches/patch-include_libxml_tree.h | 18 +++++ textproc/libxml2/patches/patch-threads.c | 4 +- textproc/libxml2/patches/patch-xmlreader.c | 59 ++++++++++++++ 13 files changed, 210 insertions(+), 36 deletions(-) create mode 100644 textproc/libxml2/patches/patch-buf.c create mode 100644 textproc/libxml2/patches/patch-include_libxml_tree.h create mode 100644 textproc/libxml2/patches/patch-xmlreader.c (limited to 'textproc/libxml2') diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile index bf0ec12b3e6..cf738dd7b97 100644 --- a/textproc/libxml2/Makefile +++ b/textproc/libxml2/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.136 2015/03/22 05:53:12 tnn Exp $ +# $NetBSD: Makefile,v 1.137 2015/04/24 11:32:29 spz Exp $ DISTNAME= libxml2-2.9.2 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= textproc MASTER_SITES= ftp://xmlsoft.org/libxml2/ \ http://xmlsoft.org/sources/ diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo index dbfa9851ca7..6c166d1787f 100644 --- a/textproc/libxml2/distinfo +++ b/textproc/libxml2/distinfo 
@@ -1,14 +1,17 @@ -$NetBSD: distinfo,v 1.105 2014/10/28 18:55:56 drochner Exp $ +$NetBSD: distinfo,v 1.106 2015/04/24 11:32:29 spz Exp $ SHA1 (libxml2-2.9.2.tar.gz) = f46a37ea6d869f702e03f393c376760f3cbee673 RMD160 (libxml2-2.9.2.tar.gz) = 969b4ed8782f455fd4a6ca1c1b4ffa7651090070 Size (libxml2-2.9.2.tar.gz) = 5444991 bytes -SHA1 (patch-aa) = 589a279df1a5fac8b1b2dbd0018a1bbf0c5ab169 -SHA1 (patch-ab) = 11567fe9a3fde42f3901fd4ab4620bf845fe634b -SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5 -SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177 -SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819 -SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572 -SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7 +SHA1 (patch-aa) = 7d1213079cc78c9a28476c49f1283ab1c6af3b34 +SHA1 (patch-ab) = bf8983fcde35edf0e450209bf07f0fa628f7bd9e +SHA1 (patch-ac) = 015a5903a86793bd770f16f251b94e5b2562b3f7 +SHA1 (patch-ad) = fe255e93f9aefd5403d646cd45d9fbdcbd100bd6 +SHA1 (patch-ae) = d479d5a0c8b906de3cbe1c30b100c6f8b1bb9c43 +SHA1 (patch-ag) = f037f13ccc4047d4bf824a2091e60ac89b172558 +SHA1 (patch-aj) = aab00bf2ba0168fa8f6070db985531c676b5c34d SHA1 (patch-ba) = 78097bb871cc614c8d95a53d825542d23e113192 -SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a +SHA1 (patch-buf.c) = 087a768a39441189b226cda500475014462ff8fd +SHA1 (patch-include_libxml_tree.h) = 9978e6a3ea2408a9aaf68fe1663df5f7dce12eee +SHA1 (patch-threads.c) = 425796881df8520356abbfff001f0e6191d9f186 +SHA1 (patch-xmlreader.c) = cb8710e4c0261a98a68e3e69388d3a4341629f22 diff --git a/textproc/libxml2/patches/patch-aa b/textproc/libxml2/patches/patch-aa index 822c133b332..871e2af38be 100644 --- a/textproc/libxml2/patches/patch-aa +++ b/textproc/libxml2/patches/patch-aa 
@@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.27 2013/05/26 09:22:14 adam Exp $ +$NetBSD: patch-aa,v 1.28 2015/04/24 11:32:29 spz Exp $ ---- Makefile.in.orig 2010-11-04 17:28:16.000000000 +0000 +--- Makefile.in.orig 2014-10-16 07:35:13.000000000 +0000 +++ Makefile.in -@@ -765,7 +765,7 @@ pkgconfig_DATA = libxml-2.0.pc +@@ -835,7 +835,7 @@ cmake_DATA = libxml2-config.cmake # BASE_DIR = $(datadir)/doc DOC_MODULE = libxml2-$(VERSION) diff --git a/textproc/libxml2/patches/patch-ab b/textproc/libxml2/patches/patch-ab index 19be1f61529..6f5ca6c3d4f 100644 --- a/textproc/libxml2/patches/patch-ab +++ b/textproc/libxml2/patches/patch-ab @@ -1,8 +1,8 @@ -$NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ +$NetBSD: patch-ab,v 1.28 2015/04/24 11:32:29 spz Exp $ ---- configure.orig 2013-04-19 07:36:11.000000000 +0000 +--- configure.orig 2014-10-16 07:35:12.000000000 +0000 +++ configure -@@ -13948,7 +13948,7 @@ fi +@@ -14349,7 +14349,7 @@ fi fi @@ -11,7 +11,7 @@ $NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ XML_INCLUDEDIR='-I${includedir}/libxml2' XML_CFLAGS="" -@@ -14417,13 +14417,13 @@ else +@@ -14822,13 +14822,13 @@ else if test "$with_threads" = "pthread" || test "$with_threads" = "" || test "$with_threads" = "yes" ; then ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" if test "x$ac_cv_header_pthread_h" = xyes; then : @@ -28,7 +28,7 @@ $NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -@@ -14455,7 +14455,7 @@ fi +@@ -14860,7 +14860,7 @@ fi $as_echo "$ac_cv_lib_pthread_pthread_join" >&6; } if test "x$ac_cv_lib_pthread_pthread_join" = xyes; then : @@ -37,7 +37,7 @@ $NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ $as_echo "#define HAVE_LIBPTHREAD /**/" >>confdefs.h -@@ -14477,12 +14477,12 @@ fi +@@ -14882,12 +14882,12 @@ fi *beos*) WITH_THREADS="1" THREAD_CFLAGS="$THREAD_CFLAGS -DHAVE_BEOS_THREADS" ;; 
@@ -52,7 +52,7 @@ $NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ if expr ${GCC_MEDIUM} \> 2 \& ${GCC_MAJOR} = 3 > /dev/null then THREAD_LIBS="" -@@ -14499,6 +14499,10 @@ fi +@@ -14904,6 +14904,10 @@ fi fi fi ;; @@ -63,7 +63,7 @@ $NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ esac if test "$WITH_THREADS" = "1" ; then THREAD_CFLAGS="$THREAD_CFLAGS -D_REENTRANT" -@@ -14769,7 +14773,7 @@ else +@@ -15174,7 +15178,7 @@ else TEST_SAX=SAXtests fi @@ -72,7 +72,7 @@ $NetBSD: patch-ab,v 1.27 2013/05/26 09:22:14 adam Exp $ WITH_SAX1_SOURCES_TRUE= WITH_SAX1_SOURCES_FALSE='#' else -@@ -15191,10 +15195,6 @@ case "$host" in +@@ -15605,10 +15609,6 @@ case "$host" in $as_echo "#define _WINSOCKAPI_ 1" >>confdefs.h diff --git a/textproc/libxml2/patches/patch-ac b/textproc/libxml2/patches/patch-ac index 954d464257b..0af00c13f5f 100644 --- a/textproc/libxml2/patches/patch-ac +++ b/textproc/libxml2/patches/patch-ac @@ -1,6 +1,6 @@ -$NetBSD: patch-ac,v 1.7 2012/09/15 10:23:38 adam Exp $ +$NetBSD: patch-ac,v 1.8 2015/04/24 11:32:29 spz Exp $ ---- catalog.c.orig 2005-04-01 15:15:01.000000000 +0200 +--- catalog.c.orig 2014-10-03 11:28:05.000000000 +0000 +++ catalog.c @@ -70,10 +70,10 @@ #define XML_URN_PUBID "urn:publicid:" diff --git a/textproc/libxml2/patches/patch-ad b/textproc/libxml2/patches/patch-ad index 9dd6ca29a42..ad1ca8f88b7 100644 --- a/textproc/libxml2/patches/patch-ad +++ b/textproc/libxml2/patches/patch-ad @@ -1,6 +1,6 @@ -$NetBSD: patch-ad,v 1.17 2005/07/12 21:15:21 recht Exp $ +$NetBSD: patch-ad,v 1.18 2015/04/24 11:32:29 spz Exp $ ---- xmlcatalog.c.orig 2005-01-04 15:49:48.000000000 +0100 +--- xmlcatalog.c.orig 2014-10-03 11:28:06.000000000 +0000 +++ xmlcatalog.c @@ -43,7 +43,7 @@ static char *filename = NULL; diff --git a/textproc/libxml2/patches/patch-ae b/textproc/libxml2/patches/patch-ae index a6563afeefa..c9141e779c7 100644 --- a/textproc/libxml2/patches/patch-ae +++ b/textproc/libxml2/patches/patch-ae 
@@ -1,8 +1,8 @@ -$NetBSD: patch-ae,v 1.13 2013/05/26 09:22:14 adam Exp $ +$NetBSD: patch-ae,v 1.14 2015/04/24 11:32:29 spz Exp $ ---- doc/examples/Makefile.in.orig 2012-09-11 06:55:36.000000000 +0000 +--- doc/examples/Makefile.in.orig 2014-10-16 07:35:13.000000000 +0000 +++ doc/examples/Makefile.in -@@ -844,7 +844,7 @@ uninstall-am: +@@ -916,7 +916,7 @@ uninstall-am: install-data-local: $(MKDIR_P) $(DESTDIR)$(HTML_DIR) diff --git a/textproc/libxml2/patches/patch-ag b/textproc/libxml2/patches/patch-ag index 7a8e24a979b..d64050c8437 100644 --- a/textproc/libxml2/patches/patch-ag +++ b/textproc/libxml2/patches/patch-ag @@ -1,6 +1,6 @@ -$NetBSD: patch-ag,v 1.11 2012/09/15 10:23:38 adam Exp $ +$NetBSD: patch-ag,v 1.12 2015/04/24 11:32:29 spz Exp $ ---- encoding.c.orig 2009-09-24 17:31:59.000000000 +0200 +--- encoding.c.orig 2014-10-03 11:53:06.000000000 +0000 +++ encoding.c @@ -1433,6 +1433,9 @@ xmlInitCharEncodingHandlers(void) { xmlRegisterCharEncodingHandlersISO8859x (); diff --git a/textproc/libxml2/patches/patch-aj b/textproc/libxml2/patches/patch-aj index 5dfa9ea7e96..d3bac6f99ad 100644 --- a/textproc/libxml2/patches/patch-aj +++ b/textproc/libxml2/patches/patch-aj @@ -1,9 +1,9 @@ -$NetBSD: patch-aj,v 1.3 2012/09/15 10:23:38 adam Exp $ +$NetBSD: patch-aj,v 1.4 2015/04/24 11:32:29 spz Exp $ Inlucde resolv.h conditionally: https://bugzilla.gnome.org/show_bug.cgi?id=617053 ---- nanohttp.c.orig 2012-09-11 04:23:25.000000000 +0000 +--- nanohttp.c.orig 2014-10-03 11:28:05.000000000 +0000 +++ nanohttp.c @@ -43,8 +43,10 @@ #ifdef HAVE_ARPA_NAMESER_H diff --git a/textproc/libxml2/patches/patch-buf.c b/textproc/libxml2/patches/patch-buf.c new file mode 100644 index 00000000000..3f7cf8fb2bd --- /dev/null +++ b/textproc/libxml2/patches/patch-buf.c 
@@ -0,0 +1,94 @@
+$NetBSD: patch-buf.c,v 1.1 2015/04/24 11:32:29 spz Exp $
+
+patch for CVE-2015-1819 Enforce the reader to run in constant memory
+from https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9
+part 1
+
+--- buf.c.orig 2014-10-13 08:01:31.000000000 +0000
++++ buf.c
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+ if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+ (scheme == XML_BUFFER_ALLOC_EXACT) ||
+ (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ buf->alloc = scheme;
+ if (buf->buffer)
+ buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t
+ size = buf->use + len + 100;
+ #endif
+
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++ (buf->size >= XML_MAX_TEXT_LENGTH)) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ if (size >= XML_MAX_TEXT_LENGTH)
++ size = XML_MAX_TEXT_LENGTH;
++ }
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+
+@@ -738,7 +752,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ return(0);
+ CHECK_COMPAT(buf)
+
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (size >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ }
+
+ /* Don't resize if we don't have to */
+ if (size < buf->size)
+@@ -867,6 +889,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *
+
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -938,6 +969,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlCh
+ }
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
diff --git a/textproc/libxml2/patches/patch-include_libxml_tree.h b/textproc/libxml2/patches/patch-include_libxml_tree.h
new file mode 100644
index 00000000000..4ca5b0261ca
--- /dev/null
+++ b/textproc/libxml2/patches/patch-include_libxml_tree.h
@@ -0,0 +1,18 @@
+$NetBSD: patch-include_libxml_tree.h,v 1.1 2015/04/24 11:32:29 spz Exp $
+
+patch for CVE-2015-1819 Enforce the reader to run in constant memory
+from https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9
+part 2
+
+--- include/libxml/tree.h.orig 2014-10-13 08:20:09.000000000 +0000
++++ include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
+ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+ XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
+- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+
+ /**
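Review bot: In patch-buf.c, the xmlBufResize hunk (`@@ -738,7 +752,15 @@`) removes `if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);` instead of adding the bounded check beside it, so as shown a resize on an immutable buffer no longer returns early at this point. If that removal is not intended by the upstream commit this patch is taken from, keep the guard and put the new `XML_BUFFER_ALLOC_BOUNDED` block directly after it. The rest of xmlBufResize is outside the hunk, so whether a later check still protects immutable content cannot be confirmed from here. Separately, the new limit checks in xmlBufAdd and xmlBufAddHead return `-1` while the resize failure right below them returns `XML_ERR_NO_MEMORY`; a one-line comment on which value callers should expect for an over-limit buffer would remove the ambiguity.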
diff --git a/textproc/libxml2/patches/patch-threads.c b/textproc/libxml2/patches/patch-threads.c index 16c2ed343fc..6a19f102fd2 100644 --- a/textproc/libxml2/patches/patch-threads.c +++ b/textproc/libxml2/patches/patch-threads.c @@ -1,10 +1,10 @@ -$NetBSD: patch-threads.c,v 1.4 2013/05/26 09:22:14 adam Exp $ +$NetBSD: patch-threads.c,v 1.5 2015/04/24 11:32:29 spz Exp $ * Treat OpenBSD and MirBSD same as Linux to avoid linking with libpthread * NetBSD<4.99.36 and FreeBSD<7.0 lack pthread_equal() stub function in libc * pthread_once_t cast needed to avoid compilation error ---- threads.c.orig 2010-10-15 17:28:30.000000000 +0000 +--- threads.c.orig 2014-10-13 07:02:28.000000000 +0000 +++ threads.c @@ -42,13 +42,17 @@ #include diff --git a/textproc/libxml2/patches/patch-xmlreader.c b/textproc/libxml2/patches/patch-xmlreader.c new file mode 100644 index 00000000000..6ff602006aa --- /dev/null +++ b/textproc/libxml2/patches/patch-xmlreader.c 
@@ -0,0 +1,59 @@
+$NetBSD: patch-xmlreader.c,v 1.1 2015/04/24 11:32:29 spz Exp $
+
+patch for CVE-2015-1819 Enforce the reader to run in constant memory
+from https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9
+part 3
+
+--- xmlreader.c.orig 2014-10-06 12:05:09.000000000 +0000
++++ xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr
+ "xmlNewTextReader : malloc failed\n");
+ return(NULL);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(ret->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (ret->sax == NULL) {
+ xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr
+ return(((xmlNsPtr) node)->href);
+ case XML_ATTRIBUTE_NODE:{
+ xmlAttrPtr attr = (xmlAttrPtr) node;
++ const xmlChar *ret;
+
+ if ((attr->children != NULL) &&
+ (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr
+ "xmlTextReaderSetup : malloc failed\n");
+ return (NULL);
+ }
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ } else
+ xmlBufEmpty(reader->buffer);
+ xmlBufGetNodeContent(reader->buffer, node);
+- return(xmlBufContent(reader->buffer));
++ ret = xmlBufContent(reader->buffer);
++ if (ret == NULL) {
++ /* error on the buffer best to reallocate */
++ xmlBufFree(reader->buffer);
++ reader->buffer = xmlBufCreateSize(100);
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
++ ret = BAD_CAST "";
++ }
++ return(ret);
+ }
+ break;
+ }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr read
+ "xmlTextReaderSetup : malloc failed\n");
+ return (-1);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ if (reader->sax == NULL)
+ reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (reader->sax == NULL) {
-- cgit v1.2.3
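Review bot: In the xmlTextReaderConstValue hunk (`@@ -3629,10 +3633,21 @@`), the recovery path assigns `reader->buffer = xmlBufCreateSize(100);` and passes the result straight to xmlBufSetAllocationScheme without a NULL check, whereas the allocation in the context lines just above appears to return NULL on failure. Guarding it, e.g. `if (reader->buffer != NULL) xmlBufSetAllocationScheme(reader->buffer, XML_BUFFER_ALLOC_BOUNDED);`, avoids relying on the callee tolerating NULL. The same path returns `BAD_CAST ""`, so a caller cannot tell an attribute whose value exceeded the bound from a genuinely empty one; a comment at `ret = BAD_CAST "";` stating that an over-limit value reads as the empty string would make that contract explicit. The return value of xmlBufSetAllocationScheme is also ignored at all four call sites added in this patch, so a failure there would presumably leave the reader buffer unbounded with no diagnostic. The function bodies extend beyond the hunks.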