
CVS commit: pkgsrc/textproc/libxml2



Module Name:    pkgsrc
Committed By:   tez
Date:           Wed Jun 21 00:23:24 UTC 2017

Modified Files:
        pkgsrc/textproc/libxml2: Makefile distinfo
        pkgsrc/textproc/libxml2/patches: patch-valid.c
Added Files:
        pkgsrc/textproc/libxml2/patches: patch-parser.c

Log Message:
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74

There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.

Percent sign in DTD Names
=========================
This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.

xmlParseNameComplex with XML_PARSE_OLD10
========================================
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel Böhme and Thuan Pham for the report.

Additional hardening
====================
A separate check was added in xmlParseNameComplex to validate the
buffer size.

From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3


To generate a diff of this commit:
cvs rdiff -u -r1.144 -r1.145 pkgsrc/textproc/libxml2/Makefile
cvs rdiff -u -r1.115 -r1.116 pkgsrc/textproc/libxml2/distinfo
cvs rdiff -u -r0 -r1.3 pkgsrc/textproc/libxml2/patches/patch-parser.c
cvs rdiff -u -r1.1 -r1.2 pkgsrc/textproc/libxml2/patches/patch-valid.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/libxml2/Makefile
diff -u pkgsrc/textproc/libxml2/Makefile:1.144 pkgsrc/textproc/libxml2/Makefile:1.145
--- pkgsrc/textproc/libxml2/Makefile:1.144      Sun Jun 11 04:40:53 2017
+++ pkgsrc/textproc/libxml2/Makefile    Wed Jun 21 00:23:23 2017
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.144 2017/06/11 04:40:53 maya Exp $
+# $NetBSD: Makefile,v 1.145 2017/06/21 00:23:23 tez Exp $
 
 .include "../../textproc/libxml2/Makefile.common"
 
-PKGREVISION=   3
+PKGREVISION=   4
 
 COMMENT=       XML parser library from the GNOME project
 LICENSE=       modified-bsd

Index: pkgsrc/textproc/libxml2/distinfo
diff -u pkgsrc/textproc/libxml2/distinfo:1.115 pkgsrc/textproc/libxml2/distinfo:1.116
--- pkgsrc/textproc/libxml2/distinfo:1.115      Sun Jun 11 04:40:53 2017
+++ pkgsrc/textproc/libxml2/distinfo    Wed Jun 21 00:23:23 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.115 2017/06/11 04:40:53 maya Exp $
+$NetBSD: distinfo,v 1.116 2017/06/21 00:23:23 tez Exp $
 
 SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
 RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
@@ -11,12 +11,13 @@ SHA1 (patch-ad) = d65b7e3be9694147e96ce4
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
 SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
+SHA1 (patch-parser.c) = 23e39127bf65e721dd76d80b389c1ccacf8e5746
 SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
 SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
 SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
 SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
 SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
-SHA1 (patch-valid.c) = e6ff3a9aed6b985fcc69d214efa953a90a055d6b
+SHA1 (patch-valid.c) = 9eda3633b3ea5269e0ef33fa0508de18e7a76def
 SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
 SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
 SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032

Index: pkgsrc/textproc/libxml2/patches/patch-valid.c
diff -u pkgsrc/textproc/libxml2/patches/patch-valid.c:1.1 pkgsrc/textproc/libxml2/patches/patch-valid.c:1.2
--- pkgsrc/textproc/libxml2/patches/patch-valid.c:1.1   Sun Jun 11 04:40:53 2017
+++ pkgsrc/textproc/libxml2/patches/patch-valid.c       Wed Jun 21 00:23:24 2017
@@ -1,4 +1,4 @@
-$NetBSD: patch-valid.c,v 1.1 2017/06/11 04:40:53 maya Exp $
+$NetBSD: patch-valid.c,v 1.2 2017/06/21 00:23:24 tez Exp $
 
 Upstream commit by Daniel Veillard
 
@@ -7,9 +7,15 @@ Can only be triggered in recovery mode.
 Fixes bug 758422 (CVE-2017-5969).
 
 
---- valid.c.orig       2016-05-23 07:25:25.000000000 +0000
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+
+--- valid.c.orig       2017-06-21 00:07:08.204619100 +0000
 +++ valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, 
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
            xmlBufferWriteCHAR(buf, content->name);
            break;
        case XML_ELEMENT_CONTENT_SEQ:
@@ -53,3 +59,44 @@ Fixes bug 758422 (CVE-2017-5969).
                xmlDumpElementContent(buf, content->c2, 1);
            else
                xmlDumpElementContent(buf, content->c2, 0);
+@@ -1262,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int
+         case XML_ELEMENT_CONTENT_PCDATA:
+             strcat(buf, "#PCDATA");
+           break;
+-      case XML_ELEMENT_CONTENT_ELEMENT:
++      case XML_ELEMENT_CONTENT_ELEMENT: {
++            int qnameLen = xmlStrlen(content->name);
++
++          if (content->prefix != NULL)
++                qnameLen += xmlStrlen(content->prefix) + 1;
++          if (size - len < qnameLen + 10) {
++              strcat(buf, " ...");
++              return;
++          }
+           if (content->prefix != NULL) {
+-              if (size - len < xmlStrlen(content->prefix) + 10) {
+-                  strcat(buf, " ...");
+-                  return;
+-              }
+               strcat(buf, (char *) content->prefix);
+               strcat(buf, ":");
+           }
+-          if (size - len < xmlStrlen(content->name) + 10) {
+-              strcat(buf, " ...");
+-              return;
+-          }
+           if (content->name != NULL)
+               strcat(buf, (char *) content->name);
+           break;
++        }
+       case XML_ELEMENT_CONTENT_SEQ:
+           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int
+               xmlSnprintfElementContent(buf, size, content->c2, 0);
+           break;
+     }
++    if (size - strlen(buf) <= 2) return;
+     if (englob)
+         strcat(buf, ")");
+     switch (content->ocur) {
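Review bot: The new guard `if (size - strlen(buf) <= 2) return;` mixes the `int` parameter `size` with the `size_t` result of strlen, so the subtraction is evaluated unsigned; it only holds while `strlen(buf)` is already no larger than `size`, and if an earlier strcat in this function ever overran, the difference wraps to a huge value and the trailing `)` and occurrence character are appended anyway. Writing it as `if ((size_t)size <= strlen(buf) + 2) return;` keeps the same cutoff without the wraparound. The cutoff itself looks right: `)` plus one of `?`/`*`/`+` plus the terminator needs three free bytes. Note that the ELEMENT case above still compares against `len`, which is computed before this hunk, whereas this check re-measures the buffer; the opening of xmlSnprintfElementContent and the rest of the `ocur` switch lie outside the hunk.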

Added files:

Index: pkgsrc/textproc/libxml2/patches/patch-parser.c
diff -u /dev/null pkgsrc/textproc/libxml2/patches/patch-parser.c:1.3
--- /dev/null   Wed Jun 21 00:23:24 2017
+++ pkgsrc/textproc/libxml2/patches/patch-parser.c      Wed Jun 21 00:23:24 2017
@@ -0,0 +1,69 @@
+$NetBSD: patch-parser.c,v 1.3 2017/06/21 00:23:24 tez Exp $
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+
+--- parser.c.orig
++++ parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+       ctxt->input->line++; ctxt->input->col = 1;                      \
+     } else ctxt->input->col++;                                                \
+     ctxt->input->cur += l;                            \
+-    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);   \
+   } while (0)
+ 
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+           len += l;
+           NEXTL(l);
+           c = CUR_CHAR(l);
+-          if (c == 0) {
+-              count = 0;
+-              GROW;
+-                if (ctxt->instate == XML_PARSER_EOF)
+-                    return(NULL);
+-              c = CUR_CHAR(l);
+-          }
+       }
+     }
+     if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
++    if (ctxt->input->cur - ctxt->input->base < len) {
++        /*
++         * There were a couple of bugs where PERefs lead to to a change
++         * of the buffer. Check the buffer size to avoid passing an invalid
++         * pointer to xmlDictLookup.
++         */
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++                    "unexpected change of input buffer");
++        return (NULL);
++    }
+     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
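Review bot: The added bounds check `ctxt->input->cur - ctxt->input->base < len` is one byte short for the CR/LF branch that follows it: when `*cur == '\n'` and `cur[-1] == '\r'`, the lookup starts at `cur - (len + 1)`, so a buffer with `cur - base == len` passes the guard yet hands xmlDictLookup a pointer one byte before `base`. With an intact buffer that shape cannot arise, since the name's bytes precede the CR, but the check exists precisely for the abnormal case where a parameter-entity reference replaced the buffer. The existing guard must stay first (it also keeps the `cur[-1]` read from running off the front when `cur == base`); the CR/LF branch then needs its own `len + 1` check, as below. xmlParseNameComplex's body starts before the hunk, and the NEXTL macro change is in a separate hunk of the same file.
```c
/* … unchanged: existing `cur - base < len` guard … */
if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) {
    if (ctxt->input->cur - ctxt->input->base < len + 1) {
        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
                    "unexpected change of input buffer");
        return (NULL);
    }
    return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
}
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
```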


