[pkgsrc/trunk]: pkgsrc/textproc/libxml2 xmlSnprintfElementContent failed to c...
details: https://anonhg.NetBSD.org/pkgsrc/rev/ede29a4144e1
branches: trunk
changeset: 364100:ede29a4144e1
user: tez <tez%pkgsrc.org@localhost>
date: Wed Jun 21 00:23:23 2017 +0000
description:
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Percent sign in DTD Names
=========================
This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.
xmlParseNameComplex with XML_PARSE_OLD10
========================================
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel B?hme and Thuan Pham for the report.
Additional hardening
====================
A separate check was added in xmlParseNameComplex to validate the
buffer size.
From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
diffstat:
textproc/libxml2/Makefile | 4 +-
textproc/libxml2/distinfo | 5 +-
textproc/libxml2/patches/patch-parser.c | 69 +++++++++++++++++++++++++++++++++
textproc/libxml2/patches/patch-valid.c | 53 +++++++++++++++++++++++-
4 files changed, 124 insertions(+), 7 deletions(-)
diffs (183 lines):
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/Makefile
--- a/textproc/libxml2/Makefile Tue Jun 20 22:38:16 2017 +0000
+++ b/textproc/libxml2/Makefile Wed Jun 21 00:23:23 2017 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.144 2017/06/11 04:40:53 maya Exp $
+# $NetBSD: Makefile,v 1.145 2017/06/21 00:23:23 tez Exp $
.include "../../textproc/libxml2/Makefile.common"
-PKGREVISION= 3
+PKGREVISION= 4
COMMENT= XML parser library from the GNOME project
LICENSE= modified-bsd
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/distinfo
--- a/textproc/libxml2/distinfo Tue Jun 20 22:38:16 2017 +0000
+++ b/textproc/libxml2/distinfo Wed Jun 21 00:23:23 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.115 2017/06/11 04:40:53 maya Exp $
+$NetBSD: distinfo,v 1.116 2017/06/21 00:23:23 tez Exp $
SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
@@ -11,12 +11,13 @@
SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
+SHA1 (patch-parser.c) = 23e39127bf65e721dd76d80b389c1ccacf8e5746
SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
-SHA1 (patch-valid.c) = e6ff3a9aed6b985fcc69d214efa953a90a055d6b
+SHA1 (patch-valid.c) = 9eda3633b3ea5269e0ef33fa0508de18e7a76def
SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/patches/patch-parser.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/libxml2/patches/patch-parser.c Wed Jun 21 00:23:23 2017 +0000
@@ -0,0 +1,69 @@
+$NetBSD: patch-parser.c,v 1.3 2017/06/21 00:23:24 tez Exp $
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+
+--- parser.c.orig
++++ parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
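Review bot: The new guard `if (ctxt->input->cur - ctxt->input->base < len)` proves that `len` bytes precede `cur`, but the CRLF branch two lines below hands xmlDictLookup `ctxt->input->cur - (len + 1)`, one byte more than the guard covers, so a name whose `cur - base` equals `len` exactly would still produce a pointer before `base` if that branch is taken. Whether that combination is reachable after a buffer change is not visible here (it depends on the `\r` skipped by xmlCurrentChar lying in the same buffer), but the check is cheap to make exact: compute the start pointer first, `start = ctxt->input->cur - len; if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) start--;`, then reject `start < ctxt->input->base` with the same internal error and pass `start` to xmlDictLookup. The comment in the guard also has a doubled word, `lead to to a change`. xmlParseNameComplex starts before this hunk and only the tail of its scanning loop is visible.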
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/patches/patch-valid.c
--- a/textproc/libxml2/patches/patch-valid.c Tue Jun 20 22:38:16 2017 +0000
+++ b/textproc/libxml2/patches/patch-valid.c Wed Jun 21 00:23:23 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-valid.c,v 1.1 2017/06/11 04:40:53 maya Exp $
+$NetBSD: patch-valid.c,v 1.2 2017/06/21 00:23:24 tez Exp $
Upstream commit by Daniel Veillard
@@ -7,9 +7,15 @@
Fixes bug 758422 (CVE-2017-5969).
---- valid.c.orig 2016-05-23 07:25:25.000000000 +0000
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+
+--- valid.c.orig 2017-06-21 00:07:08.204619100 +0000
+++ valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
xmlBufferWriteCHAR(buf, content->name);
break;
case XML_ELEMENT_CONTENT_SEQ:
@@ -53,3 +59,44 @@
xmlDumpElementContent(buf, content->c2, 1);
else
xmlDumpElementContent(buf, content->c2, 0);
+@@ -1262,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
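Review bot: The added `if (size - strlen(buf) <= 2) return;` mixes the `int` parameter `size` with the `size_t` result of strlen, so the subtraction is done unsigned; if buf has already grown past `size`, the very situation these overflow fixes defend against, the difference wraps to a huge value and the early return is skipped rather than taken. The rest of the function compares against a signed length (`size - len < qnameLen + 10` above), so the consistent, sign-safe form is `len = strlen(buf); if (size - len <= 2) return;`, assuming `len` is the int length variable the function declares earlier. The `+ 10` margin in the new XML_ELEMENT_CONTENT_ELEMENT check is an inherited magic number; a one-line comment stating what it reserves space for (presumably the closing parenthesis, occurrence marker and the `" ..."` truncation tail, to be confirmed) would spare the next reader the arithmetic. xmlSnprintfElementContent begins before this hunk and the `content->ocur` switch it ends in continues past it.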