

[pkgsrc/trunk]: pkgsrc/textproc/libxml2 xmlSnprintfElementContent failed to c...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ede29a4144e1
branches:  trunk
changeset: 364100:ede29a4144e1
user:      tez <tez%pkgsrc.org@localhost>
date:      Wed Jun 21 00:23:23 2017 +0000

description:
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74


There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.

Percent sign in DTD Names
=========================
This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.

xmlParseNameComplex with XML_PARSE_OLD10
========================================
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel Böhme and Thuan Pham for the report.

Additional hardening
====================
A separate check was added in xmlParseNameComplex to validate the
buffer size.

From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3

diffstat:

 textproc/libxml2/Makefile               |   4 +-
 textproc/libxml2/distinfo               |   5 +-
 textproc/libxml2/patches/patch-parser.c |  69 +++++++++++++++++++++++++++++++++
 textproc/libxml2/patches/patch-valid.c  |  53 +++++++++++++++++++++++-
 4 files changed, 124 insertions(+), 7 deletions(-)

diffs (183 lines):

diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/Makefile
--- a/textproc/libxml2/Makefile Tue Jun 20 22:38:16 2017 +0000
+++ b/textproc/libxml2/Makefile Wed Jun 21 00:23:23 2017 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.144 2017/06/11 04:40:53 maya Exp $
+# $NetBSD: Makefile,v 1.145 2017/06/21 00:23:23 tez Exp $
 
 .include "../../textproc/libxml2/Makefile.common"
 
-PKGREVISION=   3
+PKGREVISION=   4
 
 COMMENT=       XML parser library from the GNOME project
 LICENSE=       modified-bsd
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/distinfo
--- a/textproc/libxml2/distinfo Tue Jun 20 22:38:16 2017 +0000
+++ b/textproc/libxml2/distinfo Wed Jun 21 00:23:23 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.115 2017/06/11 04:40:53 maya Exp $
+$NetBSD: distinfo,v 1.116 2017/06/21 00:23:23 tez Exp $
 
 SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
 RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
@@ -11,12 +11,13 @@
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
 SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
+SHA1 (patch-parser.c) = 23e39127bf65e721dd76d80b389c1ccacf8e5746
 SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
 SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
 SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
 SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
 SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
-SHA1 (patch-valid.c) = e6ff3a9aed6b985fcc69d214efa953a90a055d6b
+SHA1 (patch-valid.c) = 9eda3633b3ea5269e0ef33fa0508de18e7a76def
 SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
 SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
 SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/patches/patch-parser.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/libxml2/patches/patch-parser.c   Wed Jun 21 00:23:23 2017 +0000
@@ -0,0 +1,69 @@
+$NetBSD: patch-parser.c,v 1.3 2017/06/21 00:23:24 tez Exp $
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+
+--- parser.c.orig
++++ parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+       ctxt->input->line++; ctxt->input->col = 1;                      \
+     } else ctxt->input->col++;                                                \
+     ctxt->input->cur += l;                            \
+-    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);   \
+   } while (0)
+ 
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+           len += l;
+           NEXTL(l);
+           c = CUR_CHAR(l);
+-          if (c == 0) {
+-              count = 0;
+-              GROW;
+-                if (ctxt->instate == XML_PARSER_EOF)
+-                    return(NULL);
+-              c = CUR_CHAR(l);
+-          }
+       }
+     }
+     if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
++    if (ctxt->input->cur - ctxt->input->base < len) {
++        /*
++         * There were a couple of bugs where PERefs lead to to a change
++         * of the buffer. Check the buffer size to avoid passing an invalid
++         * pointer to xmlDictLookup.
++         */
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++                    "unexpected change of input buffer");
++        return (NULL);
++    }
+     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
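Review bot: The new guard `if (ctxt->input->cur - ctxt->input->base < len)` is sized for the plain `cur - len` lookup on the last line, but the CR/LF branch just above it reads `ctxt->input->cur[-1]` and passes `cur - (len + 1)`, which needs one more byte of buffer; when `cur - base == len` exactly, that branch would form a pointer one before `base`. Whether that state is reachable after the PERef handling removed elsewhere in this patch I cannot tell from the hunk, so it may be worth mirroring the check there, e.g. raising the same `XML_ERR_INTERNAL_ERROR` when `*ctxt->input->cur == '\n' && ctxt->input->cur[-1] == '\r' && ctxt->input->cur - ctxt->input->base <= len`. The new comment also reads `lead to to a change`; drop the doubled `to`. xmlParseNameComplex's body begins before this hunk.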
diff -r 91a41aa0574f -r ede29a4144e1 textproc/libxml2/patches/patch-valid.c
--- a/textproc/libxml2/patches/patch-valid.c    Tue Jun 20 22:38:16 2017 +0000
+++ b/textproc/libxml2/patches/patch-valid.c    Wed Jun 21 00:23:23 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-valid.c,v 1.1 2017/06/11 04:40:53 maya Exp $
+$NetBSD: patch-valid.c,v 1.2 2017/06/21 00:23:24 tez Exp $
 
 Upstream commit by Daniel Veillard
 
@@ -7,9 +7,15 @@
 Fixes bug 758422 (CVE-2017-5969).
 
 
---- valid.c.orig       2016-05-23 07:25:25.000000000 +0000
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+
+--- valid.c.orig       2017-06-21 00:07:08.204619100 +0000
 +++ valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, 
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
            xmlBufferWriteCHAR(buf, content->name);
            break;
        case XML_ELEMENT_CONTENT_SEQ:
@@ -53,3 +59,44 @@
                xmlDumpElementContent(buf, content->c2, 1);
            else
                xmlDumpElementContent(buf, content->c2, 0);
+@@ -1262,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int
+         case XML_ELEMENT_CONTENT_PCDATA:
+             strcat(buf, "#PCDATA");
+           break;
+-      case XML_ELEMENT_CONTENT_ELEMENT:
++      case XML_ELEMENT_CONTENT_ELEMENT: {
++            int qnameLen = xmlStrlen(content->name);
++
++          if (content->prefix != NULL)
++                qnameLen += xmlStrlen(content->prefix) + 1;
++          if (size - len < qnameLen + 10) {
++              strcat(buf, " ...");
++              return;
++          }
+           if (content->prefix != NULL) {
+-              if (size - len < xmlStrlen(content->prefix) + 10) {
+-                  strcat(buf, " ...");
+-                  return;
+-              }
+               strcat(buf, (char *) content->prefix);
+               strcat(buf, ":");
+           }
+-          if (size - len < xmlStrlen(content->name) + 10) {
+-              strcat(buf, " ...");
+-              return;
+-          }
+           if (content->name != NULL)
+               strcat(buf, (char *) content->name);
+           break;
++        }
+       case XML_ELEMENT_CONTENT_SEQ:
+           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int
+               xmlSnprintfElementContent(buf, size, content->c2, 0);
+           break;
+     }
++    if (size - strlen(buf) <= 2) return;
+     if (englob)
+         strcat(buf, ")");
+     switch (content->ocur) {
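Review bot: The added trailing check `if (size - strlen(buf) <= 2) return;` mixes the `int` parameter `size` with the `size_t` result of `strlen`, so the subtraction is evaluated unsigned; it behaves as intended only while `strlen(buf) <= size`, and if `buf` has already overrun the difference wraps to a large value and the `<= 2` test silently passes. The earlier checks in this hunk (`size - len < qnameLen + 10`) stay in signed `int` arithmetic, so `if (size - (int) strlen(buf) <= 2) return;` would keep this one consistent with them and make an overrun fail closed. xmlSnprintfElementContent begins and ends outside the hunk.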


