diff options
Diffstat (limited to 'gnu/packages/patches')
| -rw-r--r-- | gnu/packages/patches/libxml2-CVE-2016-3627.patch | 61 | ||||
| -rw-r--r-- | gnu/packages/patches/libxml2-CVE-2016-3705.patch | 68 |
2 files changed, 129 insertions, 0 deletions
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch new file mode 100644 index 0000000000..782c9270cf --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-3627.patch @@ -0,0 +1,61 @@ +From <http://seclists.org/fulldisclosure/2016/May/10>. + +From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001 +From: Peter Simons <psimons () suse com> +Date: Thu, 14 Apr 2016 16:15:13 +0200 +Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024 + recursions to avoid CVE-2016-3627 + +This patch prevents stack overflows like the one reported in +https://bugzilla.gnome.org/show_bug.cgi?id=762100. +--- + tree.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +Index: libxml2-2.9.3/tree.c +=================================================================== +--- libxml2-2.9.3.orig/tree.c ++++ libxml2-2.9.3/tree.c +@@ -1464,6 +1464,8 @@ out: + return(ret); + } + ++static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel); ++ + /** + * xmlStringGetNodeList: + * @doc: the document +@@ -1475,6 +1477,12 @@ out: + */ + xmlNodePtr + xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { ++ return xmlStringGetNodeListInternal(doc, value, 0); ++ } ++ ++xmlNodePtr ++xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) { ++ + xmlNodePtr ret = NULL, last = NULL; + xmlNodePtr node; + xmlChar *val; +@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc, + xmlEntityPtr ent; + xmlBufPtr buf; + ++ if (recursionLevel > 1024) return(NULL); ++ + if (value == NULL) return(NULL); + + buf = xmlBufCreateSize(0); +@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc, + else if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + +- ent->children = xmlStringGetNodeList(doc, +- (const xmlChar*)node->content); ++ ent->children = xmlStringGetNodeListInternal(doc, ++ (const xmlChar*)node->content, ++ recursionLevel+1); + ent->owner = 1; + temp = ent->children; + while (temp) { diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch b/gnu/packages/patches/libxml2-CVE-2016-3705.patch new file mode 100644 index 0000000000..e803630f3a --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-3705.patch @@ -0,0 +1,68 @@ +From <http://seclists.org/fulldisclosure/2016/May/10>. + +From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001 +From: Peter Simons <psimons () suse com> +Date: Fri, 15 Apr 2016 11:56:55 +0200 +Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML + parser. + +The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call +xmlStringDecodeEntities() in a recursive context without incrementing the +'depth' counter in the parser context. Because of that omission, the parser +failed to detect attribute recursions in certain documents before running out +of stack space. +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 9604a72..4da151f 100644 +--- a/parser.c ++++ b/parser.c +@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + + ent->checked = 1; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + * an entity declaration, it is bypassed and left as is. + * so XML_SUBSTITUTE_REF is not set here. + */ ++ ++ctxt->depth; + ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, + 0, 0, 0); ++ --ctxt->depth; + if (orig != NULL) + *orig = buf; + else +@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else if ((ent != NULL) && + (ctxt->replaceEntities != 0)) { + if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, + 0, 0, 0); ++ --ctxt->depth; + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming */ +@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +-- +2.8.1 |