From 493e9a5a8f613764cfa396c33ee6cb381b0dbbef Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Tue, 24 May 2016 14:11:52 +0200
Subject: gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.

* gnu/packages/patches/libxml2-CVE-2016-3627.patch,
gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[replacement]: New field.
(libxml2/fixed): New variable.
---
 gnu/packages/patches/libxml2-CVE-2016-3627.patch | 61 ++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 gnu/packages/patches/libxml2-CVE-2016-3627.patch

(limited to 'gnu/packages/patches/libxml2-CVE-2016-3627.patch')

diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch
new file mode 100644
index 0000000000..782c9270cf
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-3627.patch
@@ -0,0 +1,61 @@
+From <http://seclists.org/fulldisclosure/2016/May/10>.
+
+From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons () suse com>
+Date: Thu, 14 Apr 2016 16:15:13 +0200
+Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
+ recursions to avoid CVE-2016-3627
+
+This patch prevents stack overflows like the one reported in
+https://bugzilla.gnome.org/show_bug.cgi?id=762100.
+---
+ tree.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.3/tree.c
+===================================================================
+--- libxml2-2.9.3.orig/tree.c
++++ libxml2-2.9.3/tree.c
+@@ -1464,6 +1464,8 @@ out:
+     return(ret);
+ }
+ 
++static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
++
+ /**
+  * xmlStringGetNodeList:
+  * @doc:  the document
+@@ -1475,6 +1477,12 @@ out:
+  */
+ xmlNodePtr
+ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
++   return xmlStringGetNodeListInternal(doc, value, 0);
++ }
++
++xmlNodePtr
++xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
++
+     xmlNodePtr ret = NULL, last = NULL;
+     xmlNodePtr node;
+     xmlChar *val;
+@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
+     xmlEntityPtr ent;
+     xmlBufPtr buf;
+ 
++    if (recursionLevel > 1024) return(NULL);
++
+     if (value == NULL) return(NULL);
+ 
+     buf = xmlBufCreateSize(0);
+@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
+ 			else if ((ent != NULL) && (ent->children == NULL)) {
+ 			    xmlNodePtr temp;
+ 
+-			    ent->children = xmlStringGetNodeList(doc,
+-				    (const xmlChar*)node->content);
++			    ent->children = xmlStringGetNodeListInternal(doc,
++				    (const xmlChar*)node->content,
++                                    recursionLevel+1);
+ 			    ent->owner = 1;
+ 			    temp = ent->children;
+ 			    while (temp) {
-- 
cgit v1.2.3