gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.
* gnu/packages/patches/libxml2-CVE-2016-3627.patch, gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xml.scm (libxml2)[replacement]: New field. (libxml2/fixed): New variable.
This commit is contained in:
Ludovic Courtès
parent
c0d2e7b197
commit
493e9a5a8f
4 changed files with 141 additions and 1 deletions
|
|
@ -606,6 +606,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
|
||||
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
|
||||
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
|
||||
%D%/packages/patches/libxml2-CVE-2016-3627.patch \
|
||||
%D%/packages/patches/libxml2-CVE-2016-3705.patch \
|
||||
%D%/packages/patches/libxslt-CVE-2015-7995.patch \
|
||||
%D%/packages/patches/lirc-localstatedir.patch \
|
||||
%D%/packages/patches/libpthread-glibc-preparation.patch \
|
||||
|
|
|
|||
61
gnu/packages/patches/libxml2-CVE-2016-3627.patch
Normal file
61
gnu/packages/patches/libxml2-CVE-2016-3627.patch
Normal file
|
|
@ -0,0 +1,61 @@
|
|||
From <http://seclists.org/fulldisclosure/2016/May/10>.
|
||||
|
||||
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
|
||||
From: Peter Simons <psimons () suse com>
|
||||
Date: Thu, 14 Apr 2016 16:15:13 +0200
|
||||
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
|
||||
recursions to avoid CVE-2016-3627
|
||||
|
||||
This patch prevents stack overflows like the one reported in
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
|
||||
---
|
||||
tree.c | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: libxml2-2.9.3/tree.c
|
||||
===================================================================
|
||||
--- libxml2-2.9.3.orig/tree.c
|
||||
+++ libxml2-2.9.3/tree.c
|
||||
@@ -1464,6 +1464,8 @@ out:
|
||||
return(ret);
|
||||
}
|
||||
|
||||
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
|
||||
+
|
||||
/**
|
||||
* xmlStringGetNodeList:
|
||||
* @doc: the document
|
||||
@@ -1475,6 +1477,12 @@ out:
|
||||
*/
|
||||
xmlNodePtr
|
||||
xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||
+ return xmlStringGetNodeListInternal(doc, value, 0);
|
||||
+ }
|
||||
+
|
||||
+xmlNodePtr
|
||||
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
|
||||
+
|
||||
xmlNodePtr ret = NULL, last = NULL;
|
||||
xmlNodePtr node;
|
||||
xmlChar *val;
|
||||
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
|
||||
xmlEntityPtr ent;
|
||||
xmlBufPtr buf;
|
||||
|
||||
+ if (recursionLevel > 1024) return(NULL);
|
||||
+
|
||||
if (value == NULL) return(NULL);
|
||||
|
||||
buf = xmlBufCreateSize(0);
|
||||
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
|
||||
else if ((ent != NULL) && (ent->children == NULL)) {
|
||||
xmlNodePtr temp;
|
||||
|
||||
- ent->children = xmlStringGetNodeList(doc,
|
||||
- (const xmlChar*)node->content);
|
||||
+ ent->children = xmlStringGetNodeListInternal(doc,
|
||||
+ (const xmlChar*)node->content,
|
||||
+ recursionLevel+1);
|
||||
ent->owner = 1;
|
||||
temp = ent->children;
|
||||
while (temp) {
|
||||
68
gnu/packages/patches/libxml2-CVE-2016-3705.patch
Normal file
68
gnu/packages/patches/libxml2-CVE-2016-3705.patch
Normal file
|
|
@ -0,0 +1,68 @@
|
|||
From <http://seclists.org/fulldisclosure/2016/May/10>.
|
||||
|
||||
From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Simons <psimons () suse com>
|
||||
Date: Fri, 15 Apr 2016 11:56:55 +0200
|
||||
Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
|
||||
parser.
|
||||
|
||||
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
|
||||
xmlStringDecodeEntities() in a recursive context without incrementing the
|
||||
'depth' counter in the parser context. Because of that omission, the parser
|
||||
failed to detect attribute recursions in certain documents before running out
|
||||
of stack space.
|
||||
---
|
||||
parser.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 9604a72..4da151f 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||
|
||||
ent->checked = 1;
|
||||
|
||||
+ ++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
||||
if (rep != NULL) {
|
||||
@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
||||
* an entity declaration, it is bypassed and left as is.
|
||||
* so XML_SUBSTITUTE_REF is not set here.
|
||||
*/
|
||||
+ ++ctxt->depth;
|
||||
ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
|
||||
0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
if (orig != NULL)
|
||||
*orig = buf;
|
||||
else
|
||||
@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
} else if ((ent != NULL) &&
|
||||
(ctxt->replaceEntities != 0)) {
|
||||
if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
|
||||
+ ++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF,
|
||||
0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
if (rep != NULL) {
|
||||
current = rep;
|
||||
while (*current != 0) { /* non input consuming */
|
||||
@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
(ent->content != NULL) && (ent->checked == 0)) {
|
||||
unsigned long oldnbent = ctxt->nbentities;
|
||||
|
||||
+ ++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
||||
if (rep != NULL) {
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
|
||||
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
|
||||
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
|
||||
|
|
@ -77,6 +77,7 @@ things the parser might find in the XML document (like start tags).")
|
|||
(package
|
||||
(name "libxml2")
|
||||
(version "2.9.3")
|
||||
(replacement libxml2/fixed) ;multiple CVEs
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
|
||||
|
|
@ -103,6 +104,14 @@ things the parser might find in the XML document (like start tags).")
|
|||
project (but it is usable outside of the Gnome platform).")
|
||||
(license license:x11)))
|
||||
|
||||
(define libxml2/fixed
|
||||
(package
|
||||
(inherit libxml2)
|
||||
(source (origin
|
||||
(inherit (package-source libxml2))
|
||||
(patches (search-patches "libxml2-CVE-2016-3627.patch"
|
||||
"libxml2-CVE-2016-3705.patch"))))))
|
||||
|
||||
(define-public python-libxml2
|
||||
(package (inherit libxml2)
|
||||
(name "python-libxml2")
|
||||
|
|
|
|||
Reference in a new issue