mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 13:28:12 -05:00
gnu: libxml2: Update replacement to 2.9.4 [security fixes].
This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839, 1840, 3627, 3705, 4483}. * gnu/packages/patches/libxml2-CVE-2016-3627.patch, gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. * gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4. [source]: Remove patches.
This commit is contained in:
parent
c06f6db7a4
commit
df2dd07b88
4 changed files with 10 additions and 135 deletions
|
@ -616,8 +616,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
|
||||
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
|
||||
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
|
||||
%D%/packages/patches/libxml2-CVE-2016-3627.patch \
|
||||
%D%/packages/patches/libxml2-CVE-2016-3705.patch \
|
||||
%D%/packages/patches/libxslt-CVE-2015-7995.patch \
|
||||
%D%/packages/patches/lirc-localstatedir.patch \
|
||||
%D%/packages/patches/libpthread-glibc-preparation.patch \
|
||||
|
|
|
@ -1,61 +0,0 @@
|
|||
From <http://seclists.org/fulldisclosure/2016/May/10>.
|
||||
|
||||
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
|
||||
From: Peter Simons <psimons () suse com>
|
||||
Date: Thu, 14 Apr 2016 16:15:13 +0200
|
||||
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
|
||||
recursions to avoid CVE-2016-3627
|
||||
|
||||
This patch prevents stack overflows like the one reported in
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
|
||||
---
|
||||
tree.c | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: libxml2-2.9.3/tree.c
|
||||
===================================================================
|
||||
--- libxml2-2.9.3.orig/tree.c
|
||||
+++ libxml2-2.9.3/tree.c
|
||||
@@ -1464,6 +1464,8 @@ out:
|
||||
return(ret);
|
||||
}
|
||||
|
||||
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
|
||||
+
|
||||
/**
|
||||
* xmlStringGetNodeList:
|
||||
* @doc: the document
|
||||
@@ -1475,6 +1477,12 @@ out:
|
||||
*/
|
||||
xmlNodePtr
|
||||
xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||
+ return xmlStringGetNodeListInternal(doc, value, 0);
|
||||
+ }
|
||||
+
|
||||
+xmlNodePtr
|
||||
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
|
||||
+
|
||||
xmlNodePtr ret = NULL, last = NULL;
|
||||
xmlNodePtr node;
|
||||
xmlChar *val;
|
||||
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
|
||||
xmlEntityPtr ent;
|
||||
xmlBufPtr buf;
|
||||
|
||||
+ if (recursionLevel > 1024) return(NULL);
|
||||
+
|
||||
if (value == NULL) return(NULL);
|
||||
|
||||
buf = xmlBufCreateSize(0);
|
||||
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
|
||||
else if ((ent != NULL) && (ent->children == NULL)) {
|
||||
xmlNodePtr temp;
|
||||
|
||||
- ent->children = xmlStringGetNodeList(doc,
|
||||
- (const xmlChar*)node->content);
|
||||
+ ent->children = xmlStringGetNodeListInternal(doc,
|
||||
+ (const xmlChar*)node->content,
|
||||
+ recursionLevel+1);
|
||||
ent->owner = 1;
|
||||
temp = ent->children;
|
||||
while (temp) {
|
|
@ -1,68 +0,0 @@
|
|||
From <http://seclists.org/fulldisclosure/2016/May/10>.
|
||||
|
||||
From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Simons <psimons () suse com>
|
||||
Date: Fri, 15 Apr 2016 11:56:55 +0200
|
||||
Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
|
||||
parser.
|
||||
|
||||
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
|
||||
xmlStringDecodeEntities() in a recursive context without incrementing the
|
||||
'depth' counter in the parser context. Because of that omission, the parser
|
||||
failed to detect attribute recursions in certain documents before running out
|
||||
of stack space.
|
||||
---
|
||||
parser.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 9604a72..4da151f 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||
|
||||
ent->checked = 1;
|
||||
|
||||
+ ++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
||||
if (rep != NULL) {
|
||||
@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
||||
* an entity declaration, it is bypassed and left as is.
|
||||
* so XML_SUBSTITUTE_REF is not set here.
|
||||
*/
|
||||
+ ++ctxt->depth;
|
||||
ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
|
||||
0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
if (orig != NULL)
|
||||
*orig = buf;
|
||||
else
|
||||
@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
} else if ((ent != NULL) &&
|
||||
(ctxt->replaceEntities != 0)) {
|
||||
if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
|
||||
+ ++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF,
|
||||
0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
if (rep != NULL) {
|
||||
current = rep;
|
||||
while (*current != 0) { /* non input consuming */
|
||||
@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
(ent->content != NULL) && (ent->checked == 0)) {
|
||||
unsigned long oldnbent = ctxt->nbentities;
|
||||
|
||||
+ ++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||
+ --ctxt->depth;
|
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
||||
if (rep != NULL) {
|
||||
--
|
||||
2.8.1
|
|
@ -107,10 +107,16 @@ (define-public libxml2
|
|||
(define libxml2/fixed
|
||||
(package
|
||||
(inherit libxml2)
|
||||
(source (origin
|
||||
(inherit (package-source libxml2))
|
||||
(patches (search-patches "libxml2-CVE-2016-3627.patch"
|
||||
"libxml2-CVE-2016-3705.patch"))))))
|
||||
(source
|
||||
(let ((name "libxml2")
|
||||
(version "2.9.4"))
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
|
||||
version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
|
||||
|
||||
(define-public python-libxml2
|
||||
(package (inherit libxml2)
|
||||
|
|
Loading…
Reference in a new issue