gnu: libxml2: Update replacement to 2.9.4 [security fixes].

This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839,
1840, 3627, 3705, 4483}.

* gnu/packages/patches/libxml2-CVE-2016-3627.patch,
gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4.
[source]: Remove patches.
This commit is contained in:
Leo Famulari 2016-05-26 22:29:24 -04:00
parent c06f6db7a4
commit df2dd07b88
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
4 changed files with 10 additions and 135 deletions

View file

@ -616,8 +616,6 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \
%D%/packages/patches/libxml2-CVE-2016-3627.patch \
%D%/packages/patches/libxml2-CVE-2016-3705.patch \
%D%/packages/patches/libxslt-CVE-2015-7995.patch \ %D%/packages/patches/libxslt-CVE-2015-7995.patch \
%D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/libpthread-glibc-preparation.patch \ %D%/packages/patches/libpthread-glibc-preparation.patch \

View file

@ -1,61 +0,0 @@
From <http://seclists.org/fulldisclosure/2016/May/10>.
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons () suse com>
Date: Thu, 14 Apr 2016 16:15:13 +0200
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
recursions to avoid CVE-2016-3627
This patch prevents stack overflows like the one reported in
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
---
tree.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
Index: libxml2-2.9.3/tree.c
===================================================================
--- libxml2-2.9.3.orig/tree.c
+++ libxml2-2.9.3/tree.c
@@ -1464,6 +1464,8 @@ out:
return(ret);
}
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
+
/**
* xmlStringGetNodeList:
* @doc: the document
@@ -1475,6 +1477,12 @@ out:
*/
xmlNodePtr
xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+ return xmlStringGetNodeListInternal(doc, value, 0);
+ }
+
+xmlNodePtr
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
+
xmlNodePtr ret = NULL, last = NULL;
xmlNodePtr node;
xmlChar *val;
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
xmlEntityPtr ent;
xmlBufPtr buf;
+ if (recursionLevel > 1024) return(NULL);
+
if (value == NULL) return(NULL);
buf = xmlBufCreateSize(0);
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
- ent->children = xmlStringGetNodeList(doc,
- (const xmlChar*)node->content);
+ ent->children = xmlStringGetNodeListInternal(doc,
+ (const xmlChar*)node->content,
+ recursionLevel+1);
ent->owner = 1;
temp = ent->children;
while (temp) {

View file

@ -1,68 +0,0 @@
From <http://seclists.org/fulldisclosure/2016/May/10>.
From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons () suse com>
Date: Fri, 15 Apr 2016 11:56:55 +0200
Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
parser.
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
index 9604a72..4da151f 100644
--- a/parser.c
+++ b/parser.c
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
ent->checked = 1;
+ ++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
if (rep != NULL) {
@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
* an entity declaration, it is bypassed and left as is.
* so XML_SUBSTITUTE_REF is not set here.
*/
+ ++ctxt->depth;
ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
0, 0, 0);
+ --ctxt->depth;
if (orig != NULL)
*orig = buf;
else
@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
} else if ((ent != NULL) &&
(ctxt->replaceEntities != 0)) {
if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
+ ++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF,
0, 0, 0);
+ --ctxt->depth;
if (rep != NULL) {
current = rep;
while (*current != 0) { /* non input consuming */
@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
(ent->content != NULL) && (ent->checked == 0)) {
unsigned long oldnbent = ctxt->nbentities;
+ ++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
if (rep != NULL) {
--
2.8.1

View file

@ -107,10 +107,16 @@ (define-public libxml2
(define libxml2/fixed (define libxml2/fixed
(package (package
(inherit libxml2) (inherit libxml2)
(source (origin (source
(inherit (package-source libxml2)) (let ((name "libxml2")
(patches (search-patches "libxml2-CVE-2016-3627.patch" (version "2.9.4"))
"libxml2-CVE-2016-3705.patch")))))) (origin
(method url-fetch)
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
version ".tar.gz"))
(sha256
(base32
"0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
(define-public python-libxml2 (define-public python-libxml2
(package (inherit libxml2) (package (inherit libxml2)