diff options
author | Alex Vong <alexvong1995@gmail.com> | 2017-08-30 21:21:21 +0800 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2017-08-31 21:45:36 +0200 |
commit | 76fed2b3c4e3703d1ad81c4330edd94d551b6334 (patch) | |
tree | 3c337005cb2ba9fbe1469588f1221e1559289c08 /gnu/packages/patches | |
parent | ff54f194f335cd5b1deda8b8f269b146e9c34cf3 (diff) |
gnu: libxml2: Fix CVE-2017-{0663,7375,7376,9047,9048,9049,9050}.
* gnu/packages/patches/libxml2-CVE-2017-0663.patch,
gnu/packages/patches/libxml2-CVE-2017-7375.patch,
gnu/packages/patches/libxml2-CVE-2017-7376.patch,
gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch,
gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[replacement]: New field.
(libxml2/fixed): New variable.
Signed-off-by: Marius Bakke <mbakke@fastmail.com>
Diffstat (limited to 'gnu/packages/patches')
5 files changed, 588 insertions, 0 deletions
diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch new file mode 100644 index 0000000000..b0277a2d23 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch @@ -0,0 +1,53 @@ +Fix CVE-2017-0663: + +https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663 +https://security-tracker.debian.org/tracker/CVE-2017-0663 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66 + +From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Tue, 6 Jun 2017 12:56:28 +0200 +Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace + +Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on +namespace declarations make no practical sense anyway. + +Fixes bug 780228. + +Found with libFuzzer and ASan. +--- + valid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/valid.c b/valid.c +index 8075d3a0..c51ea290 100644 +--- a/valid.c ++++ b/valid.c +@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { + } + } + ++ /* ++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions ++ * xmlAddID and xmlAddRef for namespace declarations, but it makes ++ * no practical sense to use ID types anyway. ++ */ ++#if 0 + /* Validity Constraint: ID uniqueness */ + if (attrDecl->atype == XML_ATTRIBUTE_ID) { + if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) +@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { + if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) + ret = 0; + } ++#endif + + /* Validity Constraint: Notation Attributes */ + if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) { +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch new file mode 100644 index 0000000000..32af1ff6ba --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-7375: + +https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375 +https://security-tracker.debian.org/tracker/CVE-2017-7375 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e + +From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 +From: Neel Mehta <nmehta@google.com> +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=780691 + +* parser.c: add a specific check to avoid PE reference +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 609a2703..c2c812de 100644 +--- a/parser.c ++++ b/parser.c +@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && ++ (ctxt->replaceEntities == 0) && ++ (ctxt->validate == 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch new file mode 100644 index 0000000000..5b9e45bd83 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch @@ -0,0 +1,41 @@ +Fix CVE-2017-7376: + +https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376 +https://security-tracker.debian.org/tracker/CVE-2017-7376 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e + +From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 7 Apr 2017 17:13:28 +0200 +Subject: [PATCH] Increase buffer space for port in HTTP redirect support + +For https://bugzilla.gnome.org/show_bug.cgi?id=780690 + +nanohttp.c: the code wrongly assumed a short int port value. +--- + nanohttp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nanohttp.c b/nanohttp.c +index e109ad75..373425de 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -1423,9 +1423,9 @@ retry: + if (ctxt->port != 80) { + /* reserve space for ':xxxxx', incl. potential proxy */ + if (proxy) +- blen += 12; ++ blen += 17; + else +- blen += 6; ++ blen += 11; + } + bp = (char*)xmlMallocAtomic(blen); + if ( bp == NULL ) { +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch new file mode 100644 index 0000000000..0a0e6d34cf --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch @@ -0,0 +1,130 @@ +Fix CVE-2017-{9047,9048}: + +https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9047 +https://security-tracker.debian.org/tracker/CVE-2017-9048 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 + +From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel Böhme and Thuan Pham for the report. +--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 00000000..45dc451d +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++<?xml version="1.0"?> ++<!DOCTYPE a [ ++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> ++]> ++<a/> +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 00000000..b401b49a +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/> ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +new file mode 100644 +index 00000000..5ff56992 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/> ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml b/test/valid/781333.xml +new file mode 100644 +index 00000000..b29e5a68 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++<!DOCTYPE a [ ++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> ++]> ++<a/> +diff --git a/valid.c b/valid.c +index 19f84b82..9b2df56a 100644 +--- a/valid.c ++++ b/valid.c +@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen = xmlStrlen(content->name); ++ ++ if (content->prefix != NULL) ++ qnameLen += xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix != NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name != NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || + (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) +@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <= 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch new file mode 100644 index 0000000000..890e9c2284 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch @@ -0,0 +1,319 @@ +Fix CVE-2017-{9049,9050}: + +https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9049 +https://security-tracker.debian.org/tracker/CVE-2017-9050 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3 + +Changes to 'runtest.c' are removed since they introduce test failure +when applying to libxml2 2.9.4 release tarball. + +From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +========================= + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. + +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone +involved. + +xmlParseNameComplex with XML_PARSE_OLD10 +======================================== + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel Böhme and Thuan Pham for the report. + +Additional hardening +==================== + +A separate check was added in xmlParseNameComplex to validate the +buffer size. +--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 14 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +diff --git a/Makefile.am b/Makefile.am +index 6fc8ffa9..10e716a5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=`basename $$i`; \ +diff --git a/parser.c b/parser.c +index df2efa55..a175ac4e 100644 +--- a/parser.c ++++ b/parser.c +@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ctxt->input->line++; ctxt->input->col = 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur += l; \ +- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ + } while (0) + + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + len += l; + NEXTL(l); + c = CUR_CHAR(l); +- if (c == 0) { +- count = 0; +- GROW; +- if (ctxt->instate == XML_PARSER_EOF) +- return(NULL); +- c = CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an invalid ++ * pointer to xmlDictLookup. ++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err +new file mode 100644 +index 00000000..da15c3f7 +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a; ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 ++ ++^ +diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err +new file mode 100644 +index 00000000..655f41a2 +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ ++^ ++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found ++ ++^ +diff --git a/result/valid/766956.xml b/result/valid/766956.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err +new file mode 100644 +index 00000000..34b1dae6 +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ +diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr +new file mode 100644 +index 00000000..77603462 +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ ++./test/valid/766956.xml : failed to parse +diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml +new file mode 100644 +index 00000000..d9e9e839 +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++<!DOCTYPE D [ ++ <!ENTITY % a "<:0000"> ++ %a; +diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml +new file mode 100644 +index 00000000..67476bcb +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++<!DOCTYPE doc [ ++ <!ENTITY % elem "<!ELEMENT e0000000000"> ++ %elem; +diff --git a/test/valid/766956.xml b/test/valid/766956.xml +new file mode 100644 +index 00000000..19a95a0e +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++<!DOCTYPE test SYSTEM "dtds/766956.dtd"> ++<test/> +diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd +new file mode 100644 +index 00000000..dddde68b +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++<!ENTITY % ent "value"> ++%ä%ent; +-- +2.14.1 + |