ports/opt (2.7): [notify] libxml2: apply several security fixes
commit ee2b265f81f6ca45b5bfce8669c90173d9a03c63 Author: Juergen Daubert <jue@jue.li> Date: Tue Jan 31 12:31:34 2012 +0100 [notify] libxml2: apply several security fixes Fix for CVE-2010-4494, CVE-2011-{0216,2821,2834,3905,3919} diff --git a/libxml2/.md5sum b/libxml2/.md5sum index 4e904ff..a8c0688 100644 --- a/libxml2/.md5sum +++ b/libxml2/.md5sum @@ -1 +1,7 @@ +49eb3b20965fccbd251e890a6c60cb6c CVE-2010-4494.patch +a91e5ef10dcd5cf335f9d2c2ef48c712 CVE-2011-0216.patch +9027cbb76b112629cb5fa84ffcfc44bd CVE-2011-2821.patch +8bf2bd2422b9aab015fb7a8ca993eef3 CVE-2011-2834.patch +52a0f492014971c0733dfef3300725b5 CVE-2011-3905.patch +de02f584b928d3e25babc5c90aa800be CVE-2011-3919.patch 8127a65e8c3b08856093099b52599c86 libxml2-2.7.8.tar.gz diff --git a/libxml2/CVE-2010-4494.patch b/libxml2/CVE-2010-4494.patch new file mode 100644 index 0000000..fafd41f --- /dev/null +++ b/libxml2/CVE-2010-4494.patch @@ -0,0 +1,62 @@ +From df83c17e5a2646bd923f75e5e507bc80d73c9722 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Wed, 17 Nov 2010 13:12:14 +0000 +Subject: Fix a potential freeing error in XPath + +--- +diff --git a/xpath.c b/xpath.c +index 81e33f6..1447be5 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { + xmlXPathObjectPtr tmp; +- /* pop the result */ ++ /* pop the result if any */ + tmp = valuePop(ctxt); +- xmlXPathReleaseObject(xpctxt, tmp); +- /* then pop off contextObj, which will be freed later */ +- valuePop(ctxt); ++ if (tmp != contextObj) ++ /* ++ * Free up the result ++ * then pop off contextObj, which will be freed later ++ */ ++ xmlXPathReleaseObject(xpctxt, tmp); ++ valuePop(ctxt); + goto evaluation_error; + } + +-- +cgit v0.9.0.2 + + +From fec31bcd452e77c10579467ca87a785b41115de6 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 18 Nov 2010 10:07:24 +0000 +Subject: Small fix for previous commit + +--- +diff --git a/xpath.c b/xpath.c +index 1447be5..8b56189 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathObjectPtr tmp; + /* pop the result if any */ + tmp = valuePop(ctxt); +- if (tmp != contextObj) ++ if (tmp != contextObj) { + /* + * Free up the result + * then pop off contextObj, which will be freed later + */ + xmlXPathReleaseObject(xpctxt, tmp); + valuePop(ctxt); ++ } + goto evaluation_error; + } + +-- +cgit v0.9.0.2 diff --git a/libxml2/CVE-2011-0216.patch b/libxml2/CVE-2011-0216.patch new file mode 100644 index 0000000..e349992 --- /dev/null +++ b/libxml2/CVE-2011-0216.patch @@ -0,0 +1,32 @@ +From 69f04562f75212bfcabecd190ea8b06ace28ece2 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 19 Aug 2011 03:05:04 +0000 +Subject: Fix an off by one error in encoding + +this off by one error doesn't seems to reproduce on linux +but the error is real. +--- +diff --git a/encoding.c b/encoding.c +index d1140bf..fb0c38a 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -1928,7 +1928,7 @@ xmlCharEncFirstLineInt(xmlCharEncodingHandler *handler, xmlBufferPtr out, + if (in == NULL) return(-1); + + /* calculate space available */ +- written = out->size - out->use; ++ written = out->size - out->use - 1; /* count '\0' */ + toconv = in->use; + /* + * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38 +@@ -2059,7 +2059,7 @@ xmlCharEncInFunc(xmlCharEncodingHandler * handler, xmlBufferPtr out, + toconv = in->use; + if (toconv == 0) + return (0); +- written = out->size - out->use; ++ written = out->size - out->use -1; /* count '\0' */ + if (toconv * 2 >= written) { + xmlBufferGrow(out, out->size + toconv * 2); + written = out->size - out->use - 1; +-- +cgit v0.9.0.2 diff --git a/libxml2/CVE-2011-2821.patch b/libxml2/CVE-2011-2821.patch new file mode 100644 index 0000000..8e699ec --- /dev/null +++ b/libxml2/CVE-2011-2821.patch @@ -0,0 +1,224 @@ +From f5048b3e71fc30ad096970b8df6e7af073bae4cb Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 18 Aug 2011 09:10:13 +0000 +Subject: Hardening of XPath evaluation + +Add a mechanism of frame for XPath evaluation when entering a function +or a scoped evaluation, also fix a potential problem in predicate +evaluation. +--- +diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h +index 1a9e30e..ddd9dd8 100644 +--- a/include/libxml/xpath.h ++++ b/include/libxml/xpath.h +@@ -68,7 +68,8 @@ typedef enum { + XPATH_UNDEF_PREFIX_ERROR, + XPATH_ENCODING_ERROR, + XPATH_INVALID_CHAR_ERROR, +- XPATH_INVALID_CTXT ++ XPATH_INVALID_CTXT, ++ XPATH_STACK_ERROR + } xmlXPathError; + + /* +@@ -380,6 +381,8 @@ struct _xmlXPathParserContext { + xmlXPathCompExprPtr comp; /* the precompiled expression */ + int xptr; /* it this an XPointer expression */ + xmlNodePtr ancestor; /* used for walking preceding axis */ ++ ++ int valueFrame; /* used to limit Pop on the stack */ + }; + + /************************************************************************ +diff --git a/xpath.c b/xpath.c +index b59ac5a..bcee2ea 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = { + "Encoding error\n", + "Char out of XML range\n", + "Invalid or incomplete context\n", ++ "Stack usage errror\n", + "?? Unknown error ??\n" /* Must be last in the list! */ + }; + #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \ +@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) { + ************************************************************************/ + + /** ++ * xmlXPathSetFrame: ++ * @ctxt: an XPath parser context ++ * ++ * Set the callee evaluation frame ++ * ++ * Returns the previous frame value to be restored once done ++ */ ++static int ++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) { ++ int ret; ++ ++ if (ctxt == NULL) ++ return(0); ++ ret = ctxt->valueFrame; ++ ctxt->valueFrame = ctxt->valueNr; ++ return(ret); ++} ++ ++/** ++ * xmlXPathPopFrame: ++ * @ctxt: an XPath parser context ++ * @frame: the previous frame value ++ * ++ * Remove the callee evaluation frame ++ */ ++static void ++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) { ++ if (ctxt == NULL) ++ return; ++ if (ctxt->valueNr < ctxt->valueFrame) { ++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); ++ } ++ ctxt->valueFrame = frame; ++} ++ ++/** + * valuePop: + * @ctxt: an XPath evaluation context + * +@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt) + + if ((ctxt == NULL) || (ctxt->valueNr <= 0)) + return (NULL); ++ ++ if (ctxt->valueNr <= ctxt->valueFrame) { ++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); ++ return (NULL); ++ } ++ + ctxt->valueNr--; + if (ctxt->valueNr > 0) + ctxt->value = ctxt->valueTab[ctxt->valueNr - 1]; +@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) { + ret->valueNr = 0; + ret->valueMax = 10; + ret->value = NULL; ++ ret->valueFrame = 0; + + ret->context = ctxt; + ret->comp = comp; +@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathObjectPtr contextObj = NULL, exprRes = NULL; + xmlNodePtr oldContextNode, contextNode = NULL; + xmlXPathContextPtr xpctxt = ctxt->context; ++ int frame; + + #ifdef LIBXML_XPTR_ENABLED + /* +@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + */ + exprOp = &ctxt->comp->steps[op->ch2]; + for (i = 0; i < set->nodeNr; i++) { ++ xmlXPathObjectPtr tmp; ++ + if (set->nodeTab[i] == NULL) + continue; + +@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathNodeSetAddUnique(contextObj->nodesetval, + contextNode); + ++ frame = xmlXPathSetFrame(ctxt); + valuePush(ctxt, contextObj); + res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); ++ tmp = valuePop(ctxt); ++ xmlXPathPopFrame(ctxt, frame); + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { +- xmlXPathObjectPtr tmp; +- /* pop the result if any */ +- tmp = valuePop(ctxt); +- if (tmp != contextObj) { ++ while (tmp != contextObj) { + /* + * Free up the result + * then pop off contextObj, which will be freed later + */ + xmlXPathReleaseObject(xpctxt, tmp); +- valuePop(ctxt); ++ tmp = valuePop(ctxt); + } + goto evaluation_error; + } ++ /* push the result back onto the stack */ ++ valuePush(ctxt, tmp); + + if (res) + pos++; +@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlXPathFunction func; + const xmlChar *oldFunc, *oldFuncURI; + int i; ++ int frame; + ++ frame = xmlXPathSetFrame(ctxt); + if (op->ch1 != -1) + total += + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); +@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } +- for (i = 0; i < op->value; i++) ++ for (i = 0; i < op->value; i++) { + if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } ++ } + if (op->cache != NULL) + XML_CAST_FPTR(func) = op->cache; + else { +@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", + (char *)op->value4, (char *)op->value5); ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } + func = xmlXPathFunctionLookupNS(ctxt->context, +@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + func(ctxt, op->value); + ctxt->context->function = oldFunc; + ctxt->context->functionURI = oldFuncURI; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } + case XPATH_OP_ARG: +@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + ctxt->valueNr = 0; + ctxt->valueMax = 10; + ctxt->value = NULL; ++ ctxt->valueFrame = 0; + } + #ifdef XPATH_STREAMING + if (ctxt->comp->stream) { +diff --git a/xpointer.c b/xpointer.c +index 7a42d02..37afa3a 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) { + ctxt->valueNr = 0; + ctxt->valueMax = 10; + ctxt->value = NULL; ++ ctxt->valueFrame = 0; + } + SKIP_BLANKS; + if (CUR == '/') { +-- +cgit v0.9.0.2 diff --git a/libxml2/CVE-2011-2834.patch b/libxml2/CVE-2011-2834.patch new file mode 100644 index 0000000..a12a050 --- /dev/null +++ b/libxml2/CVE-2011-2834.patch @@ -0,0 +1,62 @@ +From 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 11 Oct 2011 08:34:34 +0000 +Subject: Fix missing error status in XPath evaluation + +Started by Chris Evans, I added a few more place where the +error should have been set in the evaluation context. +--- +diff --git a/xpath.c b/xpath.c +index bcee2ea..d9d902c 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) + sizeof(ctxt->valueTab[0])); + if (tmp == NULL) { + xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); ++ ctxt->error = XPATH_MEMORY_ERROR; + return (0); + } + ctxt->valueMax *= 2; +@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + if ( (ch & 0xc0) != 0xc0 ) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathTranslateFunction: Invalid UTF8 string\n"); ++ /* not asserting an XPath error is probably better */ + break; + } + /* then skip over remaining bytes for this char */ +@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + if ( (*cptr++ & 0xc0) != 0x80 ) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathTranslateFunction: Invalid UTF8 string\n"); ++ /* not asserting an XPath error is probably better */ + break; + } + if (ch & 0x80) /* must have had error encountered */ +@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n", + (char *) op->value4, (char *)op->value5); ++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; + return (total); + } + val = xmlXPathVariableLookupNS(ctxt->context, +@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", + (char *)op->value4, (char *)op->value5); + xmlXPathPopFrame(ctxt, frame); ++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; + return (total); + } + func = xmlXPathFunctionLookupNS(ctxt->context, +@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + } + xmlGenericError(xmlGenericErrorContext, + "XPath: unknown precompiled operation %d\n", op->op); ++ ctxt->error = XPATH_INVALID_OPERAND; + return (total); + } + +-- +cgit v0.9.0.2 diff --git a/libxml2/CVE-2011-3905.patch b/libxml2/CVE-2011-3905.patch new file mode 100644 index 0000000..439f450 --- /dev/null +++ b/libxml2/CVE-2011-3905.patch @@ -0,0 +1,62 @@ +From 77404b8b69bc122d12231807abf1a837d121b551 Mon Sep 17 00:00:00 2001 +From: Chris Evans <scarybeasts@gmail.com> +Date: Wed, 14 Dec 2011 08:18:25 +0000 +Subject: Make sure the parser returns when getting a Stop order + +patch backported from chromiun bug fixes, assuming author is Chris +--- +diff --git a/parser.c b/parser.c +index 21d7aa3..4e5dcb9 100644 +--- a/parser.c ++++ b/parser.c +@@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + (ctxt->sax->processingInstruction != NULL)) + ctxt->sax->processingInstruction(ctxt->userData, + target, NULL); +- ctxt->instate = state; ++ if (ctxt->instate != XML_PARSER_EOF) ++ ctxt->instate = state; + return; + } + buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar)); +@@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + } else { + xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL); + } +- ctxt->instate = state; ++ if (ctxt->instate != XML_PARSER_EOF) ++ ctxt->instate = state; + } + } + +@@ -9589,6 +9591,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) { + else + name = xmlParseStartTag(ctxt); + #endif /* LIBXML_SAX1_ENABLED */ ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + if (name == NULL) { + spacePop(ctxt); + return; +@@ -10975,6 +10979,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { + else + name = xmlParseStartTag(ctxt); + #endif /* LIBXML_SAX1_ENABLED */ ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + if (name == NULL) { + spacePop(ctxt); + ctxt->instate = XML_PARSER_EOF; +@@ -11161,7 +11167,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { + else + xmlParseEndTag1(ctxt, 0); + #endif /* LIBXML_SAX1_ENABLED */ +- if (ctxt->nameNr == 0) { ++ if (ctxt->instate == XML_PARSER_EOF) { ++ /* Nothing */ ++ } else if (ctxt->nameNr == 0) { + ctxt->instate = XML_PARSER_EPILOG; + } else { + ctxt->instate = XML_PARSER_CONTENT; +-- +cgit v0.9.0.2 diff --git a/libxml2/CVE-2011-3919.patch b/libxml2/CVE-2011-3919.patch new file mode 100644 index 0000000..c0d9433 --- /dev/null +++ b/libxml2/CVE-2011-3919.patch @@ -0,0 +1,21 @@ +From 5bd3c061823a8499b27422aee04ea20aae24f03e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 16 Dec 2011 10:53:35 +0000 +Subject: Fix an allocation error when copying entities + +--- +diff --git a/parser.c b/parser.c +index 4e5dcb9..c55e41d 100644 +--- a/parser.c ++++ b/parser.c +@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + + buffer[nbchars++] = '&'; + if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { +- growBuffer(buffer, XML_PARSER_BUFFER_SIZE); ++ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); + } + for (;i > 0;i--) + buffer[nbchars++] = *cur++; +-- +cgit v0.9.0.2 diff --git a/libxml2/Pkgfile b/libxml2/Pkgfile index 05d97dc..63e5b52 100644 --- a/libxml2/Pkgfile +++ b/libxml2/Pkgfile @@ -6,12 +6,16 @@ name=libxml2 version=2.7.8 -release=1 -source=(ftp://xmlsoft.org/libxml2/$name-$version.tar.gz) +release=2 +source=(ftp://xmlsoft.org/libxml2/$name-$version.tar.gz + CVE-2010-4494.patch + CVE-2011-{0216,2821,2834,3905,3919}.patch) build () { cd $name-$version - + + cat $SRC/CVE-201?-*.patch | patch -p1 + # http://mail.gnome.org/archives/xml/2010-November/msg00016.html sed -i '/VERSION_SCRIPT_FLAGS/s/-z/-n/' configure
participants (1)
-
crux@crux.nu