guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.


From: Ludovic Courtès
Subject: 01/01: gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.
Date: Tue, 24 May 2016 12:16:09 +0000 (UTC)

civodul pushed a commit to branch master
in repository guix.

commit 493e9a5a8f613764cfa396c33ee6cb381b0dbbef
Author: Ludovic Courtès <address@hidden>
Date:   Tue May 24 14:11:52 2016 +0200

    gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.
    
    * gnu/packages/patches/libxml2-CVE-2016-3627.patch,
    gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/xml.scm (libxml2)[replacement]: New field.
    (libxml2/fixed): New variable.
---
 gnu/local.mk                                     |    2 +
 gnu/packages/patches/libxml2-CVE-2016-3627.patch |   61 +++++++++++++++++++
 gnu/packages/patches/libxml2-CVE-2016-3705.patch |   68 ++++++++++++++++++++++
 gnu/packages/xml.scm                             |   11 +++-
 4 files changed, 141 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 99e43e1..9cd9699 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -606,6 +606,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch        \
   %D%/packages/patches/libwmf-CVE-2015-4695.patch              \
   %D%/packages/patches/libwmf-CVE-2015-4696.patch              \
+  %D%/packages/patches/libxml2-CVE-2016-3627.patch             \
+  %D%/packages/patches/libxml2-CVE-2016-3705.patch             \
   %D%/packages/patches/libxslt-CVE-2015-7995.patch             \
   %D%/packages/patches/lirc-localstatedir.patch                        \
   %D%/packages/patches/libpthread-glibc-preparation.patch      \
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch 
b/gnu/packages/patches/libxml2-CVE-2016-3627.patch
new file mode 100644
index 0000000..782c927
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-3627.patch
@@ -0,0 +1,61 @@
+From <http://seclists.org/fulldisclosure/2016/May/10>.
+
+From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons () suse com>
+Date: Thu, 14 Apr 2016 16:15:13 +0200
+Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
+ recursions to avoid CVE-2016-3627
+
+This patch prevents stack overflows like the one reported in
+https://bugzilla.gnome.org/show_bug.cgi?id=762100.
+---
+ tree.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.3/tree.c
+===================================================================
+--- libxml2-2.9.3.orig/tree.c
++++ libxml2-2.9.3/tree.c
+@@ -1464,6 +1464,8 @@ out:
+     return(ret);
+ }
+ 
++static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const 
xmlChar *value, size_t recursionLevel);
++
+ /**
+  * xmlStringGetNodeList:
+  * @doc:  the document
+@@ -1475,6 +1477,12 @@ out:
+  */
+ xmlNodePtr
+ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
++   return xmlStringGetNodeListInternal(doc, value, 0);
++ }
++
++xmlNodePtr
++xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t 
recursionLevel) {
++
+     xmlNodePtr ret = NULL, last = NULL;
+     xmlNodePtr node;
+     xmlChar *val;
+@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
+     xmlEntityPtr ent;
+     xmlBufPtr buf;
+ 
++    if (recursionLevel > 1024) return(NULL);
++
+     if (value == NULL) return(NULL);
+ 
+     buf = xmlBufCreateSize(0);
+@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
+                       else if ((ent != NULL) && (ent->children == NULL)) {
+                           xmlNodePtr temp;
+ 
+-                          ent->children = xmlStringGetNodeList(doc,
+-                                  (const xmlChar*)node->content);
++                          ent->children = xmlStringGetNodeListInternal(doc,
++                                  (const xmlChar*)node->content,
++                                    recursionLevel+1);
+                           ent->owner = 1;
+                           temp = ent->children;
+                           while (temp) {
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch 
b/gnu/packages/patches/libxml2-CVE-2016-3705.patch
new file mode 100644
index 0000000..e803630
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-3705.patch
@@ -0,0 +1,68 @@
+From <http://seclists.org/fulldisclosure/2016/May/10>.
+
+From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons () suse com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
+ parser.
+
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 9604a72..4da151f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 
+       ent->checked = 1;
+ 
++        ++ctxt->depth;
+       rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                 XML_SUBSTITUTE_REF, 0, 0, 0);
++        --ctxt->depth;
+ 
+       ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+       if (rep != NULL) {
+@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar 
**orig) {
+        * an entity declaration, it is bypassed and left as is.
+        * so XML_SUBSTITUTE_REF is not set here.
+        */
++        ++ctxt->depth;
+       ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+                                     0, 0, 0);
++        --ctxt->depth;
+       if (orig != NULL)
+           *orig = buf;
+       else
+@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+               } else if ((ent != NULL) &&
+                          (ctxt->replaceEntities != 0)) {
+                   if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++                      ++ctxt->depth;
+                       rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                                     XML_SUBSTITUTE_REF,
+                                                     0, 0, 0);
++                      --ctxt->depth;
+                       if (rep != NULL) {
+                           current = rep;
+                           while (*current != 0) { /* non input consuming */
+@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                       (ent->content != NULL) && (ent->checked == 0)) {
+                       unsigned long oldnbent = ctxt->nbentities;
+ 
++                      ++ctxt->depth;
+                       rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                                 XML_SUBSTITUTE_REF, 0, 0, 0);
++                      --ctxt->depth;
+ 
+                       ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+                       if (rep != NULL) {
+-- 
+2.8.1
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 9eaf71a..96bb8b7 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <address@hidden>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <address@hidden>
 ;;; Copyright © 2013, 2015 Andreas Enge <address@hidden>
 ;;; Copyright © 2015 Eric Bavier <address@hidden>
 ;;; Copyright © 2015 Sou Bunnbu <address@hidden>
@@ -77,6 +77,7 @@ things the parser might find in the XML document (like start 
tags).")
   (package
     (name "libxml2")
     (version "2.9.3")
+    (replacement libxml2/fixed)                   ;multiple CVEs
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-";
@@ -103,6 +104,14 @@ things the parser might find in the XML document (like 
start tags).")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
+(define libxml2/fixed
+  (package
+    (inherit libxml2)
+    (source (origin
+              (inherit (package-source libxml2))
+              (patches (search-patches "libxml2-CVE-2016-3627.patch"
+                                       "libxml2-CVE-2016-3705.patch"))))))
+
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")



reply via email to

[Prev in Thread] Current Thread [Next in Thread]