From nobody Thu Mar 28 21:38:46 2024 X-Original-To: alpine-aports@mail.alpinelinux.org Delivered-To: alpine-aports@mail.alpinelinux.org Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1]) by mail.alpinelinux.org (Postfix) with ESMTP id 0BEB2DC1549 for ; Sat, 28 Nov 2015 21:45:26 +0000 (UTC) Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 747BBDC146B for ; Sat, 28 Nov 2015 21:45:24 +0000 (UTC) Received: by wmww144 with SMTP id w144so94013878wmw.0 for ; Sat, 28 Nov 2015 13:45:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kampka-net.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=DBkISCb3tYum7zztoq318rYbTR/gLqYvJeqQ1uGevSE=; b=Epke9x892KuuQvd4TbK60KXZZBwm0J5StAHpk5PxNTF8JqsT/VHXAV8ZcI4XShE+sE ZS4h/z0DpXqdryRrFdZEOWtTU8Ci/qkuTmS3hKkcFGplMwVTjBeUi97oZokBLoE0yhBp z5t/Fzn034y5c7TjEKiUms2dyJNJfGh5m6FGhPrqTZHNK3tStTTElsShvSKAf40LDQ17 lUG0Jt0alxkkr2l+x7ijFrd/dSnbRKX4XIdmJJH+R66sSlOIKeex94tCOmnc/NcFPUZr g7/nQWmpB6tAxjgrDxzFIMIkvCD60/aWilYuto925wscDa9ClgI8fq05C3E2cItWCxzL sIqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=DBkISCb3tYum7zztoq318rYbTR/gLqYvJeqQ1uGevSE=; b=M8ZNq+rTkQ4QIK3ngybA9YJ4w/xnuPSlsZ5t3DLAcIu0fnmpX0BQxdgSyRXsKtCOsh QafLXPUDooam8PI8POnjJBOvl9EavVqO7E9c5yThVrNAcKpVCv+mnQCuqG8Cz4oSBugv CtLYimKLWGwqvEfoB/I7XrOknPHKOd46QyuYNk309P0PD7I7nS9L9A+hFiiHveaw+AZO 5EbEg8HA/ZYao48ohjYC5uYRZslJLW/K3nf0mnNJ078Tyy43Lgluo0Rio7eQEENgErDO HbOIxyTKOFJqUtmcYlWfaUTO/GPeHPEQDyiauUdrHZwjlfaR8vUL2BNxG2TowARU9fQi D44w== X-Gm-Message-State: ALoCoQmG13sGx5pkOTvc5+JoGyj1KP7Mt3eZL3KOEP9gwp66F//ujoYEBe6IMAxvzB9FS5/5jggt X-Received: by 10.194.52.68 with SMTP id r4mr60384270wjo.8.1448747123337; Sat, 28 Nov 2015 13:45:23 -0800 (PST) Received: from localhost (pD95780D1.dip0.t-ipconnect.de. [217.87.128.209]) by smtp.gmail.com with ESMTPSA id w67sm13923254wmw.17.2015.11.28.13.45.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 28 Nov 2015 13:45:22 -0800 (PST) From: Christian Kampka To: alpine-aports@lists.alpinelinux.org Cc: Christian Kampka Subject: [alpine-aports] [PATCH] 3.2-stable/main/libxml: security fixes Date: Sat, 28 Nov 2015 22:45:20 +0100 Message-Id: <1448747120-3685-1-git-send-email-christian@kampka.net> X-Mailer: git-send-email 2.6.2 X-Virus-Scanned: ClamAV using ClamSMTP X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh Davenport) CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard) CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard) CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard) CVE-2015-5312 Another entity expansion issue (David Drysdale) CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale) CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard) CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard) CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard) CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard) CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard) CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard) CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard) --- main/libxml2/APKBUILD | 62 +++++++++++-- main/libxml2/CVE-2015-1819.patch | 176 +++++++++++++++++++++++++++++++++++++ main/libxml2/CVE-2015-5312.patch | 32 +++++++ main/libxml2/CVE-2015-7497.patch | 32 +++++++ main/libxml2/CVE-2015-7498.patch | 82 +++++++++++++++++ main/libxml2/CVE-2015-7499-1.patch | 81 +++++++++++++++++ main/libxml2/CVE-2015-7499-2.patch | 36 ++++++++ main/libxml2/CVE-2015-7500.patch | 106 ++++++++++++++++++++++ main/libxml2/CVE-2015-7941_1.patch | 32 +++++++ main/libxml2/CVE-2015-7941_2.patch | 49 +++++++++++ main/libxml2/CVE-2015-7942-2.patch | 28 ++++++ main/libxml2/CVE-2015-7942.patch | 32 +++++++ main/libxml2/CVE-2015-8035.patch | 31 +++++++ main/libxml2/CVE-2015-8242.patch | 42 +++++++++ 14 files changed, 816 insertions(+), 5 deletions(-) create mode 100644 main/libxml2/CVE-2015-1819.patch create mode 100644 main/libxml2/CVE-2015-5312.patch create mode 100644 main/libxml2/CVE-2015-7497.patch create mode 100644 main/libxml2/CVE-2015-7498.patch create mode 100644 main/libxml2/CVE-2015-7499-1.patch create mode 100644 main/libxml2/CVE-2015-7499-2.patch create mode 100644 main/libxml2/CVE-2015-7500.patch create mode 100644 main/libxml2/CVE-2015-7941_1.patch create mode 100644 main/libxml2/CVE-2015-7941_2.patch create mode 100644 main/libxml2/CVE-2015-7942-2.patch create mode 100644 main/libxml2/CVE-2015-7942.patch create mode 100644 main/libxml2/CVE-2015-8035.patch create mode 100644 main/libxml2/CVE-2015-8242.patch diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 0335089..00e1f39 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter pkgname=libxml2 pkgver=2.9.2 -pkgrel=0 +pkgrel=1 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -14,6 +14,19 @@ subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz libxml2-pthread.patch CVE-2014-0191.patch + CVE-2015-1819.patch + CVE-2015-5312.patch + CVE-2015-7497.patch + CVE-2015-7498.patch + CVE-2015-7499-1.patch + CVE-2015-7499-2.patch + CVE-2015-7500.patch + CVE-2015-7941_1.patch + CVE-2015-7941_2.patch + CVE-2015-7942.patch + CVE-2015-7942-2.patch + CVE-2015-8035.patch + CVE-2015-8242.patch " options="!strip" @@ -47,7 +60,7 @@ package() { rm "$pkgdir"/usr/lib/*.la \ "$pkgdir"/usr/lib/python*/site-packages/*.la \ || return 1 - + install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } @@ -67,10 +80,49 @@ utils() { md5sums="9e6a9aca9d155737868b3dc5fd82f788 libxml2-2.9.2.tar.gz cc0da520c5296e87407d24166480da73 libxml2-pthread.patch -e6f432aea642badcb848e5791bcf6df7 CVE-2014-0191.patch" +e6f432aea642badcb848e5791bcf6df7 CVE-2014-0191.patch +44b96e4a7c675f103628d7decfa56d37 CVE-2015-1819.patch +a6fdca7e058fe6fbaa248e8c0aae7424 CVE-2015-5312.patch +70b52327b3bbc473cfde89730f829aeb CVE-2015-7497.patch +5cfa24ef6c26ad780bcdd7dfad831fd1 CVE-2015-7498.patch +d876337f727521061309722c9d16ba9a CVE-2015-7499-1.patch +2852386b8844d628e6680e054fbbba4e CVE-2015-7499-2.patch +0be954db9ac4cf9055b95eed5077fb2e CVE-2015-7500.patch +286111441eed116f2edc489e9788d573 CVE-2015-7941_1.patch +44ad838bfb10784f016bf35ead4e1beb CVE-2015-7941_2.patch +7304667ea636d829feed9cc6747d5efb CVE-2015-7942.patch +ffdfbe9d5d7d334c5baca09060d56e78 CVE-2015-7942-2.patch +66f5aa382028e125202f6ac70f507c0a CVE-2015-8035.patch +f5dc37a7162905c53ec86d06e20cb9b3 CVE-2015-8242.patch" sha256sums="5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc libxml2-2.9.2.tar.gz 97d5e152580774483c47b28483282a4180c2c375bb7716a807ec859e59c3ec2f libxml2-pthread.patch -288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8 CVE-2014-0191.patch" +288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8 CVE-2014-0191.patch +18cc94e2d1917e6e7b959d1ad1a1b1a907cdbd6fc7cfd52bfd2a7aaec7816bf2 CVE-2015-1819.patch +8676498e81d8f973c02bb0c8d56486be593c0179a0cc9d0c6e9bcdfff068bb05 CVE-2015-5312.patch +b63be023398e8d89068b968bacb8c50d9cac0b32eeec29c972d4b9a54f7288cd CVE-2015-7497.patch +56bf3c58cd388bdabf3b47613cfb2d84be564954d86836e815679ad4151923dc CVE-2015-7498.patch +ad99f8442cc6dc5127cb67c8b6277995f301b739ec8a60a474746c846e360ece CVE-2015-7499-1.patch +4c44c22a5f3156aff40a029d656caca55cc095cf3cbaeeabc0b6e09b03fcf08c CVE-2015-7499-2.patch +a482436a040e0c94efc669ac71bfd42427efd33a9e7d755897a6b0ae8b42e41f CVE-2015-7500.patch +86d575ab1273f9a182a5c589db3e7a93b7c4bed63ca3588a8a99a84235b990be CVE-2015-7941_1.patch +53c2adf000f8716a9e96aef9018cd824bb4cd24169d62686c1631bbee6ec60c8 CVE-2015-7941_2.patch +9095165d17db7e66060307fea16872ce5be63bd9f52e858f05200d6f12391ee4 CVE-2015-7942.patch +bd98845e4fb4405ae45f4dbdac097ac40db4e8ac8d2ff7194ac0997404ca37bf CVE-2015-7942-2.patch +3b4d7e17929e8cb4ce078a7358450b308e15c9b9aa9d125a4d945ef6623e9bae CVE-2015-8035.patch +e4a1441afcd4379455ed683216dfbee49b7ef5480f57c449481fb3928190b41f CVE-2015-8242.patch" sha512sums="a4e3b20e2efceed39c20379b32b746d4a1cf65c0cf7719d26c9bf7483c1f04a4e5a442ae2f36dc4ae8a4d011b67cfb58d9f6d0be034fa3e897a49059c9289565 libxml2-2.9.2.tar.gz bda49c5e09605acc2bb36203521f750903d81345cc38af54b977e3ce71e288267fb3ab98f1813d846ab45461490482337f7af8b0f1a8a5e0b2c09e03bbadc7f7 libxml2-pthread.patch -41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11 CVE-2014-0191.patch" +41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11 CVE-2014-0191.patch +61c512e2f43bd0791e05a60c6bfa41a8a53bc95b2e45f983e6a87964246a6ab596955f9c9956d1f7ffd08fff774ab8d54222eeebb1e14cd5e54378e65ff677ce CVE-2015-1819.patch +3a1f95a681fed8ae26327246c767d332d863d401318e246cd97b79f63ac09aef7e9a82a6185e60e7de9d4489a9f21ed519d015ea9748da2ed065ab579c596b25 CVE-2015-5312.patch +50dcf87ddce80643d7bb0e622d3d67a095549571da5866c9b6f8867c28aa3b41fe43ae12e4c2aa2ddb4d084908dfb79cd84995089fead447c1f1db1bff6a0ca3 CVE-2015-7497.patch +6c3c7dbc23380f53d6a5122bd2d55cf2352822974d6cf7921dbe07f11b5396cdc5f1812263e10d53c41610989bbf7c5266f6751eb987c0fd93ff068e8f4348a2 CVE-2015-7498.patch +17c62e675e64366079a44753aaf460a026a0716b5a1bc7bace4156dc693639bf842c0be326877eebf4661943f93f43866967e1989603499233ae280f93c79d37 CVE-2015-7499-1.patch +9a51143edb520491653bf44c8cdce3a359d4ada33bb1352b2985a1e00bf6367941f7f41983b126fb1eca531811473966b20d03338873490ab328af6647a2d4e0 CVE-2015-7499-2.patch +1bddc8789cc37b015abee0659cafdb60936a38a4ec7d39e23ecc4c8ca0bf5fc73aefeb9a16f480749dc73bc9c752986dc5df6dc92d041d17677bce64b9d4588a CVE-2015-7500.patch +c86c62704b527e5b3e0834586a4a05e5acc059ececf80e45135bf9d00ed0531aa268366c9bdac1fb4f5fa98a03175f33d98e3edde4d351095b8aae456656579f CVE-2015-7941_1.patch +3711688706751455818ac29ecc49f221ce747173145ff076bc1a2223d8c00287362f0b5bfc6351583bc3edabe1f05546295d78633c0ccf9cfa4d48a5594e09d8 CVE-2015-7941_2.patch +bbf93ce9f9277f049ccac6644f72e4c2d42a7513762950c928bbdab3813a9a20123a3aef5c83b8448213026761150bc4ad5a2a89dd9eb770793b642a54ca3fd0 CVE-2015-7942.patch +40837e2cc46aa8972818aa4526926cffd213e4c5a689c66f4c4b864c339582588e03d98f4fcf5781977b3a71a2a0850de17540b0293e58755f07346471e76aa4 CVE-2015-7942-2.patch +071577d6d2f4fa2df1894fab3379ac461f79a785a3c54b04c729a1e06982d3ae0158526d213a4b375fa878fa7bb2a257cf9070092f8228ad5dc159f99ea71ea1 CVE-2015-8035.patch +98c83b942f718a765821771eb32aef70086edaedc44b83ecf291e8c65afdca63ec204b50d4dbfb87c13e6ded12cce3a7cfd3291449e9daa4d30d025525605e4d CVE-2015-8242.patch" diff --git a/main/libxml2/CVE-2015-1819.patch b/main/libxml2/CVE-2015-1819.patch new file mode 100644 index 0000000..e77202b --- /dev/null +++ b/main/libxml2/CVE-2015-1819.patch @@ -0,0 +1,176 @@ +From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/buf.c b/buf.c +index 6efc7b6..07922ff 100644 +--- a/buf.c ++++ b/buf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +diff --git a/include/libxml/tree.h b/include/libxml/tree.h +index 2f90717..4a9b3bc 100644 +--- a/include/libxml/tree.h ++++ b/include/libxml/tree.h +@@ -76,7 +76,8 @@ typedef enum { + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +diff --git a/xmlreader.c b/xmlreader.c +index f19e123..471e7e2 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-5312.patch b/main/libxml2/CVE-2015-5312.patch new file mode 100644 index 0000000..ab9f31f --- /dev/null +++ b/main/libxml2/CVE-2015-5312.patch @@ -0,0 +1,32 @@ +From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 11:13:45 +0800 +Subject: CVE-2015-5312 Another entity expansion issue + +For https://bugzilla.gnome.org/show_bug.cgi?id=756733 +It is one case where the code in place to detect entities expansions +failed to exit when the situation was detected, leading to DoS +Problem reported by Kostya Serebryany @ Google +Patch provided by David Drysdale @ Google +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/parser.c b/parser.c +index b7b6668..da6e729 100644 +--- a/parser.c ++++ b/parser.c +@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + 0, 0, 0); + ctxt->depth--; + ++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || ++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) ++ goto int_error; ++ + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming loop */ +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7497.patch b/main/libxml2/CVE-2015-7497.patch new file mode 100644 index 0000000..d734c60 --- /dev/null +++ b/main/libxml2/CVE-2015-7497.patch @@ -0,0 +1,32 @@ +From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 10:47:12 +0800 +Subject: CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey + +For https://bugzilla.gnome.org/show_bug.cgi?id=756528 +It was possible to hit a negative offset in the name indexing +used to randomize the dictionary key generation +Reported and fix provided by David Drysdale @ Google +--- + dict.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 5f71d55..8c8f931 100644 +--- a/dict.c ++++ b/dict.c +@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, + value += 30 * (*prefix); + + if (len > 10) { +- value += name[len - (plen + 1 + 1)]; ++ int offset = len - (plen + 1 + 1); ++ if (offset < 0) ++ offset = len - (10 + 1); ++ value += name[offset]; + len = 10; + if (plen > 10) + plen = 10; +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7498.patch b/main/libxml2/CVE-2015-7498.patch new file mode 100644 index 0000000..9682926 --- /dev/null +++ b/main/libxml2/CVE-2015-7498.patch @@ -0,0 +1,82 @@ +From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 9 Nov 2015 18:07:18 +0800 +Subject: Avoid processing entities after encoding conversion failures + +For https://bugzilla.gnome.org/show_bug.cgi?id=756527 +and was also raised by Chromium team in the past + +When we hit a convwersion failure when switching encoding +it is bestter to stop parsing there, this was treated as a +fatal error but the parser was continuing to process to extract +more errors, unfortunately that makes little sense as the data +is obviously corrupt and can potentially lead to unexpected behaviour. +--- + parser.c | 7 +++++-- + parserInternals.c | 11 ++++++++++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 134afe7..c79b4e8 100644 +--- a/parser.c ++++ b/parser.c +@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); + } + xmlParseEncodingDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + + if (CUR == 0) { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); ++ return(-1); + } + + /* +@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + * Note that we will switch encoding on the fly. + */ + xmlParseXMLDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +diff --git a/parserInternals.c b/parserInternals.c +index df204fd..c8230c1 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) + { + xmlCharEncodingHandlerPtr handler; + int len = -1; ++ int ret; + + if (ctxt == NULL) return(-1); + switch (enc) { +@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) + if (handler == NULL) + return(-1); + ctxt->charset = XML_CHAR_ENCODING_UTF8; +- return(xmlSwitchToEncodingInt(ctxt, handler, len)); ++ ret = xmlSwitchToEncodingInt(ctxt, handler, len); ++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { ++ /* ++ * on encoding conversion errors, stop the parser ++ */ ++ xmlStopParser(ctxt); ++ ctxt->errNo = XML_I18N_CONV_FAILED; ++ } ++ return(ret); + } + + /** +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7499-1.patch b/main/libxml2/CVE-2015-7499-1.patch new file mode 100644 index 0000000..d3e95d8 --- /dev/null +++ b/main/libxml2/CVE-2015-7499-1.patch @@ -0,0 +1,81 @@ +From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 14:55:30 +0800 +Subject: Add xmlHaltParser() to stop the parser + +The problem is doing it in a consistent and safe fashion +It's more complex than just setting ctxt->instate = XML_PARSER_EOF +Update the public function to reuse that new internal routine +--- + parser.c | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +diff --git a/parser.c b/parser.c +index da6e729..b6e99b1 100644 +--- a/parser.c ++++ b/parser.c +@@ -94,6 +94,8 @@ static xmlParserCtxtPtr + xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + const xmlChar *base, xmlParserCtxtPtr pctx); + ++static void xmlHaltParser(xmlParserCtxtPtr ctxt); ++ + /************************************************************************ + * * + * Arbitrary limits set in the parser. See XML_PARSE_HUGE * +@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, + #endif /* LIBXML_PUSH_ENABLED */ + + /** +- * xmlStopParser: ++ * xmlHaltParser: + * @ctxt: an XML parser context + * +- * Blocks further parser processing ++ * Blocks further parser processing don't override error ++ * for internal use + */ +-void +-xmlStopParser(xmlParserCtxtPtr ctxt) { ++static void ++xmlHaltParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + ctxt->instate = XML_PARSER_EOF; +- ctxt->errNo = XML_ERR_USER_STOP; + ctxt->disableSAX = 1; + if (ctxt->input != NULL) { ++ /* ++ * in case there was a specific allocation deallocate before ++ * overriding base ++ */ ++ if (ctxt->input->free != NULL) { ++ ctxt->input->free((xmlChar *) ctxt->input->base); ++ ctxt->input->free = NULL; ++ } + ctxt->input->cur = BAD_CAST""; + ctxt->input->base = ctxt->input->cur; + } + } + + /** ++ * xmlStopParser: ++ * @ctxt: an XML parser context ++ * ++ * Blocks further parser processing ++ */ ++void ++xmlStopParser(xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) ++ return; ++ xmlHaltParser(ctxt); ++ ctxt->errNo = XML_ERR_USER_STOP; ++} ++ ++/** + * xmlCreateIOParserCtxt: + * @sax: a SAX handler + * @user_data: The user data returned on SAX callbacks +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7499-2.patch b/main/libxml2/CVE-2015-7499-2.patch new file mode 100644 index 0000000..741b81b --- /dev/null +++ b/main/libxml2/CVE-2015-7499-2.patch @@ -0,0 +1,36 @@ +From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:04:09 +0800 +Subject: Detect incoherency on GROW + +the current pointer to the input has to be between the base and end +if not stop everything we have an internal state error. +--- + parser.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 1810f99..ab007aa 100644 +--- a/parser.c ++++ b/parser.c +@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); ++ return; + } + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ if ((ctxt->input->cur > ctxt->input->end) || ++ (ctxt->input->cur < ctxt->input->base)) { ++ xmlHaltParser(ctxt); ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); ++ return; ++ } + if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) + xmlPopInput(ctxt); +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7500.patch b/main/libxml2/CVE-2015-7500.patch new file mode 100644 index 0000000..1c031e2 --- /dev/null +++ b/main/libxml2/CVE-2015-7500.patch @@ -0,0 +1,106 @@ +From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 16:06:59 +0800 +Subject: CVE-2015-7500 Fix memory access error due to incorrect entities + boundaries + +For https://bugzilla.gnome.org/show_bug.cgi?id=756525 +handle properly the case where we popped out of the current entity +while processing a start tag +Reported by Kostya Serebryany @ Google + +This slightly modifies the output of 754946 in regression tests +--- + parser.c | 28 ++++++++++++++++++++++------ + 1 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/parser.c b/parser.c +index c7e4574..c5741e3 100644 +--- a/parser.c ++++ b/parser.c +@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, + const xmlChar **atts = ctxt->atts; + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef; +- int i, j, nbNs, attval, oldline, oldcol; ++ int i, j, nbNs, attval, oldline, oldcol, inputNr; + const xmlChar *base; + unsigned long cur; + int nsNr = ctxt->nsNr; +@@ -9367,6 +9367,7 @@ reparse: + SHRINK; + base = ctxt->input->base; + cur = ctxt->input->cur - ctxt->input->base; ++ inputNr = ctxt->inputNr; + oldline = ctxt->input->line; + oldcol = ctxt->input->col; + nbatts = 0; +@@ -9392,7 +9393,8 @@ reparse: + */ + SKIP_BLANKS; + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + + while (((RAW != '>') && + ((RAW != '/') || (NXT(1) != '>')) && +@@ -9403,7 +9405,7 @@ reparse: + + attname = xmlParseAttribute2(ctxt, prefix, localname, + &aprefix, &attvalue, &len, &alloc); +- if (ctxt->input->base != base) { ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { + if ((attvalue != NULL) && (alloc != 0)) + xmlFree(attvalue); + attvalue = NULL; +@@ -9552,7 +9554,8 @@ skip_ns: + break; + } + SKIP_BLANKS; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + +@@ -9589,7 +9592,8 @@ failed: + GROW + if (ctxt->instate == XML_PARSER_EOF) + break; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9605,7 +9609,8 @@ failed: + break; + } + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + } + + /* +@@ -9772,6 +9777,17 @@ base_changed: + if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) + xmlFree((xmlChar *) atts[i]); + } ++ ++ /* ++ * We can't switch from one entity to another in the middle ++ * of a start tag ++ */ ++ if (inputNr != ctxt->inputNr) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ++ "Start tag doesn't start and stop in the same entity\n"); ++ return(NULL); ++ } ++ + ctxt->input->cur = ctxt->input->base + cur; + ctxt->input->line = oldline; + ctxt->input->col = oldcol; +-- +cgit v0.11.2 diff --git a/main/libxml2/CVE-2015-7941_1.patch b/main/libxml2/CVE-2015-7941_1.patch new file mode 100644 index 0000000..d688149 --- /dev/null +++ b/main/libxml2/CVE-2015-7941_1.patch @@ -0,0 +1,32 @@ +From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:17:35 +0800 +Subject: Stop parsing on entities boundaries errors + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +There are times, like on unterminated entities that it's preferable to +stop parsing, even if that means less error reporting. Entities are +feeding the parser on further processing, and if they are ill defined +then it's possible to get the parser to bug. Also do the same on +Conditional Sections if the input is broken, as the structure of +the document can't be guessed. +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index a8d1b67..bbe97eb 100644 +--- a/parser.c ++++ b/parser.c +@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7941_2.patch b/main/libxml2/CVE-2015-7941_2.patch new file mode 100644 index 0000000..36b43ba --- /dev/null +++ b/main/libxml2/CVE-2015-7941_2.patch @@ -0,0 +1,49 @@ +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index bbe97eb..fe603ac 100644 +--- a/parser.c ++++ b/parser.c +@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7942-2.patch b/main/libxml2/CVE-2015-7942-2.patch new file mode 100644 index 0000000..1a059fe --- /dev/null +++ b/main/libxml2/CVE-2015-7942-2.patch @@ -0,0 +1,28 @@ +From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 27 Oct 2015 10:53:44 +0800 +Subject: Fix an error in previous Conditional section patch + +an off by one mistake in the change, led to error on correct +document where the end of the included entity was exactly +the end of the conditional section, leading to regtest failure +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b9217ff..d67b300 100644 +--- a/parser.c ++++ b/parser.c +@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + NULL, NULL); + } + if ((ctxt-> instate != XML_PARSER_EOF) && +- ((ctxt->input->cur + 3) < ctxt->input->end)) ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); + } + } +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-7942.patch b/main/libxml2/CVE-2015-7942.patch new file mode 100644 index 0000000..bb0766a --- /dev/null +++ b/main/libxml2/CVE-2015-7942.patch @@ -0,0 +1,32 @@ +From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 23 Oct 2015 19:02:28 +0800 +Subject: Another variation of overflow in Conditional sections + +Which happen after the previous fix to +https://bugzilla.gnome.org/show_bug.cgi?id=756456 + +But stopping the parser and exiting we didn't pop the intermediary entities +and doing the SKIP there applies on an input which may be too small +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a65e4cc..b9217ff 100644 +--- a/parser.c ++++ b/parser.c +@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) < ctxt->input->end)) ++ SKIP(3); + } + } + +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-8035.patch b/main/libxml2/CVE-2015-8035.patch new file mode 100644 index 0000000..92c26ca --- /dev/null +++ b/main/libxml2/CVE-2015-8035.patch @@ -0,0 +1,31 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index 0dcb9f4..1fab546 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +cgit v0.11.2 + diff --git a/main/libxml2/CVE-2015-8242.patch b/main/libxml2/CVE-2015-8242.patch new file mode 100644 index 0000000..b009ae1 --- /dev/null +++ b/main/libxml2/CVE-2015-8242.patch @@ -0,0 +1,42 @@ +From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Fri, 20 Nov 2015 17:16:06 +0800 +Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode + +For https://bugzilla.gnome.org/show_bug.cgi?id=756372 +Error in the code pointing to the codepoint in the stack for the +current char value instead of the pointer in the input that the SAX +callback expects +Reported and fixed by Hugh Davenport +--- + HTMLparser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index bdf7807..b729197 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { + if (ctxt->keepBlanks) { + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } else { + if (ctxt->sax->ignorableWhitespace != NULL) + ctxt->sax->ignorableWhitespace( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } else { + htmlCheckParagraph(ctxt); + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } + ctxt->token = 0; +-- +cgit v0.11.2 + -- 2.6.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---