~alpine/aports

3.2-stable/main/libxml: security fixes v1 PROPOSED

Christian Kampka
Christian Kampka: 1
 3.2-stable/main/libxml: security fixes

 14 files changed, 816 insertions(+), 5 deletions(-)
Export patchset (mbox)
How do I use this?

Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.alpinelinux.org/~alpine/aports/patches/1517/mbox | git am -3
Learn more about email & git

[alpine-aports] [PATCH] 3.2-stable/main/libxml: security fixes Export this patch

Christian Kampka
CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh Davenport)
CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard)
CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard)
CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard)
CVE-2015-5312 Another entity expansion issue (David Drysdale)
CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale)
CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard)
CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard)
CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard)
CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard)
CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard)
CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard)
CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard)
---
 main/libxml2/APKBUILD              |  62 +++++++++++--
 main/libxml2/CVE-2015-1819.patch   | 176 +++++++++++++++++++++++++++++++++++++
 main/libxml2/CVE-2015-5312.patch   |  32 +++++++
 main/libxml2/CVE-2015-7497.patch   |  32 +++++++
 main/libxml2/CVE-2015-7498.patch   |  82 +++++++++++++++++
 main/libxml2/CVE-2015-7499-1.patch |  81 +++++++++++++++++
 main/libxml2/CVE-2015-7499-2.patch |  36 ++++++++
 main/libxml2/CVE-2015-7500.patch   | 106 ++++++++++++++++++++++
 main/libxml2/CVE-2015-7941_1.patch |  32 +++++++
 main/libxml2/CVE-2015-7941_2.patch |  49 +++++++++++
 main/libxml2/CVE-2015-7942-2.patch |  28 ++++++
 main/libxml2/CVE-2015-7942.patch   |  32 +++++++
 main/libxml2/CVE-2015-8035.patch   |  31 +++++++
 main/libxml2/CVE-2015-8242.patch   |  42 +++++++++
 14 files changed, 816 insertions(+), 5 deletions(-)
 create mode 100644 main/libxml2/CVE-2015-1819.patch
 create mode 100644 main/libxml2/CVE-2015-5312.patch
 create mode 100644 main/libxml2/CVE-2015-7497.patch
 create mode 100644 main/libxml2/CVE-2015-7498.patch
 create mode 100644 main/libxml2/CVE-2015-7499-1.patch
 create mode 100644 main/libxml2/CVE-2015-7499-2.patch
 create mode 100644 main/libxml2/CVE-2015-7500.patch
 create mode 100644 main/libxml2/CVE-2015-7941_1.patch
 create mode 100644 main/libxml2/CVE-2015-7941_2.patch
 create mode 100644 main/libxml2/CVE-2015-7942-2.patch
 create mode 100644 main/libxml2/CVE-2015-7942.patch
 create mode 100644 main/libxml2/CVE-2015-8035.patch
 create mode 100644 main/libxml2/CVE-2015-8242.patch

diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 0335089..00e1f39 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.2
pkgrel=0
pkgrel=1
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -14,6 +14,19 @@ subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
	libxml2-pthread.patch
	CVE-2014-0191.patch
	CVE-2015-1819.patch
	CVE-2015-5312.patch
	CVE-2015-7497.patch
	CVE-2015-7498.patch
	CVE-2015-7499-1.patch
	CVE-2015-7499-2.patch
	CVE-2015-7500.patch
	CVE-2015-7941_1.patch
	CVE-2015-7941_2.patch
	CVE-2015-7942.patch
	CVE-2015-7942-2.patch
	CVE-2015-8035.patch
	CVE-2015-8242.patch
	"

options="!strip"
@@ -47,7 +60,7 @@ package() {
	rm "$pkgdir"/usr/lib/*.la \
		"$pkgdir"/usr/lib/python*/site-packages/*.la \
		|| return 1
		

	install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}

@@ -67,10 +80,49 @@ utils() {

md5sums="9e6a9aca9d155737868b3dc5fd82f788  libxml2-2.9.2.tar.gz
cc0da520c5296e87407d24166480da73  libxml2-pthread.patch
e6f432aea642badcb848e5791bcf6df7  CVE-2014-0191.patch"
e6f432aea642badcb848e5791bcf6df7  CVE-2014-0191.patch
44b96e4a7c675f103628d7decfa56d37  CVE-2015-1819.patch
a6fdca7e058fe6fbaa248e8c0aae7424  CVE-2015-5312.patch
70b52327b3bbc473cfde89730f829aeb  CVE-2015-7497.patch
5cfa24ef6c26ad780bcdd7dfad831fd1  CVE-2015-7498.patch
d876337f727521061309722c9d16ba9a  CVE-2015-7499-1.patch
2852386b8844d628e6680e054fbbba4e  CVE-2015-7499-2.patch
0be954db9ac4cf9055b95eed5077fb2e  CVE-2015-7500.patch
286111441eed116f2edc489e9788d573  CVE-2015-7941_1.patch
44ad838bfb10784f016bf35ead4e1beb  CVE-2015-7941_2.patch
7304667ea636d829feed9cc6747d5efb  CVE-2015-7942.patch
ffdfbe9d5d7d334c5baca09060d56e78  CVE-2015-7942-2.patch
66f5aa382028e125202f6ac70f507c0a  CVE-2015-8035.patch
f5dc37a7162905c53ec86d06e20cb9b3  CVE-2015-8242.patch"
sha256sums="5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc  libxml2-2.9.2.tar.gz
97d5e152580774483c47b28483282a4180c2c375bb7716a807ec859e59c3ec2f  libxml2-pthread.patch
288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8  CVE-2014-0191.patch"
288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8  CVE-2014-0191.patch
18cc94e2d1917e6e7b959d1ad1a1b1a907cdbd6fc7cfd52bfd2a7aaec7816bf2  CVE-2015-1819.patch
8676498e81d8f973c02bb0c8d56486be593c0179a0cc9d0c6e9bcdfff068bb05  CVE-2015-5312.patch
b63be023398e8d89068b968bacb8c50d9cac0b32eeec29c972d4b9a54f7288cd  CVE-2015-7497.patch
56bf3c58cd388bdabf3b47613cfb2d84be564954d86836e815679ad4151923dc  CVE-2015-7498.patch
ad99f8442cc6dc5127cb67c8b6277995f301b739ec8a60a474746c846e360ece  CVE-2015-7499-1.patch
4c44c22a5f3156aff40a029d656caca55cc095cf3cbaeeabc0b6e09b03fcf08c  CVE-2015-7499-2.patch
a482436a040e0c94efc669ac71bfd42427efd33a9e7d755897a6b0ae8b42e41f  CVE-2015-7500.patch
86d575ab1273f9a182a5c589db3e7a93b7c4bed63ca3588a8a99a84235b990be  CVE-2015-7941_1.patch
53c2adf000f8716a9e96aef9018cd824bb4cd24169d62686c1631bbee6ec60c8  CVE-2015-7941_2.patch
9095165d17db7e66060307fea16872ce5be63bd9f52e858f05200d6f12391ee4  CVE-2015-7942.patch
bd98845e4fb4405ae45f4dbdac097ac40db4e8ac8d2ff7194ac0997404ca37bf  CVE-2015-7942-2.patch
3b4d7e17929e8cb4ce078a7358450b308e15c9b9aa9d125a4d945ef6623e9bae  CVE-2015-8035.patch
e4a1441afcd4379455ed683216dfbee49b7ef5480f57c449481fb3928190b41f  CVE-2015-8242.patch"
sha512sums="a4e3b20e2efceed39c20379b32b746d4a1cf65c0cf7719d26c9bf7483c1f04a4e5a442ae2f36dc4ae8a4d011b67cfb58d9f6d0be034fa3e897a49059c9289565  libxml2-2.9.2.tar.gz
bda49c5e09605acc2bb36203521f750903d81345cc38af54b977e3ce71e288267fb3ab98f1813d846ab45461490482337f7af8b0f1a8a5e0b2c09e03bbadc7f7  libxml2-pthread.patch
41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11  CVE-2014-0191.patch"
41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11  CVE-2014-0191.patch
61c512e2f43bd0791e05a60c6bfa41a8a53bc95b2e45f983e6a87964246a6ab596955f9c9956d1f7ffd08fff774ab8d54222eeebb1e14cd5e54378e65ff677ce  CVE-2015-1819.patch
3a1f95a681fed8ae26327246c767d332d863d401318e246cd97b79f63ac09aef7e9a82a6185e60e7de9d4489a9f21ed519d015ea9748da2ed065ab579c596b25  CVE-2015-5312.patch
50dcf87ddce80643d7bb0e622d3d67a095549571da5866c9b6f8867c28aa3b41fe43ae12e4c2aa2ddb4d084908dfb79cd84995089fead447c1f1db1bff6a0ca3  CVE-2015-7497.patch
6c3c7dbc23380f53d6a5122bd2d55cf2352822974d6cf7921dbe07f11b5396cdc5f1812263e10d53c41610989bbf7c5266f6751eb987c0fd93ff068e8f4348a2  CVE-2015-7498.patch
17c62e675e64366079a44753aaf460a026a0716b5a1bc7bace4156dc693639bf842c0be326877eebf4661943f93f43866967e1989603499233ae280f93c79d37  CVE-2015-7499-1.patch
9a51143edb520491653bf44c8cdce3a359d4ada33bb1352b2985a1e00bf6367941f7f41983b126fb1eca531811473966b20d03338873490ab328af6647a2d4e0  CVE-2015-7499-2.patch
1bddc8789cc37b015abee0659cafdb60936a38a4ec7d39e23ecc4c8ca0bf5fc73aefeb9a16f480749dc73bc9c752986dc5df6dc92d041d17677bce64b9d4588a  CVE-2015-7500.patch
c86c62704b527e5b3e0834586a4a05e5acc059ececf80e45135bf9d00ed0531aa268366c9bdac1fb4f5fa98a03175f33d98e3edde4d351095b8aae456656579f  CVE-2015-7941_1.patch
3711688706751455818ac29ecc49f221ce747173145ff076bc1a2223d8c00287362f0b5bfc6351583bc3edabe1f05546295d78633c0ccf9cfa4d48a5594e09d8  CVE-2015-7941_2.patch
bbf93ce9f9277f049ccac6644f72e4c2d42a7513762950c928bbdab3813a9a20123a3aef5c83b8448213026761150bc4ad5a2a89dd9eb770793b642a54ca3fd0  CVE-2015-7942.patch
40837e2cc46aa8972818aa4526926cffd213e4c5a689c66f4c4b864c339582588e03d98f4fcf5781977b3a71a2a0850de17540b0293e58755f07346471e76aa4  CVE-2015-7942-2.patch
071577d6d2f4fa2df1894fab3379ac461f79a785a3c54b04c729a1e06982d3ae0158526d213a4b375fa878fa7bb2a257cf9070092f8228ad5dc159f99ea71ea1  CVE-2015-8035.patch
98c83b942f718a765821771eb32aef70086edaedc44b83ecf291e8c65afdca63ec204b50d4dbfb87c13e6ded12cce3a7cfd3291449e9daa4d30d025525605e4d  CVE-2015-8242.patch"
diff --git a/main/libxml2/CVE-2015-1819.patch b/main/libxml2/CVE-2015-1819.patch
new file mode 100644
index 0000000..e77202b
--- /dev/null
+++ b/main/libxml2/CVE-2015-1819.patch
@@ -0,0 +1,176 @@
From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 14 Apr 2015 17:41:48 +0800
Subject: CVE-2015-1819 Enforce the reader to run in constant memory

One of the operation on the reader could resolve entities
leading to the classic expansion issue. Make sure the
buffer used for xmlreader operation is bounded.
Introduce a new allocation type for the buffers for this effect.
---
 buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-
 include/libxml/tree.h |  3 ++-
 xmlreader.c           | 20 +++++++++++++++++++-
 3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/buf.c b/buf.c
index 6efc7b6..07922ff 100644
--- a/buf.c
@@ -27,6 +27,7 @@
 #include <libxml/tree.h>
 #include <libxml/globals.h>
 #include <libxml/tree.h>
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
 #include "buf.h"
 
 #define WITH_BUFFER_COMPAT
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
         (scheme == XML_BUFFER_ALLOC_EXACT) ||
         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
+        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
+	(scheme == XML_BUFFER_ALLOC_BOUNDED)) {
 	buf->alloc = scheme;
         if (buf->buffer)
             buf->buffer->alloc = scheme;
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
     size = buf->use + len + 100;
 #endif
 
+    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+        /*
+	 * Used to provide parsing limits
+	 */
+        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+	    (buf->size >= XML_MAX_TEXT_LENGTH)) {
+	    xmlBufMemoryError(buf, "buffer error: text too long\n");
+	    return(0);
+	}
+	if (size >= XML_MAX_TEXT_LENGTH)
+	    size = XML_MAX_TEXT_LENGTH;
+    }
     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
         size_t start_buf = buf->content - buf->contentIO;
 
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
     CHECK_COMPAT(buf)
 
     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+        /*
+	 * Used to provide parsing limits
+	 */
+        if (size >= XML_MAX_TEXT_LENGTH) {
+	    xmlBufMemoryError(buf, "buffer error: text too long\n");
+	    return(0);
+	}
+    }
 
     /* Don't resize if we don't have to */
     if (size < buf->size)
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
 
     needSize = buf->use + len + 2;
     if (needSize > buf->size){
+	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+	    /*
+	     * Used to provide parsing limits
+	     */
+	    if (needSize >= XML_MAX_TEXT_LENGTH) {
+		xmlBufMemoryError(buf, "buffer error: text too long\n");
+		return(-1);
+	    }
+	}
         if (!xmlBufResize(buf, needSize)){
 	    xmlBufMemoryError(buf, "growing buffer");
             return XML_ERR_NO_MEMORY;
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
     }
     needSize = buf->use + len + 2;
     if (needSize > buf->size){
+	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+	    /*
+	     * Used to provide parsing limits
+	     */
+	    if (needSize >= XML_MAX_TEXT_LENGTH) {
+		xmlBufMemoryError(buf, "buffer error: text too long\n");
+		return(-1);
+	    }
+	}
         if (!xmlBufResize(buf, needSize)){
 	    xmlBufMemoryError(buf, "growing buffer");
             return XML_ERR_NO_MEMORY;
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
index 2f90717..4a9b3bc 100644
--- a/include/libxml/tree.h
@@ -76,7 +76,8 @@ typedef enum {
     XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */
     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
     XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */
-    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */
+    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */
+    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */
 } xmlBufferAllocationScheme;
 
 /**
diff --git a/xmlreader.c b/xmlreader.c
index f19e123..471e7e2 100644
--- a/xmlreader.c
@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
 		"xmlNewTextReader : malloc failed\n");
 	return(NULL);
     }
+    /* no operation on a reader should require a huge buffer */
+    xmlBufSetAllocationScheme(ret->buffer,
+			      XML_BUFFER_ALLOC_BOUNDED);
     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
     if (ret->sax == NULL) {
 	xmlBufFree(ret->buffer);
@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
 	    return(((xmlNsPtr) node)->href);
         case XML_ATTRIBUTE_NODE:{
 	    xmlAttrPtr attr = (xmlAttrPtr) node;
+	    const xmlChar *ret;
 
 	    if ((attr->children != NULL) &&
 	        (attr->children->type == XML_TEXT_NODE) &&
@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
                                         "xmlTextReaderSetup : malloc failed\n");
                         return (NULL);
                     }
+		    xmlBufSetAllocationScheme(reader->buffer,
+		                              XML_BUFFER_ALLOC_BOUNDED);
                 } else
                     xmlBufEmpty(reader->buffer);
 	        xmlBufGetNodeContent(reader->buffer, node);
-		return(xmlBufContent(reader->buffer));
+		ret = xmlBufContent(reader->buffer);
+		if (ret == NULL) {
+		    /* error on the buffer best to reallocate */
+		    xmlBufFree(reader->buffer);
+		    reader->buffer = xmlBufCreateSize(100);
+		    xmlBufSetAllocationScheme(reader->buffer,
+		                              XML_BUFFER_ALLOC_BOUNDED);
+		    ret = BAD_CAST "";
+		}
+		return(ret);
 	    }
 	    break;
 	}
@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
                         "xmlTextReaderSetup : malloc failed\n");
         return (-1);
     }
+    /* no operation on a reader should require a huge buffer */
+    xmlBufSetAllocationScheme(reader->buffer,
+			      XML_BUFFER_ALLOC_BOUNDED);
     if (reader->sax == NULL)
 	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
     if (reader->sax == NULL) {
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-5312.patch b/main/libxml2/CVE-2015-5312.patch
new file mode 100644
index 0000000..ab9f31f
--- /dev/null
+++ b/main/libxml2/CVE-2015-5312.patch
@@ -0,0 +1,32 @@
From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Fri, 20 Nov 2015 11:13:45 +0800
Subject: CVE-2015-5312 Another entity expansion issue

For https://bugzilla.gnome.org/show_bug.cgi?id=756733
It is one case where the code in place to detect entities expansions
failed to exit when the situation was detected, leading to DoS
Problem reported by Kostya Serebryany @ Google
Patch provided by David Drysdale @ Google
---
 parser.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/parser.c b/parser.c
index b7b6668..da6e729 100644
--- a/parser.c
@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
 			                      0, 0, 0);
 		ctxt->depth--;
 
+		if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+		    (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+		    goto int_error;
+
 		if (rep != NULL) {
 		    current = rep;
 		    while (*current != 0) { /* non input consuming loop */
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7497.patch b/main/libxml2/CVE-2015-7497.patch
new file mode 100644
index 0000000..d734c60
--- /dev/null
+++ b/main/libxml2/CVE-2015-7497.patch
@@ -0,0 +1,32 @@
From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Fri, 20 Nov 2015 10:47:12 +0800
Subject: CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey

For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation
Reported and fix provided by David Drysdale @ Google
---
 dict.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/dict.c b/dict.c
index 5f71d55..8c8f931 100644
--- a/dict.c
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
 	value += 30 * (*prefix);
 
     if (len > 10) {
-        value += name[len - (plen + 1 + 1)];
+        int offset = len - (plen + 1 + 1);
+	if (offset < 0)
+	    offset = len - (10 + 1);
+	value += name[offset];
         len = 10;
 	if (plen > 10)
 	    plen = 10;
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7498.patch b/main/libxml2/CVE-2015-7498.patch
new file mode 100644
index 0000000..9682926
--- /dev/null
+++ b/main/libxml2/CVE-2015-7498.patch
@@ -0,0 +1,82 @@
From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 9 Nov 2015 18:07:18 +0800
Subject: Avoid processing entities after encoding conversion failures

For https://bugzilla.gnome.org/show_bug.cgi?id=756527
and was also raised by Chromium team in the past

When we hit a convwersion failure when switching encoding
it is bestter to stop parsing there, this was treated as a
fatal error but the parser was continuing to process to extract
more errors, unfortunately that makes little sense as the data
is obviously corrupt and can potentially lead to unexpected behaviour.
---
 parser.c          |  7 +++++--
 parserInternals.c | 11 ++++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/parser.c b/parser.c
index 134afe7..c79b4e8 100644
--- a/parser.c
@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
 	xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
     }
     xmlParseEncodingDecl(ctxt);
-    if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+    if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+         (ctxt->instate == XML_PARSER_EOF)) {
 	/*
 	 * The XML REC instructs us to stop parsing right here
 	 */
@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
 
     if (CUR == 0) {
 	xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+	return(-1);
     }
 
     /*
@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
 	 * Note that we will switch encoding on the fly.
 	 */
 	xmlParseXMLDecl(ctxt);
-	if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+	if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+	    (ctxt->instate == XML_PARSER_EOF)) {
 	    /*
 	     * The XML REC instructs us to stop parsing right here
 	     */
diff --git a/parserInternals.c b/parserInternals.c
index df204fd..c8230c1 100644
--- a/parserInternals.c
@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
 {
     xmlCharEncodingHandlerPtr handler;
     int len = -1;
+    int ret;
 
     if (ctxt == NULL) return(-1);
     switch (enc) {
@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
     if (handler == NULL)
 	return(-1);
     ctxt->charset = XML_CHAR_ENCODING_UTF8;
-    return(xmlSwitchToEncodingInt(ctxt, handler, len));
+    ret = xmlSwitchToEncodingInt(ctxt, handler, len);
+    if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
+        /*
+	 * on encoding conversion errors, stop the parser
+	 */
+        xmlStopParser(ctxt);
+	ctxt->errNo = XML_I18N_CONV_FAILED;
+    }
+    return(ret);
 }
 
 /**
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7499-1.patch b/main/libxml2/CVE-2015-7499-1.patch
new file mode 100644
index 0000000..d3e95d8
--- /dev/null
+++ b/main/libxml2/CVE-2015-7499-1.patch
@@ -0,0 +1,81 @@
From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 14:55:30 +0800
Subject: Add xmlHaltParser() to stop the parser

The problem is doing it in a consistent and safe fashion
It's more complex than just setting ctxt->instate = XML_PARSER_EOF
Update the public function to reuse that new internal routine
---
 parser.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/parser.c b/parser.c
index da6e729..b6e99b1 100644
--- a/parser.c
@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
 xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
 	                  const xmlChar *base, xmlParserCtxtPtr pctx);
 
+static void xmlHaltParser(xmlParserCtxtPtr ctxt);
+
 /************************************************************************
  *									*
  *	Arbitrary limits set in the parser. See XML_PARSE_HUGE		*
@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
 #endif /* LIBXML_PUSH_ENABLED */
 
 /**
- * xmlStopParser:
+ * xmlHaltParser:
  * @ctxt:  an XML parser context
  *
- * Blocks further parser processing
+ * Blocks further parser processing don't override error
+ * for internal use
  */
-void
-xmlStopParser(xmlParserCtxtPtr ctxt) {
+static void
+xmlHaltParser(xmlParserCtxtPtr ctxt) {
     if (ctxt == NULL)
         return;
     ctxt->instate = XML_PARSER_EOF;
-    ctxt->errNo = XML_ERR_USER_STOP;
     ctxt->disableSAX = 1;
     if (ctxt->input != NULL) {
+        /*
+	 * in case there was a specific allocation deallocate before
+	 * overriding base
+	 */
+        if (ctxt->input->free != NULL) {
+	    ctxt->input->free((xmlChar *) ctxt->input->base);
+	    ctxt->input->free = NULL;
+	}
 	ctxt->input->cur = BAD_CAST"";
 	ctxt->input->base = ctxt->input->cur;
     }
 }
 
 /**
+ * xmlStopParser:
+ * @ctxt:  an XML parser context
+ *
+ * Blocks further parser processing
+ */
+void
+xmlStopParser(xmlParserCtxtPtr ctxt) {
+    if (ctxt == NULL)
+        return;
+    xmlHaltParser(ctxt);
+    ctxt->errNo = XML_ERR_USER_STOP;
+}
+
+/**
  * xmlCreateIOParserCtxt:
  * @sax:  a SAX handler
  * @user_data:  The user data returned on SAX callbacks
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7499-2.patch b/main/libxml2/CVE-2015-7499-2.patch
new file mode 100644
index 0000000..741b81b
--- /dev/null
+++ b/main/libxml2/CVE-2015-7499-2.patch
@@ -0,0 +1,36 @@
From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 15:04:09 +0800
Subject: Detect incoherency on GROW

the current pointer to the input has to be between the base and end
if not stop everything we have an internal state error.
---
 parser.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 1810f99..ab007aa 100644
--- a/parser.c
@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
          ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
-        ctxt->instate = XML_PARSER_EOF;
+        xmlHaltParser(ctxt);
+	return;
     }
     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+    if ((ctxt->input->cur > ctxt->input->end) ||
+        (ctxt->input->cur < ctxt->input->base)) {
+        xmlHaltParser(ctxt);
+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
+	return;
+    }
     if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
         (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
 	    xmlPopInput(ctxt);
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7500.patch b/main/libxml2/CVE-2015-7500.patch
new file mode 100644
index 0000000..1c031e2
--- /dev/null
+++ b/main/libxml2/CVE-2015-7500.patch
@@ -0,0 +1,106 @@
From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 16:06:59 +0800
Subject: CVE-2015-7500 Fix memory access error due to incorrect entities
 boundaries

For https://bugzilla.gnome.org/show_bug.cgi?id=756525
handle properly the case where we popped out of the current entity
while processing a start tag
Reported by Kostya Serebryany @ Google

This slightly modifies the output of 754946 in regression tests
---
 parser.c                     | 28 ++++++++++++++++++++++------
 1 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/parser.c b/parser.c
index c7e4574..c5741e3 100644
--- a/parser.c
@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
     const xmlChar **atts = ctxt->atts;
     int maxatts = ctxt->maxatts;
     int nratts, nbatts, nbdef;
-    int i, j, nbNs, attval, oldline, oldcol;
+    int i, j, nbNs, attval, oldline, oldcol, inputNr;
     const xmlChar *base;
     unsigned long cur;
     int nsNr = ctxt->nsNr;
@@ -9367,6 +9367,7 @@ reparse:
     SHRINK;
     base = ctxt->input->base;
     cur = ctxt->input->cur - ctxt->input->base;
+    inputNr = ctxt->inputNr;
     oldline = ctxt->input->line;
     oldcol = ctxt->input->col;
     nbatts = 0;
@@ -9392,7 +9393,8 @@ reparse:
      */
     SKIP_BLANKS;
     GROW;
-    if (ctxt->input->base != base) goto base_changed;
+    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+        goto base_changed;

     while (((RAW != '>') &&
 	   ((RAW != '/') || (NXT(1) != '>')) &&
@@ -9403,7 +9405,7 @@ reparse:

 	attname = xmlParseAttribute2(ctxt, prefix, localname,
 	                             &aprefix, &attvalue, &len, &alloc);
-	if (ctxt->input->base != base) {
+	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
 	    if ((attvalue != NULL) && (alloc != 0))
 	        xmlFree(attvalue);
 	    attvalue = NULL;
@@ -9552,7 +9554,8 @@ skip_ns:
 		    break;
 		}
 		SKIP_BLANKS;
-		if (ctxt->input->base != base) goto base_changed;
+		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+		    goto base_changed;
 		continue;
 	    }

@@ -9589,7 +9592,8 @@ failed:
 	GROW
         if (ctxt->instate == XML_PARSER_EOF)
             break;
-	if (ctxt->input->base != base) goto base_changed;
+	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+	    goto base_changed;
 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
 	    break;
 	if (!IS_BLANK_CH(RAW)) {
@@ -9605,7 +9609,8 @@ failed:
 	    break;
 	}
         GROW;
-	if (ctxt->input->base != base) goto base_changed;
+	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+	    goto base_changed;
     }

     /*
@@ -9772,6 +9777,17 @@ base_changed:
 	    if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
 	        xmlFree((xmlChar *) atts[i]);
     }
+
+    /*
+     * We can't switch from one entity to another in the middle
+     * of a start tag
+     */
+    if (inputNr != ctxt->inputNr) {
+        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+		    "Start tag doesn't start and stop in the same entity\n");
+	return(NULL);
+    }
+
     ctxt->input->cur = ctxt->input->base + cur;
     ctxt->input->line = oldline;
     ctxt->input->col = oldcol;
--
cgit v0.11.2
diff --git a/main/libxml2/CVE-2015-7941_1.patch b/main/libxml2/CVE-2015-7941_1.patch
new file mode 100644
index 0000000..d688149
--- /dev/null
+++ b/main/libxml2/CVE-2015-7941_1.patch
@@ -0,0 +1,32 @@
From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:17:35 +0800
Subject: Stop parsing on entities boundaries errors

For https://bugzilla.gnome.org/show_bug.cgi?id=744980

There are times, like on unterminated entities that it's preferable to
stop parsing, even if that means less error reporting. Entities are
feeding the parser on further processing, and if they are ill defined
then it's possible to get the parser to bug. Also do the same on
Conditional Sections if the input is broken, as the structure of
the document can't be guessed.
---
 parser.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/parser.c b/parser.c
index a8d1b67..bbe97eb 100644
--- a/parser.c
@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
 	if (RAW != '>') {
 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
+	    xmlStopParser(ctxt);
 	} else {
 	    if (input != ctxt->input) {
 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7941_2.patch b/main/libxml2/CVE-2015-7941_2.patch
new file mode 100644
index 0000000..36b43ba
--- /dev/null
+++ b/main/libxml2/CVE-2015-7941_2.patch
@@ -0,0 +1,49 @@
From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:29:20 +0800
Subject: Cleanup conditional section error handling

For https://bugzilla.gnome.org/show_bug.cgi?id=744980

The error handling of Conditional Section also need to be
straightened as the structure of the document can't be
guessed on a failure there and it's better to stop parsing
as further errors are likely to be irrelevant.
---
 parser.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/parser.c b/parser.c
index bbe97eb..fe603ac 100644
--- a/parser.c
@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 	SKIP_BLANKS;
 	if (RAW != '[') {
 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+	    xmlStopParser(ctxt);
+	    return;
 	} else {
 	    if (ctxt->input->id != id) {
 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 	SKIP_BLANKS;
 	if (RAW != '[') {
 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+	    xmlStopParser(ctxt);
+	    return;
 	} else {
 	    if (ctxt->input->id != id) {
 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 
     } else {
 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+	xmlStopParser(ctxt);
+	return;
     }
 
     if (RAW == 0)
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7942-2.patch b/main/libxml2/CVE-2015-7942-2.patch
new file mode 100644
index 0000000..1a059fe
--- /dev/null
+++ b/main/libxml2/CVE-2015-7942-2.patch
@@ -0,0 +1,28 @@
From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 27 Oct 2015 10:53:44 +0800
Subject: Fix an error in previous Conditional section patch

an off by one mistake in the change, led to error on correct
document where the end of the included entity was exactly
the end of the conditional section, leading to regtest failure
---
 parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index b9217ff..d67b300 100644
--- a/parser.c
@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 				 NULL, NULL);
 	}
 	if ((ctxt-> instate != XML_PARSER_EOF) &&
-	    ((ctxt->input->cur + 3) < ctxt->input->end))
+	    ((ctxt->input->cur + 3) <= ctxt->input->end))
 	    SKIP(3);
     }
 }
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-7942.patch b/main/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000..bb0766a
--- /dev/null
+++ b/main/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,32 @@
From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 23 Oct 2015 19:02:28 +0800
Subject: Another variation of overflow in Conditional sections

Which happen after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456

But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small
---
 parser.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index a65e4cc..b9217ff 100644
--- a/parser.c
@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 	"All markup of the conditional section is not in the same entity\n",
 				 NULL, NULL);
 	}
-        SKIP(3);
+	if ((ctxt-> instate != XML_PARSER_EOF) &&
+	    ((ctxt->input->cur + 3) < ctxt->input->end))
+	    SKIP(3);
     }
 }
 
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-8035.patch b/main/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000..92c26ca
--- /dev/null
+++ b/main/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,31 @@
From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 3 Nov 2015 15:31:25 +0800
Subject: CVE-2015-8035 Fix XZ compression support loop

For https://bugzilla.gnome.org/show_bug.cgi?id=757466
DoS when parsing specially crafted XML document if XZ support
is compiled in (which wasn't the case for 2.9.2 and master since
Nov 2013, fixed in next commit !)
---
 xzlib.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xzlib.c b/xzlib.c
index 0dcb9f4..1fab546 100644
--- a/xzlib.c
@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
             return -1;
         }
+        if (ret == LZMA_PROG_ERROR) {
+            xz_error(state, LZMA_PROG_ERROR, "compression error");
+            return -1;
+        }
     } while (strm->avail_out && ret != LZMA_STREAM_END);
 
     /* update available output and crc check value */
-- 
cgit v0.11.2

diff --git a/main/libxml2/CVE-2015-8242.patch b/main/libxml2/CVE-2015-8242.patch
new file mode 100644
index 0000000..b009ae1
--- /dev/null
+++ b/main/libxml2/CVE-2015-8242.patch
@@ -0,0 +1,42 @@
From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001
From: Hugh Davenport <hugh@allthethings.co.nz>
Date: Fri, 20 Nov 2015 17:16:06 +0800
Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode

For https://bugzilla.gnome.org/show_bug.cgi?id=756372
Error in the code pointing to the codepoint in the stack for the
current char value instead of the pointer in the input that the SAX
callback expects
Reported and fixed by Hugh Davenport
---
 HTMLparser.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index bdf7807..b729197 100644
--- a/HTMLparser.c
@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
 				if (ctxt->keepBlanks) {
 				    if (ctxt->sax->characters != NULL)
 					ctxt->sax->characters(
-						ctxt->userData, &cur, 1);
+						ctxt->userData, &in->cur[0], 1);
 				} else {
 				    if (ctxt->sax->ignorableWhitespace != NULL)
 					ctxt->sax->ignorableWhitespace(
-						ctxt->userData, &cur, 1);
+						ctxt->userData, &in->cur[0], 1);
 				}
 			    } else {
 				htmlCheckParagraph(ctxt);
 				if (ctxt->sax->characters != NULL)
 				    ctxt->sax->characters(
-					    ctxt->userData, &cur, 1);
+					    ctxt->userData, &in->cur[0], 1);
 			    }
 			}
 			ctxt->token = 0;
-- 
cgit v0.11.2

-- 
2.6.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
View this thread in the archives