gnu: libxml2: Fix CVE-2017-{0663,7375,7376,9047,9048,9049,9050}.

* gnu/packages/patches/libxml2-CVE-2017-0663.patch,
gnu/packages/patches/libxml2-CVE-2017-7375.patch,
gnu/packages/patches/libxml2-CVE-2017-7376.patch,
gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch,
gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[replacement]: New field.
(libxml2/fixed): New variable.

Signed-off-by: Marius Bakke <mbakke@fastmail.com>
This commit is contained in:
Alex Vong 2017-08-30 21:21:21 +08:00 committed by Marius Bakke
parent ff54f194f3
commit 76fed2b3c4
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
7 changed files with 608 additions and 0 deletions

View File

@ -803,6 +803,11 @@ dist_patch_DATA = \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
%D%/packages/patches/libxml2-CVE-2016-5131.patch \
%D%/packages/patches/libxml2-CVE-2017-0663.patch \
%D%/packages/patches/libxml2-CVE-2017-7375.patch \
%D%/packages/patches/libxml2-CVE-2017-7376.patch \
%D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch \
%D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
%D%/packages/patches/libxt-guix-search-paths.patch \

View File

@ -0,0 +1,53 @@
Fix CVE-2017-0663:
https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
https://security-tracker.debian.org/tracker/CVE-2017-0663
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 6 Jun 2017 12:56:28 +0200
Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
namespace declarations make no practical sense anyway.
Fixes bug 780228.
Found with libFuzzer and ASan.
---
valid.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/valid.c b/valid.c
index 8075d3a0..c51ea290 100644
--- a/valid.c
+++ b/valid.c
@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
}
}
+ /*
+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
+ * no practical sense to use ID types anyway.
+ */
+#if 0
/* Validity Constraint: ID uniqueness */
if (attrDecl->atype == XML_ATTRIBUTE_ID) {
if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
ret = 0;
}
+#endif
/* Validity Constraint: Notation Attributes */
if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
--
2.14.1

View File

@ -0,0 +1,45 @@
Fix CVE-2017-7375:
https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
https://security-tracker.debian.org/tracker/CVE-2017-7375
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
From: Neel Mehta <nmehta@google.com>
Date: Fri, 7 Apr 2017 17:43:02 +0200
Subject: [PATCH] Prevent unwanted external entity reference
For https://bugzilla.gnome.org/show_bug.cgi?id=780691
* parser.c: add a specific check to avoid PE reference
---
parser.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/parser.c b/parser.c
index 609a2703..c2c812de 100644
--- a/parser.c
+++ b/parser.c
@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
if (xmlPushInput(ctxt, input) < 0)
return;
} else {
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+ (ctxt->replaceEntities == 0) &&
+ (ctxt->validate == 0))
+ return;
+
/*
* TODO !!!
* handle the extra spaces added before and after
--
2.14.1

View File

@ -0,0 +1,41 @@
Fix CVE-2017-7376:
https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
https://security-tracker.debian.org/tracker/CVE-2017-7376
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 7 Apr 2017 17:13:28 +0200
Subject: [PATCH] Increase buffer space for port in HTTP redirect support
For https://bugzilla.gnome.org/show_bug.cgi?id=780690
nanohttp.c: the code wrongly assumed a short int port value.
---
nanohttp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nanohttp.c b/nanohttp.c
index e109ad75..373425de 100644
--- a/nanohttp.c
+++ b/nanohttp.c
@@ -1423,9 +1423,9 @@ retry:
if (ctxt->port != 80) {
/* reserve space for ':xxxxx', incl. potential proxy */
if (proxy)
- blen += 12;
+ blen += 17;
else
- blen += 6;
+ blen += 11;
}
bp = (char*)xmlMallocAtomic(blen);
if ( bp == NULL ) {
--
2.14.1

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,319 @@
Fix CVE-2017-{9049,9050}:
https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)
https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
http://www.openwall.com/lists/oss-security/2017/05/15/1
https://security-tracker.debian.org/tracker/CVE-2017-9049
https://security-tracker.debian.org/tracker/CVE-2017-9050
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
Changes to 'runtest.c' are removed since they introduce test failure
when applying to libxml2 2.9.4 release tarball.
From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 5 Jun 2017 15:37:17 +0200
Subject: [PATCH] Fix handling of parameter-entity references
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Percent sign in DTD Names
=========================
The NEXTL macro used to call xmlParserHandlePEReference. When parsing
"complex" names inside the DTD, this could result in entity expansion
which created a new input buffer. The fix is to simply remove the call
to xmlParserHandlePEReference from the NEXTL macro. This is safe because
no users of the macro require expansion of parameter entities.
- xmlParseNameComplex
- xmlParseNCNameComplex
- xmlParseNmtoken
The percent sign is not allowed in names, which are grammatical tokens.
- xmlParseEntityValue
Parameter-entity references in entity values are expanded but this
happens in a separate step in this function.
- xmlParseSystemLiteral
Parameter-entity references are ignored in the system literal.
- xmlParseAttValueComplex
- xmlParseCharDataComplex
- xmlParseCommentComplex
- xmlParsePI
- xmlParseCDSect
Parameter-entity references are ignored outside the DTD.
- xmlLoadEntityContent
This function is only called from xmlStringLenDecodeEntities and
entities are replaced in a separate step immediately after the function
call.
This bug could also be triggered with an internal subset and double
entity expansion.
This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.
xmlParseNameComplex with XML_PARSE_OLD10
========================================
When parsing Names inside an expanded parameter entity with the
XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
GROW macro if the input buffer was exhausted. At the end of the
parameter entity's replacement text, this function would then call
xmlPopInput which invalidated the input buffer.
There should be no need to invoke GROW in this situation because the
buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
at least for UTF-8, in xmlCurrentChar. This also matches the code path
executed when XML_PARSE_OLD10 is not set.
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel Böhme and Thuan Pham for the report.
Additional hardening
====================
A separate check was added in xmlParseNameComplex to validate the
buffer size.
---
Makefile.am | 18 ++++++++++++++++++
parser.c | 18 ++++++++++--------
result/errors10/781205.xml | 0
result/errors10/781205.xml.err | 21 +++++++++++++++++++++
result/errors10/781361.xml | 0
result/errors10/781361.xml.err | 13 +++++++++++++
result/valid/766956.xml | 0
result/valid/766956.xml.err | 9 +++++++++
result/valid/766956.xml.err.rdr | 10 ++++++++++
runtest.c | 3 +++
test/errors10/781205.xml | 3 +++
test/errors10/781361.xml | 3 +++
test/valid/766956.xml | 2 ++
test/valid/dtds/766956.dtd | 2 ++
14 files changed, 94 insertions(+), 8 deletions(-)
create mode 100644 result/errors10/781205.xml
create mode 100644 result/errors10/781205.xml.err
create mode 100644 result/errors10/781361.xml
create mode 100644 result/errors10/781361.xml.err
create mode 100644 result/valid/766956.xml
create mode 100644 result/valid/766956.xml.err
create mode 100644 result/valid/766956.xml.err.rdr
create mode 100644 test/errors10/781205.xml
create mode 100644 test/errors10/781361.xml
create mode 100644 test/valid/766956.xml
create mode 100644 test/valid/dtds/766956.dtd
diff --git a/Makefile.am b/Makefile.am
index 6fc8ffa9..10e716a5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
rm result.$$name error.$$name ; \
fi ; fi ; done)
+ @echo "## Error cases regression tests (old 1.0)"
+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
+ name=`basename $$i`; \
+ if [ ! -d $$i ] ; then \
+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
+ echo New test file $$name ; \
+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
+ 2> $(srcdir)/result/errors10/$$name.err \
+ > $(srcdir)/result/errors10/$$name ; \
+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
+ else \
+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
+ diff $(srcdir)/result/errors10/$$name result.$$name ; \
+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
+ rm result.$$name error.$$name ; \
+ fi ; fi ; done)
@echo "## Error cases stream regression tests"
-@(for i in $(srcdir)/test/errors/*.xml ; do \
name=`basename $$i`; \
diff --git a/parser.c b/parser.c
index df2efa55..a175ac4e 100644
--- a/parser.c
+++ b/parser.c
@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
ctxt->input->line++; ctxt->input->col = 1; \
} else ctxt->input->col++; \
ctxt->input->cur += l; \
- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
} while (0)
#define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
len += l;
NEXTL(l);
c = CUR_CHAR(l);
- if (c == 0) {
- count = 0;
- GROW;
- if (ctxt->instate == XML_PARSER_EOF)
- return(NULL);
- c = CUR_CHAR(l);
- }
}
}
if ((len > XML_MAX_NAME_LENGTH) &&
@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
+ if (ctxt->input->cur - ctxt->input->base < len) {
+ /*
+ * There were a couple of bugs where PERefs lead to to a change
+ * of the buffer. Check the buffer size to avoid passing an invalid
+ * pointer to xmlDictLookup.
+ */
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "unexpected change of input buffer");
+ return (NULL);
+ }
if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
new file mode 100644
index 00000000..e69de29b
diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
new file mode 100644
index 00000000..da15c3f7
--- /dev/null
+++ b/result/errors10/781205.xml.err
@@ -0,0 +1,21 @@
+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+ %a;
+ ^
+Entity: line 1:
+<:0000
+^
+Entity: line 1: parser error : DOCTYPE improperly terminated
+ %a;
+ ^
+Entity: line 1:
+<:0000
+^
+namespace error : Failed to parse QName ':0000'
+ %a;
+ ^
+<:0000
+ ^
+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
+
+^
diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
new file mode 100644
index 00000000..e69de29b
diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
new file mode 100644
index 00000000..655f41a2
--- /dev/null
+++ b/result/errors10/781361.xml.err
@@ -0,0 +1,13 @@
+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
+
+^
+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+
+^
+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
+
+^
+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
+
+^
diff --git a/result/valid/766956.xml b/result/valid/766956.xml
new file mode 100644
index 00000000..e69de29b
diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
new file mode 100644
index 00000000..34b1dae6
--- /dev/null
+++ b/result/valid/766956.xml.err
@@ -0,0 +1,9 @@
+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
+%ä%ent;
+ ^
+Entity: line 1: parser error : Content error in the external subset
+ %ent;
+ ^
+Entity: line 1:
+value
+^
diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
new file mode 100644
index 00000000..77603462
--- /dev/null
+++ b/result/valid/766956.xml.err.rdr
@@ -0,0 +1,10 @@
+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
+%ä%ent;
+ ^
+Entity: line 1: parser error : Content error in the external subset
+ %ent;
+ ^
+Entity: line 1:
+value
+^
+./test/valid/766956.xml : failed to parse
diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
new file mode 100644
index 00000000..d9e9e839
--- /dev/null
+++ b/test/errors10/781205.xml
@@ -0,0 +1,3 @@
+<!DOCTYPE D [
+ <!ENTITY % a "<:0000">
+ %a;
diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
new file mode 100644
index 00000000..67476bcb
--- /dev/null
+++ b/test/errors10/781361.xml
@@ -0,0 +1,3 @@
+<!DOCTYPE doc [
+ <!ENTITY % elem "<!ELEMENT e0000000000">
+ %elem;
diff --git a/test/valid/766956.xml b/test/valid/766956.xml
new file mode 100644
index 00000000..19a95a0e
--- /dev/null
+++ b/test/valid/766956.xml
@@ -0,0 +1,2 @@
+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
+<test/>
diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
new file mode 100644
index 00000000..dddde68b
--- /dev/null
+++ b/test/valid/dtds/766956.dtd
@@ -0,0 +1,2 @@
+<!ENTITY % ent "value">
+%ä%ent;
--
2.14.1

View File

@ -16,6 +16,7 @@
;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@ -110,6 +111,7 @@ hierarchical form with variable field lengths.")
(package
(name "libxml2")
(version "2.9.4")
(replacement libxml2/fixed)
(source (origin
(method url-fetch)
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
@ -138,6 +140,19 @@ hierarchical form with variable field lengths.")
project (but it is usable outside of the Gnome platform).")
(license license:x11)))
(define libxml2/fixed
(package
(inherit libxml2)
(source
(origin
(inherit (package-source libxml2))
(patches
(search-patches "libxml2-CVE-2017-0663.patch"
"libxml2-CVE-2017-7375.patch"
"libxml2-CVE-2017-7376.patch"
"libxml2-CVE-2017-9047+CVE-2017-9048.patch"
"libxml2-CVE-2017-9049+CVE-2017-9050.patch"))))))
(define-public python-libxml2
(package (inherit libxml2)
(name "python-libxml2")