diff --git a/gnu/local.mk b/gnu/local.mk index e94920e554..6e2d765159 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -616,8 +616,6 @@ dist_patch_DATA = \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ - %D%/packages/patches/libxml2-CVE-2016-3627.patch \ - %D%/packages/patches/libxml2-CVE-2016-3705.patch \ %D%/packages/patches/libxslt-CVE-2015-7995.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/libpthread-glibc-preparation.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch deleted file mode 100644 index 782c9270cf..0000000000 --- a/gnu/packages/patches/libxml2-CVE-2016-3627.patch +++ /dev/null @@ -1,61 +0,0 @@ -From . - -From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001 -From: Peter Simons -Date: Thu, 14 Apr 2016 16:15:13 +0200 -Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024 - recursions to avoid CVE-2016-3627 - -This patch prevents stack overflows like the one reported in -https://bugzilla.gnome.org/show_bug.cgi?id=762100. ---- - tree.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -Index: libxml2-2.9.3/tree.c -=================================================================== ---- libxml2-2.9.3.orig/tree.c -+++ libxml2-2.9.3/tree.c -@@ -1464,6 +1464,8 @@ out: - return(ret); - } - -+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel); -+ - /** - * xmlStringGetNodeList: - * @doc: the document -@@ -1475,6 +1477,12 @@ out: - */ - xmlNodePtr - xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { -+ return xmlStringGetNodeListInternal(doc, value, 0); -+ } -+ -+xmlNodePtr -+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) { -+ - xmlNodePtr ret = NULL, last = NULL; - xmlNodePtr node; - xmlChar *val; -@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc, - xmlEntityPtr ent; - xmlBufPtr buf; - -+ if (recursionLevel > 1024) return(NULL); -+ - if (value == NULL) return(NULL); - - buf = xmlBufCreateSize(0); -@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc, - else if ((ent != NULL) && (ent->children == NULL)) { - xmlNodePtr temp; - -- ent->children = xmlStringGetNodeList(doc, -- (const xmlChar*)node->content); -+ ent->children = xmlStringGetNodeListInternal(doc, -+ (const xmlChar*)node->content, -+ recursionLevel+1); - ent->owner = 1; - temp = ent->children; - while (temp) { diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch b/gnu/packages/patches/libxml2-CVE-2016-3705.patch deleted file mode 100644 index e803630f3a..0000000000 --- a/gnu/packages/patches/libxml2-CVE-2016-3705.patch +++ /dev/null @@ -1,68 +0,0 @@ -From . - -From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001 -From: Peter Simons -Date: Fri, 15 Apr 2016 11:56:55 +0200 -Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML - parser. - -The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call -xmlStringDecodeEntities() in a recursive context without incrementing the -'depth' counter in the parser context. Because of that omission, the parser -failed to detect attribute recursions in certain documents before running out -of stack space. ---- - parser.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/parser.c b/parser.c -index 9604a72..4da151f 100644 ---- a/parser.c -+++ b/parser.c -@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - - ent->checked = 1; - -+ ++ctxt->depth; - rep = xmlStringDecodeEntities(ctxt, ent->content, - XML_SUBSTITUTE_REF, 0, 0, 0); -+ --ctxt->depth; - - ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; - if (rep != NULL) { -@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { - * an entity declaration, it is bypassed and left as is. - * so XML_SUBSTITUTE_REF is not set here. - */ -+ ++ctxt->depth; - ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, - 0, 0, 0); -+ --ctxt->depth; - if (orig != NULL) - *orig = buf; - else -@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - } else if ((ent != NULL) && - (ctxt->replaceEntities != 0)) { - if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { -+ ++ctxt->depth; - rep = xmlStringDecodeEntities(ctxt, ent->content, - XML_SUBSTITUTE_REF, - 0, 0, 0); -+ --ctxt->depth; - if (rep != NULL) { - current = rep; - while (*current != 0) { /* non input consuming */ -@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - (ent->content != NULL) && (ent->checked == 0)) { - unsigned long oldnbent = ctxt->nbentities; - -+ ++ctxt->depth; - rep = xmlStringDecodeEntities(ctxt, ent->content, - XML_SUBSTITUTE_REF, 0, 0, 0); -+ --ctxt->depth; - - ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; - if (rep != NULL) { --- -2.8.1 diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 782e356a70..dc5c60dca8 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -107,10 +107,16 @@ project (but it is usable outside of the Gnome platform).") (define libxml2/fixed (package (inherit libxml2) - (source (origin - (inherit (package-source libxml2)) - (patches (search-patches "libxml2-CVE-2016-3627.patch" - "libxml2-CVE-2016-3705.patch")))))) + (source + (let ((name "libxml2") + (version "2.9.4")) + (origin + (method url-fetch) + (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-" + version ".tar.gz")) + (sha256 + (base32 + "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))))) (define-public python-libxml2 (package (inherit libxml2)