gnu: libxml2: Update replacement to 2.9.4 [security fixes].
This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839, 1840, 3627, 3705, 4483}. * gnu/packages/patches/libxml2-CVE-2016-3627.patch, gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. * gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4. [source]: Remove patches.
This commit is contained in:
parent
c06f6db7a4
commit
df2dd07b88
|
@ -616,8 +616,6 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
|
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
|
||||||
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
|
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
|
||||||
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
|
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
|
||||||
%D%/packages/patches/libxml2-CVE-2016-3627.patch \
|
|
||||||
%D%/packages/patches/libxml2-CVE-2016-3705.patch \
|
|
||||||
%D%/packages/patches/libxslt-CVE-2015-7995.patch \
|
%D%/packages/patches/libxslt-CVE-2015-7995.patch \
|
||||||
%D%/packages/patches/lirc-localstatedir.patch \
|
%D%/packages/patches/lirc-localstatedir.patch \
|
||||||
%D%/packages/patches/libpthread-glibc-preparation.patch \
|
%D%/packages/patches/libpthread-glibc-preparation.patch \
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
From <http://seclists.org/fulldisclosure/2016/May/10>.
|
|
||||||
|
|
||||||
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Simons <psimons () suse com>
|
|
||||||
Date: Thu, 14 Apr 2016 16:15:13 +0200
|
|
||||||
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
|
|
||||||
recursions to avoid CVE-2016-3627
|
|
||||||
|
|
||||||
This patch prevents stack overflows like the one reported in
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
|
|
||||||
---
|
|
||||||
tree.c | 14 ++++++++++++--
|
|
||||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
Index: libxml2-2.9.3/tree.c
|
|
||||||
===================================================================
|
|
||||||
--- libxml2-2.9.3.orig/tree.c
|
|
||||||
+++ libxml2-2.9.3/tree.c
|
|
||||||
@@ -1464,6 +1464,8 @@ out:
|
|
||||||
return(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* xmlStringGetNodeList:
|
|
||||||
* @doc: the document
|
|
||||||
@@ -1475,6 +1477,12 @@ out:
|
|
||||||
*/
|
|
||||||
xmlNodePtr
|
|
||||||
xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
|
||||||
+ return xmlStringGetNodeListInternal(doc, value, 0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+xmlNodePtr
|
|
||||||
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
|
|
||||||
+
|
|
||||||
xmlNodePtr ret = NULL, last = NULL;
|
|
||||||
xmlNodePtr node;
|
|
||||||
xmlChar *val;
|
|
||||||
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
|
|
||||||
xmlEntityPtr ent;
|
|
||||||
xmlBufPtr buf;
|
|
||||||
|
|
||||||
+ if (recursionLevel > 1024) return(NULL);
|
|
||||||
+
|
|
||||||
if (value == NULL) return(NULL);
|
|
||||||
|
|
||||||
buf = xmlBufCreateSize(0);
|
|
||||||
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
|
|
||||||
else if ((ent != NULL) && (ent->children == NULL)) {
|
|
||||||
xmlNodePtr temp;
|
|
||||||
|
|
||||||
- ent->children = xmlStringGetNodeList(doc,
|
|
||||||
- (const xmlChar*)node->content);
|
|
||||||
+ ent->children = xmlStringGetNodeListInternal(doc,
|
|
||||||
+ (const xmlChar*)node->content,
|
|
||||||
+ recursionLevel+1);
|
|
||||||
ent->owner = 1;
|
|
||||||
temp = ent->children;
|
|
||||||
while (temp) {
|
|
|
@ -1,68 +0,0 @@
|
||||||
From <http://seclists.org/fulldisclosure/2016/May/10>.
|
|
||||||
|
|
||||||
From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Simons <psimons () suse com>
|
|
||||||
Date: Fri, 15 Apr 2016 11:56:55 +0200
|
|
||||||
Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
|
|
||||||
parser.
|
|
||||||
|
|
||||||
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
|
|
||||||
xmlStringDecodeEntities() in a recursive context without incrementing the
|
|
||||||
'depth' counter in the parser context. Because of that omission, the parser
|
|
||||||
failed to detect attribute recursions in certain documents before running out
|
|
||||||
of stack space.
|
|
||||||
---
|
|
||||||
parser.c | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/parser.c b/parser.c
|
|
||||||
index 9604a72..4da151f 100644
|
|
||||||
--- a/parser.c
|
|
||||||
+++ b/parser.c
|
|
||||||
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
|
||||||
|
|
||||||
ent->checked = 1;
|
|
||||||
|
|
||||||
+ ++ctxt->depth;
|
|
||||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
|
||||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
|
||||||
+ --ctxt->depth;
|
|
||||||
|
|
||||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
|
||||||
if (rep != NULL) {
|
|
||||||
@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
|
||||||
* an entity declaration, it is bypassed and left as is.
|
|
||||||
* so XML_SUBSTITUTE_REF is not set here.
|
|
||||||
*/
|
|
||||||
+ ++ctxt->depth;
|
|
||||||
ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
|
|
||||||
0, 0, 0);
|
|
||||||
+ --ctxt->depth;
|
|
||||||
if (orig != NULL)
|
|
||||||
*orig = buf;
|
|
||||||
else
|
|
||||||
@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
|
||||||
} else if ((ent != NULL) &&
|
|
||||||
(ctxt->replaceEntities != 0)) {
|
|
||||||
if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
|
|
||||||
+ ++ctxt->depth;
|
|
||||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
|
||||||
XML_SUBSTITUTE_REF,
|
|
||||||
0, 0, 0);
|
|
||||||
+ --ctxt->depth;
|
|
||||||
if (rep != NULL) {
|
|
||||||
current = rep;
|
|
||||||
while (*current != 0) { /* non input consuming */
|
|
||||||
@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
|
||||||
(ent->content != NULL) && (ent->checked == 0)) {
|
|
||||||
unsigned long oldnbent = ctxt->nbentities;
|
|
||||||
|
|
||||||
+ ++ctxt->depth;
|
|
||||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
|
||||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
|
||||||
+ --ctxt->depth;
|
|
||||||
|
|
||||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
|
||||||
if (rep != NULL) {
|
|
||||||
--
|
|
||||||
2.8.1
|
|
|
@ -107,10 +107,16 @@ project (but it is usable outside of the Gnome platform).")
|
||||||
(define libxml2/fixed
|
(define libxml2/fixed
|
||||||
(package
|
(package
|
||||||
(inherit libxml2)
|
(inherit libxml2)
|
||||||
(source (origin
|
(source
|
||||||
(inherit (package-source libxml2))
|
(let ((name "libxml2")
|
||||||
(patches (search-patches "libxml2-CVE-2016-3627.patch"
|
(version "2.9.4"))
|
||||||
"libxml2-CVE-2016-3705.patch"))))))
|
(origin
|
||||||
|
(method url-fetch)
|
||||||
|
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
|
||||||
|
version ".tar.gz"))
|
||||||
|
(sha256
|
||||||
|
(base32
|
||||||
|
"0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
|
||||||
|
|
||||||
(define-public python-libxml2
|
(define-public python-libxml2
|
||||||
(package (inherit libxml2)
|
(package (inherit libxml2)
|
||||||
|
|
Loading…
Reference in New Issue