rpms/libxml2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.

Browse Source
This commit is contained in:
Richard W.M. Jones 2020-11-11 13:33:18 +00:00
parent 80f8374a0f
commit 36ce67f6dc
3 changed files with 75 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
libxml2-2.9.10-CVE-2020-24977.patch
View File

@ -1,41 +1,36 @@
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de> From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Aug 2020 17:30:41 +0200 Date: Fri, 7 Aug 2020 21:54:27 +0200
Subject: [PATCH] Fix integer overflow when comparing schema dates Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
Found by OSS-Fuzz. Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
array access.
Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
the report.
Fixes #178.
--- ---
xmlschemastypes.c | 10 ++++++++++ xmllint.c | 6 ++++++
1 file changed, 10 insertions(+) 1 file changed, 6 insertions(+)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c diff --git a/xmllint.c b/xmllint.c
index 4249d700..d6b9f924 100644 index f6a8e463..c647486f 100644
--- a/xmlschemastypes.c --- a/xmllint.c
+++ b/xmlschemastypes.c +++ b/xmllint.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) @@ -528,6 +528,12 @@ static void
minday = 0; xmlHTMLEncodeSend(void) {
maxday = 0; char *result;
} else {
+ if (myear > LONG_MAX / 366)
+ return -2;
/* FIXME: This doesn't take leap year exceptions every 100/400 years
into account. */
maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
if ((x == NULL) || (y == NULL))
return -2;
+ if ((x->value.date.year > LONG_MAX / 366) || + /*
+ (x->value.date.year < LONG_MIN / 366) || + * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
+ (y->value.date.year > LONG_MAX / 366) || + * end with a truncated UTF-8 sequence. This is a hack to at least avoid
+ (y->value.date.year < LONG_MIN / 366)) { + * an out-of-bounds read.
+ /* Possible overflow when converting to days. */ + */
+ return -2; + memset(&buffer[sizeof(buffer)-4], 0, 4);
+ } result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+ if (result) {
if (x->value.date.tz_flag) { xmlGenericError(xmlGenericErrorContext, "%s", result);
if (!y->value.date.tz_flag) {
-- --
2.28.0.rc2 2.28.0.rc2

41
libxml2-2.9.10-fix-integer-overflow.patch Normal file
View File

@ -0,0 +1,41 @@
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Aug 2020 17:30:41 +0200
Subject: [PATCH] Fix integer overflow when comparing schema dates
Found by OSS-Fuzz.
---
xmlschemastypes.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 4249d700..d6b9f924 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
minday = 0;
maxday = 0;
} else {
+ if (myear > LONG_MAX / 366)
+ return -2;
/* FIXME: This doesn't take leap year exceptions every 100/400 years
into account. */
maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
if ((x == NULL) || (y == NULL))
return -2;
+ if ((x->value.date.year > LONG_MAX / 366) ||
+ (x->value.date.year < LONG_MIN / 366) ||
+ (y->value.date.year > LONG_MAX / 366) ||
+ (y->value.date.year < LONG_MIN / 366)) {
+ /* Possible overflow when converting to days. */
+ return -2;
+ }
+
if (x->value.date.tz_flag) {
if (!y->value.date.tz_flag) {
--
2.28.0.rc2

8
libxml2.spec
View File

@ -1,6 +1,6 @@
Name: libxml2 Name: libxml2
Version: 2.9.10 Version: 2.9.10
Release: 7%{?dist} Release: 8%{?dist}
Summary: Library providing XML and HTML support Summary: Library providing XML and HTML support
License: MIT License: MIT
@ -17,8 +17,9 @@ Patch3: libxml2-2.9.10-CVE-2019-20388.patch
Patch4: libxml2-2.9.10-CVE-2020-7595.patch Patch4: libxml2-2.9.10-CVE-2020-7595.patch
# https://gitlab.gnome.org/GNOME/libxml2/merge_requests/71 # https://gitlab.gnome.org/GNOME/libxml2/merge_requests/71
Patch5: libxml2-2.9.10-parenthesize-type-checks.patch Patch5: libxml2-2.9.10-parenthesize-type-checks.patch
Patch6: libxml2-2.9.10-fix-integer-overflow.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1877788 # https://bugzilla.redhat.com/show_bug.cgi?id=1877788
Patch6: libxml2-2.9.10-CVE-2020-24977.patch Patch7: libxml2-2.9.10-CVE-2020-24977.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
@ -147,6 +148,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so %{python3_sitearch}/libxml2mod.so
%changelog %changelog
* Wed Nov 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-8
- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.
* Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7 * Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7
- Add fix for CVE-2020-24977 (RHBZ#1877788). - Add fix for CVE-2020-24977 (RHBZ#1877788).