Fixes for CVE-2008-4225 and CVE-2008-4226

2008-11-17 16:02:13 +00:00 · 2008-11-17 16:02:13 +00:00 · 433e072488
commit 433e072488
parent 809d4f928f
3 changed files with 72 additions and 1 deletions
--- a/CVE-2008-4225.patch
+++ b/CVE-2008-4225.patch
@ -0,0 +1,26 @@
+--- tree.c.orig	2008-10-31 18:14:00.000000000 -0700
+++ tree.c	2008-10-31 18:14:35.000000000 -0700
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+ 
+ #include <string.h> /* for memset() only ! */
+-
+#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6996,7 +6996,13 @@
+ 	case XML_BUFFER_ALLOC_DOUBLEIT:
+ 	    /*take care of empty case*/
+ 	    newSize = (buf->size ? buf->size*2 : size + 10);
+-	    while (size > newSize) newSize *= 2;
+	    while (size > newSize) {
+	        if (newSize > UINT_MAX / 2) {
+	            xmlTreeErrMemory("growing buffer");
+	            return 0;
+	        }
+	        newSize *= 2;
+	    }
+ 	    break;
+ 	case XML_BUFFER_ALLOC_EXACT:
+ 	    newSize = size+10;
--- a/CVE-2008-4226.patch
+++ b/CVE-2008-4226.patch
@ -0,0 +1,38 @@
+--- SAX2.c.orig	2008-01-25 08:10:04.000000000 -0500
+++ SAX2.c	2008-11-07 05:07:34.000000000 -0500
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
+#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+ 
+/* Define SIZE_T_MAX unless defined through <limits.h>. */
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX     ((size_t)-1)
+#endif /* !SIZE_T_MAX */
+
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+ 
+@@ -2445,9 +2451,14 @@
+ 	               (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ 		lastChild->content = xmlStrdup(lastChild->content);
+ 	    }
+	    if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || 
+	        (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
+	            xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+	            return;
+	    }
+ 	    if (ctxt->nodelen + len >= ctxt->nodemem) {
+ 		xmlChar *newbuf;
+-		int size;
+		size_t size;
+ 
+ 		size = ctxt->nodemem + len;
+ 		size *= 2;
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.7.2
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2-%{version}.tar.gz
@ -9,6 +9,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python python-devel zlib-devel
 URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
+Patch1: CVE-2008-4225.patch
+Patch2: CVE-2008-4226.patch

 %description
 This library allows to manipulate XML files. It includes support 
@ -67,6 +69,8 @@ at parse time or later once the document has been modified.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p0
+%patch2 -p0

 %build
 %configure
@ -141,6 +145,9 @@ rm -fr %{buildroot}
 %doc doc/python.html

 %changelog
+* Wed Nov 12 2008 Daniel Veillard <veillard@redhat.com> - 2.7.2-2.fc11
+- two patches for size overflows problems CVE-2008-4225 and CVE-2008-4226
+
 * Fri Oct  3 2008 Daniel Veillard <veillard@redhat.com> 2.7.2-1.fc10
 - new release 2.7.2
 - Fixes the known problems in 2.7.1