From 9c10d76726ac8a2d4577a2c8c25454468d881879 Mon Sep 17 00:00:00 2001 From: Troy Dawson Date: Mon, 16 Nov 2020 13:10:44 -0800 Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/libxml2#cfc15dfe1a449af07eb17ef9451c09ccafd7f76a --- libxml2-2.9.10-CVE-2020-24977.patch | 61 ++++++------- libxml2-2.9.10-fix-integer-overflow.patch | 41 +++++++++ libxml2.spec | 18 +++- python-py_ssize_t.patch | 102 ++++++++++++++++++++++ 4 files changed, 187 insertions(+), 35 deletions(-) create mode 100644 libxml2-2.9.10-fix-integer-overflow.patch create mode 100644 python-py_ssize_t.patch diff --git a/libxml2-2.9.10-CVE-2020-24977.patch b/libxml2-2.9.10-CVE-2020-24977.patch index b5a7bec..67ef0ac 100644 --- a/libxml2-2.9.10-CVE-2020-24977.patch +++ b/libxml2-2.9.10-CVE-2020-24977.patch @@ -1,41 +1,36 @@ -From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer -Date: Mon, 3 Aug 2020 17:30:41 +0200 -Subject: [PATCH] Fix integer overflow when comparing schema dates +Date: Fri, 7 Aug 2020 21:54:27 +0200 +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' -Found by OSS-Fuzz. +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds +array access. + +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for +the report. + +Fixes #178. --- - xmlschemastypes.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) + xmllint.c | 6 ++++++ + 1 file changed, 6 insertions(+) -diff --git a/xmlschemastypes.c b/xmlschemastypes.c -index 4249d700..d6b9f924 100644 ---- a/xmlschemastypes.c -+++ b/xmlschemastypes.c -@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) - minday = 0; - maxday = 0; - } else { -+ if (myear > LONG_MAX / 366) -+ return -2; - /* FIXME: This doesn't take leap year exceptions every 100/400 years - into account. */ - maxday = 365 * myear + (myear + 3) / 4; -@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) - if ((x == NULL) || (y == NULL)) - return -2; +diff --git a/xmllint.c b/xmllint.c +index f6a8e463..c647486f 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -528,6 +528,12 @@ static void + xmlHTMLEncodeSend(void) { + char *result; -+ if ((x->value.date.year > LONG_MAX / 366) || -+ (x->value.date.year < LONG_MIN / 366) || -+ (y->value.date.year > LONG_MAX / 366) || -+ (y->value.date.year < LONG_MIN / 366)) { -+ /* Possible overflow when converting to days. */ -+ return -2; -+ } -+ - if (x->value.date.tz_flag) { - - if (!y->value.date.tz_flag) { ++ /* ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid ++ * an out-of-bounds read. ++ */ ++ memset(&buffer[sizeof(buffer)-4], 0, 4); + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); + if (result) { + xmlGenericError(xmlGenericErrorContext, "%s", result); -- 2.28.0.rc2 diff --git a/libxml2-2.9.10-fix-integer-overflow.patch b/libxml2-2.9.10-fix-integer-overflow.patch new file mode 100644 index 0000000..b5a7bec --- /dev/null +++ b/libxml2-2.9.10-fix-integer-overflow.patch @@ -0,0 +1,41 @@ +From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 3 Aug 2020 17:30:41 +0200 +Subject: [PATCH] Fix integer overflow when comparing schema dates + +Found by OSS-Fuzz. +--- + xmlschemastypes.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 4249d700..d6b9f924 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) + minday = 0; + maxday = 0; + } else { ++ if (myear > LONG_MAX / 366) ++ return -2; + /* FIXME: This doesn't take leap year exceptions every 100/400 years + into account. */ + maxday = 365 * myear + (myear + 3) / 4; +@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + if ((x == NULL) || (y == NULL)) + return -2; + ++ if ((x->value.date.year > LONG_MAX / 366) || ++ (x->value.date.year < LONG_MIN / 366) || ++ (y->value.date.year > LONG_MAX / 366) || ++ (y->value.date.year < LONG_MIN / 366)) { ++ /* Possible overflow when converting to days. */ ++ return -2; ++ } ++ + if (x->value.date.tz_flag) { + + if (!y->value.date.tz_flag) { +-- +2.28.0.rc2 + diff --git a/libxml2.spec b/libxml2.spec index d893cf5..dbda596 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,6 +1,6 @@ Name: libxml2 Version: 2.9.10 -Release: 7%{?dist} +Release: 9%{?dist} Summary: Library providing XML and HTML support License: MIT @@ -17,8 +17,11 @@ Patch3: libxml2-2.9.10-CVE-2019-20388.patch Patch4: libxml2-2.9.10-CVE-2020-7595.patch # https://gitlab.gnome.org/GNOME/libxml2/merge_requests/71 Patch5: libxml2-2.9.10-parenthesize-type-checks.patch +Patch6: libxml2-2.9.10-fix-integer-overflow.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1877788 -Patch6: libxml2-2.9.10-CVE-2020-24977.patch +Patch7: libxml2-2.9.10-CVE-2020-24977.patch +# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/87 +Patch8: python-py_ssize_t.patch BuildRequires: gcc BuildRequires: make @@ -83,6 +86,9 @@ at parse time or later once the document has been modified. %autosetup -p1 find doc -type f -executable -print -exec chmod 0644 {} ';' +# Remove files generated by python/generator.py to force regenerating them +rm python/{libxml2-py.c,libxml2-py.h,libxml2-export.c} + %build mkdir py3 %global _configure ../configure @@ -147,6 +153,14 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Thu Nov 12 11:57:41 CET 2020 Victor Stinner - 2.9.10-9 +- Build the Python extension with the PY_SSIZE_T_CLEAN macro to make it + compatible with Python 3.10. +- Fixes: rhbz#1890878. + +* Wed Nov 11 2020 Richard W.M. Jones - 2.9.10-8 +- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot. + * Fri Sep 11 2020 Richard W.M. Jones - 2.9.10-7 - Add fix for CVE-2020-24977 (RHBZ#1877788). diff --git a/python-py_ssize_t.patch b/python-py_ssize_t.patch new file mode 100644 index 0000000..c422dfc --- /dev/null +++ b/python-py_ssize_t.patch @@ -0,0 +1,102 @@ +From 43e946dd497cc6ff0067b8a8f85c620376dfd4cd Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Mon, 9 Nov 2020 18:19:31 +0100 +Subject: [PATCH 1/2] Build the Python extension with PY_SSIZE_T_CLEAN + +The Python extension module now uses Py_ssize_t rather than int for +string lengths. This change makes the extension compatible with +Python 3.10. + +Fixes #203. +--- + python/generator.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +From b3db67629465823f042a5f3303ecdf8e4bd09a76 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Tue, 10 Nov 2020 15:42:36 +0100 +Subject: [PATCH 2/2] Convert python/libxml.c to PY_SSIZE_T_CLEAN + +Define PY_SSIZE_T_CLEAN macro in python/libxml.c and cast the string +length (int len) explicitly to Py_ssize_t when passing a string to a +function call using PyObject_CallMethod() with the "s#" format. +--- + python/libxml.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/python/generator.py b/python/generator.py +index c0cb3add..59d45e00 100755 +--- a/python/generator.py ++++ b/python/generator.py +@@ -393,7 +393,7 @@ def print_function_wrapper(name, output, export, include): + format_args = format_args + ", &%s" % (arg[0]) + if f == 's#': + format_args = format_args + ", &py_buffsize%d" % num_bufs +- c_args = c_args + " int py_buffsize%d;\n" % num_bufs ++ c_args = c_args + " Py_ssize_t py_buffsize%d;\n" % num_bufs + num_bufs = num_bufs + 1 + if c_call != "": + c_call = c_call + ", " +@@ -555,6 +555,7 @@ def buildStubs(): + export.write("/* Generated */\n\n") + wrapper = open("libxml2-py.c", "w") + wrapper.write("/* Generated */\n\n") ++ wrapper.write("#define PY_SSIZE_T_CLEAN\n") + wrapper.write("#include \n") + wrapper.write("#include \n") + wrapper.write("#include \n") +diff --git a/python/libxml.c b/python/libxml.c +index 81e709f3..3b66bd61 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -11,6 +11,7 @@ + * + * daniel@veillard.com + */ ++#define PY_SSIZE_T_CLEAN + #include + #include + /* #include "config.h" */ +@@ -1048,10 +1049,10 @@ pythonCharacters(void *user_data, const xmlChar * ch, int len) + if (type != 0) { + if (type == 1) + result = PyObject_CallMethod(handler, (char *) "characters", +- (char *) "s#", ch, len); ++ (char *) "s#", ch, (Py_ssize_t)len); + else if (type == 2) + result = PyObject_CallMethod(handler, (char *) "data", +- (char *) "s#", ch, len); ++ (char *) "s#", ch, (Py_ssize_t)len); + if (PyErr_Occurred()) + PyErr_Print(); + Py_XDECREF(result); +@@ -1078,11 +1079,11 @@ pythonIgnorableWhitespace(void *user_data, const xmlChar * ch, int len) + result = + PyObject_CallMethod(handler, + (char *) "ignorableWhitespace", +- (char *) "s#", ch, len); ++ (char *) "s#", ch, (Py_ssize_t)len); + else if (type == 2) + result = + PyObject_CallMethod(handler, (char *) "data", +- (char *) "s#", ch, len); ++ (char *) "s#", ch, (Py_ssize_t)len); + Py_XDECREF(result); + } + } +@@ -1223,11 +1224,11 @@ pythonCdataBlock(void *user_data, const xmlChar * ch, int len) + if (type == 1) + result = + PyObject_CallMethod(handler, (char *) "cdataBlock", +- (char *) "s#", ch, len); ++ (char *) "s#", ch, (Py_ssize_t)len); + else if (type == 2) + result = + PyObject_CallMethod(handler, (char *) "cdata", +- (char *) "s#", ch, len); ++ (char *) "s#", ch, (Py_ssize_t)len); + if (PyErr_Occurred()) + PyErr_Print(); + Py_XDECREF(result); +-- +2.26.2