From 9e00af655305b592e912ff99df0d03a6655b46de Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Mon, 10 Aug 2009 14:21:33 +0000 Subject: [PATCH] - two patches for parsing problems CVE-2009-2414 and CVE-2009-2416 Daniel --- libxml2-2.7.3-ficora-parse.patch | 159 +++++++++++++++++++++++++++++++ libxml2.spec | 5 + 2 files changed, 164 insertions(+) create mode 100644 libxml2-2.7.3-ficora-parse.patch diff --git a/libxml2-2.7.3-ficora-parse.patch b/libxml2-2.7.3-ficora-parse.patch new file mode 100644 index 0000000..e239b21 --- /dev/null +++ b/libxml2-2.7.3-ficora-parse.patch @@ -0,0 +1,159 @@ +diff --git a/parser.c b/parser.c +index a476060..b404722 100644 +--- a/parser.c ++++ b/parser.c +@@ -5323,7 +5323,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) { + if (name == NULL) { + xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, + "Name expected in NOTATION declaration\n"); +- return(ret); ++ xmlFreeEnumeration(ret); ++ return(NULL); + } + tmp = ret; + while (tmp != NULL) { +@@ -5339,7 +5340,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) { + } + if (tmp == NULL) { + cur = xmlCreateEnumeration(name); +- if (cur == NULL) return(ret); ++ if (cur == NULL) { ++ xmlFreeEnumeration(ret); ++ return(NULL); ++ } + if (last == NULL) ret = last = cur; + else { + last->next = cur; +@@ -5350,9 +5354,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) { + } while (RAW == '|'); + if (RAW != ')') { + xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); +- if ((last != NULL) && (last != ret)) +- xmlFreeEnumeration(last); +- return(ret); ++ xmlFreeEnumeration(ret); ++ return(NULL); + } + NEXT; + return(ret); +@@ -5407,7 +5410,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) { + cur = xmlCreateEnumeration(name); + if (!xmlDictOwns(ctxt->dict, name)) + xmlFree(name); +- if (cur == NULL) return(ret); ++ if (cur == NULL) { ++ xmlFreeEnumeration(ret); ++ return(NULL); ++ } + if (last == NULL) ret = last = cur; + else { + last->next = cur; +@@ -5775,9 +5781,10 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) { + } + + /** +- * xmlParseElementChildrenContentDecl: ++ * xmlParseElementChildrenContentDeclPriv: + * @ctxt: an XML parser context + * @inputchk: the input used for the current entity, needed for boundary checks ++ * @depth: the level of recursion + * + * parse the declaration for a Mixed Element content + * The leading '(' and spaces have been skipped in xmlParseElementContentDecl +@@ -5805,12 +5812,20 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) { + * Returns the tree of xmlElementContentPtr describing the element + * hierarchy. + */ +-xmlElementContentPtr +-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { ++static xmlElementContentPtr ++xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, ++ int depth) { + xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL; + const xmlChar *elem; + xmlChar type = 0; + ++ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || ++ (depth > 2048)) { ++ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, ++"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n", ++ depth); ++ return(NULL); ++ } + SKIP_BLANKS; + GROW; + if (RAW == '(') { +@@ -5819,7 +5834,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { + /* Recurse on first child */ + NEXT; + SKIP_BLANKS; +- cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); ++ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, ++ depth + 1); + SKIP_BLANKS; + GROW; + } else { +@@ -5951,7 +5967,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { + /* Recurse on second child */ + NEXT; + SKIP_BLANKS; +- last = xmlParseElementChildrenContentDecl(ctxt, inputid); ++ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, ++ depth + 1); + SKIP_BLANKS; + } else { + elem = xmlParseName(ctxt); +@@ -6062,6 +6079,44 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { + } + + /** ++ * ++ * xmlParseElementChildrenContentDecl: ++ * @ctxt: an XML parser context ++ * @inputchk: the input used for the current entity, needed for boundary checks ++ * @depth: the level of recursion ++ * ++ * parse the declaration for a Mixed Element content ++ * The leading '(' and spaces have been skipped in xmlParseElementContentDecl ++ * ++ * [47] children ::= (choice | seq) ('?' | '*' | '+')? ++ * ++ * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')? ++ * ++ * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')' ++ * ++ * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')' ++ * ++ * [ VC: Proper Group/PE Nesting ] applies to [49] and [50] ++ * TODO Parameter-entity replacement text must be properly nested ++ * with parenthesized groups. That is to say, if either of the ++ * opening or closing parentheses in a choice, seq, or Mixed ++ * construct is contained in the replacement text for a parameter ++ * entity, both must be contained in the same replacement text. For ++ * interoperability, if a parameter-entity reference appears in a ++ * choice, seq, or Mixed construct, its replacement text should not ++ * be empty, and neither the first nor last non-blank character of ++ * the replacement text should be a connector (| or ,). ++ * ++ * Returns the tree of xmlElementContentPtr describing the element ++ * hierarchy. ++ */ ++xmlElementContentPtr ++xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) { ++ /* stub left for API/ABI compat */ ++ return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1)); ++} ++ ++/** + * xmlParseElementContentDecl: + * @ctxt: an XML parser context + * @name: the name of the element being defined. +@@ -6097,7 +6152,7 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name, + tree = xmlParseElementMixedContentDecl(ctxt, inputid); + res = XML_ELEMENT_TYPE_MIXED; + } else { +- tree = xmlParseElementChildrenContentDecl(ctxt, inputid); ++ tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1); + res = XML_ELEMENT_TYPE_ELEMENT; + } + SKIP_BLANKS; diff --git a/libxml2.spec b/libxml2.spec index 1cb7c5e..0d9baee 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -9,6 +9,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python python-devel zlib-devel pkgconfig URL: http://xmlsoft.org/ Patch0: libxml2-multilib.patch +Patch1: libxml2-2.7.3-ficora-parse.patch %description This library allows to manipulate XML files. It includes support @@ -67,6 +68,7 @@ at parse time or later once the document has been modified. %prep %setup -q %patch0 -p1 +%patch1 -p1 %build %configure @@ -141,6 +143,9 @@ rm -fr %{buildroot} %doc doc/python.html %changelog +* Mon Aug 10 2009 Daniel Veillard - 2.7.3-4.fc11 +- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416 + * Sat Jul 25 2009 Fedora Release Engineering - 2.7.3-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild