Compare commits
No commits in common. "c8" and "c9" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/libxml2-2.9.7.tar.gz
|
||||
SOURCES/libxml2-2.9.13.tar.xz
|
||||
|
||||
@ -1 +1 @@
|
||||
ab3325e6cdda50ab2382fdfe0bdb6f7d1b9224a6 SOURCES/libxml2-2.9.7.tar.gz
|
||||
7dced00d88181d559ee76c6d8ef4571eb1bd0b26 SOURCES/libxml2-2.9.13.tar.xz
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
|
||||
From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 14 Oct 2023 22:45:54 +0200
|
||||
Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
|
||||
@ -13,17 +13,17 @@ Fixes #604.
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/xmlreader.c b/xmlreader.c
|
||||
index 34c4c6bc..8f2f9131 100644
|
||||
index 979385a13..fefd68e0b 100644
|
||||
--- a/xmlreader.c
|
||||
+++ b/xmlreader.c
|
||||
@@ -1511,6 +1511,7 @@ node_found:
|
||||
@@ -1443,6 +1443,7 @@ node_found:
|
||||
* Handle XInclude if asked for
|
||||
*/
|
||||
if ((reader->xinclude) && (reader->node != NULL) &&
|
||||
if ((reader->xinclude) && (reader->in_xinclude == 0) &&
|
||||
+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
|
||||
(reader->node != NULL) &&
|
||||
(reader->node->type == XML_ELEMENT_NODE) &&
|
||||
(reader->node->ns != NULL) &&
|
||||
((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
|
||||
--
|
||||
2.44.0
|
||||
GitLab
|
||||
|
||||
@ -1,35 +0,0 @@
|
||||
diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c
|
||||
--- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200
|
||||
+++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100
|
||||
@@ -552,17 +552,20 @@ xz_decomp(xz_statep state)
|
||||
#ifdef HAVE_ZLIB_H
|
||||
if (state->how == GZIP) {
|
||||
if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
|
||||
- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
|
||||
- return -1;
|
||||
- }
|
||||
- if (crc != state->zstrm.adler) {
|
||||
- xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
|
||||
- return -1;
|
||||
- }
|
||||
- if (len != (state->zstrm.total_out & 0xffffffffL)) {
|
||||
- xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
|
||||
- return -1;
|
||||
- }
|
||||
+ /*
|
||||
+ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
|
||||
+ return -1;
|
||||
+ */
|
||||
+ } else {
|
||||
+ if (crc != state->zstrm.adler) {
|
||||
+ xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (len != (state->zstrm.total_out & 0xffffffffL)) {
|
||||
+ xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
state->strm.avail_in = 0;
|
||||
state->strm.next_in = NULL;
|
||||
state->strm.avail_out = 0;
|
||||
@ -1,4 +1,4 @@
|
||||
From d410ac5b7ef6ecf1254606408d55f98547c22bda Mon Sep 17 00:00:00 2001
|
||||
From ecc43dce8e2cd19f635841e788421d0f4bd72cce Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 8 Mar 2022 20:10:02 +0100
|
||||
Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and
|
||||
@ -16,7 +16,7 @@ Thanks to Felix Wilhelm for the report.
|
||||
2 files changed, 61 insertions(+), 97 deletions(-)
|
||||
|
||||
diff --git a/buf.c b/buf.c
|
||||
index 21cb9d80..f861d79b 100644
|
||||
index 24368d37..40a5ee06 100644
|
||||
--- a/buf.c
|
||||
+++ b/buf.c
|
||||
@@ -30,6 +30,10 @@
|
||||
@ -192,10 +192,10 @@ index 21cb9d80..f861d79b 100644
|
||||
|
||||
/**
|
||||
diff --git a/tree.c b/tree.c
|
||||
index 86a8da79..fc75f962 100644
|
||||
index 9d94aa42..86afb7d6 100644
|
||||
--- a/tree.c
|
||||
+++ b/tree.c
|
||||
@@ -7049,6 +7049,8 @@ xmlBufferPtr
|
||||
@@ -7104,6 +7104,8 @@ xmlBufferPtr
|
||||
xmlBufferCreateSize(size_t size) {
|
||||
xmlBufferPtr ret;
|
||||
|
||||
@ -204,7 +204,7 @@ index 86a8da79..fc75f962 100644
|
||||
ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
|
||||
if (ret == NULL) {
|
||||
xmlTreeErrMemory("creating buffer");
|
||||
@@ -7056,7 +7058,7 @@ xmlBufferCreateSize(size_t size) {
|
||||
@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
|
||||
}
|
||||
ret->use = 0;
|
||||
ret->alloc = xmlBufferAllocScheme;
|
||||
@ -213,7 +213,7 @@ index 86a8da79..fc75f962 100644
|
||||
if (ret->size){
|
||||
ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
|
||||
if (ret->content == NULL) {
|
||||
@@ -7116,6 +7118,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
|
||||
@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
|
||||
|
||||
if ((mem == NULL) || (size == 0))
|
||||
return(NULL);
|
||||
@ -222,7 +222,7 @@ index 86a8da79..fc75f962 100644
|
||||
|
||||
ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
|
||||
if (ret == NULL) {
|
||||
@@ -7263,28 +7267,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
|
||||
@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
|
||||
*/
|
||||
int
|
||||
xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
|
||||
@ -262,11 +262,11 @@ index 86a8da79..fc75f962 100644
|
||||
|
||||
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
|
||||
size_t start_buf = buf->content - buf->contentIO;
|
||||
@@ -7406,7 +7405,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
||||
@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
||||
case XML_BUFFER_ALLOC_IO:
|
||||
case XML_BUFFER_ALLOC_DOUBLEIT:
|
||||
/*take care of empty case*/
|
||||
- newSize = (buf->size ? buf->size*2 : size + 10);
|
||||
- newSize = (buf->size ? buf->size : size + 10);
|
||||
+ if (buf->size == 0)
|
||||
+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
|
||||
+ else
|
||||
@ -274,7 +274,7 @@ index 86a8da79..fc75f962 100644
|
||||
while (size > newSize) {
|
||||
if (newSize > UINT_MAX / 2) {
|
||||
xmlTreeErrMemory("growing buffer");
|
||||
@@ -7416,7 +7418,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
||||
@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
||||
}
|
||||
break;
|
||||
case XML_BUFFER_ALLOC_EXACT:
|
||||
@ -283,7 +283,7 @@ index 86a8da79..fc75f962 100644
|
||||
break;
|
||||
case XML_BUFFER_ALLOC_HYBRID:
|
||||
if (buf->use < BASE_BUFFER_SIZE)
|
||||
@@ -7434,7 +7436,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
||||
@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
||||
break;
|
||||
|
||||
default:
|
||||
@ -292,7 +292,7 @@ index 86a8da79..fc75f962 100644
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -7520,8 +7522,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
|
||||
@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
|
||||
if (len < 0) return -1;
|
||||
if (len == 0) return 0;
|
||||
|
||||
@ -305,7 +305,7 @@ index 86a8da79..fc75f962 100644
|
||||
if (!xmlBufferResize(buf, needSize)){
|
||||
xmlTreeErrMemory("growing buffer");
|
||||
return XML_ERR_NO_MEMORY;
|
||||
@@ -7634,29 +7638,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
|
||||
@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
|
||||
*/
|
||||
int
|
||||
xmlBufferCCat(xmlBufferPtr buf, const char *str) {
|
||||
@ -337,5 +337,5 @@ index 86a8da79..fc75f962 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.36.1
|
||||
2.36.0
|
||||
|
||||
@ -1,18 +1,28 @@
|
||||
From 7afb666b26cfb17689e5da98bed610a417083f9d Mon Sep 17 00:00:00 2001
|
||||
From: David King <amigadave@amigadave.com>
|
||||
Date: Tue, 3 Jan 2023 09:57:28 +0000
|
||||
Subject: [PATCH 1/2] Fix CVE-2022-40303
|
||||
From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 25 Aug 2022 17:43:08 +0200
|
||||
Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
|
||||
|
||||
Adapted from https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
|
||||
Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
|
||||
to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
|
||||
XML_MAX_HUGE_LENGTH (1 billion bytes).
|
||||
|
||||
Move some the length checks to the end of the respective loop to make
|
||||
them strict.
|
||||
|
||||
xmlParseEntityValue didn't have a length limitation at all. But without
|
||||
XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
|
||||
|
||||
Thanks to Maddie Stone working with Google Project Zero for the report!
|
||||
---
|
||||
parser.c | 232 +++++++++++++++++++++++++++++--------------------------
|
||||
1 file changed, 121 insertions(+), 111 deletions(-)
|
||||
parser.c | 233 +++++++++++++++++++++++++++++--------------------------
|
||||
1 file changed, 121 insertions(+), 112 deletions(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 1c5e036e..e66e4196 100644
|
||||
index 93f031be..79479979 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -108,6 +108,8 @@ static void xmlHaltParser(xmlParserCtxtPtr ctxt);
|
||||
@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
|
||||
* *
|
||||
************************************************************************/
|
||||
|
||||
@ -21,7 +31,7 @@ index 1c5e036e..e66e4196 100644
|
||||
#define XML_PARSER_BIG_ENTITY 1000
|
||||
#define XML_PARSER_LOT_ENTITY 5000
|
||||
|
||||
@@ -532,7 +534,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
|
||||
@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
|
||||
errmsg = "Malformed declaration expecting version";
|
||||
break;
|
||||
case XML_ERR_NAME_TOO_LONG:
|
||||
@ -30,7 +40,7 @@ index 1c5e036e..e66e4196 100644
|
||||
break;
|
||||
#if 0
|
||||
case:
|
||||
@@ -3150,6 +3152,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
int len = 0, l;
|
||||
int c;
|
||||
int count = 0;
|
||||
@ -40,7 +50,17 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
#ifdef DEBUG
|
||||
nbParseNameComplex++;
|
||||
@@ -3241,13 +3246,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
if (ctxt->instate == XML_PARSER_EOF)
|
||||
return(NULL);
|
||||
}
|
||||
- len += l;
|
||||
+ if (len <= INT_MAX - l)
|
||||
+ len += l;
|
||||
NEXTL(l);
|
||||
c = CUR_CHAR(l);
|
||||
}
|
||||
@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
if (ctxt->instate == XML_PARSER_EOF)
|
||||
return(NULL);
|
||||
}
|
||||
@ -57,7 +77,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
|
||||
return(NULL);
|
||||
}
|
||||
@@ -3286,7 +3291,10 @@ const xmlChar *
|
||||
@@ -3338,7 +3344,10 @@ const xmlChar *
|
||||
xmlParseName(xmlParserCtxtPtr ctxt) {
|
||||
const xmlChar *in;
|
||||
const xmlChar *ret;
|
||||
@ -69,7 +89,7 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
GROW;
|
||||
|
||||
@@ -3310,8 +3318,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
|
||||
in++;
|
||||
if ((*in > 0) && (*in < 0x80)) {
|
||||
count = in - ctxt->input->cur;
|
||||
@ -79,7 +99,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
|
||||
return(NULL);
|
||||
}
|
||||
@@ -3333,6 +3340,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
int len = 0, l;
|
||||
int c;
|
||||
int count = 0;
|
||||
@ -89,7 +109,7 @@ index 1c5e036e..e66e4196 100644
|
||||
size_t startPosition = 0;
|
||||
|
||||
#ifdef DEBUG
|
||||
@@ -3353,17 +3363,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
|
||||
(xmlIsNameChar(ctxt, c) && (c != ':'))) {
|
||||
if (count++ > XML_PARSER_CHUNK_SIZE) {
|
||||
@ -109,7 +129,7 @@ index 1c5e036e..e66e4196 100644
|
||||
NEXTL(l);
|
||||
c = CUR_CHAR(l);
|
||||
if (c == 0) {
|
||||
@@ -3381,8 +3387,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
c = CUR_CHAR(l);
|
||||
}
|
||||
}
|
||||
@ -119,7 +139,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
||||
return(NULL);
|
||||
}
|
||||
@@ -3408,7 +3413,10 @@ static const xmlChar *
|
||||
@@ -3459,7 +3465,10 @@ static const xmlChar *
|
||||
xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
||||
const xmlChar *in, *e;
|
||||
const xmlChar *ret;
|
||||
@ -131,7 +151,7 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
#ifdef DEBUG
|
||||
nbParseNCName++;
|
||||
@@ -3433,8 +3441,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
||||
goto complex;
|
||||
if ((*in > 0) && (*in < 0x80)) {
|
||||
count = in - ctxt->input->cur;
|
||||
@ -141,7 +161,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
||||
return(NULL);
|
||||
}
|
||||
@@ -3517,6 +3524,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
||||
@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
||||
const xmlChar *cur = *str;
|
||||
int len = 0, l;
|
||||
int c;
|
||||
@ -151,7 +171,7 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
#ifdef DEBUG
|
||||
nbParseStringName++;
|
||||
@@ -3552,12 +3562,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
||||
@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
||||
if (len + 10 > max) {
|
||||
xmlChar *tmp;
|
||||
|
||||
@ -164,7 +184,7 @@ index 1c5e036e..e66e4196 100644
|
||||
max *= 2;
|
||||
tmp = (xmlChar *) xmlRealloc(buffer,
|
||||
max * sizeof(xmlChar));
|
||||
@@ -3571,14 +3575,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
||||
@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
||||
COPY_BUF(l,buffer,len,c);
|
||||
cur += l;
|
||||
c = CUR_SCHAR(cur, l);
|
||||
@ -185,7 +205,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
||||
return(NULL);
|
||||
}
|
||||
@@ -3605,6 +3613,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
int len = 0, l;
|
||||
int c;
|
||||
int count = 0;
|
||||
@ -195,7 +215,7 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
#ifdef DEBUG
|
||||
nbParseNmToken++;
|
||||
@@ -3656,12 +3667,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
if (len + 10 > max) {
|
||||
xmlChar *tmp;
|
||||
|
||||
@ -208,7 +228,7 @@ index 1c5e036e..e66e4196 100644
|
||||
max *= 2;
|
||||
tmp = (xmlChar *) xmlRealloc(buffer,
|
||||
max * sizeof(xmlChar));
|
||||
@@ -3675,6 +3680,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
COPY_BUF(l,buffer,len,c);
|
||||
NEXTL(l);
|
||||
c = CUR_CHAR(l);
|
||||
@ -220,7 +240,7 @@ index 1c5e036e..e66e4196 100644
|
||||
}
|
||||
buffer[len] = 0;
|
||||
return(buffer);
|
||||
@@ -3682,8 +3692,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
||||
}
|
||||
if (len == 0)
|
||||
return(NULL);
|
||||
@ -230,7 +250,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
|
||||
return(NULL);
|
||||
}
|
||||
@@ -3709,6 +3718,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
||||
@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
||||
int len = 0;
|
||||
int size = XML_PARSER_BUFFER_SIZE;
|
||||
int c, l;
|
||||
@ -240,7 +260,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlChar stop;
|
||||
xmlChar *ret = NULL;
|
||||
const xmlChar *cur = NULL;
|
||||
@@ -3768,6 +3780,14 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
||||
@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
||||
GROW;
|
||||
c = CUR_CHAR(l);
|
||||
}
|
||||
@ -248,14 +268,12 @@ index 1c5e036e..e66e4196 100644
|
||||
+ if (len > maxLength) {
|
||||
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
|
||||
+ "entity value too long\n");
|
||||
+ if (buf != NULL)
|
||||
+ xmlFree(buf);
|
||||
+ return(ret);
|
||||
+ goto error;
|
||||
+ }
|
||||
}
|
||||
buf[len] = 0;
|
||||
if (ctxt->instate == XML_PARSER_EOF)
|
||||
@@ -3855,6 +3875,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
xmlChar *rep = NULL;
|
||||
size_t len = 0;
|
||||
size_t buf_size = 0;
|
||||
@ -265,7 +283,7 @@ index 1c5e036e..e66e4196 100644
|
||||
int c, l, in_space = 0;
|
||||
xmlChar *current = NULL;
|
||||
xmlEntityPtr ent;
|
||||
@@ -3886,16 +3909,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
@@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
while (((NXT(0) != limit) && /* checked */
|
||||
(IS_CHAR(c)) && (c != '<')) &&
|
||||
(ctxt->instate != XML_PARSER_EOF)) {
|
||||
@ -279,10 +297,10 @@ index 1c5e036e..e66e4196 100644
|
||||
- "AttValue length too long\n");
|
||||
- goto mem_error;
|
||||
- }
|
||||
if (c == 0) break;
|
||||
if (c == '&') {
|
||||
in_space = 0;
|
||||
@@ -4041,6 +4054,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
if (NXT(1) == '#') {
|
||||
@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
}
|
||||
GROW;
|
||||
c = CUR_CHAR(l);
|
||||
@ -294,13 +312,13 @@ index 1c5e036e..e66e4196 100644
|
||||
}
|
||||
if (ctxt->instate == XML_PARSER_EOF)
|
||||
goto error;
|
||||
@@ -4062,16 +4080,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
||||
} else
|
||||
NEXT;
|
||||
|
||||
- /*
|
||||
- * There we potentially risk an overflow, don't allow attribute value of
|
||||
- * length more than INT_MAX it is a very reasonnable assumption !
|
||||
- * length more than INT_MAX it is a very reasonable assumption !
|
||||
- */
|
||||
- if (len >= INT_MAX) {
|
||||
- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
||||
@ -311,7 +329,7 @@ index 1c5e036e..e66e4196 100644
|
||||
if (attlen != NULL) *attlen = (int) len;
|
||||
return(buf);
|
||||
|
||||
@@ -4142,6 +4150,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
||||
int len = 0;
|
||||
int size = XML_PARSER_BUFFER_SIZE;
|
||||
int cur, l;
|
||||
@ -321,7 +339,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlChar stop;
|
||||
int state = ctxt->instate;
|
||||
int count = 0;
|
||||
@@ -4169,13 +4180,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
||||
if (len + 5 >= size) {
|
||||
xmlChar *tmp;
|
||||
|
||||
@ -335,7 +353,7 @@ index 1c5e036e..e66e4196 100644
|
||||
size *= 2;
|
||||
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
|
||||
if (tmp == NULL) {
|
||||
@@ -4203,6 +4207,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
||||
SHRINK;
|
||||
cur = CUR_CHAR(l);
|
||||
}
|
||||
@ -348,7 +366,7 @@ index 1c5e036e..e66e4196 100644
|
||||
}
|
||||
buf[len] = 0;
|
||||
ctxt->instate = (xmlParserInputState) state;
|
||||
@@ -4230,6 +4240,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
||||
xmlChar *buf = NULL;
|
||||
int len = 0;
|
||||
int size = XML_PARSER_BUFFER_SIZE;
|
||||
@ -358,7 +376,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlChar cur;
|
||||
xmlChar stop;
|
||||
int count = 0;
|
||||
@@ -4257,12 +4270,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
||||
if (len + 1 >= size) {
|
||||
xmlChar *tmp;
|
||||
|
||||
@ -371,7 +389,7 @@ index 1c5e036e..e66e4196 100644
|
||||
size *= 2;
|
||||
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
|
||||
if (tmp == NULL) {
|
||||
@@ -4289,6 +4296,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
||||
SHRINK;
|
||||
cur = CUR;
|
||||
}
|
||||
@ -383,7 +401,7 @@ index 1c5e036e..e66e4196 100644
|
||||
}
|
||||
buf[len] = 0;
|
||||
if (cur != stop) {
|
||||
@@ -4686,6 +4698,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
||||
@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
||||
int r, rl;
|
||||
int cur, l;
|
||||
size_t count = 0;
|
||||
@ -393,7 +411,7 @@ index 1c5e036e..e66e4196 100644
|
||||
int inputid;
|
||||
|
||||
inputid = ctxt->input->id;
|
||||
@@ -4731,13 +4746,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
||||
@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
||||
if ((r == '-') && (q == '-')) {
|
||||
xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
|
||||
}
|
||||
@ -407,7 +425,7 @@ index 1c5e036e..e66e4196 100644
|
||||
if (len + 5 >= size) {
|
||||
xmlChar *new_buf;
|
||||
size_t new_size;
|
||||
@@ -4774,6 +4782,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
||||
@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
||||
GROW;
|
||||
cur = CUR_CHAR(l);
|
||||
}
|
||||
@ -421,7 +439,7 @@ index 1c5e036e..e66e4196 100644
|
||||
}
|
||||
buf[len] = 0;
|
||||
if (cur == 0) {
|
||||
@@ -4818,6 +4833,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
|
||||
@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
|
||||
xmlChar *buf = NULL;
|
||||
size_t size = XML_PARSER_BUFFER_SIZE;
|
||||
size_t len = 0;
|
||||
@ -431,7 +449,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlParserInputState state;
|
||||
const xmlChar *in;
|
||||
size_t nbchar = 0;
|
||||
@@ -4901,8 +4919,7 @@ get_more:
|
||||
@@ -4958,8 +4975,7 @@ get_more:
|
||||
buf[len] = 0;
|
||||
}
|
||||
}
|
||||
@ -441,7 +459,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
|
||||
"Comment too big found", NULL);
|
||||
xmlFree (buf);
|
||||
@@ -5098,6 +5115,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
||||
@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
||||
xmlChar *buf = NULL;
|
||||
size_t len = 0;
|
||||
size_t size = XML_PARSER_BUFFER_SIZE;
|
||||
@ -451,7 +469,7 @@ index 1c5e036e..e66e4196 100644
|
||||
int cur, l;
|
||||
const xmlChar *target;
|
||||
xmlParserInputState state;
|
||||
@@ -5172,14 +5192,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
||||
@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
||||
return;
|
||||
}
|
||||
count = 0;
|
||||
@ -466,7 +484,7 @@ index 1c5e036e..e66e4196 100644
|
||||
}
|
||||
COPY_BUF(l,buf,len,cur);
|
||||
NEXTL(l);
|
||||
@@ -5189,15 +5201,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
||||
@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
||||
GROW;
|
||||
cur = CUR_CHAR(l);
|
||||
}
|
||||
@ -489,7 +507,7 @@ index 1c5e036e..e66e4196 100644
|
||||
buf[len] = 0;
|
||||
if (cur != '?') {
|
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
|
||||
@@ -8851,6 +8862,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
const xmlChar *in = NULL, *start, *end, *last;
|
||||
xmlChar *ret = NULL;
|
||||
int line, col;
|
||||
@ -499,27 +517,27 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
GROW;
|
||||
in = (xmlChar *) CUR_PTR;
|
||||
@@ -8906,8 +8920,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
in = in + delta;
|
||||
}
|
||||
end = ctxt->input->end;
|
||||
@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
start = in;
|
||||
if (in >= end) {
|
||||
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
|
||||
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
||||
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
||||
+ if ((in - start) > maxLength) {
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
||||
"AttValue length too long\n");
|
||||
return(NULL);
|
||||
@@ -8929,8 +8942,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
in = in + delta;
|
||||
}
|
||||
end = ctxt->input->end;
|
||||
@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
if ((*in++ == 0x20) && (*in == 0x20)) break;
|
||||
if (in >= end) {
|
||||
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
|
||||
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
||||
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
||||
+ if ((in - start) > maxLength) {
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
||||
"AttValue length too long\n");
|
||||
return(NULL);
|
||||
@@ -8963,16 +8975,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
last = last + delta;
|
||||
}
|
||||
end = ctxt->input->end;
|
||||
@ -538,17 +556,17 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
||||
"AttValue length too long\n");
|
||||
return(NULL);
|
||||
@@ -8994,8 +9004,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
in = in + delta;
|
||||
}
|
||||
end = ctxt->input->end;
|
||||
@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
col++;
|
||||
if (in >= end) {
|
||||
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
|
||||
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
||||
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
||||
+ if ((in - start) > maxLength) {
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
||||
"AttValue length too long\n");
|
||||
return(NULL);
|
||||
@@ -9003,8 +9012,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
||||
}
|
||||
}
|
||||
last = in;
|
||||
@ -558,7 +576,7 @@ index 1c5e036e..e66e4196 100644
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
||||
"AttValue length too long\n");
|
||||
return(NULL);
|
||||
@@ -9711,6 +9719,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
||||
@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
||||
int s, sl;
|
||||
int cur, l;
|
||||
int count = 0;
|
||||
@ -568,7 +586,7 @@ index 1c5e036e..e66e4196 100644
|
||||
|
||||
/* Check 2.6.0 was NXT(0) not RAW */
|
||||
if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
|
||||
@@ -9744,13 +9755,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
||||
@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
||||
if (len + 5 >= size) {
|
||||
xmlChar *tmp;
|
||||
|
||||
@ -582,7 +600,7 @@ index 1c5e036e..e66e4196 100644
|
||||
tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
|
||||
if (tmp == NULL) {
|
||||
xmlFree(buf);
|
||||
@@ -9776,6 +9780,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
||||
@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
||||
}
|
||||
NEXTL(l);
|
||||
cur = CUR_CHAR(l);
|
||||
@ -596,5 +614,5 @@ index 1c5e036e..e66e4196 100644
|
||||
buf[len] = 0;
|
||||
ctxt->instate = XML_PARSER_CONTENT;
|
||||
--
|
||||
2.39.0
|
||||
GitLab
|
||||
|
||||
@ -1,7 +1,8 @@
|
||||
From a8fa5f7b5c3c745397b3178405d6be9fdb3cfcbc Mon Sep 17 00:00:00 2001
|
||||
From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Wed, 31 Aug 2022 22:11:25 +0200
|
||||
Subject: [PATCH 2/2] Fix dict corruption caused by entity reference cycles
|
||||
Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity
|
||||
reference cycles
|
||||
|
||||
When an entity reference cycle is detected, the entity content is
|
||||
cleared by setting its first byte to zero. But the entity content might
|
||||
@ -20,10 +21,10 @@ Zero for the report!
|
||||
1 file changed, 16 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/entities.c b/entities.c
|
||||
index c8193376..3bf1c3ce 100644
|
||||
index 84435515..d4e5412e 100644
|
||||
--- a/entities.c
|
||||
+++ b/entities.c
|
||||
@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity)
|
||||
@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
|
||||
if ((entity->children) && (entity->owner == 1) &&
|
||||
(entity == (xmlEntityPtr) entity->children->parent))
|
||||
xmlFreeNodeList(entity->children);
|
||||
@ -73,7 +74,7 @@ index c8193376..3bf1c3ce 100644
|
||||
xmlFree(entity);
|
||||
}
|
||||
|
||||
@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
|
||||
@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
|
||||
ret->SystemID = xmlStrdup(SystemID);
|
||||
} else {
|
||||
ret->name = xmlDictLookup(dict, name, -1);
|
||||
@ -96,5 +97,5 @@ index c8193376..3bf1c3ce 100644
|
||||
ret->length = 0;
|
||||
ret->content = NULL;
|
||||
--
|
||||
2.39.0
|
||||
GitLab
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
|
||||
From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
||||
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
||||
@ -14,29 +14,24 @@ have an impact on security.
|
||||
Found by OSS-Fuzz.
|
||||
|
||||
Fixes #510.
|
||||
|
||||
Incorporates change from commit
|
||||
09a2dd453007f9c7205274623acdd73747c22d64.
|
||||
---
|
||||
dict.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
dict.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/dict.c b/dict.c
|
||||
index 0ef3718d..5e84cfca 100644
|
||||
index c29d2af7..12ba94fd 100644
|
||||
--- a/dict.c
|
||||
+++ b/dict.c
|
||||
@@ -444,8 +444,9 @@ static unsigned long
|
||||
@@ -453,7 +453,8 @@ static unsigned long
|
||||
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
||||
unsigned long value = seed;
|
||||
|
||||
- if (name == NULL) return(0);
|
||||
- value = *name;
|
||||
+ if ((name == NULL) || (namelen <= 0))
|
||||
+ return(value);
|
||||
+ value += *name;
|
||||
value += *name;
|
||||
value <<= 5;
|
||||
if (namelen > 10) {
|
||||
value += name[namelen - 1];
|
||||
--
|
||||
2.41.0
|
||||
GitLab
|
||||
|
||||
@ -1,12 +0,0 @@
|
||||
diff -Nur libxml2-2.9.4.orig/python/types.c libxml2-2.9.4/python/types.c
|
||||
--- libxml2-2.9.4.orig/python/types.c 2016-02-09 03:17:33.000000000 -0700
|
||||
+++ libxml2-2.9.4/python/types.c 2016-12-21 12:34:06.755650986 -0700
|
||||
@@ -31,8 +31,6 @@
|
||||
const char *mode;
|
||||
|
||||
fd = PyObject_AsFileDescriptor(f);
|
||||
- if (!_PyVerify_fd(fd))
|
||||
- return(NULL);
|
||||
/*
|
||||
* Get the flags on the fd to understand how it was opened
|
||||
*/
|
||||
@ -1,88 +0,0 @@
|
||||
From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 15 Aug 2020 18:32:29 +0200
|
||||
Subject: [PATCH] Revert "Do not URI escape in server side includes"
|
||||
|
||||
This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
|
||||
|
||||
This commit introduced
|
||||
|
||||
- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
|
||||
- an algorithm with quadratic runtime
|
||||
- a security issue, see
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=769760
|
||||
|
||||
A better approach is to add an option not to escape URLs at all
|
||||
which libxml2 should have possibly done in the first place.
|
||||
---
|
||||
HTMLtree.c | 49 +++++++++++--------------------------------------
|
||||
1 file changed, 11 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/HTMLtree.c b/HTMLtree.c
|
||||
index 8d236bb3..cdb7f86a 100644
|
||||
--- a/HTMLtree.c
|
||||
+++ b/HTMLtree.c
|
||||
@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
|
||||
(!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
|
||||
((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
|
||||
(!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
|
||||
+ xmlChar *escaped;
|
||||
xmlChar *tmp = value;
|
||||
- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
|
||||
- xmlBufCCat(buf->buffer, "\"");
|
||||
|
||||
while (IS_BLANK_CH(*tmp)) tmp++;
|
||||
|
||||
- /* URI Escape everything, except server side includes. */
|
||||
- for ( ; ; ) {
|
||||
- xmlChar *escaped;
|
||||
- xmlChar endChar;
|
||||
- xmlChar *end = NULL;
|
||||
- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
|
||||
- if (start != NULL) {
|
||||
- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
|
||||
- if (end != NULL) {
|
||||
- *start = '\0';
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /* Escape the whole string, or until start (set to '\0'). */
|
||||
- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
|
||||
- if (escaped != NULL) {
|
||||
- xmlBufCat(buf->buffer, escaped);
|
||||
- xmlFree(escaped);
|
||||
- } else {
|
||||
- xmlBufCat(buf->buffer, tmp);
|
||||
- }
|
||||
-
|
||||
- if (end == NULL) { /* Everything has been written. */
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- /* Do not escape anything within server side includes. */
|
||||
- *start = '<'; /* Restore the first character of "<!--". */
|
||||
- end += 3; /* strlen("-->") */
|
||||
- endChar = *end;
|
||||
- *end = '\0';
|
||||
- xmlBufCat(buf->buffer, start);
|
||||
- *end = endChar;
|
||||
- tmp = end;
|
||||
+ /*
|
||||
+ * the < and > have already been escaped at the entity level
|
||||
+ * And doing so here breaks server side includes
|
||||
+ */
|
||||
+ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
|
||||
+ if (escaped != NULL) {
|
||||
+ xmlBufWriteQuotedString(buf->buffer, escaped);
|
||||
+ xmlFree(escaped);
|
||||
+ } else {
|
||||
+ xmlBufWriteQuotedString(buf->buffer, value);
|
||||
}
|
||||
-
|
||||
- xmlBufCCat(buf->buffer, "\"");
|
||||
} else {
|
||||
xmlBufWriteQuotedString(buf->buffer, value);
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,33 +0,0 @@
|
||||
From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
|
||||
From: Zhipeng Xie <xiezhipeng1@huawei.com>
|
||||
Date: Tue, 20 Aug 2019 16:33:06 +0800
|
||||
Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
|
||||
|
||||
When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
|
||||
alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
|
||||
to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
|
||||
vctxt->xsiAssemble to 0 again which cause the alloced schema
|
||||
can not be freed anymore.
|
||||
|
||||
Found with libFuzzer.
|
||||
|
||||
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
|
||||
---
|
||||
xmlschemas.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index 301c8449..39d92182 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
|
||||
vctxt->nberrors = 0;
|
||||
vctxt->depth = -1;
|
||||
vctxt->skipDepth = -1;
|
||||
- vctxt->xsiAssemble = 0;
|
||||
vctxt->hasKeyrefs = 0;
|
||||
#ifdef ENABLE_IDC_NODE_TABLES_TEST
|
||||
vctxt->createIDCNodeTables = 1;
|
||||
--
|
||||
2.24.1
|
||||
|
||||
@ -1,36 +0,0 @@
|
||||
From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 7 Aug 2020 21:54:27 +0200
|
||||
Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
|
||||
|
||||
Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
|
||||
array access.
|
||||
|
||||
Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
|
||||
the report.
|
||||
|
||||
Fixes #178.
|
||||
---
|
||||
xmllint.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/xmllint.c b/xmllint.c
|
||||
index f6a8e4636..c647486f3 100644
|
||||
--- a/xmllint.c
|
||||
+++ b/xmllint.c
|
||||
@@ -528,6 +528,12 @@ static void
|
||||
xmlHTMLEncodeSend(void) {
|
||||
char *result;
|
||||
|
||||
+ /*
|
||||
+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
|
||||
+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
|
||||
+ * an out-of-bounds read.
|
||||
+ */
|
||||
+ memset(&buffer[sizeof(buffer)-4], 0, 4);
|
||||
result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
|
||||
if (result) {
|
||||
xmlGenericError(xmlGenericErrorContext, "%s", result);
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,32 +0,0 @@
|
||||
From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
|
||||
From: Zhipeng Xie <xiezhipeng1@huawei.com>
|
||||
Date: Thu, 12 Dec 2019 17:30:55 +0800
|
||||
Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
|
||||
|
||||
When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
|
||||
return NULL which cause a infinite loop in xmlStringLenDecodeEntities
|
||||
|
||||
Found with libFuzzer.
|
||||
|
||||
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
|
||||
---
|
||||
parser.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index d1c31963..a34bb6cd 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
|
||||
else
|
||||
c = 0;
|
||||
while ((c != 0) && (c != end) && /* non input consuming loop */
|
||||
- (c != end2) && (c != end3)) {
|
||||
+ (c != end2) && (c != end3) &&
|
||||
+ (ctxt->instate != XML_PARSER_EOF)) {
|
||||
|
||||
if (c == 0) break;
|
||||
if ((c == '&') && (str[1] == '#')) {
|
||||
--
|
||||
2.24.1
|
||||
|
||||
@ -1,31 +0,0 @@
|
||||
From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Wed, 21 Apr 2021 13:23:27 +0200
|
||||
Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
|
||||
|
||||
Call htmlCtxtUseOptions to make sure that names aren't stored in
|
||||
dictionaries.
|
||||
|
||||
Note that this issue only affects xmllint using the HTML push parser.
|
||||
|
||||
Fixes #230.
|
||||
---
|
||||
xmllint.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/xmllint.c b/xmllint.c
|
||||
index 6ca1bf54..dbef273a 100644
|
||||
--- a/xmllint.c
|
||||
+++ b/xmllint.c
|
||||
@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
|
||||
if (res > 0) {
|
||||
ctxt = htmlCreatePushParserCtxt(NULL, NULL,
|
||||
chars, res, filename, XML_CHAR_ENCODING_NONE);
|
||||
- xmlCtxtUseOptions(ctxt, options);
|
||||
+ htmlCtxtUseOptions(ctxt, options);
|
||||
while ((res = fread(chars, 1, pushsize, f)) > 0) {
|
||||
htmlParseChunk(ctxt, chars, res, 0);
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
|
||||
From: Joel Hockey <joel.hockey@gmail.com>
|
||||
Date: Sun, 16 Aug 2020 17:19:35 -0700
|
||||
Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
|
||||
|
||||
Code is currently assuming UTF-8 without validating. Truncated UTF-8
|
||||
input can cause out-of-bounds array access.
|
||||
|
||||
Adds further checks to partial fix in 50f06b3e.
|
||||
|
||||
Fixes #178
|
||||
---
|
||||
entities.c | 16 +++++++++++++++-
|
||||
1 file changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/entities.c b/entities.c
|
||||
index 37b99a56..1a8f86f0 100644
|
||||
--- a/entities.c
|
||||
+++ b/entities.c
|
||||
@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
|
||||
} else {
|
||||
/*
|
||||
* We assume we have UTF-8 input.
|
||||
+ * It must match either:
|
||||
+ * 110xxxxx 10xxxxxx
|
||||
+ * 1110xxxx 10xxxxxx 10xxxxxx
|
||||
+ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
|
||||
+ * That is:
|
||||
+ * cur[0] is 11xxxxxx
|
||||
+ * cur[1] is 10xxxxxx
|
||||
+ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
|
||||
+ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
|
||||
+ * cur[0] is not 11111xxx
|
||||
*/
|
||||
char buf[11], *ptr;
|
||||
int val = 0, l = 1;
|
||||
|
||||
- if (*cur < 0xC0) {
|
||||
+ if (((cur[0] & 0xC0) != 0xC0) ||
|
||||
+ ((cur[1] & 0xC0) != 0x80) ||
|
||||
+ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
|
||||
+ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
|
||||
+ (((cur[0] & 0xF8) == 0xF8))) {
|
||||
xmlEntitiesErr(XML_CHECK_NOT_UTF8,
|
||||
"xmlEncodeEntities: input not UTF-8");
|
||||
if (doc != NULL)
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,247 +0,0 @@
|
||||
From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Wed, 10 Jun 2020 16:34:52 +0200
|
||||
Subject: [PATCH 1/2] Don't recurse into xi:include children in
|
||||
xmlXIncludeDoProcess
|
||||
|
||||
Otherwise, nested xi:include nodes might result in a use-after-free
|
||||
if XML_PARSE_NOXINCNODE is specified.
|
||||
|
||||
Found with libFuzzer and ASan.
|
||||
---
|
||||
result/XInclude/fallback3.xml | 8 ++++++++
|
||||
result/XInclude/fallback3.xml.err | 0
|
||||
result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
|
||||
result/XInclude/fallback4.xml | 10 ++++++++++
|
||||
result/XInclude/fallback4.xml.err | 0
|
||||
result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
|
||||
test/XInclude/docs/fallback3.xml | 9 +++++++++
|
||||
test/XInclude/docs/fallback4.xml | 7 +++++++
|
||||
xinclude.c | 24 ++++++++++--------------
|
||||
9 files changed, 98 insertions(+), 14 deletions(-)
|
||||
create mode 100644 result/XInclude/fallback3.xml
|
||||
create mode 100644 result/XInclude/fallback3.xml.err
|
||||
create mode 100644 result/XInclude/fallback3.xml.rdr
|
||||
create mode 100644 result/XInclude/fallback4.xml
|
||||
create mode 100644 result/XInclude/fallback4.xml.err
|
||||
create mode 100644 result/XInclude/fallback4.xml.rdr
|
||||
create mode 100644 test/XInclude/docs/fallback3.xml
|
||||
create mode 100644 test/XInclude/docs/fallback4.xml
|
||||
|
||||
diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
|
||||
new file mode 100644
|
||||
index 00000000..b4235514
|
||||
--- /dev/null
|
||||
+++ b/result/XInclude/fallback3.xml
|
||||
@@ -0,0 +1,8 @@
|
||||
+<?xml version="1.0"?>
|
||||
+<a>
|
||||
+ <doc xml:base="../ents/something.xml">
|
||||
+<p>something</p>
|
||||
+<p>really</p>
|
||||
+<p>simple</p>
|
||||
+</doc>
|
||||
+</a>
|
||||
diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
|
||||
new file mode 100644
|
||||
index 00000000..e69de29b
|
||||
diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
|
||||
new file mode 100644
|
||||
index 00000000..aa2f1374
|
||||
--- /dev/null
|
||||
+++ b/result/XInclude/fallback3.xml.rdr
|
||||
@@ -0,0 +1,25 @@
|
||||
+0 1 a 0 0
|
||||
+1 14 #text 0 1
|
||||
+
|
||||
+1 1 doc 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+2 1 p 0 0
|
||||
+3 3 #text 0 1 something
|
||||
+2 15 p 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+2 1 p 0 0
|
||||
+3 3 #text 0 1 really
|
||||
+2 15 p 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+2 1 p 0 0
|
||||
+3 3 #text 0 1 simple
|
||||
+2 15 p 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+1 15 doc 0 0
|
||||
+1 14 #text 0 1
|
||||
+
|
||||
+0 15 a 0 0
|
||||
diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
|
||||
new file mode 100644
|
||||
index 00000000..9883fd54
|
||||
--- /dev/null
|
||||
+++ b/result/XInclude/fallback4.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<?xml version="1.0"?>
|
||||
+<a>
|
||||
+
|
||||
+ <doc xml:base="../ents/something.xml">
|
||||
+<p>something</p>
|
||||
+<p>really</p>
|
||||
+<p>simple</p>
|
||||
+</doc>
|
||||
+
|
||||
+</a>
|
||||
diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
|
||||
new file mode 100644
|
||||
index 00000000..e69de29b
|
||||
diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
|
||||
new file mode 100644
|
||||
index 00000000..628b9513
|
||||
--- /dev/null
|
||||
+++ b/result/XInclude/fallback4.xml.rdr
|
||||
@@ -0,0 +1,29 @@
|
||||
+0 1 a 0 0
|
||||
+1 14 #text 0 1
|
||||
+
|
||||
+1 14 #text 0 1
|
||||
+
|
||||
+1 1 doc 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+2 1 p 0 0
|
||||
+3 3 #text 0 1 something
|
||||
+2 15 p 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+2 1 p 0 0
|
||||
+3 3 #text 0 1 really
|
||||
+2 15 p 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+2 1 p 0 0
|
||||
+3 3 #text 0 1 simple
|
||||
+2 15 p 0 0
|
||||
+2 14 #text 0 1
|
||||
+
|
||||
+1 15 doc 0 0
|
||||
+1 14 #text 0 1
|
||||
+
|
||||
+1 14 #text 0 1
|
||||
+
|
||||
+0 15 a 0 0
|
||||
diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
|
||||
new file mode 100644
|
||||
index 00000000..0c8b6c9e
|
||||
--- /dev/null
|
||||
+++ b/test/XInclude/docs/fallback3.xml
|
||||
@@ -0,0 +1,9 @@
|
||||
+<a>
|
||||
+ <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
+ <xi:fallback>
|
||||
+ <xi:include href="c.xml">
|
||||
+ <xi:fallback>There is no c.xml ... </xi:fallback>
|
||||
+ </xi:include>
|
||||
+ </xi:fallback>
|
||||
+ </xi:include>
|
||||
+</a>
|
||||
diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
|
||||
new file mode 100644
|
||||
index 00000000..b500a635
|
||||
--- /dev/null
|
||||
+++ b/test/XInclude/docs/fallback4.xml
|
||||
@@ -0,0 +1,7 @@
|
||||
+<a>
|
||||
+ <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
+ <xi:fallback>
|
||||
+ <xi:include href="../ents/something.xml"/>
|
||||
+ </xi:fallback>
|
||||
+ </xi:include>
|
||||
+</a>
|
||||
diff --git a/xinclude.c b/xinclude.c
|
||||
index ba850fa5..f260c1a7 100644
|
||||
--- a/xinclude.c
|
||||
+++ b/xinclude.c
|
||||
@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
|
||||
* First phase: lookup the elements in the document
|
||||
*/
|
||||
cur = tree;
|
||||
- if (xmlXIncludeTestNode(ctxt, cur) == 1)
|
||||
- xmlXIncludePreProcessNode(ctxt, cur);
|
||||
while ((cur != NULL) && (cur != tree->parent)) {
|
||||
/* TODO: need to work on entities -> stack */
|
||||
- if ((cur->children != NULL) &&
|
||||
- (cur->children->type != XML_ENTITY_DECL) &&
|
||||
- (cur->children->type != XML_XINCLUDE_START) &&
|
||||
- (cur->children->type != XML_XINCLUDE_END)) {
|
||||
- cur = cur->children;
|
||||
- if (xmlXIncludeTestNode(ctxt, cur))
|
||||
- xmlXIncludePreProcessNode(ctxt, cur);
|
||||
- } else if (cur->next != NULL) {
|
||||
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
|
||||
+ xmlXIncludePreProcessNode(ctxt, cur);
|
||||
+ } else if ((cur->children != NULL) &&
|
||||
+ (cur->children->type != XML_ENTITY_DECL) &&
|
||||
+ (cur->children->type != XML_XINCLUDE_START) &&
|
||||
+ (cur->children->type != XML_XINCLUDE_END)) {
|
||||
+ cur = cur->children;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (cur->next != NULL) {
|
||||
cur = cur->next;
|
||||
- if (xmlXIncludeTestNode(ctxt, cur))
|
||||
- xmlXIncludePreProcessNode(ctxt, cur);
|
||||
} else {
|
||||
if (cur == tree)
|
||||
break;
|
||||
@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
|
||||
break; /* do */
|
||||
if (cur->next != NULL) {
|
||||
cur = cur->next;
|
||||
- if (xmlXIncludeTestNode(ctxt, cur))
|
||||
- xmlXIncludePreProcessNode(ctxt, cur);
|
||||
break; /* do */
|
||||
}
|
||||
} while (cur != NULL);
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 22 Apr 2021 19:26:28 +0200
|
||||
Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
|
||||
|
||||
The --dropdtd option can leave dangling pointers in entity reference
|
||||
nodes. Make sure to skip these nodes when processing XIncludes.
|
||||
|
||||
This also avoids scanning entity declarations and even modifying
|
||||
them inadvertently during XInclude processing.
|
||||
|
||||
Move from a block list to an allow list approach to avoid descending
|
||||
into other node types that can't contain elements.
|
||||
|
||||
Fixes #237.
|
||||
---
|
||||
xinclude.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/xinclude.c b/xinclude.c
|
||||
index f260c1a7..d7648529 100644
|
||||
--- a/xinclude.c
|
||||
+++ b/xinclude.c
|
||||
@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
|
||||
if (xmlXIncludeTestNode(ctxt, cur) == 1) {
|
||||
xmlXIncludePreProcessNode(ctxt, cur);
|
||||
} else if ((cur->children != NULL) &&
|
||||
- (cur->children->type != XML_ENTITY_DECL) &&
|
||||
- (cur->children->type != XML_XINCLUDE_START) &&
|
||||
- (cur->children->type != XML_XINCLUDE_END)) {
|
||||
+ ((cur->type == XML_DOCUMENT_NODE) ||
|
||||
+ (cur->type == XML_ELEMENT_NODE))) {
|
||||
cur = cur->children;
|
||||
continue;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 1 May 2021 16:53:33 +0200
|
||||
Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
|
||||
|
||||
Check return value of recursive calls to
|
||||
xmlParseElementChildrenContentDeclPriv and return immediately in case
|
||||
of errors. Otherwise, struct xmlElementContent could contain unexpected
|
||||
null pointers, leading to a null deref when post-validating documents
|
||||
which aren't well-formed and parsed in recovery mode.
|
||||
|
||||
Fixes #243.
|
||||
---
|
||||
parser.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index b42e6043..73c27edd 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
|
||||
SKIP_BLANKS;
|
||||
cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
|
||||
depth + 1);
|
||||
+ if (cur == NULL)
|
||||
+ return(NULL);
|
||||
SKIP_BLANKS;
|
||||
GROW;
|
||||
} else {
|
||||
@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
|
||||
SKIP_BLANKS;
|
||||
last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
|
||||
depth + 1);
|
||||
+ if (last == NULL) {
|
||||
+ if (ret != NULL)
|
||||
+ xmlFreeDocElementContent(ctxt->myDoc, ret);
|
||||
+ return(NULL);
|
||||
+ }
|
||||
SKIP_BLANKS;
|
||||
} else {
|
||||
elem = xmlParseName(ctxt);
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,67 +0,0 @@
|
||||
From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Thu, 13 May 2021 14:55:12 +0200
|
||||
Subject: [PATCH] Patch for security issue CVE-2021-3541
|
||||
|
||||
This is relapted to parameter entities expansion and following
|
||||
the line of the billion laugh attack. Somehow in that path the
|
||||
counting of parameters was missed and the normal algorithm based
|
||||
on entities "density" was useless.
|
||||
---
|
||||
parser.c | 26 ++++++++++++++++++++++++++
|
||||
1 file changed, 26 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index f5e5e169..c9312fa4 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||
xmlEntityPtr ent, size_t replacement)
|
||||
{
|
||||
size_t consumed = 0;
|
||||
+ int i;
|
||||
|
||||
if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
|
||||
return (0);
|
||||
@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||
rep = NULL;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Prevent entity exponential check, not just replacement while
|
||||
+ * parsing the DTD
|
||||
+ * The check is potentially costly so do that only once in a thousand
|
||||
+ */
|
||||
+ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
|
||||
+ (ctxt->nbentities % 1024 == 0)) {
|
||||
+ for (i = 0;i < ctxt->inputNr;i++) {
|
||||
+ consumed += ctxt->inputTab[i]->consumed +
|
||||
+ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
|
||||
+ }
|
||||
+ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
|
||||
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
|
||||
+ ctxt->instate = XML_PARSER_EOF;
|
||||
+ return (1);
|
||||
+ }
|
||||
+ consumed = 0;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+
|
||||
if (replacement != 0) {
|
||||
if (replacement < XML_MAX_TEXT_LENGTH)
|
||||
return(0);
|
||||
@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
|
||||
xmlChar start[4];
|
||||
xmlCharEncoding enc;
|
||||
|
||||
+ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
|
||||
+ return;
|
||||
+
|
||||
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
|
||||
((ctxt->options & XML_PARSE_NOENT) == 0) &&
|
||||
((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,196 +0,0 @@
|
||||
From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 8 Feb 2022 03:29:24 +0100
|
||||
Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
|
||||
|
||||
If a document is parsed with XML_PARSE_DTDVALID and without
|
||||
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
|
||||
potentially expanding entities in xmlRemoveID. Otherwise, later calls
|
||||
to xmlGetID can return a pointer to previously freed memory.
|
||||
|
||||
ID attributes which are empty or contain only whitespace after
|
||||
entity expansion are affected in a similar way. This is fixed by
|
||||
not storing such attributes in the ID table.
|
||||
|
||||
The test to detect streaming mode when validating against a DTD was
|
||||
broken. In connection with the defects above, this could result in a
|
||||
use-after-free when using the xmlReader interface with validation.
|
||||
Fix detection of streaming mode to avoid similar issues. (This changes
|
||||
the expected result of a test case. But as far as I can tell, using the
|
||||
XML reader with XIncludes referencing the root document never worked
|
||||
properly, anyway.)
|
||||
|
||||
All of these issues can result in denial of service. Using xmlReader
|
||||
with validation could result in disclosure of memory via the error
|
||||
channel, typically stderr. The security impact of xmlGetID returning
|
||||
a pointer to freed memory depends on the application. The typical use
|
||||
case of calling xmlGetID on an unmodified document is not affected.
|
||||
---
|
||||
valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
|
||||
1 file changed, 55 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/valid.c b/valid.c
|
||||
index a64b96be..5b81059f 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
|
||||
return (ret);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * xmlValidNormalizeString:
|
||||
+ * @str: a string
|
||||
+ *
|
||||
+ * Normalize a string in-place.
|
||||
+ */
|
||||
+static void
|
||||
+xmlValidNormalizeString(xmlChar *str) {
|
||||
+ xmlChar *dst;
|
||||
+ const xmlChar *src;
|
||||
+
|
||||
+ if (str == NULL)
|
||||
+ return;
|
||||
+ src = str;
|
||||
+ dst = str;
|
||||
+
|
||||
+ while (*src == 0x20) src++;
|
||||
+ while (*src != 0) {
|
||||
+ if (*src == 0x20) {
|
||||
+ while (*src == 0x20) src++;
|
||||
+ if (*src != 0)
|
||||
+ *dst++ = 0x20;
|
||||
+ } else {
|
||||
+ *dst++ = *src++;
|
||||
+ }
|
||||
+ }
|
||||
+ *dst = 0;
|
||||
+}
|
||||
+
|
||||
#ifdef DEBUG_VALID_ALGO
|
||||
static void
|
||||
xmlValidPrintNode(xmlNodePtr cur) {
|
||||
@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
|
||||
(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
|
||||
xmlFree((char *)(str));
|
||||
|
||||
+static int
|
||||
+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
|
||||
+ xmlParserCtxtPtr pctxt;
|
||||
+
|
||||
+ if (ctxt == NULL)
|
||||
+ return(0);
|
||||
+ /*
|
||||
+ * These magic values are also abused to detect whether we're validating
|
||||
+ * while parsing a document. In this case, userData points to the parser
|
||||
+ * context.
|
||||
+ */
|
||||
+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
|
||||
+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
|
||||
+ return(0);
|
||||
+ pctxt = ctxt->userData;
|
||||
+ return(pctxt->parseMode == XML_PARSE_READER);
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* xmlFreeID:
|
||||
* @not: A id
|
||||
@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
if (doc == NULL) {
|
||||
return(NULL);
|
||||
}
|
||||
- if (value == NULL) {
|
||||
+ if ((value == NULL) || (value[0] == 0)) {
|
||||
return(NULL);
|
||||
}
|
||||
if (attr == NULL) {
|
||||
@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
*/
|
||||
ret->value = xmlStrdup(value);
|
||||
ret->doc = doc;
|
||||
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
|
||||
+ if (xmlIsStreaming(ctxt)) {
|
||||
/*
|
||||
* Operating in streaming mode, attr is gonna disapear
|
||||
*/
|
||||
@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
|
||||
ID = xmlNodeListGetString(doc, attr->children, 1);
|
||||
if (ID == NULL)
|
||||
return(-1);
|
||||
+ xmlValidNormalizeString(ID);
|
||||
|
||||
id = xmlHashLookup(table, ID);
|
||||
if (id == NULL || id->attr != attr) {
|
||||
@@ -2942,7 +2990,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
* fill the structure.
|
||||
*/
|
||||
ret->value = xmlStrdup(value);
|
||||
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
|
||||
+ if (xmlIsStreaming(ctxt)) {
|
||||
/*
|
||||
* Operating in streaming mode, attr is gonna disapear
|
||||
*/
|
||||
@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
xmlChar *
|
||||
xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
|
||||
- xmlChar *ret, *dst;
|
||||
- const xmlChar *src;
|
||||
+ xmlChar *ret;
|
||||
xmlAttributePtr attrDecl = NULL;
|
||||
int extsubset = 0;
|
||||
|
||||
@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
ret = xmlStrdup(value);
|
||||
if (ret == NULL)
|
||||
return(NULL);
|
||||
- src = value;
|
||||
- dst = ret;
|
||||
- while (*src == 0x20) src++;
|
||||
- while (*src != 0) {
|
||||
- if (*src == 0x20) {
|
||||
- while (*src == 0x20) src++;
|
||||
- if (*src != 0)
|
||||
- *dst++ = 0x20;
|
||||
- } else {
|
||||
- *dst++ = *src++;
|
||||
- }
|
||||
- }
|
||||
- *dst = 0;
|
||||
+ xmlValidNormalizeString(ret);
|
||||
if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
|
||||
xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
|
||||
"standalone: %s on %s value had to be normalized based on external subset declaration\n",
|
||||
@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
xmlChar *
|
||||
xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
|
||||
const xmlChar *name, const xmlChar *value) {
|
||||
- xmlChar *ret, *dst;
|
||||
- const xmlChar *src;
|
||||
+ xmlChar *ret;
|
||||
xmlAttributePtr attrDecl = NULL;
|
||||
|
||||
if (doc == NULL) return(NULL);
|
||||
@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
|
||||
ret = xmlStrdup(value);
|
||||
if (ret == NULL)
|
||||
return(NULL);
|
||||
- src = value;
|
||||
- dst = ret;
|
||||
- while (*src == 0x20) src++;
|
||||
- while (*src != 0) {
|
||||
- if (*src == 0x20) {
|
||||
- while (*src == 0x20) src++;
|
||||
- if (*src != 0)
|
||||
- *dst++ = 0x20;
|
||||
- } else {
|
||||
- *dst++ = *src++;
|
||||
- }
|
||||
- }
|
||||
- *dst = 0;
|
||||
+ xmlValidNormalizeString(ret);
|
||||
return(ret);
|
||||
}
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
||||
@ -1,191 +0,0 @@
|
||||
Make the XML entity recursion check more precise.
|
||||
|
||||
libxml doesn't detect entity recursion specifically but has a variety
|
||||
of related checks, such as entities not expanding too deeply or
|
||||
producing exponential blow-ups in content.
|
||||
|
||||
Because entity declarations are parsed in a separate context with
|
||||
their own element recursion budget, a recursive entity can overflow
|
||||
the stack using a lot of open elements (but within the per-context
|
||||
limit) as it slowly consumes (but does not exhaust) the entity depth
|
||||
budget.
|
||||
|
||||
This adds a specific, precise check for recursive entities that
|
||||
detects entity recursion specifically and fails immediately.
|
||||
|
||||
The existing entity expansion depth checks are still relevant for long
|
||||
chains of different entities.
|
||||
|
||||
BUG=628581
|
||||
|
||||
Review-Url: https://codereview.chromium.org/2539003002
|
||||
Cr-Commit-Position: refs/heads/master@{#436899}
|
||||
|
||||
|
||||
Index: libxml2-2.9.4/entities.c
|
||||
===================================================================
|
||||
--- libxml2-2.9.4.orig/entities.c
|
||||
+++ libxml2-2.9.4/entities.c
|
||||
@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x
|
||||
memset(ret, 0, sizeof(xmlEntity));
|
||||
ret->type = XML_ENTITY_DECL;
|
||||
ret->checked = 0;
|
||||
+ ret->guard = XML_ENTITY_NOT_BEING_CHECKED;
|
||||
|
||||
/*
|
||||
* fill the structure.
|
||||
@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) {
|
||||
cur->orig = xmlStrdup(ent->orig);
|
||||
if (ent->URI != NULL)
|
||||
cur->URI = xmlStrdup(ent->URI);
|
||||
+ cur->guard = 0;
|
||||
return(cur);
|
||||
}
|
||||
|
||||
Index: libxml2-2.9.4/include/libxml/entities.h
|
||||
===================================================================
|
||||
--- libxml2-2.9.4.orig/include/libxml/entities.h
|
||||
+++ libxml2-2.9.4/include/libxml/entities.h
|
||||
@@ -30,6 +30,11 @@ typedef enum {
|
||||
XML_INTERNAL_PREDEFINED_ENTITY = 6
|
||||
} xmlEntityType;
|
||||
|
||||
+typedef enum {
|
||||
+ XML_ENTITY_NOT_BEING_CHECKED,
|
||||
+ XML_ENTITY_BEING_CHECKED /* entity check is in progress */
|
||||
+} xmlEntityRecursionGuard;
|
||||
+
|
||||
/*
|
||||
* An unit of storage for an entity, contains the string, the value
|
||||
* and the linkind data needed for the linking in the hash table.
|
||||
@@ -60,6 +65,7 @@ struct _xmlEntity {
|
||||
/* this is also used to count entities
|
||||
* references done from that entity
|
||||
* and if it contains '<' */
|
||||
+ xmlEntityRecursionGuard guard;
|
||||
};
|
||||
|
||||
/*
|
||||
Index: libxml2-2.9.4/parser.c
|
||||
===================================================================
|
||||
--- libxml2-2.9.4.orig/parser.c
|
||||
+++ libxml2-2.9.4/parser.c
|
||||
@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
|
||||
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
|
||||
return (1);
|
||||
|
||||
+ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) {
|
||||
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
|
||||
+ return (1);
|
||||
+ }
|
||||
/*
|
||||
* This may look absurd but is needed to detect
|
||||
* entities problems
|
||||
@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
|
||||
unsigned long oldnbent = ctxt->nbentities;
|
||||
xmlChar *rep;
|
||||
|
||||
+ ent->guard = XML_ENTITY_BEING_CHECKED;
|
||||
ent->checked = 1;
|
||||
|
||||
++ctxt->depth;
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||
--ctxt->depth;
|
||||
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
|
||||
if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
|
||||
ent->content[0] = 0;
|
||||
}
|
||||
@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
|
||||
* if its replacement text matches the production labeled
|
||||
* content.
|
||||
*/
|
||||
- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
|
||||
- ctxt->depth++;
|
||||
- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
|
||||
- user_data, &list);
|
||||
- ctxt->depth--;
|
||||
-
|
||||
- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
|
||||
- ctxt->depth++;
|
||||
- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
|
||||
- user_data, ctxt->depth, ent->URI,
|
||||
- ent->ExternalID, &list);
|
||||
- ctxt->depth--;
|
||||
- } else {
|
||||
- ret = XML_ERR_ENTITY_PE_INTERNAL;
|
||||
- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
|
||||
- "invalid entity type found\n", NULL);
|
||||
- }
|
||||
+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
|
||||
+ ret = XML_ERR_ENTITY_LOOP;
|
||||
+ } else {
|
||||
+ ent->guard = XML_ENTITY_BEING_CHECKED;
|
||||
+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
|
||||
+ ctxt->depth++;
|
||||
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
|
||||
+ user_data, &list);
|
||||
+ ctxt->depth--;
|
||||
+ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
|
||||
+ ctxt->depth++;
|
||||
+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
|
||||
+ user_data, ctxt->depth, ent->URI,
|
||||
+ ent->ExternalID, &list);
|
||||
+ ctxt->depth--;
|
||||
+ } else {
|
||||
+ ret = XML_ERR_ENTITY_PE_INTERNAL;
|
||||
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
|
||||
+ "invalid entity type found\n", NULL);
|
||||
+ }
|
||||
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Store the number of entities needing parsing for this entity
|
||||
@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
|
||||
else
|
||||
user_data = ctxt->userData;
|
||||
|
||||
- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
|
||||
- ctxt->depth++;
|
||||
- ret = xmlParseBalancedChunkMemoryInternal(ctxt,
|
||||
- ent->content, user_data, NULL);
|
||||
- ctxt->depth--;
|
||||
- } else if (ent->etype ==
|
||||
- XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
|
||||
- ctxt->depth++;
|
||||
- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
|
||||
- ctxt->sax, user_data, ctxt->depth,
|
||||
- ent->URI, ent->ExternalID, NULL);
|
||||
- ctxt->depth--;
|
||||
- } else {
|
||||
- ret = XML_ERR_ENTITY_PE_INTERNAL;
|
||||
- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
|
||||
- "invalid entity type found\n", NULL);
|
||||
- }
|
||||
+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
|
||||
+ ret = XML_ERR_ENTITY_LOOP;
|
||||
+ } else {
|
||||
+ ent->guard = XML_ENTITY_BEING_CHECKED;
|
||||
+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
|
||||
+ ctxt->depth++;
|
||||
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt,
|
||||
+ ent->content, user_data, NULL);
|
||||
+ ctxt->depth--;
|
||||
+ } else if (ent->etype ==
|
||||
+ XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
|
||||
+ ctxt->depth++;
|
||||
+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
|
||||
+ ctxt->sax, user_data, ctxt->depth,
|
||||
+ ent->URI, ent->ExternalID, NULL);
|
||||
+ ctxt->depth--;
|
||||
+ } else {
|
||||
+ ret = XML_ERR_ENTITY_PE_INTERNAL;
|
||||
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
|
||||
+ "invalid entity type found\n", NULL);
|
||||
+ }
|
||||
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
|
||||
+ }
|
||||
if (ret == XML_ERR_ENTITY_LOOP) {
|
||||
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
|
||||
return;
|
||||
@ -1,54 +0,0 @@
|
||||
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Mon, 30 Jul 2018 12:54:38 +0200
|
||||
Subject: [PATCH] Fix nullptr deref with XPath logic ops
|
||||
|
||||
If the XPath stack is corrupted, for example by a misbehaving extension
|
||||
function, the "and" and "or" XPath operators could dereference NULL
|
||||
pointers. Check that the XPath stack isn't empty and optimize the
|
||||
logic operators slightly.
|
||||
|
||||
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
|
||||
|
||||
Also see
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
|
||||
|
||||
This is CVE-2018-14404.
|
||||
|
||||
Thanks to Guy Inbar for the report.
|
||||
---
|
||||
xpath.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/xpath.c b/xpath.c
|
||||
index 3fae0bf4..5e3bb9ff 100644
|
||||
--- a/xpath.c
|
||||
+++ b/xpath.c
|
||||
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
||||
return(0);
|
||||
}
|
||||
xmlXPathBooleanFunction(ctxt, 1);
|
||||
- arg1 = valuePop(ctxt);
|
||||
- arg1->boolval &= arg2->boolval;
|
||||
- valuePush(ctxt, arg1);
|
||||
+ if (ctxt->value != NULL)
|
||||
+ ctxt->value->boolval &= arg2->boolval;
|
||||
xmlXPathReleaseObject(ctxt->context, arg2);
|
||||
return (total);
|
||||
case XPATH_OP_OR:
|
||||
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
||||
return(0);
|
||||
}
|
||||
xmlXPathBooleanFunction(ctxt, 1);
|
||||
- arg1 = valuePop(ctxt);
|
||||
- arg1->boolval |= arg2->boolval;
|
||||
- valuePush(ctxt, arg1);
|
||||
+ if (ctxt->value != NULL)
|
||||
+ ctxt->value->boolval |= arg2->boolval;
|
||||
xmlXPathReleaseObject(ctxt->context, arg2);
|
||||
return (total);
|
||||
case XPATH_OP_EQUAL:
|
||||
--
|
||||
2.22.0
|
||||
|
||||
@ -1,50 +0,0 @@
|
||||
From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Mon, 30 Jul 2018 13:14:11 +0200
|
||||
Subject: [PATCH] Fix infinite loop in LZMA decompression
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Check the liblzma error code more thoroughly to avoid infinite loops.
|
||||
|
||||
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
|
||||
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
|
||||
|
||||
This is CVE-2018-9251 and CVE-2018-14567.
|
||||
|
||||
Thanks to Dongliang Mu and Simon Wörner for the reports.
|
||||
---
|
||||
xzlib.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/xzlib.c b/xzlib.c
|
||||
index a839169e..0ba88cfa 100644
|
||||
--- a/xzlib.c
|
||||
+++ b/xzlib.c
|
||||
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
|
||||
"internal error: inflate stream corrupt");
|
||||
return -1;
|
||||
}
|
||||
+ /*
|
||||
+ * FIXME: Remapping a couple of error codes and falling through
|
||||
+ * to the LZMA error handling looks fragile.
|
||||
+ */
|
||||
if (ret == Z_MEM_ERROR)
|
||||
ret = LZMA_MEM_ERROR;
|
||||
if (ret == Z_DATA_ERROR)
|
||||
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
|
||||
xz_error(state, LZMA_PROG_ERROR, "compression error");
|
||||
return -1;
|
||||
}
|
||||
+ if ((state->how != GZIP) &&
|
||||
+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
|
||||
+ xz_error(state, ret, "lzma error");
|
||||
+ return -1;
|
||||
+ }
|
||||
} while (strm->avail_out && ret != LZMA_STREAM_END);
|
||||
|
||||
/* update available output and crc check value */
|
||||
--
|
||||
2.22.0
|
||||
|
||||
@ -1,33 +0,0 @@
|
||||
From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
|
||||
From: Zhipeng Xie <xiezhipeng1@huawei.com>
|
||||
Date: Wed, 7 Aug 2019 17:39:17 +0800
|
||||
Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
|
||||
|
||||
When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
|
||||
is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
|
||||
NULL and free newDoc will cause a memory leak.
|
||||
|
||||
Found with libFuzzer.
|
||||
|
||||
Closes #82.
|
||||
---
|
||||
parser.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 1ce1ccf1..26d9f4e3 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
|
||||
xmlFreeParserCtxt(ctxt);
|
||||
newDoc->intSubset = NULL;
|
||||
newDoc->extSubset = NULL;
|
||||
- newDoc->oldNs = NULL;
|
||||
+ if(doc != NULL)
|
||||
+ newDoc->oldNs = NULL;
|
||||
xmlFreeDoc(newDoc);
|
||||
|
||||
return(ret);
|
||||
--
|
||||
2.24.1
|
||||
|
||||
@ -6,9 +6,9 @@
|
||||
exec_prefix=@exec_prefix@
|
||||
includedir=@includedir@
|
||||
! libdir=@libdir@
|
||||
cflags=
|
||||
libs=
|
||||
|
||||
usage()
|
||||
{
|
||||
--- 3,14 ----
|
||||
prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
@ -19,6 +19,6 @@
|
||||
! else
|
||||
! libdir=${exec_prefix}/lib64
|
||||
! fi
|
||||
cflags=
|
||||
libs=
|
||||
|
||||
usage()
|
||||
{
|
||||
|
||||
@ -1,72 +1,33 @@
|
||||
%if 0%{?rhel} > 7
|
||||
# Disable python2 build by default
|
||||
%bcond_with python2
|
||||
%else
|
||||
%bcond_without python2
|
||||
%endif
|
||||
|
||||
Name: libxml2
|
||||
Version: 2.9.7
|
||||
Release: 18%{?dist}.1
|
||||
Version: 2.9.13
|
||||
Release: 6%{?dist}
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
License: MIT
|
||||
URL: http://xmlsoft.org/
|
||||
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
|
||||
Source0: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
|
||||
Patch0: libxml2-multilib.patch
|
||||
# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
|
||||
Patch1: libxml2-2.9.0-do-not-check-crc.patch
|
||||
# In python3.6 _PyVerify_fd is no more
|
||||
# http://bugs.python.org/issue23524
|
||||
Patch2: libxml2-2.9.4-remove-pyverify_fd.patch
|
||||
# https://codereview.chromium.org/2539003002
|
||||
Patch3: libxml2-CVE-2016-9597.patch
|
||||
# Fix some crashes under Python 3
|
||||
# https://bugzilla.gnome.org/show_bug.cgi?id=789714
|
||||
Patch4: libxml2-python3-unicode-errors.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1565322
|
||||
Patch5: libxml2-CVE-2018-9251.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1595989
|
||||
Patch6: libxml2-CVE-2018-14404.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1793001
|
||||
Patch7: libxml2-CVE-2019-19956.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1799786
|
||||
Patch8: libxml2-2.9.7-CVE-2020-7595.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1810058
|
||||
Patch9: libxml2-2.9.7-CVE-2019-20388.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1878252
|
||||
Patch10: libxml2-2.9.7-CVE-2020-24977.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1956976
|
||||
Patch11: libxml2-2.9.7-CVE-2021-3516.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957001
|
||||
Patch12: libxml2-2.9.7-CVE-2021-3517.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957028
|
||||
Patch13: libxml2-2.9.7-CVE-2021-3518.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957284
|
||||
Patch14: libxml2-2.9.7-CVE-2021-3537.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1958783
|
||||
Patch15: libxml2-2.9.7-CVE-2021-3541.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2057664
|
||||
Patch16: libxml2-2.9.7-CVE-2022-23308.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2082298
|
||||
Patch17: libxml2-2.9.7-CVE-2022-29824.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2120781
|
||||
Patch18: libxml2-2.9.7-CVE-2016-3709.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136563
|
||||
Patch19: libxml2-2.9.7-CVE-2022-40303.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136568
|
||||
Patch20: libxml2-2.9.7-CVE-2022-40304.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2186692
|
||||
Patch21: libxml2-2.9.13-CVE-2023-28484.patch
|
||||
Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch
|
||||
Patch23: libxml2-2.9.7-CVE-2023-29469.patch
|
||||
# https://issues.redhat.com/browse/RHEL-5179
|
||||
Patch24: libxml2-2.11.0-fix-CVE-2023-39615.patch
|
||||
# https://issues.redhat.com/browse/RHEL-31056
|
||||
Patch25: libxml2-2.9.7-CVE-2024-25062.patch
|
||||
# Patch from openSUSE.
|
||||
# See: https://bugzilla.gnome.org/show_bug.cgi?id=789714
|
||||
Patch1: libxml2-2.9.8-python3-unicode-errors.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2082300
|
||||
Patch2: libxml2-2.9.13-CVE-2022-29824.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136564
|
||||
Patch3: libxml2-2.9.13-CVE-2022-40303.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136569
|
||||
Patch4: libxml2-2.9.13-CVE-2022-40304.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2186694
|
||||
Patch5: libxml2-2.9.13-CVE-2023-28484.patch
|
||||
Patch6: libxml2-2.9.13-CVE-2023-28484.2.patch
|
||||
Patch7: libxml2-2.9.13-CVE-2023-29469.patch
|
||||
# https://issues.redhat.com/browse/RHEL-5180
|
||||
Patch8: libxml2-2.11.0-fix-CVE-2023-39615.patch
|
||||
# https://issues.redhat.com/browse/RHEL-34457
|
||||
Patch9: libxml2-2.11.6-CVE-2024-25062.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake-rpm-macros
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: pkgconfig(zlib)
|
||||
BuildRequires: pkgconfig(liblzma)
|
||||
|
||||
@ -106,26 +67,6 @@ Summary: Static library for libxml2
|
||||
Static library for libxml2 provided for specific uses or shaving a few
|
||||
microseconds when parsing, do not link to them for generic purpose packages.
|
||||
|
||||
%if %{with python2}
|
||||
%package -n python2-%{name}
|
||||
%{?python_provide:%python_provide python2-%{name}}
|
||||
Summary: Python bindings for the libxml2 library
|
||||
BuildRequires: python2-devel
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
Obsoletes: %{name}-python < %{version}-%{release}
|
||||
Provides: %{name}-python = %{version}-%{release}
|
||||
|
||||
%description -n python2-%{name}
|
||||
The libxml2-python package contains a Python 2 module that permits applications
|
||||
written in the Python programming language, version 2, to use the interface
|
||||
supplied by the libxml2 library to manipulate XML files.
|
||||
|
||||
This library allows to manipulate XML files. It includes support
|
||||
to read, modify and write XML and HTML files. There is DTDs support
|
||||
this includes parsing and validation even with complex DTDs, either
|
||||
at parse time or later once the document has been modified.
|
||||
%endif # with python2
|
||||
|
||||
%package -n python3-%{name}
|
||||
Summary: Python 3 bindings for the libxml2 library
|
||||
BuildRequires: python3-devel
|
||||
@ -147,27 +88,15 @@ at parse time or later once the document has been modified.
|
||||
%autosetup -p1
|
||||
find doc -type f -executable -print -exec chmod 0644 {} ';'
|
||||
|
||||
# Remove files generated by python/generator.py to force regenerating them
|
||||
rm python/{libxml2-py.c,libxml2-py.h,libxml2-export.c}
|
||||
|
||||
%build
|
||||
%if %{with python2}
|
||||
mkdir py2
|
||||
%endif # with python2
|
||||
mkdir py3
|
||||
%global _configure ../configure
|
||||
%global _configure_disable_silent_rules 1
|
||||
%if %{with python2}
|
||||
( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} )
|
||||
%endif # with python2
|
||||
( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} )
|
||||
%if %{with python2}
|
||||
%make_build -C py2
|
||||
%endif # with python2
|
||||
%make_build -C py3
|
||||
%configure --with-python=%{__python3}
|
||||
%make_build
|
||||
|
||||
%install
|
||||
%if %{with python2}
|
||||
%make_install -C py2
|
||||
%endif # with python2
|
||||
%make_install -C py3
|
||||
%make_install
|
||||
|
||||
# multiarch crazyness on timestamp differences or Makefile/binaries for examples
|
||||
touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config
|
||||
@ -175,20 +104,17 @@ touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildr
|
||||
find %{buildroot} -type f -name '*.la' -print -delete
|
||||
rm -vf %{buildroot}{%{python2_sitearch},%{python3_sitearch}}/*.a
|
||||
rm -vrf %{buildroot}%{_datadir}/doc/
|
||||
#(cd doc/examples ; make clean ; rm -rf .deps Makefile)
|
||||
(cd doc/examples ; make clean ; rm -rf .deps Makefile)
|
||||
gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
|
||||
%check
|
||||
%if %{with python2}
|
||||
%make_build runtests -C py2
|
||||
%endif # with python2
|
||||
%make_build runtests -C py3
|
||||
%make_build runtests
|
||||
|
||||
%ldconfig_scriptlets
|
||||
|
||||
%files
|
||||
%license Copyright
|
||||
%doc AUTHORS NEWS README TODO
|
||||
%doc NEWS README.md TODO
|
||||
%{_libdir}/libxml2.so.2*
|
||||
%{_mandir}/man3/libxml.3*
|
||||
%{_bindir}/xmllint
|
||||
@ -216,15 +142,6 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%license Copyright
|
||||
%{_libdir}/libxml2.a
|
||||
|
||||
%if %{with python2}
|
||||
%files -n python2-%{name}
|
||||
%doc python/TODO python/libxml2class.txt
|
||||
%doc doc/*.py doc/python.html
|
||||
%{python2_sitearch}/libxml2.py*
|
||||
%{python2_sitearch}/drv_libxml2.py*
|
||||
%{python2_sitearch}/libxml2mod.so
|
||||
%endif # with python2
|
||||
|
||||
%files -n python3-%{name}
|
||||
%doc python/TODO python/libxml2class.txt
|
||||
%doc doc/*.py doc/python.html
|
||||
@ -235,58 +152,117 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
|
||||
%changelog
|
||||
* Mon Apr 29 2024 David King <amigadave@amigadave.com> - 2.9.7-18.1
|
||||
- Fix CVE-2024-25062 (RHEL-31056)
|
||||
* Mon Apr 29 2024 David King <amigadave@amigadave.com> - 2.9.13-6
|
||||
- Fix CVE-2024-25062 (RHEL-29196)
|
||||
|
||||
* Thu Sep 14 2023 David King <amigadave@amigadave.com> - 2.9.7-18
|
||||
- Fix CVE-2023-39615 (RHEL-5179)
|
||||
* Thu Sep 14 2023 David King <amigadave@amigadave.com> - 2.9.13-5
|
||||
- Fix CVE-2023-39615 (RHEL-5180)
|
||||
|
||||
* Fri Jul 14 2023 David King <amigadave@amigadave.com> - 2.9.7-17
|
||||
- Fix CVE-2023-28484 (#2186692)
|
||||
- Fix CVE-2023-29469 (#2186692)
|
||||
* Fri Apr 14 2023 David King <amigadave@amigadave.com> - 2.9.13-4
|
||||
- Fix CVE-2023-28484 (#2186694)
|
||||
- Fix CVE-2023-29469 (#2186694)
|
||||
|
||||
* Wed Nov 02 2022 David King <dking@redhat.com> - 2.9.7-16
|
||||
- Fix CVE-2022-40303 (#2136563)
|
||||
- Fix CVE-2022-40304 (#2136568)
|
||||
* Tue Nov 01 2022 David King <amigadave@amigadave.com> - 2.9.13-3
|
||||
- Fix CVE-2022-40303 (#2136564)
|
||||
- Fix CVE-2022-40304 (#2136569)
|
||||
|
||||
* Wed Aug 24 2022 David King <dking@redhat.com> - 2.9.7-15
|
||||
- Fix CVE-2016-3709 (#2120781)
|
||||
* Tue May 10 2022 David King <amigadave@amigadave.com> - 2.9.13-2
|
||||
- Fix CVE-2022-29824 (#2082300)
|
||||
|
||||
* Thu May 12 2022 David King <dking@redhat.com> - 2.9.7-14
|
||||
- Fix CVE-2022-29824 (#2082298)
|
||||
* Thu Feb 24 2022 David King <amigadave@amigadave.com> - 2.9.13-1
|
||||
- Update to 2.9.13 (#2057665)
|
||||
|
||||
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-13
|
||||
- Bump release (#2057664)
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.12-4
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-12
|
||||
- Fix CVE-2022-23308 (#2057664)
|
||||
* Wed Jun 09 2021 David King <dking@redhat.com> - 2.9.12-3
|
||||
- Fix xmlNodeDumpOutputInternal regression (#1969892)
|
||||
|
||||
* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-11
|
||||
- Fix CVE-2021-3541 (#1958783)
|
||||
* Tue May 25 2021 David King <dking@redhat.com> - 2.9.12-2
|
||||
- Fix multiarch conflict in devel subpackage (#1964346)
|
||||
|
||||
* Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-10
|
||||
- Fix CVE-2021-3516 (#1956976)
|
||||
- Fix CVE-2021-3517 (#1957001)
|
||||
- Fix CVE-2021-3518 (#1957028)
|
||||
- Fix CVE-2021-3537 (#1957284)
|
||||
* Fri May 14 2021 David King <dking@redhat.com> - 2.9.12-1
|
||||
- Rebase to 2.9.12 (#1960623)
|
||||
|
||||
* Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9
|
||||
- Fix CVE-2020-24977 (#1878252)
|
||||
* Thu May 13 2021 David King <dking@redhat.com> - 2.9.10-12
|
||||
- Fix CVE-2021-3516 (#1956969)
|
||||
- Fix CVE-2021-3517 (#1957002)
|
||||
- Fix CVE-2021-3518 (#1957029)
|
||||
- Fix CVE-2021-3537 (#1957285)
|
||||
|
||||
* Mon Jan 20 2020 David King <dking@redhat.com> - 2.9.7-8
|
||||
- Fix CVE-2019-19956 (#1793001)
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.10-11
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Thu Nov 12 11:57:41 CET 2020 Victor Stinner <vstinner@python.org> - 2.9.10-9
|
||||
- Build the Python extension with the PY_SSIZE_T_CLEAN macro to make it
|
||||
compatible with Python 3.10.
|
||||
- Fixes: rhbz#1890878.
|
||||
|
||||
* Wed Nov 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-8
|
||||
- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.
|
||||
|
||||
* Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7
|
||||
- Add fix for CVE-2020-24977 (RHBZ#1877788).
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9.10-5
|
||||
- Rebuilt for Python 3.9
|
||||
|
||||
* Mon Feb 10 2020 David King <amigadave@amigadave.com> - 2.9.10-4
|
||||
- Fix CVE-2019-20388 (#1799736)
|
||||
- Fix CVE-2020-7595 (#1799786)
|
||||
- Fix CVE-2019-20388 (#1810058)
|
||||
|
||||
* Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-7
|
||||
- Fix CVE-2018-14404 (#1595989)
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-6
|
||||
- Fix CVE-2018-9251 (#1565322)
|
||||
* Fri Jan 03 2020 Jan Pokorny <jpokorny@fedoraproject.org> - 2.9.10-2
|
||||
- Fix relaxed approach to nested documents on object disposal (#1780573)
|
||||
|
||||
* Fri Aug 03 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.9.7-5
|
||||
- Fix some crashes under Python 3
|
||||
- Conditionalize the python2 subpackage
|
||||
* Fri Nov 01 2019 David King <amigadave@amigadave.com> - 2.9.10-1
|
||||
- Update to 2.9.10 (#1767151)
|
||||
|
||||
* Thu Oct 31 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9.9-7
|
||||
- Subpackage python2-libxml2 has been removed
|
||||
See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
|
||||
|
||||
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9.9-6
|
||||
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
||||
|
||||
* Fri Aug 23 2019 Florian Weimer <fweimer@redhat.com> - 2.9.9-5
|
||||
- Rebuild to fix corrupted libxml2-static package on aarch64 (#1745020)
|
||||
|
||||
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9.9-4
|
||||
- Rebuilt for Python 3.8
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Fri Jan 25 2019 David King <amigadave@amigadave.com> - 2.9.9-1
|
||||
- Update to 2.9.9
|
||||
|
||||
* Sun Jan 06 2019 Björn Esser <besser82@fedoraproject.org> - 2.9.8-5
|
||||
- Add patch to fix crash: xmlParserPrintFileContextInternal mangles utf8
|
||||
|
||||
* Thu Aug 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-4
|
||||
- Backport patches from upstream
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.8-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.9.8-2
|
||||
- Rebuilt for Python 3.7
|
||||
|
||||
* Tue Apr 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-1
|
||||
- Update to 2.9.8
|
||||
|
||||
* Sat Feb 24 2018 Florian Weimer <fweimer@redhat.com> - 2.9.7-4
|
||||
- Rebuild with new LDFLAGS from redhat-rpm-config
|
||||
|
||||
Loading…
Reference in New Issue
Block a user