Hello community,
here is the log from the commit of package libxml2 for openSUSE:12.2 checked in at 2012-08-09 17:55:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2/libxml2 (Old)
and /work/SRC/openSUSE:12.2/.libxml2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2", Maintainer is "VCizek@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:12.2/libxml2/libxml2.changes 2012-06-25 15:45:26.000000000 +0200
+++ /work/SRC/openSUSE:12.2/.libxml2.new/libxml2.changes 2012-08-09 17:56:02.000000000 +0200
@@ -1,0 +2,5 @@
+Thu Jun 28 09:48:22 UTC 2012 - vcizek@suse.com
+
+- fixed CVE-2012-2807 (bnc#769184)
+
+-------------------------------------------------------------------
New:
----
libxml2-CVE-2012-2807.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.YgQlrV/_old 2012-08-09 17:56:02.000000000 +0200
+++ /var/tmp/diff_new_pack.YgQlrV/_new 2012-08-09 17:56:02.000000000 +0200
@@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
%define lname libxml2-2
Name: libxml2
@@ -29,6 +30,7 @@
Source2: baselibs.conf
Patch0: bigendian64.patch
Patch1: fix-perl.diff
+Patch2: libxml2-CVE-2012-2807.patch
BuildRequires: pkg-config
BuildRequires: readline-devel
BuildRequires: xz-devel
@@ -126,6 +128,7 @@
%setup -q -n %{name}-2.7.8
%patch0 -p0
%patch1 -p1 -R
+%patch2 -p1
%build
%configure --disable-static \
++++++ python-libxml2.spec ++++++
--- /var/tmp/diff_new_pack.YgQlrV/_old 2012-08-09 17:56:02.000000000 +0200
+++ /var/tmp/diff_new_pack.YgQlrV/_new 2012-08-09 17:56:02.000000000 +0200
@@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
Name: python-libxml2
Version: 2.7.8+git20120223
Release: 0
++++++ libxml2-CVE-2012-2807.patch ++++++
From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001
From: Daniel Veillard
Date: Tue, 17 Jul 2012 08:19:17 +0000
Subject: Fix parser local buffers size problems
---
Index: libxml2-2.7.8/parser.c
===================================================================
--- libxml2-2.7.8.orig/parser.c 2012-03-01 06:25:02.000000000 +0100
+++ libxml2-2.7.8/parser.c 2012-08-01 13:36:55.890102432 +0200
@@ -40,6 +40,7 @@
#endif
#include
+#include
#include
#include
#include
@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const
* parser option.
*/
static int
-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
+xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
xmlEntityPtr ent)
{
- unsigned long consumed = 0;
+ size_t consumed = 0;
if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
return (0);
@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxt
/*
* Macro used to grow the current buffer.
+ * buffer##_size is expected to be a size_t
+ * mem_error: is expected to handle memory allocation failures
*/
#define growBuffer(buffer, n) { \
xmlChar *tmp; \
- buffer##_size *= 2; \
- buffer##_size += n; \
- tmp = (xmlChar *) \
- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \
+ size_t new_size = buffer##_size * 2 + n; \
+ if (new_size < buffer##_size) goto mem_error; \
+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
if (tmp == NULL) goto mem_error; \
buffer = tmp; \
+ buffer##_size = new_size; \
}
/**
@@ -2623,14 +2626,14 @@ xmlChar *
xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
int what, xmlChar end, xmlChar end2, xmlChar end3) {
xmlChar *buffer = NULL;
- int buffer_size = 0;
+ size_t buffer_size = 0;
+ size_t nbchars = 0;
xmlChar *current = NULL;
xmlChar *rep = NULL;
const xmlChar *last;
xmlEntityPtr ent;
int c,l;
- int nbchars = 0;
if ((ctxt == NULL) || (str == NULL) || (len < 0))
return(NULL);
@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
* allocate a translation buffer.
*/
buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
+ buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
if (buffer == NULL) goto mem_error;
/*
@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
if (val != 0) {
COPY_BUF(0,buffer,nbchars,val);
}
- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
} else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
if (ent->content != NULL) {
COPY_BUF(0,buffer,nbchars,ent->content[0]);
- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
} else {
@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
current = rep;
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
- if (nbchars >
- buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
if (xmlParserEntityCheck(ctxt, nbchars, ent))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
const xmlChar *cur = ent->name;
buffer[nbchars++] = '&';
- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
}
for (;i > 0;i--)
@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
current = rep;
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
- if (nbchars >
- buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
if (xmlParserEntityCheck(ctxt, nbchars, ent))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt
} else {
COPY_BUF(l,buffer,nbchars,c);
str += l;
- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
}
if (str < last)
@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
xmlChar limit = 0;
xmlChar *buf = NULL;
xmlChar *rep = NULL;
- int len = 0;
- int buf_size = 0;
+ size_t len = 0;
+ size_t buf_size = 0;
int c, l, in_space = 0;
xmlChar *current = NULL;
xmlEntityPtr ent;
@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
* allocate a translation buffer.
*/
buf_size = XML_PARSER_BUFFER_SIZE;
- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
+ buf = (xmlChar *) xmlMallocAtomic(buf_size);
if (buf == NULL) goto mem_error;
/*
@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
if (val == '&') {
if (ctxt->replaceEntities) {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
buf[len++] = '&';
@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
* The reparsing will be done in xmlStringGetNodeList()
* called by the attribute() function in SAX.c
*/
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
buf[len++] = '&';
@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
buf[len++] = ';';
}
} else if (val != 0) {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
len += xmlCopyChar(0, &buf[len], val);
@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
ctxt->nbentities += ent->owner;
if ((ent != NULL) &&
(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
if ((ctxt->replaceEntities == 0) &&
@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
current++;
} else
buf[len++] = *current++;
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
}
@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
rep = NULL;
}
} else {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
if (ent->content != NULL)
@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
* Just output the reference
*/
buf[len++] = '&';
- while (len > buf_size - i - 10) {
+ while (len + i + 10 > buf_size) {
growBuffer(buf, i + 10);
}
for (;i > 0;i--)
@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
if ((len != 0) || (!normalize)) {
if ((!normalize) || (!in_space)) {
COPY_BUF(l,buf,len,0x20);
- while (len > buf_size - 10) {
+ while (len + 10 > buf_size) {
growBuffer(buf, 10);
}
}
@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
} else {
in_space = 0;
COPY_BUF(l,buf,len,c);
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
}
@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
}
} else
NEXT;
- if (attlen != NULL) *attlen = len;
+
+ /*
+ * There we potentially risk an overflow, don't allow attribute value of
+ * lenght more than INT_MAX it is a very reasonnable assumption !
+ */
+ if (len >= INT_MAX) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue lenght too long\n");
+ goto mem_error;
+ }
+
+ if (attlen != NULL) *attlen = (int) len;
return(buf);
mem_error:
Index: libxml2-2.7.8/entities.c
===================================================================
--- libxml2-2.7.8.orig/entities.c 2012-03-01 06:25:02.000000000 +0100
+++ libxml2-2.7.8/entities.c 2012-08-01 13:36:02.213499245 +0200
@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xml
* Macro used to grow the current buffer.
*/
#define growBufferReentrant() { \
- buffer_size *= 2; \
- buffer = (xmlChar *) \
- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \
- if (buffer == NULL) { \
- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
- return(NULL); \
- } \
+ xmlChar *tmp; \
+ size_t new_size = buffer_size *= 2; \
+ if (new_size < buffer_size) goto mem_error; \
+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
+ if (tmp == NULL) goto mem_error; \
+ buffer = tmp; \
+ buffer_size = new_size; \
}
@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
const xmlChar *cur = input;
xmlChar *buffer = NULL;
xmlChar *out = NULL;
- int buffer_size = 0;
+ size_t buffer_size = 0;
int html = 0;
if (input == NULL) return(NULL);
@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
out = buffer;
while (*cur != '\0') {
- if (out - buffer > buffer_size - 100) {
- int indx = out - buffer;
+ size_t indx = out - buffer;
+ if (indx + 100 > buffer_size) {
growBufferReentrant();
out = &buffer[indx];
@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
}
*out = 0;
return(buffer);
+
+mem_error:
+ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
+ xmlFree(buffer);
+ return(NULL);
}
/**
@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
const xmlChar *cur = input;
xmlChar *buffer = NULL;
xmlChar *out = NULL;
- int buffer_size = 0;
+ size_t buffer_size = 0;
if (input == NULL) return(NULL);
/*
@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
out = buffer;
while (*cur != '\0') {
- if (out - buffer > buffer_size - 10) {
- int indx = out - buffer;
+ size_t indx = out - buffer;
+ if (indx + 10 > buffer_size) {
growBufferReentrant();
out = &buffer[indx];
@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
}
*out = 0;
return(buffer);
+
+mem_error:
+ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
+ xmlFree(buffer);
+ return(NULL);
}
/**
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org