commit libxml2 for openSUSE:Factory
From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001 From: Peter Simons
Date: Fri, 15 Apr 2016 11:56:55 +0200 Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2016-05-08 10:38:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libxml2" Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2016-03-26 15:20:25.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes 2016-05-08 10:38:37.000000000 +0200 @@ -1,0 +2,10 @@ +Tue May 3 11:40:42 UTC 2016 - sflees@suse.de + +- Add libxml2-2.9.1-CVE-2016-3627.patch to fix stack exhaustion + while parsing certain XML files in recovery mode (CVE-2016-3627, + bnc#972335). + +- Add 0001-Add-missing-increments-of-recursion-depth-counter-to.patch + to improve protection against Billion Laughs Attack (bnc#975947). + +------------------------------------------------------------------- New: ---- 0001-Add-missing-increments-of-recursion-depth-counter-to.patch libxml2-2.9.1-CVE-2016-3627.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.3PvXb1/_old 2016-05-08 10:38:38.000000000 +0200 +++ /var/tmp/diff_new_pack.3PvXb1/_new 2016-05-08 10:38:38.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package libxml2 # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,10 @@ Source2: baselibs.conf Source3: %{name}.keyring Patch0: fix-perl.diff +# PATCH-FIX-SUSE bnc#972335 psimons@suse.com -- CVE-2016-3627 - stack exhaustion while parsing xml files in recovery mode +Patch1: libxml2-2.9.1-CVE-2016-3627.patch +# PATCH-FIX-SUSE bnc#975947 psimons@suse.com -- crash in xml validator +Patch2: 0001-Add-missing-increments-of-recursion-depth-counter-to.patch BuildRequires: fdupes BuildRequires: pkg-config BuildRequires: readline-devel @@ -124,6 +128,8 @@ %prep %setup -q %patch0 +%patch1 -p1 +%patch2 -p1 %build %configure --disable-static \ ++++++ python-libxml2.spec ++++++ --- /var/tmp/diff_new_pack.3PvXb1/_old 2016-05-08 10:38:38.000000000 +0200 +++ /var/tmp/diff_new_pack.3PvXb1/_new 2016-05-08 10:38:38.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-libxml2 # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ 0001-Add-missing-increments-of-recursion-depth-counter-to.patch ++++++ parser. The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call xmlStringDecodeEntities() in a recursive context without incrementing the 'depth' counter in the parser context. Because of that omission, the parser failed to detect attribute recursions in certain documents before running out of stack space. --- parser.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/parser.c b/parser.c index 9604a72..4da151f 100644 --- a/parser.c +++ b/parser.c @@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, ent->checked = 1; + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; if (rep != NULL) { @@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { * an entity declaration, it is bypassed and left as is. * so XML_SUBSTITUTE_REF is not set here. */ + ++ctxt->depth; ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, 0, 0, 0); + --ctxt->depth; if (orig != NULL) *orig = buf; else @@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { } else if ((ent != NULL) && (ctxt->replaceEntities != 0)) { if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; if (rep != NULL) { current = rep; while (*current != 0) { /* non input consuming */ @@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { (ent->content != NULL) && (ent->checked == 0)) { unsigned long oldnbent = ctxt->nbentities; + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; if (rep != NULL) { -- 2.8.1 ++++++ libxml2-2.9.1-CVE-2016-3627.patch ++++++
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001 From: Peter Simons
Date: Thu, 14 Apr 2016 16:15:13 +0200 Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024 recursions to avoid CVE-2016-3627
This patch prevents stack overflows like the one reported in https://bugzilla.gnome.org/show_bug.cgi?id=762100. --- tree.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) Index: libxml2-2.9.3/tree.c =================================================================== --- libxml2-2.9.3.orig/tree.c +++ libxml2-2.9.3/tree.c @@ -1464,6 +1464,8 @@ out: return(ret); } +static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel); + /** * xmlStringGetNodeList: * @doc: the document @@ -1475,6 +1477,12 @@ out: */ xmlNodePtr xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + return xmlStringGetNodeListInternal(doc, value, 0); + } + +xmlNodePtr +xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) { + xmlNodePtr ret = NULL, last = NULL; xmlNodePtr node; xmlChar *val; @@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc, xmlEntityPtr ent; xmlBufPtr buf; + if (recursionLevel > 1024) return(NULL); + if (value == NULL) return(NULL); buf = xmlBufCreateSize(0); @@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc, else if ((ent != NULL) && (ent->children == NULL)) { xmlNodePtr temp; - ent->children = xmlStringGetNodeList(doc, - (const xmlChar*)node->content); + ent->children = xmlStringGetNodeListInternal(doc, + (const xmlChar*)node->content, + recursionLevel+1); ent->owner = 1; temp = ent->children; while (temp) {
participants (1)
-
root@hilbert.suse.de