Hello community, here is the log from the commit of package libxml2 for openSUSE:11.3 checked in at Thu Dec 1 12:11:25 CET 2011.
--------
--- old-versions/11.3/UPDATES/all/libxml2/libxml2.changes 2011-06-29 14:10:59.000000000 +0200
+++ 11.3/libxml2/libxml2.changes 2011-11-28 16:25:17.000000000 +0100
@@ -1,0 +2,5 @@
+Mon Nov 28 15:24:29 UTC 2011 - vcizek@suse.com
+
+- add libxml2-CVE-2011-2821.patch (bnc#732787)
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
libxml2-CVE-2011-2821.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxml2-python.spec ++++++
--- /var/tmp/diff_new_pack.riC8d6/_old 2011-12-01 12:11:12.000000000 +0100
+++ /var/tmp/diff_new_pack.riC8d6/_new 2011-12-01 12:11:12.000000000 +0100
@@ -25,7 +25,7 @@
 AutoReqProv: on
 Summary: Python Bindings for libxml2
 Version: 2.7.7
-Release: 4.<RELEASE4>
+Release: 4.<RELEASE5>
 Source: libxml2-%{version}.tar.bz2
 Source1: libxml2-python-rpmlintrc
 %py_requires
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.riC8d6/_old 2011-12-01 12:11:12.000000000 +0100
+++ /var/tmp/diff_new_pack.riC8d6/_new 2011-12-01 12:11:12.000000000 +0100
@@ -25,12 +25,13 @@
 Summary: A Library to Manipulate XML Files
 Url: http://xmlsoft.org
 Version: 2.7.7
-Release: 4.<RELEASE7>
+Release: 4.<RELEASE9>
 Source: %{name}-%{version}.tar.bz2
 Source2: baselibs.conf
 Patch1: libxml2-xpath-ns-attr-axis.patch
 Patch2: libxml2-CVE-2010-4494.patch
 Patch3: libxml2-CVE-2011-1944.patch
+Patch4: libxml2-CVE-2011-2821.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 # bug437293
 %ifarch ppc64
@@ -105,6 +106,7 @@
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 %configure \
++++++ libxml2-CVE-2011-2821.patch ++++++
From f5048b3e71fc30ad096970b8df6e7af073bae4cb Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Thu, 18 Aug 2011 09:10:13 +0000 Subject: Hardening of XPath evaluation
Add a mechanism of frame for XPath evaluation when entering a function or a scoped evaluation, also fix a potential problem in predicate evaluation.
---
Index: libxml2-2.7.6/include/libxml/xpath.h
===================================================================
--- libxml2-2.7.6.orig/include/libxml/xpath.h 2009-09-24 17:31:59.000000000 +0200
+++ libxml2-2.7.6/include/libxml/xpath.h 2011-11-25 15:53:41.300858185 +0100
@@ -68,7 +68,8 @@
 XPATH_UNDEF_PREFIX_ERROR,
 XPATH_ENCODING_ERROR,
 XPATH_INVALID_CHAR_ERROR,
- XPATH_INVALID_CTXT
+ XPATH_INVALID_CTXT,
+ XPATH_STACK_ERROR
 } xmlXPathError;
 /*
@@ -380,6 +381,8 @@
 xmlXPathCompExprPtr comp; /* the precompiled expression */
 int xptr; /* it this an XPointer expression */
 xmlNodePtr ancestor; /* used for walking preceding axis */
+
+ int valueFrame; /* used to limit Pop on the stack */
 };
 /************************************************************************
Index: libxml2-2.7.6/xpath.c
===================================================================
--- libxml2-2.7.6.orig/xpath.c 2011-11-25 15:51:55.000000000 +0100
+++ libxml2-2.7.6/xpath.c 2011-11-25 15:56:00.907034977 +0100
@@ -252,6 +252,7 @@
 "Encoding error\n",
 "Char out of XML range\n",
 "Invalid or incomplete context\n",
+ "Stack usage errror\n",
 "?? Unknown error ??\n" /* Must be last in the list! */
 };
 #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \
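Review bot: The comment on the new `valueFrame` field in the `@@ -380,6 +381,8 @@` hunk of xpath.h does not say what the value holds or who maintains it. Something like `int valueFrame; /* valueNr at frame entry; valuePop() refuses to go at or below it */` would match how the xpath.c hunks of this patch use the field. The field is appended to a struct declared in a public header, and this patch zeroes it at three context set-up sites (two in xpath.c, one in xpointer.c); any other place that fills in such a struct would presumably leave it unset and is worth checking. The struct definition starts outside the hunk.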
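Review bot: The added message `"Stack usage errror\n"` in the `@@ -252,6 +252,7 @@` hunk of xpath.c misspells "error"; it should read `"Stack usage error\n"`. Its position, directly after "Invalid or incomplete context", matches where `XPATH_STACK_ERROR` was added to the enum in xpath.h, so the table index still lines up. The array itself starts outside the hunk.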
@@ -2398,6 +2399,42 @@
 ************************************************************************/
 /**
+ * xmlXPathSetFrame:
+ * @ctxt: an XPath parser context
+ *
+ * Set the callee evaluation frame
+ *
+ * Returns the previous frame value to be restored once done
+ */
+static int
+xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
+ int ret;
+
+ if (ctxt == NULL)
+ return(0);
+ ret = ctxt->valueFrame;
+ ctxt->valueFrame = ctxt->valueNr;
+ return(ret);
+}
+
+/**
+ * xmlXPathPopFrame:
+ * @ctxt: an XPath parser context
+ * @frame: the previous frame value
+ *
+ * Remove the callee evaluation frame
+ */
+static void
+xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
+ if (ctxt == NULL)
+ return;
+ if (ctxt->valueNr < ctxt->valueFrame) {
+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
+ }
+ ctxt->valueFrame = frame;
+}
+
+/**
+ * valuePop:
 * @ctxt: an XPath evaluation context
 *
@@ -2412,6 +2449,12 @@
 if ((ctxt == NULL) || (ctxt->valueNr <= 0))
 return (NULL);
+
+ if (ctxt->valueNr <= ctxt->valueFrame) {
+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
+ return (NULL);
+ }
+
 ctxt->valueNr--;
 if (ctxt->valueNr > 0)
 ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
@@ -6154,6 +6197,7 @@
 ret->valueNr = 0;
 ret->valueMax = 10;
 ret->value = NULL;
+ ret->valueFrame = 0;
 ret->context = ctxt;
 ret->comp = comp;
@@ -11699,6 +11743,7 @@
 xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
 xmlNodePtr oldContextNode, contextNode = NULL;
 xmlXPathContextPtr xpctxt = ctxt->context;
+ int frame;
 #ifdef LIBXML_XPTR_ENABLED
 /*
@@ -11718,6 +11763,8 @@
 */
 exprOp = &ctxt->comp->steps[op->ch2];
 for (i = 0; i < set->nodeNr; i++) {
+ xmlXPathObjectPtr tmp;
+
 if (set->nodeTab[i] == NULL)
 continue;
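Review bot: The doc comments added for `xmlXPathSetFrame` and `xmlXPathPopFrame` in the `@@ -2398,6 +2399,42 @@` hunk never state the invariant the pair enforces, so a later caller has to work it out from `valuePop`. The SetFrame comment should say that it records the current `valueNr` as the floor at or below which `valuePop` will not pop, and that the returned value must be handed back to `xmlXPathPopFrame` on every return path. For PopFrame it is worth noting that the `ctxt->valueNr < ctxt->valueFrame` test is only a consistency check: it reports `XPATH_STACK_ERROR` through `xmlXPatherror` and still restores the frame, and since the function returns nothing, callers presumably have to inspect the context's error state afterwards.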
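Review bot: `valuePop` can now return NULL while the stack is non-empty, and its doc comment (which begins at the end of the previous hunk and continues outside both) should spell that out, for example ` * Returns the XPath object just removed, or NULL if the stack is empty or the pop would cross the current frame`. Callers that decide whether a pop is safe by looking at `ctxt->valueNr` alone and then dereference the result are not visible in this patch and are worth auditing against the new `ctxt->valueNr <= ctxt->valueFrame` return. The body of `valuePop` continues past the end of the `@@ -2412,6 +2449,12 @@` hunk.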
@@ -11745,23 +11792,25 @@
 xmlXPathNodeSetAddUnique(contextObj->nodesetval, contextNode);
+ frame = xmlXPathSetFrame(ctxt);
 valuePush(ctxt, contextObj);
 res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+ tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
 if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
- xmlXPathObjectPtr tmp;
- /* pop the result if any */
- tmp = valuePop(ctxt);
- if (tmp != contextObj) {
+ while (tmp != contextObj) {
 /*
 * Free up the result
 * then pop off contextObj, which will be freed later
 */
 xmlXPathReleaseObject(xpctxt, tmp);
- valuePop(ctxt);
+ tmp = valuePop(ctxt);
 }
 goto evaluation_error;
 }
+ /* push the result back onto the stack */
+ valuePush(ctxt, tmp);
 if (res)
 pos++;
@@ -13365,7 +13414,9 @@
 xmlXPathFunction func;
 const xmlChar *oldFunc, *oldFuncURI;
 int i;
+ int frame;
+ frame = xmlXPathSetFrame(ctxt);
 if (op->ch1 != -1)
 total += xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
@@ -13373,15 +13424,18 @@
 xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: parameter error\n");
 ctxt->error = XPATH_INVALID_OPERAND;
+ xmlXPathPopFrame(ctxt, frame);
 return (total);
 }
- for (i = 0; i < op->value; i++)
+ for (i = 0; i < op->value; i++) {
 if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
 xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: parameter error\n");
 ctxt->error = XPATH_INVALID_OPERAND;
+ xmlXPathPopFrame(ctxt, frame);
 return (total);
 }
+ }
 if (op->cache != NULL)
 XML_CAST_FPTR(func) = op->cache;
 else {
@@ -13397,6 +13451,7 @@
 xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", (char *)op->value4, (char *)op->value5);
+ xmlXPathPopFrame(ctxt, frame);
 return (total);
 }
 func = xmlXPathFunctionLookupNS(ctxt->context,
@@ -13418,6 +13473,7 @@
 func(ctxt, op->value);
 ctxt->context->function = oldFunc;
 ctxt->context->functionURI = oldFuncURI;
+ xmlXPathPopFrame(ctxt, frame);
 return (total);
 }
 case XPATH_OP_ARG:
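Review bot: The new `while (tmp != contextObj)` loop in the error branch of the `@@ -11745,23 +11792,25 @@` hunk has no exit when `valuePop` returns NULL. `valuePop` returns NULL once the stack is empty or the frame limit is reached, and because `xmlXPathPopFrame(ctxt, frame)` has already restored the outer frame by then, the loop could release objects left on the stack by the enclosing evaluation and then spin on NULL if `contextObj` is no longer there. Bounding it, `while ((tmp != NULL) && (tmp != contextObj)) {`, keeps the cleanup finite; the success path's `valuePush(ctxt, tmp)` raises the same NULL question. The enclosing function starts and ends outside the hunk, so whether `contextObj` can actually leave the stack is not confirmed from here.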
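Review bot: `xmlXPathSetFrame` in the `@@ -13365,7 +13414,9 @@` hunk is paired with `xmlXPathPopFrame` by hand on four return paths spread over this hunk and the three that follow, which is easy to break. The code between the `@@ -13397,6 +13451,7 @@` and `@@ -13418,6 +13473,7 @@` hunks, after the `xmlXPathFunctionLookupNS` call, is not shown; if any return there is not preceded by `xmlXPathPopFrame(ctxt, frame)`, `valueFrame` stays raised and later `valuePop` calls would fail with `XPATH_STACK_ERROR`. Funnelling the returns of this `case` through one exit that restores the frame would make the pairing checkable at a glance.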
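Review bot: The argument check `ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL` in the `@@ -13373,15 +13424,18 @@` hunk walks `op->value` slots down from the top of the stack without looking at `valueFrame`. The condition guarding the first `parameter error` branch sits above the hunk; if it still compares `ctxt->valueNr` with `op->value` only, slots at or below the frame that belong to the caller would pass as arguments even though `valuePop` will refuse to hand them to the function. Checking `if (ctxt->valueNr < ctxt->valueFrame + op->value)` there would reject a short argument list before the function runs.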
@@ -14321,6 +14377,7 @@
 ctxt->valueNr = 0;
 ctxt->valueMax = 10;
 ctxt->value = NULL;
+ ctxt->valueFrame = 0;
 }
 #ifdef XPATH_STREAMING
 if (ctxt->comp->stream) {
Index: libxml2-2.7.6/xpointer.c
===================================================================
--- libxml2-2.7.6.orig/xpointer.c 2009-09-24 17:32:00.000000000 +0200
+++ libxml2-2.7.6/xpointer.c 2011-11-25 15:53:41.306858364 +0100
@@ -1269,6 +1269,7 @@
 ctxt->valueNr = 0;
 ctxt->valueMax = 10;
 ctxt->value = NULL;
+ ctxt->valueFrame = 0;
 }
 SKIP_BLANKS;
 if (CUR == '/') {
continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org