* [PATCH 0/1] More libxml2 security fixes
@ 2016-05-27 2:57 Leo Famulari
2016-05-27 2:57 ` [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes] Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-05-27 2:57 UTC (permalink / raw)
To: guix-devel
libxml2 2.9.4 is released, with a lot of fixed bugs, both with and
without CVE IDs:
https://git.gnome.org/browse/libxml2/log/
This patch updates the existing graft by removing patches for two of
these fixed bugs, and updating to 2.9.4, fixing 10 additional CVE bugs.
The question is: will it work to graft 2.9.4 in place of 2.9.3?
Can anyone recommend a package that uses libxml2 in an obvious way (e.g.
for parsing an XML configuration file)?
Leo Famulari (1):
gnu: libxml2: Update replacement to 2.9.4 [security fixes].
gnu/local.mk | 2 -
gnu/packages/patches/libxml2-CVE-2016-3627.patch | 61 ---------------------
gnu/packages/patches/libxml2-CVE-2016-3705.patch | 68 ------------------------
gnu/packages/xml.scm | 14 +++--
4 files changed, 10 insertions(+), 135 deletions(-)
delete mode 100644 gnu/packages/patches/libxml2-CVE-2016-3627.patch
delete mode 100644 gnu/packages/patches/libxml2-CVE-2016-3705.patch
--
2.8.3
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes].
2016-05-27 2:57 [PATCH 0/1] More libxml2 security fixes Leo Famulari
@ 2016-05-27 2:57 ` Leo Famulari
2016-05-28 15:33 ` Ludovic Courtès
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-05-27 2:57 UTC (permalink / raw)
To: guix-devel
This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839,
1840, 3627, 3705, 4483}.
* gnu/packages/patches/libxml2-CVE-2016-3627.patch,
gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4.
[source]: Remove patches.
---
gnu/local.mk | 2 -
gnu/packages/patches/libxml2-CVE-2016-3627.patch | 61 ---------------------
gnu/packages/patches/libxml2-CVE-2016-3705.patch | 68 ------------------------
gnu/packages/xml.scm | 14 +++--
4 files changed, 10 insertions(+), 135 deletions(-)
delete mode 100644 gnu/packages/patches/libxml2-CVE-2016-3627.patch
delete mode 100644 gnu/packages/patches/libxml2-CVE-2016-3705.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index f36389f..037264b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -607,8 +607,6 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
- %D%/packages/patches/libxml2-CVE-2016-3627.patch \
- %D%/packages/patches/libxml2-CVE-2016-3705.patch \
%D%/packages/patches/libxslt-CVE-2015-7995.patch \
%D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/libpthread-glibc-preparation.patch \
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch
deleted file mode 100644
index 782c927..0000000
--- a/gnu/packages/patches/libxml2-CVE-2016-3627.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From <http://seclists.org/fulldisclosure/2016/May/10>.
-
-From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
-From: Peter Simons <psimons () suse com>
-Date: Thu, 14 Apr 2016 16:15:13 +0200
-Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
- recursions to avoid CVE-2016-3627
-
-This patch prevents stack overflows like the one reported in
-https://bugzilla.gnome.org/show_bug.cgi?id=762100.
----
- tree.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-Index: libxml2-2.9.3/tree.c
-===================================================================
---- libxml2-2.9.3.orig/tree.c
-+++ libxml2-2.9.3/tree.c
-@@ -1464,6 +1464,8 @@ out:
- return(ret);
- }
-
-+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
-+
- /**
- * xmlStringGetNodeList:
- * @doc: the document
-@@ -1475,6 +1477,12 @@ out:
- */
- xmlNodePtr
- xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
-+ return xmlStringGetNodeListInternal(doc, value, 0);
-+ }
-+
-+xmlNodePtr
-+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
-+
- xmlNodePtr ret = NULL, last = NULL;
- xmlNodePtr node;
- xmlChar *val;
-@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
- xmlEntityPtr ent;
- xmlBufPtr buf;
-
-+ if (recursionLevel > 1024) return(NULL);
-+
- if (value == NULL) return(NULL);
-
- buf = xmlBufCreateSize(0);
-@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
- else if ((ent != NULL) && (ent->children == NULL)) {
- xmlNodePtr temp;
-
-- ent->children = xmlStringGetNodeList(doc,
-- (const xmlChar*)node->content);
-+ ent->children = xmlStringGetNodeListInternal(doc,
-+ (const xmlChar*)node->content,
-+ recursionLevel+1);
- ent->owner = 1;
- temp = ent->children;
- while (temp) {
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch b/gnu/packages/patches/libxml2-CVE-2016-3705.patch
deleted file mode 100644
index e803630..0000000
--- a/gnu/packages/patches/libxml2-CVE-2016-3705.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From <http://seclists.org/fulldisclosure/2016/May/10>.
-
-From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
-From: Peter Simons <psimons () suse com>
-Date: Fri, 15 Apr 2016 11:56:55 +0200
-Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
- parser.
-
-The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
-xmlStringDecodeEntities() in a recursive context without incrementing the
-'depth' counter in the parser context. Because of that omission, the parser
-failed to detect attribute recursions in certain documents before running out
-of stack space.
----
- parser.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 9604a72..4da151f 100644
---- a/parser.c
-+++ b/parser.c
-@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
-
- ent->checked = 1;
-
-+ ++ctxt->depth;
- rep = xmlStringDecodeEntities(ctxt, ent->content,
- XML_SUBSTITUTE_REF, 0, 0, 0);
-+ --ctxt->depth;
-
- ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
- if (rep != NULL) {
-@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
- * an entity declaration, it is bypassed and left as is.
- * so XML_SUBSTITUTE_REF is not set here.
- */
-+ ++ctxt->depth;
- ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
- 0, 0, 0);
-+ --ctxt->depth;
- if (orig != NULL)
- *orig = buf;
- else
-@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
- } else if ((ent != NULL) &&
- (ctxt->replaceEntities != 0)) {
- if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
-+ ++ctxt->depth;
- rep = xmlStringDecodeEntities(ctxt, ent->content,
- XML_SUBSTITUTE_REF,
- 0, 0, 0);
-+ --ctxt->depth;
- if (rep != NULL) {
- current = rep;
- while (*current != 0) { /* non input consuming */
-@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
- (ent->content != NULL) && (ent->checked == 0)) {
- unsigned long oldnbent = ctxt->nbentities;
-
-+ ++ctxt->depth;
- rep = xmlStringDecodeEntities(ctxt, ent->content,
- XML_SUBSTITUTE_REF, 0, 0, 0);
-+ --ctxt->depth;
-
- ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
- if (rep != NULL) {
---
-2.8.1
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 782e356..dc5c60d 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -107,10 +107,16 @@ project (but it is usable outside of the Gnome platform).")
(define libxml2/fixed
(package
(inherit libxml2)
- (source (origin
- (inherit (package-source libxml2))
- (patches (search-patches "libxml2-CVE-2016-3627.patch"
- "libxml2-CVE-2016-3705.patch"))))))
+ (source
+ (let ((name "libxml2")
+ (version "2.9.4"))
+ (origin
+ (method url-fetch)
+ (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
(define-public python-libxml2
(package (inherit libxml2)
--
2.8.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes].
2016-05-27 2:57 ` [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes] Leo Famulari
@ 2016-05-28 15:33 ` Ludovic Courtès
2016-05-28 18:04 ` Leo Famulari
2016-05-31 15:46 ` Leo Famulari
0 siblings, 2 replies; 5+ messages in thread
From: Ludovic Courtès @ 2016-05-28 15:33 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839,
> 1840, 3627, 3705, 4483}.
>
> * gnu/packages/patches/libxml2-CVE-2016-3627.patch,
> gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files.
> * gnu/local.mk (dist_patch_DATA): Remove them.
> * gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4.
> [source]: Remove patches.
If this is claimed to be ABI-compatible with 2.9.3, fine with me.
Thanks for looking into it!
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes].
2016-05-28 15:33 ` Ludovic Courtès
@ 2016-05-28 18:04 ` Leo Famulari
2016-05-31 15:46 ` Leo Famulari
1 sibling, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-05-28 18:04 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Sat, May 28, 2016 at 05:33:26PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839,
> > 1840, 3627, 3705, 4483}.
> >
> > * gnu/packages/patches/libxml2-CVE-2016-3627.patch,
> > gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files.
> > * gnu/local.mk (dist_patch_DATA): Remove them.
> > * gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4.
> > [source]: Remove patches.
>
> If this is claimed to be ABI-compatible with 2.9.3, fine with me.
I've asked this question on xml@gnome.org, the relevant mailing list.
Waiting for a response...
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes].
2016-05-28 15:33 ` Ludovic Courtès
2016-05-28 18:04 ` Leo Famulari
@ 2016-05-31 15:46 ` Leo Famulari
1 sibling, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-05-31 15:46 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Sat, May 28, 2016 at 05:33:26PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > This fixes CVE-2016-{1762, 1833, 1834, 1835, 1836, 1837, 1838, 1839,
> > 1840, 3627, 3705, 4483}.
> >
> > * gnu/packages/patches/libxml2-CVE-2016-3627.patch,
> > gnu/packages/patches/libxml2-CVE-2016-3705.patch: Delete files.
> > * gnu/local.mk (dist_patch_DATA): Remove them.
> > * gnu/packages/xml.scm (libxml2/fixed): Update to 2.9.4.
> > [source]: Remove patches.
>
> If this is claimed to be ABI-compatible with 2.9.3, fine with me.
After a few days with no reply on the upstream mailing list, and with no
problems after reconfiguring my GuixSD GNOME system with this patch, I
applied it as df2dd07b88.
https://mail.gnome.org/archives/xml/2016-May/msg00031.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-05-31 15:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-27 2:57 [PATCH 0/1] More libxml2 security fixes Leo Famulari
2016-05-27 2:57 ` [PATCH 1/1] gnu: libxml2: Update replacement to 2.9.4 [security fixes] Leo Famulari
2016-05-28 15:33 ` Ludovic Courtès
2016-05-28 18:04 ` Leo Famulari
2016-05-31 15:46 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).