From: Alex Vong <alexvong1995@gmail.com>
To: 28294@debbugs.gnu.org
Subject: [bug#28294] [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
Date: Wed, 30 Aug 2017 21:31:58 +0800 [thread overview]
Message-ID: <87inh5uqpd.fsf@gmail.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 273 bytes --]
Severity: important
Tags: patch security
Hi,
This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
introduce test failure. The changes only enable new tests so it should
be fine to remove them.
[-- Attachment #1.2: 0001-gnu-libxml2-Fix-CVE-2017-0663-7375-7376-9047-9048-90.patch --]
[-- Type: text/x-diff, Size: 37341 bytes --]
From 69182d050016889ee11d0c2459dcae1212f7579e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 30 Aug 2017 21:21:21 +0800
Subject: [PATCH] gnu: libxml2: Fix
CVE-2017-{0663,7375,7376,9047,9048,9049,9050}.
* gnu/packages/patches/libxml2-CVE-2017-0663.patch,
gnu/packages/patches/libxml2-CVE-2017-7375.patch,
gnu/packages/patches/libxml2-CVE-2017-7376.patch,
gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch,
gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[source]: Use them.
---
gnu/local.mk | 5 +
gnu/packages/patches/libxml2-CVE-2017-0663.patch | 53 ++++
gnu/packages/patches/libxml2-CVE-2017-7375.patch | 45 +++
gnu/packages/patches/libxml2-CVE-2017-7376.patch | 41 +++
.../libxml2-CVE-2017-9047+CVE-2017-9048.patch | 130 +++++++++
.../libxml2-CVE-2017-9049+CVE-2017-9050.patch | 319 +++++++++++++++++++++
gnu/packages/xml.scm | 10 +-
7 files changed, 601 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/libxml2-CVE-2017-0663.patch
create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7375.patch
create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7376.patch
create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 10d4ab114..9baaa1687 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -804,6 +804,11 @@ dist_patch_DATA = \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
%D%/packages/patches/libxml2-CVE-2016-5131.patch \
+ %D%/packages/patches/libxml2-CVE-2017-0663.patch \
+ %D%/packages/patches/libxml2-CVE-2017-7375.patch \
+ %D%/packages/patches/libxml2-CVE-2017-7376.patch \
+ %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch\
+ %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch\
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
%D%/packages/patches/libxt-guix-search-paths.patch \
diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
new file mode 100644
index 000000000..b0277a2d2
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-0663:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
+https://security-tracker.debian.org/tracker/CVE-2017-0663
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
+
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a0..c51ea290 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+--
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
new file mode 100644
index 000000000..32af1ff6b
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-7375:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
+https://security-tracker.debian.org/tracker/CVE-2017-7375
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
+
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a2703..c2c812de 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ if (xmlPushInput(ctxt, input) < 0)
+ return;
+ } else {
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
++ (ctxt->validate == 0))
++ return;
++
+ /*
+ * TODO !!!
+ * handle the extra spaces added before and after
+--
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
new file mode 100644
index 000000000..5b9e45bd8
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-7376:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
+https://security-tracker.debian.org/tracker/CVE-2017-7376
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
+
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad75..373425de 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+ if (ctxt->port != 80) {
+ /* reserve space for ':xxxxx', incl. potential proxy */
+ if (proxy)
+- blen += 12;
++ blen += 17;
+ else
+- blen += 6;
++ blen += 11;
+ }
+ bp = (char*)xmlMallocAtomic(blen);
+ if ( bp == NULL ) {
+--
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
new file mode 100644
index 000000000..0a0e6d34c
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
@@ -0,0 +1,130 @@
+Fix CVE-2017-{9047,9048}:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)
+https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
+http://www.openwall.com/lists/oss-security/2017/05/15/1
+https://security-tracker.debian.org/tracker/CVE-2017-9047
+https://security-tracker.debian.org/tracker/CVE-2017-9048
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 3 Jun 2017 02:01:29 +0200
+Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+
+Thanks to Marcel Böhme and Thuan Pham for the report.
+---
+ result/valid/781333.xml | 5 +++++
+ result/valid/781333.xml.err | 3 +++
+ result/valid/781333.xml.err.rdr | 6 ++++++
+ test/valid/781333.xml | 4 ++++
+ valid.c | 20 +++++++++++---------
+ 5 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 result/valid/781333.xml
+ create mode 100644 result/valid/781333.xml.err
+ create mode 100644 result/valid/781333.xml.err.rdr
+ create mode 100644 test/valid/781333.xml
+
+diff --git a/result/valid/781333.xml b/result/valid/781333.xml
+new file mode 100644
+index 00000000..45dc451d
+--- /dev/null
++++ b/result/valid/781333.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE a [
++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
+new file mode 100644
+index 00000000..b401b49a
+--- /dev/null
++++ b/result/valid/781333.xml.err
+@@ -0,0 +1,3 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
+new file mode 100644
+index 00000000..5ff56992
+--- /dev/null
++++ b/result/valid/781333.xml.err.rdr
+@@ -0,0 +1,6 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
++
++^
+diff --git a/test/valid/781333.xml b/test/valid/781333.xml
+new file mode 100644
+index 00000000..b29e5a68
+--- /dev/null
++++ b/test/valid/781333.xml
+@@ -0,0 +1,4 @@
++<!DOCTYPE a [
++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/valid.c b/valid.c
+index 19f84b82..9b2df56a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
+--
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
new file mode 100644
index 000000000..890e9c228
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
@@ -0,0 +1,319 @@
+Fix CVE-2017-{9049,9050}:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)
+https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
+http://www.openwall.com/lists/oss-security/2017/05/15/1
+https://security-tracker.debian.org/tracker/CVE-2017-9049
+https://security-tracker.debian.org/tracker/CVE-2017-9050
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+Changes to 'runtest.c' are removed since they introduce test failure
+when applying to libxml2 2.9.4 release tarball.
+
+From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 5 Jun 2017 15:37:17 +0200
+Subject: [PATCH] Fix handling of parameter-entity references
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+
+The percent sign is not allowed in names, which are grammatical tokens.
+
+- xmlParseEntityValue
+
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+
+- xmlParseSystemLiteral
+
+Parameter-entity references are ignored in the system literal.
+
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+
+Parameter-entity references are ignored outside the DTD.
+
+- xmlLoadEntityContent
+
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+
+This bug could also be triggered with an internal subset and double
+entity expansion.
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+---
+ Makefile.am | 18 ++++++++++++++++++
+ parser.c | 18 ++++++++++--------
+ result/errors10/781205.xml | 0
+ result/errors10/781205.xml.err | 21 +++++++++++++++++++++
+ result/errors10/781361.xml | 0
+ result/errors10/781361.xml.err | 13 +++++++++++++
+ result/valid/766956.xml | 0
+ result/valid/766956.xml.err | 9 +++++++++
+ result/valid/766956.xml.err.rdr | 10 ++++++++++
+ runtest.c | 3 +++
+ test/errors10/781205.xml | 3 +++
+ test/errors10/781361.xml | 3 +++
+ test/valid/766956.xml | 2 ++
+ test/valid/dtds/766956.dtd | 2 ++
+ 14 files changed, 94 insertions(+), 8 deletions(-)
+ create mode 100644 result/errors10/781205.xml
+ create mode 100644 result/errors10/781205.xml.err
+ create mode 100644 result/errors10/781361.xml
+ create mode 100644 result/errors10/781361.xml.err
+ create mode 100644 result/valid/766956.xml
+ create mode 100644 result/valid/766956.xml.err
+ create mode 100644 result/valid/766956.xml.err.rdr
+ create mode 100644 test/errors10/781205.xml
+ create mode 100644 test/errors10/781361.xml
+ create mode 100644 test/valid/766956.xml
+ create mode 100644 test/valid/dtds/766956.dtd
+
+diff --git a/Makefile.am b/Makefile.am
+index 6fc8ffa9..10e716a5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
+ rm result.$$name error.$$name ; \
+ fi ; fi ; done)
++ @echo "## Error cases regression tests (old 1.0)"
++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
++ name=`basename $$i`; \
++ if [ ! -d $$i ] ; then \
++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
++ echo New test file $$name ; \
++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
++ 2> $(srcdir)/result/errors10/$$name.err \
++ > $(srcdir)/result/errors10/$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ else \
++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ diff $(srcdir)/result/errors10/$$name result.$$name ; \
++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
++ rm result.$$name error.$$name ; \
++ fi ; fi ; done)
+ @echo "## Error cases stream regression tests"
+ -@(for i in $(srcdir)/test/errors/*.xml ; do \
+ name=`basename $$i`; \
+diff --git a/parser.c b/parser.c
+index df2efa55..a175ac4e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 00000000..da15c3f7
+--- /dev/null
++++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++namespace error : Failed to parse QName ':0000'
++ %a;
++ ^
++<:0000
++ ^
++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
++
++^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 00000000..655f41a2
+--- /dev/null
++++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
++
++^
++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++
++^
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
++
++^
++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
++
++^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 00000000..34b1dae6
+--- /dev/null
++++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 00000000..77603462
+--- /dev/null
++++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
++./test/valid/766956.xml : failed to parse
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 00000000..d9e9e839
+--- /dev/null
++++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE D [
++ <!ENTITY % a "<:0000">
++ %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 00000000..67476bcb
+--- /dev/null
++++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE doc [
++ <!ENTITY % elem "<!ELEMENT e0000000000">
++ %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 00000000..19a95a0e
+--- /dev/null
++++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
++<!DOCTYPE test SYSTEM "dtds/766956.dtd">
++<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 00000000..dddde68b
+--- /dev/null
++++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
++<!ENTITY % ent "value">
++%ä%ent;
+--
+2.14.1
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index dd229ba73..30ecbe72d 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -114,8 +114,14 @@ hierarchical form with variable field lengths.")
(method url-fetch)
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
version ".tar.gz"))
- (patches (search-patches "libxml2-CVE-2016-4658.patch"
- "libxml2-CVE-2016-5131.patch"))
+ (patches
+ (search-patches "libxml2-CVE-2016-4658.patch"
+ "libxml2-CVE-2016-5131.patch"
+ "libxml2-CVE-2017-0663.patch"
+ "libxml2-CVE-2017-7375.patch"
+ "libxml2-CVE-2017-7376.patch"
+ "libxml2-CVE-2017-9047+CVE-2017-9048.patch"
+ "libxml2-CVE-2017-9049+CVE-2017-9050.patch"))
(sha256
(base32
"0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
--
2.14.1
[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
next reply other threads:[~2017-08-30 13:33 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-30 13:31 Alex Vong [this message]
2017-08-30 18:57 ` [bug#28294] [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050} Marius Bakke
2017-08-31 10:40 ` Alex Vong
2017-08-31 19:52 ` bug#28294: " Marius Bakke
2017-08-31 21:38 ` Fetching patches as origins instead of copying them into the Guix Git repo Leo Famulari
2017-08-31 21:52 ` Marius Bakke
2017-09-01 9:58 ` ng0
2017-09-01 10:03 ` ng0
2017-09-01 19:50 ` Leo Famulari
2017-09-02 17:09 ` Alex Vong
2017-09-04 18:47 ` Marius Bakke
2017-09-02 20:55 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87inh5uqpd.fsf@gmail.com \
--to=alexvong1995@gmail.com \
--cc=28294@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.