author | Kevin Daudt <kdaudt@alpinelinux.org> | 2021-07-22 15:40:03 +0000 |
---|---|---|
committer | Kevin Daudt <kdaudt@alpinelinux.org> | 2021-07-24 10:13:21 +0000 |
commit | c98faa01f539a92b4f87d5d63c758510b45aa8d0 (patch) | |
tree | 37d46776a4fb34e3a85962863442a2beff9bda9a | |
parent | a7bee2dd59efa74f16bf9a0ceb47830f4fdc040d (diff) |
main/libxml2: security upgrade to 2.9.12 (CVE-2021-3541)
See #12859
-rw-r--r-- | main/libxml2/APKBUILD | 20 | ||||
-rw-r--r-- | main/libxml2/CVE-2019-20388.patch | 12 | ||||
-rw-r--r-- | main/libxml2/CVE-2020-24977.patch | 40 | ||||
-rw-r--r-- | main/libxml2/CVE-2021-3517.patch | 49 | ||||
-rw-r--r-- | main/libxml2/CVE-2021-3518.patch | 15 | ||||
-rw-r--r-- | main/libxml2/CVE-2021-3537.patch | 44 | ||||
-rw-r--r-- | main/libxml2/libxml2-CVE-2020-7595.patch | 32 |
7 files changed, 5 insertions, 207 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index b64d1b4d7f9..aa71cb601ca 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=libxml2 -pkgver=2.9.10 -pkgrel=6 +pkgver=2.9.12 +pkgrel=0 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -14,17 +14,13 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-utils py3-$pkgname:_py3" options="!strip" source="http://xmlsoft.org/sources/libxml2-$pkgver.tar.gz - CVE-2019-20388.patch - libxml2-CVE-2020-7595.patch revert-Make-xmlFreeNodeList-non-recursive.patch libxml2-2.9.8-python3-unicode-errors.patch - CVE-2020-24977.patch - CVE-2021-3517.patch - CVE-2021-3518.patch - CVE-2021-3537.patch " # secfixes: +# 2.9.11-r0: +# - CVE-2021-3541 # 2.9.10-r6: # - CVE-2021-3517 # - CVE-2021-3518 
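Review bot: The added secfixes entry is keyed `# 2.9.11-r0:`, but this commit takes the package from 2.9.10-r6 directly to `pkgver=2.9.12` / `pkgrel=0`, so the entry names a version-release that the visible hunks never build here. Because the secfixes block is what Alpine's security database is generated from, the key is normally the first package version on this branch that carries the fix; if no 2.9.11-r0 was ever published on this branch, it should read `#   2.9.12-r0:` followed by `#     - CVE-2021-3541`. The same hunk drops six CVE patches from `source=` on the assumption that the 2.9.12 tarball already contains them, which nothing on this page shows. It is worth confirming each fix against the unpacked 2.9.12 sources before merging, since the existing secfixes entries for those CVEs stay in place. The secfixes block continues past the end of the hunk.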
@@ -101,13 +97,7 @@ utils() { } sha512sums=" -0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed libxml2-2.9.10.tar.gz -46ade1189ef24cb56bd38c2c58aaacc8f3e8404656b9976754e9ec9bfe17f71e9a1fdb6febd02947f6120b5ce320cbc7391baf8d0cb042877bcf81553010ad04 CVE-2019-20388.patch -90db832e60c700e971669f57a54fdb297660c42602089b4e77e013a7051c880f380f0c98c059d9f54de99855b2d9be78fcf0639443f3765a925b52fc093fb4d9 libxml2-CVE-2020-7595.patch +df1c6486e80f0fcf3c506f3599bcfb94b620c00d0b5d26831bc983daa78d58ec58b5057b1ec7c1a26c694f40199c6234ee2a6dcabf65abfa10c447cb5705abbd libxml2-2.9.12.tar.gz 347178e432379d543683cba21b902e7305202c03e8dbd724ae395963d677096a5cfc4e345e208d498163ca5174683c167610fc2b297090476038bc2bb7c84b4f revert-Make-xmlFreeNodeList-non-recursive.patch a205c97fa1488fb8907cfa08b5f82e2055c80b86213dc3cc5c4b526fe6aa786bcc4e4eeb226c44635a1d021307b39e3940f706c42fb60e9e3e9b490a84164df7 libxml2-2.9.8-python3-unicode-errors.patch -b25a49cfb51569799ada41bad0efaf2666d70b9efb380987c3d5678fd943ada5d0baa18a3db5efa58dac65db8e2d2915ab5c6bac850d0c610656c89734853fd5 CVE-2020-24977.patch -9fc13877ddf53e5897dde490917ab6911e048c6fd6dca9f696c21e45f69ddaceae09a9bf92929317c84c96aeaa8531ffdf7737b1f7cde05de2a7be0e6fddd999 CVE-2021-3517.patch -5341026c46337dfb376ad0c0580ea287f81338a439737580eee67e2ffe833e695563245532072631509acd29e70ad0700663c16e2d531e5409c15f541e9ae3c4 CVE-2021-3518.patch -169568745f86235dc6d8dfb56597cf947dc66741cdf4dafc980658d614f7d21e67a1bacbeeed644d91c52cf3c56e9ef0857ec567bb6fd68d3e164e5f18bf87d5 CVE-2021-3537.patch " diff --git a/main/libxml2/CVE-2019-20388.patch b/main/libxml2/CVE-2019-20388.patch deleted file mode 100644 index 164b54ba2f1..00000000000 --- a/main/libxml2/CVE-2019-20388.patch +++ /dev/null 
@@ -1,12 +0,0 @@
-diff --git a/xmlschemas.c b/xmlschemas.c
-index 301c84499d4185ca3a760b512daeca8760edaf05..39d92182f51ff723413cb41a0101d97b6647cdee 100644
---- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
- vctxt->nberrors = 0;
- vctxt->depth = -1;
- vctxt->skipDepth = -1;
-- vctxt->xsiAssemble = 0;
- vctxt->hasKeyrefs = 0;
- #ifdef ENABLE_IDC_NODE_TABLES_TEST
- vctxt->createIDCNodeTables = 1;
diff --git a/main/libxml2/CVE-2020-24977.patch b/main/libxml2/CVE-2020-24977.patch
deleted file mode 100644
index 9633641ae47..00000000000
--- a/main/libxml2/CVE-2020-24977.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Aug 2020 17:30:41 +0200
-Subject: [PATCH] Fix integer overflow when comparing schema dates
-
-Found by OSS-Fuzz.
----
- xmlschemastypes.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index 4249d7000..d6b9f924e 100644
---- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
- minday = 0;
- maxday = 0;
- } else {
-+ if (myear > LONG_MAX / 366)
-+ return -2;
- /* FIXME: This doesn't take leap year exceptions every 100/400 years
- into account. */
- maxday = 365 * myear + (myear + 3) / 4;
-@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
- if ((x == NULL) || (y == NULL))
- return -2;
-
-+ if ((x->value.date.year > LONG_MAX / 366) ||
-+ (x->value.date.year < LONG_MIN / 366) ||
-+ (y->value.date.year > LONG_MAX / 366) ||
-+ (y->value.date.year < LONG_MIN / 366)) {
-+ /* Possible overflow when converting to days. */
-+ return -2;
-+ }
-+
- if (x->value.date.tz_flag) {
-
- if (!y->value.date.tz_flag) {
---
-GitLab
\ No newline at end of file
diff --git a/main/libxml2/CVE-2021-3517.patch b/main/libxml2/CVE-2021-3517.patch
deleted file mode 100644
index e3ef73602ff..00000000000
--- a/main/libxml2/CVE-2021-3517.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
-From: Joel Hockey <joel.hockey@gmail.com>
-Date: Sun, 16 Aug 2020 17:19:35 -0700
-Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
-
-Code is currently assuming UTF-8 without validating. Truncated UTF-8
-input can cause out-of-bounds array access.
-
-Adds further checks to partial fix in 50f06b3e.
-
-Fixes #178
----
- entities.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/entities.c b/entities.c
-index 37b99a56..1a8f86f0 100644
---- a/entities.c
-+++ b/entities.c
-@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
- } else {
- /*
- * We assume we have UTF-8 input.
-+ * It must match either:
-+ * 110xxxxx 10xxxxxx
-+ * 1110xxxx 10xxxxxx 10xxxxxx
-+ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
-+ * That is:
-+ * cur[0] is 11xxxxxx
-+ * cur[1] is 10xxxxxx
-+ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
-+ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
-+ * cur[0] is not 11111xxx
- */
- char buf[11], *ptr;
- int val = 0, l = 1;
-
-- if (*cur < 0xC0) {
-+ if (((cur[0] & 0xC0) != 0xC0) ||
-+ ((cur[1] & 0xC0) != 0x80) ||
-+ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
-+ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
-+ (((cur[0] & 0xF8) == 0xF8))) {
- xmlEntitiesErr(XML_CHECK_NOT_UTF8,
- "xmlEncodeEntities: input not UTF-8");
- if (doc != NULL)
---
-GitLab
-
diff --git a/main/libxml2/CVE-2021-3518.patch b/main/libxml2/CVE-2021-3518.patch
deleted file mode 100644
index 3ed2a68e8d7..00000000000
--- a/main/libxml2/CVE-2021-3518.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -urN libxml2-2.9.10.orig/xinclude.c libxml2-2.9.10/xinclude.c
---- libxml2-2.9.10.orig/xinclude.c 2021-06-04 10:26:43.173188644 -0600
-+++ libxml2-2.9.10/xinclude.c 2021-06-04 10:28:19.633720058 -0600
-@@ -2397,9 +2397,8 @@
- while ((cur != NULL) && (cur != tree->parent)) {
- /* TODO: need to work on entities -> stack */
- if ((cur->children != NULL) &&
-- (cur->children->type != XML_ENTITY_DECL) &&
-- (cur->children->type != XML_XINCLUDE_START) &&
-- (cur->children->type != XML_XINCLUDE_END)) {
-+ ((cur->type == XML_DOCUMENT_NODE) ||
-+ (cur->type == XML_ELEMENT_NODE))) {
- cur = cur->children;
- if (xmlXIncludeTestNode(ctxt, cur))
- xmlXIncludePreProcessNode(ctxt, cur);
diff --git a/main/libxml2/CVE-2021-3537.patch b/main/libxml2/CVE-2021-3537.patch
deleted file mode 100644
index 3df1539523b..00000000000
--- a/main/libxml2/CVE-2021-3537.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 1 May 2021 16:53:33 +0200
-Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
-
-Check return value of recursive calls to
-xmlParseElementChildrenContentDeclPriv and return immediately in case
-of errors. Otherwise, struct xmlElementContent could contain unexpected
-null pointers, leading to a null deref when post-validating documents
-which aren't well-formed and parsed in recovery mode.
-
-Fixes #243.
----
- parser.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index b42e6043..73c27edd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
- SKIP_BLANKS;
- cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
- depth + 1);
-+ if (cur == NULL)
-+ return(NULL);
- SKIP_BLANKS;
- GROW;
- } else {
-@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
- SKIP_BLANKS;
- last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
- depth + 1);
-+ if (last == NULL) {
-+ if (ret != NULL)
-+ xmlFreeDocElementContent(ctxt->myDoc, ret);
-+ return(NULL);
-+ }
- SKIP_BLANKS;
- } else {
- elem = xmlParseName(ctxt);
---
-GitLab
-
diff --git a/main/libxml2/libxml2-CVE-2020-7595.patch b/main/libxml2/libxml2-CVE-2020-7595.patch
deleted file mode 100644
index 3dd67749760..00000000000
--- a/main/libxml2/libxml2-CVE-2020-7595.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie <xiezhipeng1@huawei.com>
-Date: Thu, 12 Dec 2019 17:30:55 +0800
-Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
-
-When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
-return NULL which cause a infinite loop in xmlStringLenDecodeEntities
-
-Found with libFuzzer.
-
-Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index d1c31963..a34bb6cd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
- else
- c = 0;
- while ((c != 0) && (c != end) && /* non input consuming loop */
-- (c != end2) && (c != end3)) {
-+ (c != end2) && (c != end3) &&
-+ (ctxt->instate != XML_PARSER_EOF)) {
-
- if (c == 0) break;
- if ((c == '&') && (str[1] == '#')) {
---
-2.24.1
-
|