author | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-04 10:31:03 -0600 |
---|---|---|
committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-04 10:48:24 -0600 |
commit | fff594f5c5e9d0112c73b322a0241d26f589e259 (patch) | |
tree | e241214d25a6b0c6bf9535ed924615557ba2ff03 | |
parent | c4164355fa7b547e47569987b1a5210331be7553 (diff) |
-rw-r--r-- | main/libxml2/APKBUILD | 18 | ||||
-rw-r--r-- | main/libxml2/CVE-2021-3517.patch | 49 | ||||
-rw-r--r-- | main/libxml2/CVE-2021-3518.patch | 15 | ||||
-rw-r--r-- | main/libxml2/CVE-2021-3537.patch | 44 |
4 files changed, 123 insertions, 3 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 75efe53cc49..a3b5f6edf0e 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=libxml2
 pkgver=2.9.9
-pkgrel=4
+pkgrel=5
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -17,10 +17,17 @@ source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
 fix-null-pointer-dereference.patch
 CVE-2019-19956.patch
 CVE-2020-24977.patch
+ CVE-2021-3517.patch
+ CVE-2021-3518.patch
+ CVE-2021-3537.patch
 "
 builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
+# 2.9.9-r5:
+# - CVE-2021-3517
+# - CVE-2021-3518
+# - CVE-2021-3537
 # 2.9.9-r4:
 # - CVE-2020-24977
 # 2.9.9-r3:
@@ -114,7 +121,12 @@ utils() {
 mkdir -p "$subpkgdir"/usr
 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-sha512sums="cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810 libxml2-2.9.9.tar.gz
+sha512sums="
+cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810 libxml2-2.9.9.tar.gz
 83074e582cdba8bedff40fc653731ad18ca357bde8f1420e2e8a2a38998b951aebcb73ca5d51859be3b4d9bc1a0308836ca2bb612269edbc61b9dd6ebc7fdb2a fix-null-pointer-dereference.patch
 0e03d0dcfae1e99e06c7a4c9a4d863a1518589e403d79665727883b27d7c0d7026b18e29b7c68df41138fbdffb88d977c5ef10ce2ffb96d1a6255304d89c2bb6 CVE-2019-19956.patch
-dfc6fa0232bd94635c66535734175c04e8b7461c216e1337da68d7c5dce36fc750f787f2ee08ef6d91521df55c45f4ae235f8f44bea697a7c734a3b62c9fab60 CVE-2020-24977.patch"
+dfc6fa0232bd94635c66535734175c04e8b7461c216e1337da68d7c5dce36fc750f787f2ee08ef6d91521df55c45f4ae235f8f44bea697a7c734a3b62c9fab60 CVE-2020-24977.patch
+9fc13877ddf53e5897dde490917ab6911e048c6fd6dca9f696c21e45f69ddaceae09a9bf92929317c84c96aeaa8531ffdf7737b1f7cde05de2a7be0e6fddd999 CVE-2021-3517.patch
+5341026c46337dfb376ad0c0580ea287f81338a439737580eee67e2ffe833e695563245532072631509acd29e70ad0700663c16e2d531e5409c15f541e9ae3c4 CVE-2021-3518.patch
+169568745f86235dc6d8dfb56597cf947dc66741cdf4dafc980658d614f7d21e67a1bacbeeed644d91c52cf3c56e9ef0857ec567bb6fd68d3e164e5f18bf87d5 CVE-2021-3537.patch
+"
diff --git a/main/libxml2/CVE-2021-3517.patch b/main/libxml2/CVE-2021-3517.patch
new file mode 100644
index 00000000000..e3ef73602ff
--- /dev/null
+++ b/main/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,49 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+
diff --git a/main/libxml2/CVE-2021-3518.patch b/main/libxml2/CVE-2021-3518.patch
new file mode 100644
index 00000000000..3ed2a68e8d7
--- /dev/null
+++ b/main/libxml2/CVE-2021-3518.patch
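Review bot: The new condition in the `entities.c` hunk of CVE-2021-3517.patch stays in bounds only because of the order of its `||` terms, and the added block comment does not say so. `cur[2]` and `cur[3]` are read only after the previous byte matched `10xxxxxx`; assuming `input` is NUL-terminated (not visible in the hunk), a truncated sequence fails that test at the terminator and the chain stops there. A line in the comment such as `* Order matters: cur[n] is read only after cur[n-1] passed, so a truncated sequence stops at the NUL.` would keep a later reordering from reintroducing the out-of-bounds read. The check covers the byte pattern only; whether overlong or otherwise invalid code points are rejected depends on code after the hunk, which is not shown.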
@@ -0,0 +1,15 @@
+diff -urN libxml2-2.9.10.orig/xinclude.c libxml2-2.9.10/xinclude.c
+--- libxml2-2.9.10.orig/xinclude.c 2021-06-04 10:26:43.173188644 -0600
++++ libxml2-2.9.10/xinclude.c 2021-06-04 10:28:19.633720058 -0600
+@@ -2397,9 +2397,8 @@
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+ if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ if (xmlXIncludeTestNode(ctxt, cur))
+ xmlXIncludePreProcessNode(ctxt, cur);
diff --git a/main/libxml2/CVE-2021-3537.patch b/main/libxml2/CVE-2021-3537.patch
new file mode 100644
index 00000000000..3df1539523b
--- /dev/null
+++ b/main/libxml2/CVE-2021-3537.patch
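Review bot: CVE-2021-3518.patch was generated against a different tree than the one it is applied to: its header names `libxml2-2.9.10.orig/xinclude.c`, while the APKBUILD in this commit sets `pkgver=2.9.9`. Unlike the other two patches it also carries no `From`/`Subject` header or upstream commit reference, so the file alone does not show which upstream fix was backported, or whether the hunk at line 2397 lands on the intended condition in 2.9.9. I would add a short header to the patch, for example `Backport of upstream commit <UPSTREAM-COMMIT-ID> for CVE-2021-3518, rebased onto 2.9.9`, and record whether it applied with offset or fuzz. The enclosing function starts and ends outside the hunk, so the effect of no longer excluding `XML_XINCLUDE_START`/`XML_XINCLUDE_END` children cannot be checked from here.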
@@ -0,0 +1,44 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+ |
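Review bot: The two early returns added in the `parser.c` hunks clean up differently, and nothing in the code says why. The first, `if (cur == NULL) return(NULL);`, frees nothing, which is consistent with the visible `cur = ret = ...` assignment: `ret` is NULL as well at that point. The second frees the partial tree with `xmlFreeDocElementContent(ctxt->myDoc, ret)` before returning. A one-line comment on each path, such as `/* nothing allocated at this depth yet */` and `/* drop the partial tree so no node with a NULL child is returned */`, would keep that ownership rule visible to the next person who touches these paths. Both hunks sit in the middle of xmlParseElementChildrenContentDeclPriv, so its other return paths are outside the hunk and cannot be checked here.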