diff options
| -rw-r--r-- | main/libxml2/APKBUILD | 16 | ||||
| -rw-r--r-- | main/libxml2/CVE-2016-5131.patch | 174 | ||||
| -rw-r--r-- | main/libxml2/CVE-2016-9318.patch | 201 | ||||
| -rw-r--r-- | main/libxml2/CVE-2017-5969.patch | 63 |
4 files changed, 8 insertions, 446 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 47f9ac5fd41..b4e6be8075e 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=libxml2 -pkgver=2.9.4 -pkgrel=3 +pkgver=2.9.5 +pkgrel=0 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -11,11 +11,9 @@ depends= depends_dev="zlib-dev" makedepends="$depends_dev python-dev" subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" -source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz - CVE-2016-5131.patch - CVE-2016-9318.patch - CVE-2017-5969.patch - " +options="!strip" +source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz" +builddir="$srcdir/$pkgname-$pkgver" # secfixes: # 2.9.4-r1: @@ -24,6 +22,8 @@ source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz # - CVE-2016-9318 # 2.9.4-r3: # - CVE-2017-5969 +# 2.9.5-r0: +# - CVE-2017-16931 options="!strip" @@ -77,8 +77,8 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } - sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33 CVE-2016-5131.patch 508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee CVE-2016-9318.patch c1ce2284bdd874bd6eb1b2bef0e2c8d561861f82b5f03c4b7155e3ed11e2c56743d2f624530f0c7672d65329a13199e534f51ec19f06d4b6941b861dda50ef67 CVE-2017-5969.patch" +sha512sums="197dbd1722e5f90eea43837323352f48d215e198aa6b95685645ef7511e2beba8aadc0dd67e099c945120c5dbe7f8c9da5f376b22f447059e9ffa941c1bfd175 libxml2-2.9.5.tar.gz" diff --git a/main/libxml2/CVE-2016-5131.patch b/main/libxml2/CVE-2016-5131.patch deleted file mode 100644 index 9ce3fb9d871..00000000000 --- a/main/libxml2/CVE-2016-5131.patch +++ /dev/null @@ -1,174 +0,0 @@ -From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer <wellnhofer@aevum.de> -Date: Tue, 28 Jun 2016 14:22:23 +0200 -Subject: Fix XPointer paths beginning with range-to - -The old code would invoke the broken xmlXPtrRangeToFunction. range-to -isn't really a function but a special kind of location step. Remove -this function and always handle range-to in the XPath code. - -The old xmlXPtrRangeToFunction could also be abused to trigger a -use-after-free error with the potential for remote code execution. - -Found with afl-fuzz. - -Fixes CVE-2016-5131. ---- - result/XPath/xptr/vidbase | 13 ++++++++ - test/XPath/xptr/vidbase | 1 + - xpath.c | 7 ++++- - xpointer.c | 76 ++++------------------------------------------- - 4 files changed, 26 insertions(+), 71 deletions(-) - -diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase -index 8b9e92d..f19193e 100644 ---- a/result/XPath/xptr/vidbase -+++ b/result/XPath/xptr/vidbase -@@ -17,3 +17,16 @@ Object is a Location Set: - To node - ELEMENT p - -+ -+======================== -+Expression: xpointer(range-to(id('chapter2'))) -+Object is a Location Set: -+1 : Object is a range : -+ From node -+ / -+ To node -+ ELEMENT chapter -+ ATTRIBUTE id -+ TEXT -+ content=chapter2 -+ -diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase -index b146383..884b106 100644 ---- a/test/XPath/xptr/vidbase -+++ b/test/XPath/xptr/vidbase -@@ -1,2 +1,3 @@ - xpointer(id('chapter1')/p) - xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2])) -+xpointer(range-to(id('chapter2'))) -diff --git a/xpath.c b/xpath.c -index d992841..5a01b1b 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { - lc = 1; - break; - } else if ((NXT(len) == '(')) { -- /* Note Type or Function */ -+ /* Node Type or Function */ - if (xmlXPathIsNodeType(name)) { - #ifdef DEBUG_STEP - xmlGenericError(xmlGenericErrorContext, - "PathExpr: Type search\n"); - #endif - lc = 1; -+#ifdef LIBXML_XPTR_ENABLED -+ } else if (ctxt->xptr && -+ xmlStrEqual(name, BAD_CAST "range-to")) { -+ lc = 1; -+#endif - } else { - #ifdef DEBUG_STEP - xmlGenericError(xmlGenericErrorContext, -diff --git a/xpointer.c b/xpointer.c -index 676c510..d74174a 100644 ---- a/xpointer.c -+++ b/xpointer.c -@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { - ret->here = here; - ret->origin = origin; - -- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", -- xmlXPtrRangeToFunction); - xmlXPathRegisterFunc(ret, (xmlChar *)"range", - xmlXPtrRangeFunction); - xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", -@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { - * @nargs: the number of args - * - * Implement the range-to() XPointer function -+ * -+ * Obsolete. range-to is not a real function but a special type of location -+ * step which is handled in xpath.c. - */ - void --xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { -- xmlXPathObjectPtr range; -- const xmlChar *cur; -- xmlXPathObjectPtr res, obj; -- xmlXPathObjectPtr tmp; -- xmlLocationSetPtr newset = NULL; -- xmlNodeSetPtr oldset; -- int i; -- -- if (ctxt == NULL) return; -- CHECK_ARITY(1); -- /* -- * Save the expression pointer since we will have to evaluate -- * it multiple times. Initialize the new set. -- */ -- CHECK_TYPE(XPATH_NODESET); -- obj = valuePop(ctxt); -- oldset = obj->nodesetval; -- ctxt->context->node = NULL; -- -- cur = ctxt->cur; -- newset = xmlXPtrLocationSetCreate(NULL); -- -- for (i = 0; i < oldset->nodeNr; i++) { -- ctxt->cur = cur; -- -- /* -- * Run the evaluation with a node list made of a single item -- * in the nodeset. -- */ -- ctxt->context->node = oldset->nodeTab[i]; -- tmp = xmlXPathNewNodeSet(ctxt->context->node); -- valuePush(ctxt, tmp); -- -- xmlXPathEvalExpr(ctxt); -- CHECK_ERROR; -- -- /* -- * The result of the evaluation need to be tested to -- * decided whether the filter succeeded or not -- */ -- res = valuePop(ctxt); -- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); -- if (range != NULL) { -- xmlXPtrLocationSetAdd(newset, range); -- } -- -- /* -- * Cleanup -- */ -- if (res != NULL) -- xmlXPathFreeObject(res); -- if (ctxt->value == tmp) { -- res = valuePop(ctxt); -- xmlXPathFreeObject(res); -- } -- -- ctxt->context->node = NULL; -- } -- -- /* -- * The result is used as the new evaluation set. -- */ -- xmlXPathFreeObject(obj); -- ctxt->context->node = NULL; -- ctxt->context->contextSize = -1; -- ctxt->context->proximityPosition = -1; -- valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); -+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, -+ int nargs ATTRIBUTE_UNUSED) { -+ XP_ERROR(XPATH_EXPR_ERROR); - } - - /** --- -cgit v0.12 - diff --git a/main/libxml2/CVE-2016-9318.patch b/main/libxml2/CVE-2016-9318.patch deleted file mode 100644 index 391b5748e15..00000000000 --- a/main/libxml2/CVE-2016-9318.patch +++ /dev/null @@ -1,201 +0,0 @@ -From 2304078555896cf1638c628f50326aeef6f0e0d0 Mon Sep 17 00:00:00 2001 -From: Doran Moppert <dmoppert@redhat.com> -Date: Fri, 7 Apr 2017 16:45:56 +0200 -Subject: Add an XML_PARSE_NOXXE flag to block all entities loading even local - -For https://bugzilla.gnome.org/show_bug.cgi?id=772726 - -* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE -* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine -* include/libxml/xmlerror.h: new error raised -* xmllint.c: adds --noxxe flag to activate the option ---- - elfgcchack.h | 10 ++++++++++ - include/libxml/parser.h | 3 ++- - include/libxml/xmlIO.h | 8 ++++++++ - include/libxml/xmlerror.h | 1 + - parser.c | 4 ++++ - xmlIO.c | 40 +++++++++++++++++++++++++++++++++++----- - xmllint.c | 5 +++++ - 7 files changed, 65 insertions(+), 6 deletions(-) - -diff --git a/elfgcchack.h b/elfgcchack.h -index 8c52884..1b81dcd 100644 ---- a/elfgcchack.h -+++ b/elfgcchack.h -@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int - #endif - #endif - -+#ifdef bottom_xmlIO -+#undef xmlNoXxeExternalEntityLoader -+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias"))); -+#else -+#ifndef xmlNoXxeExternalEntityLoader -+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden"))); -+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias -+#endif -+#endif -+ - #ifdef bottom_tree - #undef xmlNodeAddContent - extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias"))); -diff --git a/include/libxml/parser.h b/include/libxml/parser.h -index 47fbec0..63ca1b9 100644 ---- a/include/libxml/parser.h -+++ b/include/libxml/parser.h -@@ -1111,7 +1111,8 @@ typedef enum { - XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */ - XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */ - XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */ -- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */ -+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */ -+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */ - } xmlParserOption; - - XMLPUBFUN void XMLCALL -diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h -index 3e41744..8d3fdef 100644 ---- a/include/libxml/xmlIO.h -+++ b/include/libxml/xmlIO.h -@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL - xmlParserCtxtPtr ctxt); - - /* -+ * A predefined entity loader external entity expansion -+ */ -+XMLPUBFUN xmlParserInputPtr XMLCALL -+ xmlNoXxeExternalEntityLoader (const char *URL, -+ const char *ID, -+ xmlParserCtxtPtr ctxt); -+ -+/* - * xmlNormalizeWindowsPath is obsolete, don't use it. - * Check xmlCanonicPath in uri.h for a better alternative. - */ -diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h -index 037c16d..3036062 100644 ---- a/include/libxml/xmlerror.h -+++ b/include/libxml/xmlerror.h -@@ -470,6 +470,7 @@ typedef enum { - XML_IO_EADDRINUSE, /* 1554 */ - XML_IO_EALREADY, /* 1555 */ - XML_IO_EAFNOSUPPORT, /* 1556 */ -+ XML_IO_ILLEGAL_XXE, /* 1557 */ - XML_XINCLUDE_RECURSION=1600, - XML_XINCLUDE_PARSE_VALUE, /* 1601 */ - XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */ -diff --git a/parser.c b/parser.c -index 53a6b7f..609a270 100644 ---- a/parser.c -+++ b/parser.c -@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi - ctxt->options |= XML_PARSE_NONET; - options -= XML_PARSE_NONET; - } -+ if (options & XML_PARSE_NOXXE) { -+ ctxt->options |= XML_PARSE_NOXXE; -+ options -= XML_PARSE_NOXXE; -+ } - if (options & XML_PARSE_COMPACT) { - ctxt->options |= XML_PARSE_COMPACT; - options -= XML_PARSE_COMPACT; -diff --git a/xmlIO.c b/xmlIO.c -index 300ee47..e625612 100644 ---- a/xmlIO.c -+++ b/xmlIO.c -@@ -210,6 +210,7 @@ static const char *IOerr[] = { - "adddress in use", /* EADDRINUSE */ - "already in use", /* EALREADY */ - "unknown address familly", /* EAFNOSUPPORT */ -+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */ - }; - - #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__) -@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID, - xmlGenericError(xmlGenericErrorContext, - "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL); - #endif -- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) { -+ if (ctxt != NULL) { - int options = ctxt->options; - -- ctxt->options -= XML_PARSE_NONET; -- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); -- ctxt->options = options; -- return(ret); -+ if (options & XML_PARSE_NOXXE) { -+ ctxt->options -= XML_PARSE_NOXXE; -+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt); -+ ctxt->options = options; -+ return(ret); -+ } -+ -+ if (options & XML_PARSE_NONET) { -+ ctxt->options -= XML_PARSE_NONET; -+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); -+ ctxt->options = options; -+ return(ret); -+ } - } - #ifdef LIBXML_CATALOG_ENABLED - resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); -@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, - xmlParserInputPtr input = NULL; - xmlChar *resource = NULL; - -+ if (ctxt == NULL) { -+ return(NULL); -+ } -+ if (ctxt->input_id == 1) { -+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); -+ } -+ - #ifdef LIBXML_CATALOG_ENABLED - resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); - #endif -@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, - return(input); - } - -+xmlParserInputPtr -+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID, -+ xmlParserCtxtPtr ctxt) { -+ if (ctxt == NULL) { -+ return(NULL); -+ } -+ if (ctxt->input_id == 1) { -+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); -+ } -+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL); -+ return(NULL); -+} -+ - #define bottom_xmlIO - #include "elfgcchack.h" -diff --git a/xmllint.c b/xmllint.c -index 67f7adb..d9368c1 100644 ---- a/xmllint.c -+++ b/xmllint.c -@@ -3019,6 +3019,7 @@ static void usage(const char *name) { - printf("\t--path 'paths': provide a set of paths for resources\n"); - printf("\t--load-trace : print trace of all external entities loaded\n"); - printf("\t--nonet : refuse to fetch DTDs or entities over network\n"); -+ printf("\t--noxxe : forbid any external entity loading\n"); - printf("\t--nocompact : do not generate compact text nodes\n"); - printf("\t--htmlout : output results as HTML\n"); - printf("\t--nowrap : do not put HTML doc wrapper\n"); -@@ -3461,6 +3462,10 @@ main(int argc, char **argv) { - (!strcmp(argv[i], "--nonet"))) { - options |= XML_PARSE_NONET; - xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader); -+ } else if ((!strcmp(argv[i], "-noxxe")) || -+ (!strcmp(argv[i], "--noxxe"))) { -+ options |= XML_PARSE_NOXXE; -+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader); - } else if ((!strcmp(argv[i], "-nocompact")) || - (!strcmp(argv[i], "--nocompact"))) { - options &= ~XML_PARSE_COMPACT; --- -cgit v0.12 - diff --git a/main/libxml2/CVE-2017-5969.patch b/main/libxml2/CVE-2017-5969.patch deleted file mode 100644 index 367ad730d03..00000000000 --- a/main/libxml2/CVE-2017-5969.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Wed, 7 Jun 2017 16:47:36 +0200 -Subject: Fix NULL pointer deref in xmlDumpElementContent - -Can only be triggered in recovery mode. - -Fixes bug 758422 (CVE-2017-5969). ---- - valid.c | 24 ++++++++++++++---------- - 1 file changed, 14 insertions(+), 10 deletions(-) - -diff --git a/valid.c b/valid.c -index 9b2df56..8075d3a 100644 ---- a/valid.c -+++ b/valid.c -@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) - xmlBufferWriteCHAR(buf, content->name); - break; - case XML_ELEMENT_CONTENT_SEQ: -- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) -+ if ((content->c1 != NULL) && -+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) - xmlDumpElementContent(buf, content->c1, 1); - else - xmlDumpElementContent(buf, content->c1, 0); - xmlBufferWriteChar(buf, " , "); -- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || -- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && -- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) -+ if ((content->c2 != NULL) && -+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) || -+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && -+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) - xmlDumpElementContent(buf, content->c2, 1); - else - xmlDumpElementContent(buf, content->c2, 0); - break; - case XML_ELEMENT_CONTENT_OR: -- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) -+ if ((content->c1 != NULL) && -+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) - xmlDumpElementContent(buf, content->c1, 1); - else - xmlDumpElementContent(buf, content->c1, 0); - xmlBufferWriteChar(buf, " | "); -- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || -- ((content->c2->type == XML_ELEMENT_CONTENT_OR) && -- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) -+ if ((content->c2 != NULL) && -+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || -+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) && -+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) - xmlDumpElementContent(buf, content->c2, 1); - else - xmlDumpElementContent(buf, content->c2, 0); --- -cgit v0.12 - |