diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..60a730f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/libxml2-2.9.1.tar.gz diff --git a/.libxml2.metadata b/.libxml2.metadata new file mode 100644 index 0000000..1e53067 --- /dev/null +++ b/.libxml2.metadata @@ -0,0 +1 @@ +eb3e2146c6d68aea5c2a4422ed76fe196f933c21 SOURCES/libxml2-2.9.1.tar.gz diff --git a/SOURCES/CVE-2014-3660-rhel7.patch b/SOURCES/CVE-2014-3660-rhel7.patch new file mode 100644 index 0000000..8437f01 --- /dev/null +++ b/SOURCES/CVE-2014-3660-rhel7.patch @@ -0,0 +1,140 @@ +commit 8ed73eb939d6c9b79f3fa41b76916cc443196bbc +Author: Daniel Veillard +Date: Thu Oct 2 16:17:09 2014 +0800 + + Fix for CVE-2014-3660 + + Issues related to the billion laugh entity expansion which happened to + escape the initial set of fixes + +diff --git a/parser.c b/parser.c +index f30588c..3c72cbb 100644 +--- a/parser.c ++++ b/parser.c +@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + return (0); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); ++ ++ /* ++ * This may look absurd but is needed to detect ++ * entities problems ++ */ ++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && ++ (ent->content != NULL) && (ent->checked == 0)) { ++ unsigned long oldnbent = ctxt->nbentities; ++ xmlChar *rep; ++ ++ ent->checked = 1; ++ ++ rep = xmlStringDecodeEntities(ctxt, ent->content, ++ XML_SUBSTITUTE_REF, 0, 0, 0); ++ ++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; ++ if (rep != NULL) { ++ if (xmlStrchr(rep, '<')) ++ ent->checked |= 1; ++ xmlFree(rep); ++ rep = NULL; ++ } ++ } + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + return (0); + } else { + /* +- * strange we got no data for checking just return ++ * strange we got no data for checking + */ +- return (0); ++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && ++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || ++ (ctxt->nbentities <= 10000)) ++ return (0); + } + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return (1); +@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else if (ctxt->input->free != deallocblankswrapper) { + input = xmlNewBlanksWrapperInputStream(ctxt, entity); + if (xmlPushInput(ctxt, input) < 0) +@@ -2737,6 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if ((ent != NULL) && +@@ -2788,6 +2816,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + ent = xmlParseStringPEReference(ctxt, &str); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { +@@ -7286,6 +7315,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + (ret != XML_WAR_UNDECLARED_ENTITY)) { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, + "Entity '%s' failed to parse\n", ent->name); ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + } else if (list != NULL) { + xmlFreeNodeList(list); + list = NULL; +@@ -7392,7 +7422,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7440,7 +7470,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7626,6 +7656,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) { + ctxt->sax->reference(ctxt->userData, name); + } + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + ctxt->valid = 0; + } + +@@ -7819,6 +7850,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) { + "Entity '%s' not defined\n", + name); + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + /* TODO ? check regressions ctxt->valid = 0; */ + } + +@@ -7978,6 +8010,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed +@@ -8217,6 +8250,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) { + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed diff --git a/SOURCES/libxml2-2.9.0-do-not-check-crc.patch b/SOURCES/libxml2-2.9.0-do-not-check-crc.patch new file mode 100644 index 0000000..3e65077 --- /dev/null +++ b/SOURCES/libxml2-2.9.0-do-not-check-crc.patch @@ -0,0 +1,35 @@ +diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c +--- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200 ++++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100 +@@ -552,17 +552,20 @@ xz_decomp(xz_statep state) + #ifdef HAVE_ZLIB_H + if (state->how == GZIP) { + if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) { +- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file"); +- return -1; +- } +- if (crc != state->zstrm.adler) { +- xz_error(state, LZMA_DATA_ERROR, "incorrect data check"); +- return -1; +- } +- if (len != (state->zstrm.total_out & 0xffffffffL)) { +- xz_error(state, LZMA_DATA_ERROR, "incorrect length check"); +- return -1; +- } ++ /* ++ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file"); ++ return -1; ++ */ ++ } else { ++ if (crc != state->zstrm.adler) { ++ xz_error(state, LZMA_DATA_ERROR, "incorrect data check"); ++ return -1; ++ } ++ if (len != (state->zstrm.total_out & 0xffffffffL)) { ++ xz_error(state, LZMA_DATA_ERROR, "incorrect length check"); ++ return -1; ++ } ++ } + state->strm.avail_in = 0; + state->strm.next_in = NULL; + state->strm.avail_out = 0; diff --git a/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch b/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch new file mode 100644 index 0000000..5f7200d --- /dev/null +++ b/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch @@ -0,0 +1,72 @@ +From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001 +From: Peter Simons +Date: Fri, 15 Apr 2016 11:56:55 +0200 +Subject: [PATCH] Add missing increments of recursion depth counter to XML + parser. +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=765207 +CVE-2016-3705 +The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call +xmlStringDecodeEntities() in a recursive context without incrementing the +'depth' counter in the parser context. Because of that omission, the parser +failed to detect attribute recursions in certain documents before running out +of stack space. + +Signed-off-by: Daniel Veillard +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 0accf54..32293d0 100644 +--- a/parser.c ++++ b/parser.c +@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + + ent->checked = 1; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + * an entity declaration, it is bypassed and left as is. + * so XML_SUBSTITUTE_REF is not set here. + */ ++ ++ctxt->depth; + ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, + 0, 0, 0); ++ --ctxt->depth; + if (orig != NULL) + *orig = buf; + else +@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else if ((ent != NULL) && + (ctxt->replaceEntities != 0)) { + if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, + 0, 0, 0); ++ --ctxt->depth; + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming */ +@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +-- +2.5.5 + diff --git a/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch b/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch new file mode 100644 index 0000000..c3cdbe1 --- /dev/null +++ b/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch @@ -0,0 +1,84 @@ +From d6b6dc7bb5e68fa11cb980bc08c4d9ea3f39b190 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 14:55:30 +0800 +Subject: [PATCH] Add xmlHaltParser() to stop the parser +To: libvir-list@redhat.com + +The problem is doing it in a consistent and safe fashion +It's more complex than just setting ctxt->instate = XML_PARSER_EOF +Update the public function to reuse that new internal routine + +Signed-off-by: Daniel Veillard +--- + parser.c | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +diff --git a/parser.c b/parser.c +index e536e54..5b4f719 100644 +--- a/parser.c ++++ b/parser.c +@@ -94,6 +94,8 @@ static xmlParserCtxtPtr + xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + const xmlChar *base, xmlParserCtxtPtr pctx); + ++static void xmlHaltParser(xmlParserCtxtPtr ctxt); ++ + /************************************************************************ + * * + * Arbitrary limits set in the parser. See XML_PARSE_HUGE * +@@ -12558,25 +12560,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, + #endif /* LIBXML_PUSH_ENABLED */ + + /** +- * xmlStopParser: ++ * xmlHaltParser: + * @ctxt: an XML parser context + * +- * Blocks further parser processing ++ * Blocks further parser processing don't override error ++ * for internal use + */ +-void +-xmlStopParser(xmlParserCtxtPtr ctxt) { ++static void ++xmlHaltParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + ctxt->instate = XML_PARSER_EOF; +- ctxt->errNo = XML_ERR_USER_STOP; + ctxt->disableSAX = 1; + if (ctxt->input != NULL) { ++ /* ++ * in case there was a specific allocation deallocate before ++ * overriding base ++ */ ++ if (ctxt->input->free != NULL) { ++ ctxt->input->free((xmlChar *) ctxt->input->base); ++ ctxt->input->free = NULL; ++ } + ctxt->input->cur = BAD_CAST""; + ctxt->input->base = ctxt->input->cur; + } + } + + /** ++ * xmlStopParser: ++ * @ctxt: an XML parser context ++ * ++ * Blocks further parser processing ++ */ ++void ++xmlStopParser(xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) ++ return; ++ xmlHaltParser(ctxt); ++ ctxt->errNo = XML_ERR_USER_STOP; ++} ++ ++/** + * xmlCreateIOParserCtxt: + * @sax: a SAX handler + * @user_data: The user data returned on SAX callbacks +-- +2.5.0 + diff --git a/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch b/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch new file mode 100644 index 0000000..07186c3 --- /dev/null +++ b/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch @@ -0,0 +1,35 @@ +From 8d9f8c6dca5fd34743ed11ef0c570c4306db10e5 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 23 Oct 2015 19:02:28 +0800 +Subject: [PATCH] Another variation of overflow in Conditional sections +To: libvir-list@redhat.com + +Which happen after the previous fix to +https://bugzilla.gnome.org/show_bug.cgi?id=756456 + +But stopping the parser and exiting we didn't pop the intermediary entities +and doing the SKIP there applies on an input which may be too small + +Signed-off-by: Daniel Veillard +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index e2e0ad8..4926ab0 100644 +--- a/parser.c ++++ b/parser.c +@@ -6895,7 +6895,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) < ctxt->input->end)) ++ SKIP(3); + } + } + +-- +2.5.0 + diff --git a/SOURCES/libxml2-Avoid-building-recursive-entities.patch b/SOURCES/libxml2-Avoid-building-recursive-entities.patch new file mode 100644 index 0000000..5507537 --- /dev/null +++ b/SOURCES/libxml2-Avoid-building-recursive-entities.patch @@ -0,0 +1,62 @@ +From 2fc95df152622cf5cf1d478af6ed3538e170118b Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 May 2016 12:27:58 +0800 +Subject: [PATCH] Avoid building recursive entities +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=762100 + +When we detect a recusive entity we should really not +build the associated data, moreover if someone bypass +libxml2 fatal errors and still tries to serialize a broken +entity make sure we don't risk to get ito a recursion + +* parser.c: xmlParserEntityCheck() don't build if entity loop + were found and remove the associated text content +* tree.c: xmlStringGetNodeList() avoid a potential recursion + +Signed-off-by: Daniel Veillard +--- + parser.c | 6 +++++- + tree.c | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 32293d0..2ae44c5 100644 +--- a/parser.c ++++ b/parser.c +@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + * entities problems + */ + if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && +- (ent->content != NULL) && (ent->checked == 0)) { ++ (ent->content != NULL) && (ent->checked == 0) && ++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + +@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { ++ ent->content[0] = 0; ++ } + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +diff --git a/tree.c b/tree.c +index 7e5af26..83ec66f 100644 +--- a/tree.c ++++ b/tree.c +@@ -1588,6 +1588,7 @@ xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) { + else if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + ++ ent->children = (xmlNodePtr) -1; + ent->children = xmlStringGetNodeList(doc, + (const xmlChar*)node->content); + ent->owner = 1; +-- +2.5.5 + diff --git a/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch b/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch new file mode 100644 index 0000000..dccb5d0 --- /dev/null +++ b/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch @@ -0,0 +1,38 @@ +From eb1114e90b22e09d500840bac1e171763e8baa16 Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Tue, 3 Nov 2015 20:40:49 +0800 +Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=756263 + +One place where ctxt->instate == XML_PARSER_EOF whic was set up +by entity detection issues doesn't get noticed, and even overrided + +Signed-off-by: Daniel Veillard +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index b56d94c..262db1e 100644 +--- a/parser.c ++++ b/parser.c +@@ -6952,6 +6952,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) { + xmlParsePI(ctxt); + } + } ++ ++ /* ++ * detect requirement to exit there and act accordingly ++ * and avoid having instate overriden later on ++ */ ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; ++ + /* + * This is only for internal subset. On external entities, + * the replacement is done before parsing stage +-- +2.5.0 + diff --git a/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch b/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch new file mode 100644 index 0000000..540cf7b --- /dev/null +++ b/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch @@ -0,0 +1,85 @@ +From 7c2be3213eeddd202c3e4c600cf3cfac06fb128a Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 9 Nov 2015 18:07:18 +0800 +Subject: [PATCH] Avoid processing entities after encoding conversion failures +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=756527 +and was also raised by Chromium team in the past + +When we hit a convwersion failure when switching encoding +it is bestter to stop parsing there, this was treated as a +fatal error but the parser was continuing to process to extract +more errors, unfortunately that makes little sense as the data +is obviously corrupt and can potentially lead to unexpected behaviour. + +Signed-off-by: Daniel Veillard +--- + parser.c | 7 +++++-- + parserInternals.c | 11 ++++++++++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 262db1e..134ea7f 100644 +--- a/parser.c ++++ b/parser.c +@@ -10598,7 +10598,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); + } + xmlParseEncodingDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +@@ -10722,6 +10723,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + + if (CUR == 0) { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); ++ return(-1); + } + + /* +@@ -10739,7 +10741,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + * Note that we will switch encoding on the fly. + */ + xmlParseXMLDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +diff --git a/parserInternals.c b/parserInternals.c +index f8a7041..9acfea4 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) + { + xmlCharEncodingHandlerPtr handler; + int len = -1; ++ int ret; + + if (ctxt == NULL) return(-1); + switch (enc) { +@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) + if (handler == NULL) + return(-1); + ctxt->charset = XML_CHAR_ENCODING_UTF8; +- return(xmlSwitchToEncodingInt(ctxt, handler, len)); ++ ret = xmlSwitchToEncodingInt(ctxt, handler, len); ++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { ++ /* ++ * on encoding conversion errors, stop the parser ++ */ ++ xmlStopParser(ctxt); ++ ctxt->errNo = XML_I18N_CONV_FAILED; ++ } ++ return(ret); + } + + /** +-- +2.5.0 + diff --git a/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch b/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch new file mode 100644 index 0000000..c598fd0 --- /dev/null +++ b/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch @@ -0,0 +1,38 @@ +From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Mon, 7 Mar 2016 06:34:26 -0800 +Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup + +To: libvir-list@redhat.com + +* xmlregexp.c: +(xmlFAParseCharRange): Only advance to the next character if +there is no error. Advancing to the next character in case of +an error while parsing regexp leads to an out of bounds access. + +Signed-off-by: Daniel Veillard +--- + xmlregexp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 1f9911c..eb67b74 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { + ERROR("Expecting the end of a char range"); + return; + } +- NEXTL(len); ++ + /* TODO check that the values are acceptable character ranges for XML */ + if (end < start) { + ERROR("End of range is before start of range"); + } else { ++ NEXTL(len); + xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, + XML_REGEXP_CHARVAL, start, end, NULL); + } +-- +2.5.5 + diff --git a/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch b/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch new file mode 100644 index 0000000..2aba0e8 --- /dev/null +++ b/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch @@ -0,0 +1,99 @@ +From 23ee7ce40943d063f1a15d672ae893e9bf1b0924 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 12 Feb 2016 09:58:29 -0800 +Subject: [PATCH] Bug 758588: Heap-based buffer overread in + xmlParserPrintFileContextInternal + +To: libvir-list@redhat.com + +* parser.c: +(xmlParseEndTag2): Add bounds checks before dereferencing +ctxt->input->cur past the end of the buffer, or incrementing the +pointer past the end of the buffer. + +* result/errors/758588.xml: Add test result. +* result/errors/758588.xml.err: Ditto. +* result/errors/758588.xml.str: Ditto. +* test/errors/758588.xml: Add regression test. + +Signed-off-by: Daniel Veillard +--- + parser.c | 8 ++++++-- + result/errors/758588.xml | 0 + result/errors/758588.xml.err | 9 +++++++++ + result/errors/758588.xml.str | 10 ++++++++++ + test/errors/758588.xml | 1 + + 5 files changed, 26 insertions(+), 2 deletions(-) + create mode 100644 result/errors/758588.xml + create mode 100644 result/errors/758588.xml.err + create mode 100644 result/errors/758588.xml.str + create mode 100644 test/errors/758588.xml + +diff --git a/parser.c b/parser.c +index b1215ca..03bc4f8 100644 +--- a/parser.c ++++ b/parser.c +@@ -9758,6 +9758,7 @@ static void + xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, + const xmlChar *URI, int line, int nsNr, int tlen) { + const xmlChar *name; ++ size_t curLength; + + GROW; + if ((RAW != '<') || (NXT(1) != '/')) { +@@ -9766,8 +9767,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, + } + SKIP(2); + +- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { +- if (ctxt->input->cur[tlen] == '>') { ++ curLength = ctxt->input->end - ctxt->input->cur; ++ if ((tlen > 0) && (curLength >= (size_t)tlen) && ++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { ++ if ((curLength >= (size_t)(tlen + 1)) && ++ (ctxt->input->cur[tlen] == '>')) { + ctxt->input->cur += tlen + 1; + goto done; + } +diff --git a/result/errors/758588.xml.err b/result/errors/758588.xml.err +new file mode 100644 +index 0000000..dfa59bc +--- /dev/null ++++ b/result/errors/758588.xml.err +@@ -0,0 +1,9 @@ ++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined ++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a ++ ^ ++./test/errors/758588.xml:1: parser error : expected '>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a> +Date: Tue Mar 1 11:34:04 2016 -0800 + + Bug 758605: Heap-based buffer overread in xmlDictAddString + + Reviewed by David Kilzer. + + * HTMLparser.c: + (htmlParseName): Add bounds check. + (htmlParseNameComplex): Ditto. + * result/HTML/758605.html: Added. + * result/HTML/758605.html.err: Added. + * result/HTML/758605.html.sax: Added. + * runtest.c: + (pushParseTest): The input for the new test case was so small + (4 bytes) that htmlParseChunk() was never called after + htmlCreatePushParserCtxt(), thereby creating a false positive + test failure. Fixed by using a do-while loop so we always call + htmlParseChunk() at least once. + * test/HTML/758605.html: Added. + +diff --git a/HTMLparser.c b/HTMLparser.c +index 4331d53..a897cb0 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { + (*in == '_') || (*in == '-') || + (*in == ':') || (*in == '.')) + in++; ++ ++ if (in == ctxt->input->end) ++ return(NULL); ++ + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); +@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { + NEXTL(l); + c = CUR_CHAR(l); + } ++ ++ if (ctxt->input->base > ctxt->input->cur - len) ++ return(NULL); ++ + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); + } + +diff --git a/result/HTML/758605.html b/result/HTML/758605.html +new file mode 100644 +index 0000000..a085cce +--- /dev/null ++++ b/result/HTML/758605.html +@@ -0,0 +1,3 @@ ++ ++

& ++

+diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err +new file mode 100644 +index 0000000..2b82be6 +--- /dev/null ++++ b/result/HTML/758605.html.err +@@ -0,0 +1,3 @@ ++./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name ++ê ++ ^ +diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax +new file mode 100644 +index 0000000..1f5cd32 +--- /dev/null ++++ b/result/HTML/758605.html.sax +@@ -0,0 +1,13 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.error: htmlParseEntityRef: no name ++SAX.startElement(html) ++SAX.startElement(body) ++SAX.startElement(p) ++SAX.characters(&, 1) ++SAX.ignorableWhitespace( ++, 1) ++SAX.endElement(p) ++SAX.endElement(body) ++SAX.endElement(html) ++SAX.endDocument() +diff --git a/runtest.c b/runtest.c +index ccdd49b..0afa788 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -1824,7 +1824,7 @@ pushParseTest(const char *filename, const char *result, + ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); + xmlCtxtUseOptions(ctxt, options); + cur += 4; +- while (cur < size) { ++ do { + if (cur + 1024 >= size) { + #ifdef LIBXML_HTML_ENABLED + if (options & XML_PARSE_HTML) +@@ -1842,7 +1842,7 @@ pushParseTest(const char *filename, const char *result, + xmlParseChunk(ctxt, base + cur, 1024, 0); + cur += 1024; + } +- } ++ } while (cur < size); + doc = ctxt->myDoc; + #ifdef LIBXML_HTML_ENABLED + if (options & XML_PARSE_HTML) +diff --git a/test/HTML/758605.html b/test/HTML/758605.html +new file mode 100644 +index 0000000..9b1b3c2 +--- /dev/null ++++ b/test/HTML/758605.html +@@ -0,0 +1 @@ ++&:� diff --git a/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch b/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch new file mode 100644 index 0000000..6f0e9a6 --- /dev/null +++ b/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch @@ -0,0 +1,414 @@ +commit b226bfbe101b5160917bf649510c407ab997cb00 +Author: Pranjal Jumde +Date: Thu Mar 3 11:50:34 2016 -0800 + + Bug 759398: Heap use-after-free in xmlDictComputeFastKey + + * parser.c: + (xmlParseNCNameComplex): Store start position instead of a + pointer to the name since the underlying buffer may change, + resulting in a stale pointer being used. + * result/errors/759398.xml: Added. + * result/errors/759398.xml.err: Added. + * result/errors/759398.xml.str: Added. + * test/errors/759398.xml: Added test case. + +diff --git a/parser.c b/parser.c +index 03bc4f8..46ab0e8 100644 +--- a/parser.c ++++ b/parser.c +@@ -2008,6 +2008,7 @@ static int spacePop(xmlParserCtxtPtr ctxt) { + #define CUR (*ctxt->input->cur) + #define NXT(val) ctxt->input->cur[(val)] + #define CUR_PTR ctxt->input->cur ++#define BASE_PTR ctxt->input->base + + #define CMP4( s, c1, c2, c3, c4 ) \ + ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \ +@@ -3465,6 +3466,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ size_t startPosition = 0; + + #ifdef DEBUG + nbParseNCNameComplex++; +@@ -3474,6 +3476,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + * Handler for more complex cases + */ + GROW; ++ startPosition = CUR_PTR - BASE_PTR; + c = CUR_CHAR(l); + if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ + (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) { +@@ -3509,7 +3512,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); ++ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len)); + } + + /** +diff --git a/result/errors/759398.xml b/result/errors/759398.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err +new file mode 100644 +index 0000000..e08d9bf +--- /dev/null ++++ b/result/errors/759398.xml.err +@@ -0,0 +1,9 @@ ++./test/errors/759398.xml:210: parser error : StartTag: invalid element name ++need to worry about parsers whi ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++"> ++ ++'"> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++amp, ++lt, ++gt, ++apos, ++quot"> ++ ++ ++ ++ ++ ++]> ++ ++ ++ ++ ++ ++
++Extensible Markup Language (XML) 1.0 ++ ++REC-xml-&iso6.doc.date; ++W3C Recommendation ++&draft.day;&draft.month;&draft.year; ++ ++ ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date; ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps ++ ++ ++ ++htt����www.w3.org/TR/REC-xml ++ ++ ++ ++http://www.w3.org/TR/PR-xml-971208 ++ ++ ++ ++Tim Bray ++Textuality and Netscape ++tbray@textuality.com ++Jean Paoli ++Microsoft ++jeanpa@microsoft.com ++C. M. Sperberg-McQueen ++University of Illinois at Chicago ++cmsmcq@uic.edu ++ ++ ++

The Extensible Markup Language (XML) is a subset of ++SGML that is completely described in this document. Its goal is to ++enable generic SGML to be served, received, and processed on the Web ++in the way that is now possible with HTML. XML has been designed for ++ease of implementation and for interoperability with both SGML and ++HTML.

++ ++ ++

This document has been reviewed by W3C Members and ++other interested parties and has been endorsed by the ++Director as a W3C Recommendation. It is a stable ++document and may be used as reference material or cited ++as a normative reference from another document. W3C's ++role in making the Recommendation is to draw attention ++to the spPcification and to promote its widespread ++deployment. This enhances the functionality and ++interoperability of the Web.

++

++This document specifies a syntax created by subsetting an existing, ++widely used international text processing standard (Standard ++Generalized Markup Language, ISO 8879:1986(E) as amended and ++corrected) for use on the World Wide Web. It is a product of the W3C ++XML Activity, details of which can be found at http://www.w3.org/XML. A list of ++current W3C Recommendations and other technical documents can be found ++at http://www.w3.org/TR. ++

++

This specification uses the term URI, which is defined by , a work in progress expected to update and . ++

++

The list of known errors in this specification is ++available at ++http://www.w3.org/XML/xml-19980210-errata.

++

Please report errors in this document to ++xml-editor@w3.org. ++

++ ++ ++ ++ ++

Chicago, Vancouver, Mountain View, et al.: ++World-Wide Web Consortium, XML Working Group, 1996, 1997.

++ ++ ++

Created in electronic form.

++ ++ ++English ++Extended Backus-Naur Form (formal grammar) ++ ++ ++ ++1997-12-03 : CMSMcQ : yet further changes ++1997-12-02 : TB : further changes (see TB to XML WG, ++2 December 1997) ++1997-12-02 : CMSMcQ : deal with as many corrections and ++comments from the proofreaders as possible: ++entify hard-coded document date in pubdate element, ++change expansion of entity WebSGML, ++update status description as per Dan Connolly (am not sure ++about refernece to Berners-Lee et al.), ++add 'The' to abstract as per WG decision, ++move Relationship to Existing Standards to back matter and ++combine with References, ++re-order back matter so normative appendices come first, ++re-tag back matter so informative appendices are tagged informdiv1, ++remove XXX XXX from list of 'normative' specs in prose, ++move some references from Other References to Normative References, ++add RFC 1738, 1808, and 2141 to Other References (they are not ++normative since we do not require the processor to enforce any ++rules based on them), ++add reference to 'Fielding draft' (Berners-Lee et al.), ++move notation section to end of body, ++drop URIchar non-terminal and use SkipLit instead, ++lose stray reference to defunct nonterminal 'markupdecls', ++move reference to Aho et al. into appendix (Tim's right), ++add prose note saying that hash marks and fragment identifiers are ++NOT part of the URI formally speaking, and are NOT legal in ++system identifiers (processor 'may' signal an error). ++Work through: ++Tim Bray reacting to James Clark, ++Tim Bray on his own, ++Eve Maler, ++ ++NOT DONE YET: ++change binary / text to unparsed / parsed. ++handle James's suggestion about < in attriubte values ++uppercase hex characters, ++namechar list, ++ ++1997-12-01 : JB : add some column-width parameters ++1997-12-01 : CMSMcQ : begin round of changes to incorporate ++recent WG decisions and other corrections: ++binding sources of character encoding info (27 Aug / 3 Sept), ++correct wording of Faust quotation (restore dropped line), ++drop SDD from EncodingDecl, ++change text at version number 1.0, ++drop misleading (wrong!) sentence about ignorables and extenders, ++modify defin�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������xamples with Byte Order Mark. ++Add content model as a term and clarify that it applies to both ++mixed and element content. ++ ++1997-06-30 : CMSMcQ : change date, some cosmetic changes, ++changes to productions for choice, seq, Mixed, NotationType, ++Enumeration. Follow James Clark's suggestion and prohibit ++conditional sections in internal subset. TO DO: simplify ++production for ignored sections as a result, since we don't ++need to worry about parsers whi ++1997-06-29 : TB : various edits ++1997-06-29 : CMSMcQ : further changes: ++Suppress old FINAL EDIT comments and some dead material. ++Revise occurrences of % in grammar to exploit Henry Thompson's pun, ++especially markupdecl and attdef. ++Remove RMD requirement relating to element content (?). ++ ++1997-06-28 : CMSMcQ : Various changes for 1 July draft: ++Add text for draconian error handling (introduce ++the term Fatal Error). ++RE deleta est (changing wording from ++original announcement to restrict the requirement to validating ++parsers). ++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'. ++1997-03-21 : TB : massive changes on plane flight from Chicago ++to Vancouver ++1997-03-21 : CMSMcQ : correct as many reported errors as possible. ++ ++1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec. ++1997 James Clark: ++Define the set of characters from which [^abc] subtracts. ++Charref should use just [0-9] not Digit. ++Location info needs cleaner treatment: remove? (ERB ++question). ++One example of a PI has wrong pic. ++Clarify discussion of encoding names. ++Encoding failure should lead to unspecified results; don't ++prescribe error recovery. ++Don't require exposure of entity boundaries. ++Ignore white space in element content. ++Reserve entity names of the form u-NNNN. ++Clarify relative URLs. ++And some of my own: ++Correct productions for content model: model cannot ++consist of a name, so "elements ::= cp" is no good. ++ ++1996-11-11 : CMSMcQ : revise for style. ++Add new rhs to entity declaration, for parameter entities. ++1996-11-10 : CMSMcQ : revise for style. ++Fix / complete section on names, characters. ++Add sections on parameter entities, conditional sections. ++Still to do: Add compatibility note on deterministic content models. ++Finish stylistic revision. ++1996-10-31 : TB : Add Entity Handling section ++1996-10-30 : TB : Clean up term & termdef. Slip in ++ERB decision re EMPTY. ++1996-10-28 : TB : Change DTD. Implement some of Michael's ++suggestions. Change comments back to //. Introduce language for ++XML namespace reservation. Add section on white-space handling. ++Lots more cleanup. ++1996-10-24 : CMSMcQ : quick tweaks, implement some ERB ++decisions. Characters are not integers. Comments are /* */ not //. ++Add bibliographic refs to 10646, HyTime, Unicode. ++Rename old Cdata as MsData since it's only seen ++in marked sections. Call them attribute-value pairs not ++name-value pairs, except once. Internal subset is optional, needs ++'?'. Implied attributes should be signaled to the app, not ++have values supplied by processor. ++1996-10-16 : TB : track down & excise all DSD references; ++introduce some EBNF for entity declarations. ++1996-10-?? nsistency check, fix up scraps so ++they all parse, get formatter working, correct a few productions. ++1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and ++organizational changes: ++Replace a few literals with xmlpio and ++pi""entities, to make them consistent and ensure we can change pic ++reliably when the ERB votes. ++Drop paragraph on recognizers from notation section. ++Add match, exact match to terminology. ++Move old 2.2 XML Processors and Apps into intro. ++Mention comments, PIs, and marked sections in discussion of ++delimiter escaping. ++Streamline discussion of doctype decl syntax. ++Drop old section of 'PI syntax' for doctype decl, and add ++section on partial-DTD summary PIs to end of Logical Structures ++section. ++Revise DSD syntax section to use Tim's subset-in-a-PI ++mechanism. ++1996-10-10 : TB : eliminate name recognizers (and more?) ++1996-10-09 : CMSMcQ : revise for style, consistency through 2.3 ++(Characters) ++1996-10-09 : CMSMcQ : re-unite everything for convenience, ++at least temporarily, and revise quickly ++1996-10-08 : TB : first major homogenization pass ++1996-10-08 : TB : turn "current" attribute on div type into ++CDATA ++1996-10-02 : TB : remould into skeleton + entities ++1996-09-30 : CMSMcQ : add a few more sections prior to exchange ++ with Tim. ++1996-09-20 : CMSMcQ : finish transcribing notes. ++1996-09-19 : CMSMcQ : begin transcribing notes for draft. ++1996-09-13 : CMSMcQ : made outline from notes of 09-06, ++do some housekeeping ++ ++ ++
++<�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������m> is used to read XML documents ++and provide access to their content and structure. It is @ssumed that an XML processor is ++doing its work on behalf of another module, called the ++application. This specification describes the ++required beh\vior of an XML processor in terms of how it must read XML ++data and the information it must provide to the application.

++ ++ ++Origin and Goals ++

XML was developed by an XML Working Group (orisable over the ++Internet.

++

XML shall support a wide varie�y of applications.

 ++

XML shall be compatible with SGML.

 ++

It shall be easy to write programs which process XML ++documents.

 ++

The number of optional features in XML is to be kept to the ++absolute minimum, ideally zero.

 ++

XML documents shou +\ No newline at end of file diff --git a/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch b/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch new file mode 100644 index 0000000..8c2865f --- /dev/null +++ b/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch @@ -0,0 +1,53 @@ +From b1a4e51efbfb1ae3a37a14be73d438aaab6b5c9e Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Tue, 8 Mar 2016 17:29:00 -0800 +Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat + +To: libvir-list@redhat.com + +* xmlstring.c: +(xmlStrncat): Return NULL if xmlStrlen returns a negative length. +(xmlStrncatNew): Ditto. + +Signed-off-by: Daniel Veillard +--- + xmlstring.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/xmlstring.c b/xmlstring.c +index a37220d..d465c23 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { + return(xmlStrndup(add, len)); + + size = xmlStrlen(cur); ++ if (size < 0) ++ return(NULL); + ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { + xmlErrMemory(NULL, NULL); +@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { + int size; + xmlChar *ret; + +- if (len < 0) ++ if (len < 0) { + len = xmlStrlen(str2); ++ if (len < 0) ++ return(NULL); ++ } + if ((str2 == NULL) || (len == 0)) + return(xmlStrdup(str1)); + if (str1 == NULL) + return(xmlStrndup(str2, len)); + + size = xmlStrlen(str1); ++ if (size < 0) ++ return(NULL); + ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { + xmlErrMemory(NULL, NULL); +-- +2.5.5 + diff --git a/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch b/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch new file mode 100644 index 0000000..ad95ae3 --- /dev/null +++ b/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch @@ -0,0 +1,30 @@ +From 3154c607f22497fa843b8ad8a596ef5523d42ee6 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:07:38 +0800 +Subject: [PATCH] Bug on creating new stream from entity +To: libvir-list@redhat.com + +sometimes the entity could have a lenght of 0, i.e. it wasn't +parsed or used yet, and we ended up with an incoherent input state + +Signed-off-by: Daniel Veillard +--- + parserInternals.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parserInternals.c b/parserInternals.c +index 9acfea4..1fe1f6a 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { + if (entity->URI != NULL) + input->filename = (char *) xmlStrdup((xmlChar *) entity->URI); + input->base = entity->content; ++ if (entity->length == 0) ++ entity->length = xmlStrlen(entity->content); + input->cur = entity->content; + input->length = entity->length; + input->end = &entity->content[input->length]; +-- +2.5.0 + diff --git a/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch b/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch new file mode 100644 index 0000000..704ff96 --- /dev/null +++ b/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch @@ -0,0 +1,179 @@ +From 5cec67e3f8d56e6e5fda2f90e102950cbb09e3d1 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory +To: libvir-list@redhat.com + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. + +Signed-off-by: Daniel Veillard +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/buf.c b/buf.c +index d1756c4..b52e41d 100644 +--- a/buf.c ++++ b/buf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +diff --git a/include/libxml/tree.h b/include/libxml/tree.h +index 7e06686..d904a44 100644 +--- a/include/libxml/tree.h ++++ b/include/libxml/tree.h +@@ -76,7 +76,8 @@ typedef enum { + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +diff --git a/xmlreader.c b/xmlreader.c +index 00083d0..4fabaa9 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2077,6 +2077,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3602,6 +3605,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3615,10 +3619,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5117,6 +5132,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { +-- +2.5.0 + diff --git a/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch b/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch new file mode 100644 index 0000000..2a56a4b --- /dev/null +++ b/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch @@ -0,0 +1,35 @@ +From 4e1ea576167520bbc2bad50797119983e133af74 Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 11:13:45 +0800 +Subject: [PATCH] CVE-2015-5312 Another entity expansion issue +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=756733 +It is one case where the code in place to detect entities expansions +failed to exit when the situation was detected, leading to DoS +Problem reported by Kostya Serebryany @ Google +Patch provided by David Drysdale @ Google + +Signed-off-by: Daniel Veillard +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/parser.c b/parser.c +index a58dda3..e536e54 100644 +--- a/parser.c ++++ b/parser.c +@@ -2801,6 +2801,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + 0, 0, 0); + ctxt->depth--; + ++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || ++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) ++ goto int_error; ++ + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming loop */ +-- +2.5.0 + diff --git a/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch b/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch new file mode 100644 index 0000000..3739993 --- /dev/null +++ b/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch @@ -0,0 +1,36 @@ +From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 10:47:12 +0800 +Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in + xmlDictComputeFastQKey +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=756528 +It was possible to hit a negative offset in the name indexing +used to randomize the dictionary key generation +Reported and fix provided by David Drysdale @ Google + +Signed-off-by: Daniel Veillard +--- + dict.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 5f71d55..8c8f931 100644 +--- a/dict.c ++++ b/dict.c +@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, + value += 30 * (*prefix); + + if (len > 10) { +- value += name[len - (plen + 1 + 1)]; ++ int offset = len - (plen + 1 + 1); ++ if (offset < 0) ++ offset = len - (10 + 1); ++ value += name[offset]; + len = 10; + if (plen > 10) + plen = 10; +-- +2.5.0 + diff --git a/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch b/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch new file mode 100644 index 0000000..cf46f38 --- /dev/null +++ b/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch @@ -0,0 +1,108 @@ +From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 16:06:59 +0800 +Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect + entities boundaries +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=756525 +handle properly the case where we popped out of the current entity +while processing a start tag +Reported by Kostya Serebryany @ Google + +Signed-off-by: Daniel Veillard +--- + parser.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +diff --git a/parser.c b/parser.c +index cc45e17..f4fc310 100644 +--- a/parser.c ++++ b/parser.c +@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, + const xmlChar **atts = ctxt->atts; + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef; +- int i, j, nbNs, attval, oldline, oldcol; ++ int i, j, nbNs, attval, oldline, oldcol, inputNr; + const xmlChar *base; + unsigned long cur; + int nsNr = ctxt->nsNr; +@@ -9328,6 +9328,7 @@ reparse: + SHRINK; + base = ctxt->input->base; + cur = ctxt->input->cur - ctxt->input->base; ++ inputNr = ctxt->inputNr; + oldline = ctxt->input->line; + oldcol = ctxt->input->col; + nbatts = 0; +@@ -9353,7 +9354,8 @@ reparse: + */ + SKIP_BLANKS; + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + + while (((RAW != '>') && + ((RAW != '/') || (NXT(1) != '>')) && +@@ -9364,7 +9366,7 @@ reparse: + + attname = xmlParseAttribute2(ctxt, prefix, localname, + &aprefix, &attvalue, &len, &alloc); +- if (ctxt->input->base != base) { ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { + if ((attvalue != NULL) && (alloc != 0)) + xmlFree(attvalue); + attvalue = NULL; +@@ -9493,7 +9495,8 @@ skip_default_ns: + skip_ns: + if (alloc != 0) xmlFree(attvalue); + SKIP_BLANKS; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + +@@ -9530,7 +9533,8 @@ failed: + GROW + if (ctxt->instate == XML_PARSER_EOF) + break; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9546,7 +9550,8 @@ failed: + break; + } + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + } + + /* +@@ -9713,6 +9718,17 @@ base_changed: + if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) + xmlFree((xmlChar *) atts[i]); + } ++ ++ /* ++ * We can't switch from one entity to another in the middle ++ * of a start tag ++ */ ++ if (inputNr != ctxt->inputNr) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ++ "Start tag doesn't start and stop in the same entity\n"); ++ return(NULL); ++ } ++ + ctxt->input->cur = ctxt->input->base + cur; + ctxt->input->line = oldline; + ctxt->input->col = oldcol; +-- +2.5.0 + diff --git a/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch b/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch new file mode 100644 index 0000000..41afdb0 --- /dev/null +++ b/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch @@ -0,0 +1,45 @@ +From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Fri, 20 Nov 2015 17:16:06 +0800 +Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=756372 +Error in the code pointing to the codepoint in the stack for the +current char value instead of the pointer in the input that the SAX +callback expects +Reported and fixed by Hugh Davenport + +Signed-off-by: Daniel Veillard +--- + HTMLparser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index cab499a..4331d53 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { + if (ctxt->keepBlanks) { + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } else { + if (ctxt->sax->ignorableWhitespace != NULL) + ctxt->sax->ignorableWhitespace( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } else { + htmlCheckParagraph(ctxt); + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } + ctxt->token = 0; +-- +2.5.0 + diff --git a/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch b/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch new file mode 100644 index 0000000..834b0a8 --- /dev/null +++ b/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch @@ -0,0 +1,52 @@ +From 5b47a2c6666f0293a5164f094b9e8031914b1f8f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: [PATCH] Cleanup conditional section error handling +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. + +Signed-off-by: Daniel Veillard +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index d790f8e..dc14e5c 100644 +--- a/parser.c ++++ b/parser.c +@@ -6761,6 +6761,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6821,6 +6823,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6876,6 +6880,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) +-- +2.5.0 + diff --git a/SOURCES/libxml2-Detect-incoherency-on-GROW.patch b/SOURCES/libxml2-Detect-incoherency-on-GROW.patch new file mode 100644 index 0000000..088a961 --- /dev/null +++ b/SOURCES/libxml2-Detect-incoherency-on-GROW.patch @@ -0,0 +1,39 @@ +From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:04:09 +0800 +Subject: [PATCH] Detect incoherency on GROW +To: libvir-list@redhat.com + +the current pointer to the input has to be between the base and end +if not stop everything we have an internal state error. + +Signed-off-by: Daniel Veillard +--- + parser.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 9aed98d..7602498 100644 +--- a/parser.c ++++ b/parser.c +@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); ++ return; + } + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ if ((ctxt->input->cur > ctxt->input->end) || ++ (ctxt->input->cur < ctxt->input->base)) { ++ xmlHaltParser(ctxt); ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); ++ return; ++ } + if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) + xmlPopInput(ctxt); +-- +2.5.0 + diff --git a/SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch b/SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch new file mode 100644 index 0000000..7676940 --- /dev/null +++ b/SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch @@ -0,0 +1,34 @@ +commit 84b04b03bd6d31316fd5f0ad1c9cd31952671998 +Author: Daniel Veillard +Date: Tue Apr 22 15:30:56 2014 +0800 + + Do not fetch external parameter entities + + Unless explicitely asked for when validating or replacing entities + with their value. Problem pointed out by Daniel Berrange + +diff --git a/parser.c b/parser.c +index 3c72cbb..32f1475 100644 +--- a/parser.c ++++ b/parser.c +@@ -2622,6 +2622,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + xmlCharEncoding enc; + + /* ++ * Note: external parsed entities will not be loaded, it is ++ * not required for a non-validating parser, unless the ++ * option of validating, or substituting entities were ++ * given. Doing so is far more secure as the parser will ++ * only process data coming from the document entity by ++ * default. ++ */ ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ (ctxt->validate == 0)) ++ return; ++ ++ /* + * handle the extra spaces added before and after + * c.f. http://www.w3.org/TR/REC-xml#as-PE + * this is done independently. diff --git a/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch b/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch new file mode 100644 index 0000000..8318b4b --- /dev/null +++ b/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch @@ -0,0 +1,31 @@ +From c5031779667ff362d670e34a42e9bc4f5a430793 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:01:22 +0800 +Subject: [PATCH] Do not print error context when there is none +To: libvir-list@redhat.com + +Which now happens more frequently du to xmlHaltParser use + +Signed-off-by: Daniel Veillard +--- + error.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/error.c b/error.c +index cbcf5c9..9c45040 100644 +--- a/error.c ++++ b/error.c +@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , + xmlChar content[81]; /* space for 80 chars + line terminator */ + xmlChar *ctnt; + +- if (input == NULL) return; ++ if ((input == NULL) || (input->cur == NULL) || ++ (*input->cur == 0)) return; ++ + cur = input->cur; + base = input->base; + /* skip backwards over any end-of-lines */ +-- +2.5.0 + diff --git a/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch new file mode 100644 index 0000000..983eae4 --- /dev/null +++ b/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch @@ -0,0 +1,38 @@ +From c171a25d614097e53ab84f64639de4dfbc197613 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 29 Jun 2015 16:10:26 +0800 +Subject: [PATCH] Fail parsing early on if encoding conversion failed +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=751631 + +If we fail conversing the current input stream while +processing the encoding declaration of the XMLDecl +then it's safer to just abort there and not try to +report further errors. + +Signed-off-by: Daniel Veillard +--- + parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index dc14e5c..e2e0ad8 100644 +--- a/parser.c ++++ b/parser.c +@@ -10415,7 +10415,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + + handler = xmlFindCharEncodingHandler((const char *) encoding); + if (handler != NULL) { +- xmlSwitchToEncoding(ctxt, handler); ++ if (xmlSwitchToEncoding(ctxt, handler) < 0) { ++ /* failed to convert */ ++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; ++ return(NULL); ++ } + } else { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, + "Unsupported encoding %s\n", encoding); +-- +2.5.0 + diff --git a/SOURCES/libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch b/SOURCES/libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch new file mode 100644 index 0000000..c492149 --- /dev/null +++ b/SOURCES/libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch @@ -0,0 +1,129 @@ +From 268e6a3d615a14c6f6f1e8cf3d8c1e5c42ad1b41 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 10 May 2013 14:01:46 +0800 +Subject: [PATCH] Fix a regression in xmlGetDocCompressMode() +To: libvir-list@redhat.com + +The switch to xzlib had for consequence that the compression +level of the input was not gathered anymore in ctxt->input->buf, +then the parser compression flags was left to -1 and propagated +to the resulting document. +Fix the I/O layer to get compression detection in xzlib, +then carry it in the input buffer and the resulting document + + This should fix + https://lsbbugs.linuxfoundation.org/show_bug.cgi?id=3456 + +Signed-off-by: Daniel Veillard +--- + parser.c | 4 ++++ + xmlIO.c | 17 +++++++++++++++++ + xzlib.c | 25 +++++++++++++++++++++++++ + xzlib.h | 1 + + 4 files changed, 47 insertions(+) + +diff --git a/parser.c b/parser.c +index ee429f3..f30588c 100644 +--- a/parser.c ++++ b/parser.c +@@ -10681,6 +10681,10 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + ctxt->sax->startDocument(ctxt->userData); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); ++ if ((ctxt->myDoc != NULL) && (ctxt->input != NULL) && ++ (ctxt->input->buf != NULL) && (ctxt->input->buf->compressed >= 0)) { ++ ctxt->myDoc->compression = ctxt->input->buf->compressed; ++ } + + /* + * The Misc part of the Prolog +diff --git a/xmlIO.c b/xmlIO.c +index 847cb7e..fc4e111 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -2669,6 +2669,12 @@ __xmlParserInputBufferCreateFilename(const char *URI, xmlCharEncoding enc) { + #endif + } + #endif ++#ifdef HAVE_LZMA_H ++ if ((xmlInputCallbackTable[i].opencallback == xmlXzfileOpen) && ++ (strcmp(URI, "-") != 0)) { ++ ret->compressed = __libxml2_xzcompressed(context); ++ } ++#endif + } + else + xmlInputCallbackTable[i].closecallback (context); +@@ -3325,6 +3331,17 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + if (res < 0) { + return(-1); + } ++ ++ /* ++ * try to establish compressed status of input if not done already ++ */ ++ if (in->compressed == -1) { ++#ifdef HAVE_LZMA_H ++ if (in->readcallback == xmlXzfileRead) ++ in->compressed = __libxml2_xzcompressed(in->context); ++#endif ++ } ++ + len = res; + if (in->encoder != NULL) { + unsigned int use; +diff --git a/xzlib.c b/xzlib.c +index 928bd17..150e803 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -182,12 +182,37 @@ xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED) + return (xzFile) state; + } + ++static int ++xz_compressed(xzFile f) { ++ xz_statep state; ++ ++ if (f == NULL) ++ return(-1); ++ state = (xz_statep) f; ++ if (state->init <= 0) ++ return(-1); ++ ++ switch (state->how) { ++ case COPY: ++ return(0); ++ case GZIP: ++ case LZMA: ++ return(1); ++ } ++ return(-1); ++} ++ + xzFile + __libxml2_xzopen(const char *path, const char *mode) + { + return xz_open(path, -1, mode); + } + ++int ++__libxml2_xzcompressed(xzFile f) { ++ return xz_compressed(f); ++} ++ + xzFile + __libxml2_xzdopen(int fd, const char *mode) + { +diff --git a/xzlib.h b/xzlib.h +index 43c75e1..29ba55e 100644 +--- a/xzlib.h ++++ b/xzlib.h +@@ -15,4 +15,5 @@ xzFile __libxml2_xzopen(const char *path, const char *mode); + xzFile __libxml2_xzdopen(int fd, const char *mode); + int __libxml2_xzread(xzFile file, void *buf, unsigned len); + int __libxml2_xzclose(xzFile file); ++int __libxml2_xzcompressed(xzFile f); + #endif /* LIBXML2_XZLIB_H */ +-- +1.8.3.1 + diff --git a/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch b/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch new file mode 100644 index 0000000..6a97263 --- /dev/null +++ b/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch @@ -0,0 +1,31 @@ +From 519455f1d543b1aa8f560dac03ec4127dfbab038 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 27 Oct 2015 10:53:44 +0800 +Subject: [PATCH] Fix an error in previous Conditional section patch +To: libvir-list@redhat.com + +an off by one mistake in the change, led to error on correct +document where the end of the included entity was exactly +the end of the conditional section, leading to regtest failure + +Signed-off-by: Daniel Veillard +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 4926ab0..b56d94c 100644 +--- a/parser.c ++++ b/parser.c +@@ -6896,7 +6896,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + NULL, NULL); + } + if ((ctxt-> instate != XML_PARSER_EOF) && +- ((ctxt->input->cur + 3) < ctxt->input->end)) ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); + } + } +-- +2.5.0 + diff --git a/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch b/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch new file mode 100644 index 0000000..a9d6725 --- /dev/null +++ b/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch @@ -0,0 +1,47 @@ +From be24335cbc0019894e6222bd817e717c41550c3c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 14 Mar 2016 17:19:44 +0800 +Subject: [PATCH] Fix inappropriate fetch of entities content +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=761430 + +libfuzzer regression testing exposed another case where the parser would +fetch content of an external entity while not in validating mode. +Plug that hole + +Signed-off-by: Daniel Veillard +--- + parser.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 46ab0e8..1936599 100644 +--- a/parser.c ++++ b/parser.c +@@ -2854,7 +2854,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { + if (ent->content == NULL) { +- xmlLoadEntityContent(ctxt, ent); ++ /* ++ * Note: external parsed entities will not be loaded, ++ * it is not required for a non-validating parser to ++ * complete external PEreferences coming from the ++ * internal subset ++ */ ++ if (((ctxt->options & XML_PARSE_NOENT) != 0) || ++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) || ++ (ctxt->validate != 0)) { ++ xmlLoadEntityContent(ctxt, ent); ++ } else { ++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, ++ "not validating will not read content for PE entity %s\n", ++ ent->name, NULL); ++ } + } + ctxt->depth++; + rep = xmlStringDecodeEntities(ctxt, ent->content, what, +-- +2.5.5 + diff --git a/SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch new file mode 100644 index 0000000..7efc515 --- /dev/null +++ b/SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch @@ -0,0 +1,26 @@ +commit 27a93eff49526aacd34192258c19ff5d69d18c00 +Author: Daniel Veillard +Date: Thu Oct 23 11:35:36 2014 +0800 + + Fix missing entities after CVE-2014-3660 fix + + For https://bugzilla.gnome.org/show_bug.cgi?id=738805 + + The fix for CVE-2014-3660 introduced a regression in some case + where entity substitution is required and the entity is used + first in anotther entity referenced from an attribute value + +diff --git a/parser.c b/parser.c +index b58c2f0..f70d2b5 100644 +--- a/parser.c ++++ b/parser.c +@@ -7226,7 +7226,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + * far more secure as the parser will only process data coming from + * the document entity by default. + */ +- if ((ent->checked == 0) && ++ if (((ent->checked == 0) || ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { + unsigned long oldnbent = ctxt->nbentities; diff --git a/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch b/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch new file mode 100644 index 0000000..47f8b3c --- /dev/null +++ b/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch @@ -0,0 +1,68 @@ +From 466ef17b8cf8d68393f3a56cda8e7a5504aacf98 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 30 Oct 2015 21:14:55 +0800 +Subject: [PATCH] Fix parsing short unclosed comment uninitialized access +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=746048 +The HTML parser was too optimistic when processing comments and +didn't check for the end of the stream on the first 2 characters + +Signed-off-by: Daniel Veillard +--- + HTMLparser.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index dd0c1ea..cab499a 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + ctxt->instate = state; + return; + } ++ len = 0; ++ buf[len] = 0; + q = CUR_CHAR(ql); ++ if (!IS_CHAR(q)) ++ goto unfinished; + NEXTL(ql); + r = CUR_CHAR(rl); ++ if (!IS_CHAR(r)) ++ goto unfinished; + NEXTL(rl); + cur = CUR_CHAR(l); +- len = 0; + while (IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { +@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { +- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment not terminated \n