diff --git a/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch new file mode 100644 index 0000000..056faa4 --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch @@ -0,0 +1,31 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index 0dcb9f48..1fab5463 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +2.22.0 + diff --git a/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch new file mode 100644 index 0000000..8e77405 --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch @@ -0,0 +1,131 @@ +commit 3189fa5b5d1cce13e70cf282936736b2e7889a46 +Author: Nick Wellnhofer +Date: Tue Jun 28 14:22:23 2016 +0200 + + Fix XPointer paths beginning with range-to + + The old code would invoke the totally broken xmlXPtrRangeToFunction. + range-to isn't really a function but a special kind of location step. + Remove this function and always handle range-to in the XPath code. + + The old xmlXPtrRangeToFunction could also be abused to trigger a + use-after-free error with the potential for remote code execution. + +diff --git a/xpath.c b/xpath.c +index 751665b..7c24a82 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -10691,13 +10691,16 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { + lc = 1; + break; + } else if ((NXT(len) == '(')) { +- /* Note Type or Function */ ++ /* Node Type or Function */ + if (xmlXPathIsNodeType(name)) { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, + "PathExpr: Type search\n"); + #endif + lc = 1; ++ } else if (ctxt->xptr && ++ xmlStrEqual(name, BAD_CAST "range-to")) { ++ lc = 1; + } else { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, +diff --git a/xpointer.c b/xpointer.c +index 676c510..d74174a 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { + ret->here = here; + ret->origin = origin; + +- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", +- xmlXPtrRangeToFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range", + xmlXPtrRangeFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", +@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * @nargs: the number of args + * + * Implement the range-to() XPointer function ++ * ++ * Obsolete. range-to is not a real function but a special type of location ++ * step which is handled in xpath.c. + */ + void +-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr range; +- const xmlChar *cur; +- xmlXPathObjectPtr res, obj; +- xmlXPathObjectPtr tmp; +- xmlLocationSetPtr newset = NULL; +- xmlNodeSetPtr oldset; +- int i; +- +- if (ctxt == NULL) return; +- CHECK_ARITY(1); +- /* +- * Save the expression pointer since we will have to evaluate +- * it multiple times. Initialize the new set. +- */ +- CHECK_TYPE(XPATH_NODESET); +- obj = valuePop(ctxt); +- oldset = obj->nodesetval; +- ctxt->context->node = NULL; +- +- cur = ctxt->cur; +- newset = xmlXPtrLocationSetCreate(NULL); +- +- for (i = 0; i < oldset->nodeNr; i++) { +- ctxt->cur = cur; +- +- /* +- * Run the evaluation with a node list made of a single item +- * in the nodeset. +- */ +- ctxt->context->node = oldset->nodeTab[i]; +- tmp = xmlXPathNewNodeSet(ctxt->context->node); +- valuePush(ctxt, tmp); +- +- xmlXPathEvalExpr(ctxt); +- CHECK_ERROR; +- +- /* +- * The result of the evaluation need to be tested to +- * decided whether the filter succeeded or not +- */ +- res = valuePop(ctxt); +- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); +- if (range != NULL) { +- xmlXPtrLocationSetAdd(newset, range); +- } +- +- /* +- * Cleanup +- */ +- if (res != NULL) +- xmlXPathFreeObject(res); +- if (ctxt->value == tmp) { +- res = valuePop(ctxt); +- xmlXPathFreeObject(res); +- } +- +- ctxt->context->node = NULL; +- } +- +- /* +- * The result is used as the new evaluation set. +- */ +- xmlXPathFreeObject(obj); +- ctxt->context->node = NULL; +- ctxt->context->contextSize = -1; +- ctxt->context->proximityPosition = -1; +- valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); ++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, ++ int nargs ATTRIBUTE_UNUSED) { ++ XP_ERROR(XPATH_EXPR_ERROR); + } + + /** diff --git a/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch new file mode 100644 index 0000000..c708fc4 --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch @@ -0,0 +1,36 @@ +From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 1 Jun 2017 23:12:19 +0200 +Subject: [PATCH] Fix XPath stack frame logic + +Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in +xmlXPathCompOpEvalPositionalPredicate to make sure that the context +object on the stack is actually protected. Otherwise, memory corruption +can occur when calling sloppily coded XPath extension functions. + +Fixes bug 783160. +--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 94815075..b816bd36 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + } + } + +- frame = xmlXPathSetFrame(ctxt); + valuePush(ctxt, contextObj); ++ frame = xmlXPathSetFrame(ctxt); + res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); +- tmp = valuePop(ctxt); + xmlXPathPopFrame(ctxt, frame); ++ tmp = valuePop(ctxt); + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { + while (tmp != contextObj) { +-- +2.22.0 + diff --git a/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch new file mode 100644 index 0000000..be7c3ae --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch @@ -0,0 +1,32 @@ +From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 7 Sep 2017 18:36:01 +0200 +Subject: [PATCH] Set memory limit for LZMA decompression + +Otherwise malicious LZMA compressed files could consume large amounts +of memory when decompressed. + +According to the xz man page, files compressed with `xz -9` currently +require 65 MB to decompress, so set the limit to 100 MB. + +Should fix bug 786696. +--- + xzlib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xzlib.c b/xzlib.c +index 782957f6..f43632bd 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -408,7 +408,7 @@ xz_head(xz_statep state) + state->strm = init; + state->strm.avail_in = 0; + state->strm.next_in = NULL; +- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) { ++ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) { + xmlFree(state->out); + xmlFree(state->in); + state->size = 0; +-- +2.22.0 + diff --git a/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch new file mode 100644 index 0000000..0b64b4e --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch @@ -0,0 +1,54 @@ +From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 12:54:38 +0200 +Subject: [PATCH] Fix nullptr deref with XPath logic ops + +If the XPath stack is corrupted, for example by a misbehaving extension +function, the "and" and "or" XPath operators could dereference NULL +pointers. Check that the XPath stack isn't empty and optimize the +logic operators slightly. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 + +Also see +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 +https://bugzilla.redhat.com/show_bug.cgi?id=1595985 + +This is CVE-2018-14404. + +Thanks to Guy Inbar for the report. +--- + xpath.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 3fae0bf4..5e3bb9ff 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +- arg1 = valuePop(ctxt); +- arg1->boolval &= arg2->boolval; +- valuePush(ctxt, arg1); ++ if (ctxt->value != NULL) ++ ctxt->value->boolval &= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_OR: +@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +- arg1 = valuePop(ctxt); +- arg1->boolval |= arg2->boolval; +- valuePush(ctxt, arg1); ++ if (ctxt->value != NULL) ++ ctxt->value->boolval |= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_EQUAL: +-- +2.22.0 + diff --git a/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch new file mode 100644 index 0000000..150637a --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch @@ -0,0 +1,50 @@ +From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 13:14:11 +0200 +Subject: [PATCH] Fix infinite loop in LZMA decompression +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check the liblzma error code more thoroughly to avoid infinite loops. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 +Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 + +This is CVE-2018-9251 and CVE-2018-14567. + +Thanks to Dongliang Mu and Simon Wörner for the reports. +--- + xzlib.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index a839169e..0ba88cfa 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -562,6 +562,10 @@ xz_decomp(xz_statep state) + "internal error: inflate stream corrupt"); + return -1; + } ++ /* ++ * FIXME: Remapping a couple of error codes and falling through ++ * to the LZMA error handling looks fragile. ++ */ + if (ret == Z_MEM_ERROR) + ret = LZMA_MEM_ERROR; + if (ret == Z_DATA_ERROR) +@@ -587,6 +591,11 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_PROG_ERROR, "compression error"); + return -1; + } ++ if ((state->how != GZIP) && ++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { ++ xz_error(state, ret, "lzma error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +2.22.0 + diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec index 96cb4d2..b262772 100644 --- a/SPECS/libxml2.spec +++ b/SPECS/libxml2.spec @@ -4,7 +4,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.1 -Release: 6%{?dist}%{?extra_release}.3 +Release: 6%{?dist}%{?extra_release}.4 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -54,6 +54,18 @@ patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1595697 +patch140: libxml2-2.9.1-CVE-2015-8035.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1602817 +patch141: libxml2-2.9.1-CVE-2018-14404.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1729857 +patch142: libxml2-2.9.1-CVE-2017-15412.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1714050 +patch143: libxml2-2.9.1-CVE-2016-5131.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1579211 +patch144: libxml2-2.9.1-CVE-2017-18258.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1622715 +patch145: libxml2-2.9.1-CVE-2018-14567.patch %description @@ -157,6 +169,12 @@ at parse time or later once the document has been modified. %patch137 -p1 %patch138 -p1 %patch139 -p1 +%patch140 -p1 +%patch141 -p1 +%patch142 -p1 +%patch143 -p1 +%patch144 -p1 +%patch145 -p1 %build %configure @@ -239,6 +257,14 @@ rm -fr %{buildroot} %doc doc/python.html %changelog +* Fri Nov 01 2019 David King - 2.9.1-6.4 +- Fix CVE-2015-8035 (#1595697) +- Fix CVE-2018-14404 (#1602817) +- Fix CVE-2017-15412 (#1729857) +- Fix CVE-2016-5131 (#1714050) +- Fix CVE-2017-18258 (#1579211) +- Fix CVE-2018-1456 (#1622715) + * Mon Jun 6 2016 Daniel Veillard - libxml2-2.9.1-6.3 - Heap-based buffer overread in xmlNextChar (CVE-2016-1762) - Bug 763071: Heap-buffer-overflow in xmlStrncat (CVE-2016-1834)