From 34e1472e0d2e30a5d1dd53edcbd6000dafc6c93e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 10 2016 14:42:59 +0000
Subject: import xerces-c-3.1.1-8.el7_2
---
diff --git a/SOURCES/xerces-c-CVE-2016-0729.patch b/SOURCES/xerces-c-CVE-2016-0729.patch
new file mode 100644
index 0000000..8bb187d
--- /dev/null
+++ b/SOURCES/xerces-c-CVE-2016-0729.patch
@@ -0,0 +1,394 @@ +diff -urNp xerces-c-3.1.1-patched/src/xercesc/internal/XMLReader.cpp xerces-c-3.1.1-patched-modified/src/xercesc/internal/XMLReader.cpp +--- xerces-c-3.1.1-patched/src/xercesc/internal/XMLReader.cpp 2016-03-03 11:14:06.855482706 -0500 ++++ xerces-c-3.1.1-patched-modified/src/xercesc/internal/XMLReader.cpp 2016-03-03 11:46:23.305567446 -0500 +@@ -1460,8 +1460,30 @@ void XMLReader::doInitDecode() + + while (fRawBufIndex < fRawBytesAvail) + { +- // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume. ++ // Make sure there are at least sizeof(UCS4Ch) bytes to consume. + if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) { ++ fCharsAvail = 0; ++ fRawBufIndex = 0; ++ fMemoryManager->deallocate(fPublicId); ++ fMemoryManager->deallocate(fEncodingStr); ++ ArrayJanitor janValue(fSystemId, fMemoryManager); ++ ThrowXMLwithMemMgr1 ++ ( ++ TranscodingException ++ , XMLExcepts::Reader_CouldNotDecodeFirstLine ++ , fSystemId ++ , fMemoryManager ++ ); ++ } ++ ++ // Make sure we don't exhaust the limited prolog buffer size. ++ // Leave room for a space added at the end of this function. ++ if (fCharsAvail == kCharBufSize - 1) { ++ fCharsAvail = 0; ++ fRawBufIndex = 0; ++ fMemoryManager->deallocate(fPublicId); ++ fMemoryManager->deallocate(fEncodingStr); ++ ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException +@@ -1547,6 +1569,23 @@ void XMLReader::doInitDecode() + const char curCh = *asChars++; + fRawBufIndex++; + ++ // Make sure we don't exhaust the limited prolog buffer size. ++ // Leave room for a space added at the end of this function. 
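Review bot: Both guards added at the top of the UCS-4 loop free `fPublicId` and `fEncodingStr` and then throw without resetting either pointer, and the same block is repeated in the hunks at -1547, -1630 and -1676 (six copies in all). Whether the reader can be destroyed or reused after this exception is not visible here, since doInitDecode's callers are outside the hunk; if it can, the members dangle and a later deallocate frees them a second time. I would add `fPublicId = 0; fEncodingStr = 0;` directly after the two deallocate calls. The cleanup-and-throw sequence would also be better in one private helper, so the copies cannot drift apart, with a comment saying why members are released by hand on this path.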
++ if (fCharsAvail == kCharBufSize - 1) { ++ fCharsAvail = 0; ++ fRawBufIndex = 0; ++ fMemoryManager->deallocate(fPublicId); ++ fMemoryManager->deallocate(fEncodingStr); ++ ArrayJanitor janValue(fSystemId, fMemoryManager); ++ ThrowXMLwithMemMgr1 ++ ( ++ TranscodingException ++ , XMLExcepts::Reader_CouldNotDecodeFirstLine ++ , fSystemId ++ , fMemoryManager ++ ); ++ } ++ + // Looks ok, so store it + fCharSizeBuf[fCharsAvail] = 1; + fCharBuf[fCharsAvail++] = XMLCh(curCh); +@@ -1630,8 +1669,30 @@ void XMLReader::doInitDecode() + + while (fRawBufIndex < fRawBytesAvail) + { +- // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume. ++ // Make sure there are at least sizeof(UTF16Ch) bytes to consume. + if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) { ++ fCharsAvail = 0; ++ fRawBufIndex = 0; ++ fMemoryManager->deallocate(fPublicId); ++ fMemoryManager->deallocate(fEncodingStr); ++ ArrayJanitor janValue(fSystemId, fMemoryManager); ++ ThrowXMLwithMemMgr1 ++ ( ++ TranscodingException ++ , XMLExcepts::Reader_CouldNotDecodeFirstLine ++ , fSystemId ++ , fMemoryManager ++ ); ++ } ++ ++ // Make sure we don't exhaust the limited prolog buffer size. ++ // Leave room for a space added at the end of this function. ++ if (fCharsAvail == kCharBufSize - 1) { ++ fCharsAvail = 0; ++ fRawBufIndex = 0; ++ fMemoryManager->deallocate(fPublicId); ++ fMemoryManager->deallocate(fEncodingStr); ++ ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException +@@ -1676,6 +1737,24 @@ void XMLReader::doInitDecode() + const XMLCh chCur = XMLEBCDICTranscoder::xlatThisOne(*srcPtr++); + fRawBufIndex++; + ++ // Make sure we don't exhaust the limited prolog buffer size. ++ // Leave room for a space added at the end of this function. 
++ if (fCharsAvail == kCharBufSize - 1) { ++ fCharsAvail = 0; ++ fRawBufIndex = 0; ++ fMemoryManager->deallocate(fPublicId); ++ fMemoryManager->deallocate(fEncodingStr); ++ ArrayJanitor janValue(fSystemId, fMemoryManager); ++ ThrowXMLwithMemMgr1 ++ ( ++ TranscodingException ++ , XMLExcepts::Reader_CouldNotDecodeFirstLine ++ , fSystemId ++ , fMemoryManager ++ ); ++ } ++ ++ + // + // And put it into the character buffer. This stuff has to + // look like it was normally transcoded. +@@ -1730,7 +1809,7 @@ void XMLReader::doInitDecode() + // + void XMLReader::refreshRawBuffer() + { +- // Security fix: make sure we don't underflow on the subtraction. ++ // Make sure we don't underflow on the subtraction. + if (fRawBufIndex > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( +diff -urNp xerces-c-3.1.1-patched/src/xercesc/util/XMLUri.cpp xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLUri.cpp +--- xerces-c-3.1.1-patched/src/xercesc/util/XMLUri.cpp 2016-03-03 11:13:54.871619517 -0500 ++++ xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLUri.cpp 2016-03-03 11:30:38.593240739 -0500 +@@ -875,11 +875,21 @@ void XMLUri::initializePath(const XMLCh* + // check for valid escape sequence + if (testChar == chPercent) + { +- if (index+2 >= end || +- !XMLString::isHex(uriSpec[index+1]) || +- !XMLString::isHex(uriSpec[index+2])) ++ if (index + 2 >= end) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[3]; ++ value1[1] = chNull; ++ value1[2] = chNull; ++ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 
1 : 2)); ++ ThrowXMLwithMemMgr2(MalformedURLException ++ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence ++ , errMsg_PATH ++ , value1 ++ , fMemoryManager); ++ } ++ else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) ++ { ++ XMLCh value1[4]; + XMLString::moveChars(value1, &(uriSpec[index]), 3); + value1[3] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -892,7 +902,7 @@ void XMLUri::initializePath(const XMLCh* + else if (!isUnreservedCharacter(testChar) && + !isPathCharacter(testChar)) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[2]; + value1[0] = testChar; + value1[1] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -920,11 +930,21 @@ void XMLUri::initializePath(const XMLCh* + // check for valid escape sequence + if (testChar == chPercent) + { +- if (index+2 >= end || +- !XMLString::isHex(uriSpec[index+1]) || +- !XMLString::isHex(uriSpec[index+2])) ++ if (index + 2 >= end) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[3]; ++ value1[1] = chNull; ++ value1[2] = chNull; ++ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); ++ ThrowXMLwithMemMgr2(MalformedURLException ++ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence ++ , errMsg_PATH ++ , value1 ++ , fMemoryManager); ++ } ++ else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) ++ { ++ XMLCh value1[4]; + XMLString::moveChars(value1, &(uriSpec[index]), 3); + value1[3] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -941,7 +961,7 @@ void XMLUri::initializePath(const XMLCh* + // contains '[' and ']'. 
+ else if (!isReservedOrUnreservedCharacter(testChar)) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[2]; + value1[0] = testChar; + value1[1] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -979,11 +999,21 @@ void XMLUri::initializePath(const XMLCh* + + if (testChar == chPercent) + { +- if (index+2 >= end || +- !XMLString::isHex(uriSpec[index+1]) || +- !XMLString::isHex(uriSpec[index+2])) ++ if (index + 2 >= end) ++ { ++ XMLCh value1[3]; ++ value1[1] = chNull; ++ value1[2] = chNull; ++ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); ++ ThrowXMLwithMemMgr2(MalformedURLException ++ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence ++ , errMsg_QUERY ++ , value1 ++ , fMemoryManager); ++ } ++ if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[4]; + XMLString::moveChars(value1, &(uriSpec[index]), 3); + value1[3] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -995,7 +1025,7 @@ void XMLUri::initializePath(const XMLCh* + } + else if (!isReservedOrUnreservedCharacter(testChar)) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[2]; + value1[0] = testChar; + value1[1] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -1030,11 +1060,21 @@ void XMLUri::initializePath(const XMLCh* + + if (testChar == chPercent) + { +- if (index+2 >= end || +- !XMLString::isHex(uriSpec[index+1]) || +- !XMLString::isHex(uriSpec[index+2])) ++ if (index + 2 >= end) ++ { ++ XMLCh value1[3]; ++ value1[1] = chNull; ++ value1[2] = chNull; ++ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 
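Review bot: In the query branch the hex-digit test that follows the new `if (index + 2 >= end)` block is a separate `if`, whereas the path branches at -875 and -920 chain it with `else if`; the fragment hunk at -1030 has the same shape. The reads of `uriSpec[index+1]` and `uriSpec[index+2]` are therefore protected only by ThrowXMLwithMemMgr2 not returning, which is presumably the case but the macro is not shown. I would write `else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2]))` here as well, so the bounds check visibly guards the reads. initializePath's body continues outside the hunk.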
1 : 2)); ++ ThrowXMLwithMemMgr2(MalformedURLException ++ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence ++ , errMsg_FRAGMENT ++ , value1 ++ , fMemoryManager); ++ } ++ if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[4]; + XMLString::moveChars(value1, &(uriSpec[index]), 3); + value1[3] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -1046,7 +1086,7 @@ void XMLUri::initializePath(const XMLCh* + } + else if (!isReservedOrUnreservedCharacter(testChar)) + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[2]; + value1[0] = testChar; + value1[1] = chNull; + ThrowXMLwithMemMgr2(MalformedURLException +@@ -1410,14 +1450,15 @@ void XMLUri::isConformantUserInfo(const + } + else if (*tmpStr == chPercent) // '%' + { +- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex +- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex ++ if (XMLString::stringLen(tmpStr) >= 3 ++ && XMLString::isHex(*(tmpStr+1)) // 1st hex ++ && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + { + tmpStr+=3; + } + else + { +- XMLCh value1[BUF_LEN+1]; ++ XMLCh value1[4]; + value1[0] = chPercent; + value1[1] = *(tmpStr+1); + value1[2] = *(tmpStr+2); +@@ -1468,8 +1509,9 @@ bool XMLUri::isValidServerBasedAuthority + } + else if (userinfo[index] == chPercent) // '%' + { +- if (XMLString::isHex(userinfo[index+1]) && // 1st hex +- XMLString::isHex(userinfo[index+2]) ) // 2nd hex ++ if (index + 2 < userLen ++ && XMLString::isHex(userinfo[index+1]) // 1st hex ++ && XMLString::isHex(userinfo[index+2]) ) // 2nd hex + index +=3; + else + return false; +@@ -1508,8 +1550,9 @@ bool XMLUri::isValidServerBasedAuthority + } + else if (*tmpStr == chPercent) // '%' + { +- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex +- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex ++ if (XMLString::stringLen(tmpStr) >= 3 ++ && XMLString::isHex(*(tmpStr+1)) // 1st hex ++ && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + { + tmpStr+=3; + } +@@ -1537,8 +1580,9 @@ bool 
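Review bot: The error branch of the isConformantUserInfo hunk still executes `value1[2] = *(tmpStr+2);`, so when the user info ends in a lone `%` the element after the terminator is read while the exception text is built. The added `XMLString::stringLen(tmpStr) >= 3` test protects only the success path. I would make the copy conditional, `value1[1] = *(tmpStr+1); value1[2] = (value1[1] != chNull) ? *(tmpStr+2) : chNull;`, leaving the terminating store (presumably just below, outside the hunk) as it is. The function body starts and ends outside the hunk.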
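Review bot: `XMLString::stringLen(tmpStr)` presumably walks to the terminator each time a `%` is met, here and in the hunks at -1410, -1566 and -1602, so an input made mostly of escape sequences is rescanned once per escape. Only the next two characters matter: `if (*(tmpStr+1) != chNull && XMLString::isHex(*(tmpStr+1)) && XMLString::isHex(*(tmpStr+2)))` reads nothing past the terminator and needs no length scan. The indexed variants at -1468 and -1537 already compare against a cached length, so this form would also bring the pointer-walking loops in line with them.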
XMLUri::isValidRegistryBasedAuthori + } + else if (authority[index] == chPercent) // '%' + { +- if (XMLString::isHex(authority[index+1]) && // 1st hex +- XMLString::isHex(authority[index+2]) ) // 2nd hex ++ if (index + 2 < authLen ++ && XMLString::isHex(authority[index+1]) // 1st hex ++ && XMLString::isHex(authority[index+2]) ) // 2nd hex + index +=3; + else + return false; +@@ -1566,8 +1610,9 @@ bool XMLUri::isValidRegistryBasedAuthori + } + else if (*tmpStr == chPercent) // '%' + { +- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex +- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex ++ if (XMLString::stringLen(tmpStr) >= 3 ++ && XMLString::isHex(*(tmpStr + 1)) // 1st hex ++ && XMLString::isHex(*(tmpStr + 2))) // 2nd hex + { + tmpStr+=3; + } +@@ -1602,8 +1647,9 @@ bool XMLUri::isURIString(const XMLCh* co + } + else if (*tmpStr == chPercent) // '%' + { +- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex +- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex ++ if (XMLString::stringLen(tmpStr) >=3 ++ && XMLString::isHex(*(tmpStr+1)) // 1st hex ++ && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + { + tmpStr+=3; + } +diff -urNp xerces-c-3.1.1-patched/src/xercesc/util/XMLURL.cpp xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLURL.cpp +--- xerces-c-3.1.1-patched/src/xercesc/util/XMLURL.cpp 2016-03-03 11:13:54.871619517 -0500 ++++ xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLURL.cpp 2016-03-03 11:44:08.553089142 -0500 +@@ -117,8 +117,8 @@ static const XMLCh gListSix[] = { chP + static bool isHexDigit(const XMLCh toCheck) + { + if (((toCheck >= chDigit_0) && (toCheck <= chDigit_9)) +- || ((toCheck >= chLatin_A) && (toCheck <= chLatin_Z)) +- || ((toCheck >= chLatin_a) && (toCheck <= chLatin_z))) ++ || ((toCheck >= chLatin_A) && (toCheck <= chLatin_F)) ++ || ((toCheck >= chLatin_a) && (toCheck <= chLatin_f))) + { + return true; + } +@@ -130,7 +130,7 @@ static unsigned int xlatHexDigit(const X + if ((toXlat >= chDigit_0) && (toXlat <= chDigit_9)) + return (unsigned int)(toXlat - 
chDigit_0); + +- if ((toXlat >= chLatin_A) && (toXlat <= chLatin_Z)) ++ if ((toXlat >= chLatin_A) && (toXlat <= chLatin_F)) + return (unsigned int)(toXlat - chLatin_A) + 10; + + return (unsigned int)(toXlat - chLatin_a) + 10; +@@ -611,9 +611,20 @@ BinInputStream* XMLURL::makeNewStream() + + while (percentIndex != -1) { + +- if (percentIndex+2 >= (int)end || +- !isHexDigit(realPath[percentIndex+1]) || +- !isHexDigit(realPath[percentIndex+2])) ++ // Isolate the length/boundary check so we don't try and copy off the end. ++ if (percentIndex+2 >= (int)end) ++ { ++ XMLCh value1[3]; ++ value1[1] = chNull; ++ value1[2] = chNull; ++ XMLString::moveChars(value1, &(realPath[percentIndex]), (percentIndex + 1 >= (int)end ? 1 : 2)); ++ ThrowXMLwithMemMgr2(MalformedURLException ++ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence ++ , realPath ++ , value1 ++ , fMemoryManager); ++ } ++ else if (!isHexDigit(realPath[percentIndex+1]) || !isHexDigit(realPath[percentIndex+2])) + { + XMLCh value1[4]; + XMLString::moveChars(value1, &(realPath[percentIndex]), 3); diff --git a/SPECS/xerces-c.spec b/SPECS/xerces-c.spec index 8d0c0ef..9faf430 100644 --- a/SPECS/xerces-c.spec +++ b/SPECS/xerces-c.spec @@ -1,13 +1,14 @@ Summary: Validating XML Parser Name: xerces-c Version: 3.1.1 -Release: 7%{?dist} +Release: 8%{?dist} License: ASL 2.0 Group: System Environment/Libraries URL: http://xml.apache.org/xerces-c/ Source0: http://archive.apache.org/dist/xerces/c/3/sources/xerces-c-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch1: XMLReader.cpp.patch +Patch2: xerces-c-CVE-2016-0729.patch BuildRequires: dos2unix @@ -49,6 +50,7 @@ manipulating, and validating XML documents. %prep %setup -q %patch1 -p1 +%patch2 -p1 # Copy samples before build to avoid including built binaries in -doc package mkdir -p _docs cp -a samples/ _docs/ 
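Review bot: xlatHexDigit still ends with an unconditional `return (unsigned int)(toXlat - chLatin_a) + 10;`, so any character outside 0-9 and A-F is translated as though it were a-f. That is correct only while every caller has first passed the character through isHexDigit; the makeNewStream hunk at -611 does test both characters, but the xlatHexDigit call sites themselves are not shown. I would state the precondition above the function, `// Precondition: isHexDigit(toXlat) is true; any other input yields a meaningless value`, or make the last branch an explicit a-f range check. The function's opening lines are outside the hunk.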
@@ -98,8 +100,11 @@ rm -rf $RPM_BUILD_ROOT %doc README LICENSE NOTICE CREDITS doc _docs/* %changelog +* Thu Mar 03 2016 Avesh Agarwal - 3.1.1-8 +Resolves: CVE-2016-0729 + * Mon Jun 22 2015 Avesh Agarwal - 3.1.1-7 -Resolves: rhbz#1217104 CVE-2015-0252 +Resolves: rhbz#1217105 CVE-2015-0252 * Fri Jan 24 2014 Daniel Mach - 3.1.1-6 - Mass rebuild 2014-01-24