diff --git a/SOURCES/xerces-c-CVE-2016-4463.patch b/SOURCES/xerces-c-CVE-2016-4463.patch
new file mode 100644
index 0000000..abe08f3
--- /dev/null
+++ b/SOURCES/xerces-c-CVE-2016-4463.patch
@@ -0,0 +1,72 @@
+--- xerces-c-3.1.1-patched/src/xercesc/validators/DTD/DTDScanner.cpp 2016/06/10 01:28:38 1747618
++++ xerces-c-3.1.1-patched-modified/src/xercesc/validators/DTD/DTDScanner.cpp 2016/06/10 01:38:34 1747619
+@@ -44,6 +44,8 @@
+
+ XERCES_CPP_NAMESPACE_BEGIN
+
++#define CONTENTSPEC_DEPTH_LIMIT 1000
++
+ // ---------------------------------------------------------------------------
+ // Local methods
+ // ---------------------------------------------------------------------------
+@@ -1038,8 +1040,13 @@
+
+
+ ContentSpecNode*
+-DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse)
++DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth)
+ {
++ if (depth++ > CONTENTSPEC_DEPTH_LIMIT) {
++ fScanner->emitError(XMLErrs::UnterminatedDOCTYPE);
++ return 0;
++ }
++
+ // Check for a PE ref here, but don't require spaces
+ checkForPERef(false, true);
+
+@@ -1240,7 +1247,7 @@
+ // Recurse to handle this new guy
+ ContentSpecNode* subNode;
+ try {
+- subNode = scanChildren(elemDecl, bufToUse);
++ subNode = scanChildren(elemDecl, bufToUse, depth);
+ }
+ catch (const XMLErrs::Codes)
+ {
+@@ -1577,7 +1584,8 @@
+ //
+ toFill.setModelType(DTDElementDecl::Children);
+ XMLBufBid bbTmp(fBufMgr);
+- ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer());
++ unsigned int depth = 0;
++ ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth);
+ status = (resNode != 0);
+ if (status)
+ toFill.setContentSpec(resNode);
+@@ -2509,7 +2517,15 @@
+ {
+ while (true)
+ {
+- const XMLCh nextCh = fReaderMgr->peekNextChar();
++ XMLCh nextCh;
++
++ try {
++ nextCh = fReaderMgr->peekNextChar();
++ }
++ catch (XMLException& ex) {
++ fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL);
++ nextCh = chNull;
++ }
+
+ if (!nextCh)
+ {
+--- xerces-c-3.1.1-patched/src/xercesc/validators/DTD/DTDScanner.hpp 2016/06/10 01:28:38 1747618
++++ xerces-c-3.1.1-patched-modified/src/xercesc/validators/DTD/DTDScanner.hpp 2016/06/10 01:38:34 1747619
+@@ -143,6 +143,7 @@
+ (
+ const DTDElementDecl& elemDecl
+ , XMLBuffer& bufToUse
++ , unsigned int& depth
+ );
+ bool scanCharRef(XMLCh& toFill, XMLCh& second);
+ void scanComment();
diff --git a/SPECS/xerces-c.spec b/SPECS/xerces-c.spec
index 9faf430..aea7057 100644
--- a/SPECS/xerces-c.spec
+++ b/SPECS/xerces-c.spec
@@ -1,7 +1,7 @@
 Summary: Validating XML Parser
 Name: xerces-c
 Version: 3.1.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0
 Group: System Environment/Libraries
 URL: http://xml.apache.org/xerces-c/
@@ -9,6 +9,7 @@ Source0: http://archive.apache.org/dist/xerces/c/3/sources/xerces-c-%{version}.t BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch1: XMLReader.cpp.patch Patch2: xerces-c-CVE-2016-0729.patch +Patch3: xerces-c-CVE-2016-4463.patch BuildRequires: dos2unix
@@ -51,6 +52,7 @@ manipulating, and validating XML documents.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # Copy samples before build to avoid including built binaries in -doc package
 mkdir -p _docs
 cp -a samples/ _docs/
@@ -100,6 +102,10 @@ rm -rf $RPM_BUILD_ROOT %doc README LICENSE NOTICE CREDITS doc _docs/* %changelog +* Wed Sep 05 2018 Robbie Harwood - 3.1.1-9 +- Fix CVE-2016-4463 +- Resolves: #1534481 + * Thu Mar 03 2016 Avesh Agarwal - 3.1.1-8 Resolves: CVE-2016-0729
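Review bot: In the `scanChildren` part of the embedded patch, `depth` is an `unsigned int&` that is incremented on every entry (`if (depth++ > CONTENTSPEC_DEPTH_LIMIT)`) and nothing in the patch decrements it on return, so it counts the total number of `scanChildren` calls for one element declaration rather than the current nesting level. The recursion is still bounded, which is what the stack-exhaustion fix needs, but a wide, shallow content model with more than about 1000 parenthesised groups would presumably be rejected too, and it would be reported with the unrelated code `XMLErrs::UnterminatedDOCTYPE`. Passing the counter by value (`unsigned int depth` in the declaration and definition, `scanChildren(elemDecl, bufToUse, depth + 1)` at the recursive call) would make it a true depth, and a comment on the macro such as `// Upper bound on nested content-spec groups; guards against stack exhaustion on hostile DTDs` would record what it protects. The body of `scanChildren` continues outside the patch hunks, so how the null return is handled at the recursive call site cannot be checked from here.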