main/libxml2: fix (CVE-2013-0338)

fixes #1662
author: Natanael Copa <ncopa@alpinelinux.org> 2013-04-11 12:27:47 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-04-11 12:37:02 +0000
commit: ce3adccd9865fd634d89940731b9c81c178a9b4c (patch)
tree: e1f624a425a04778ff4daf267f85fe56b6c25b14
parent: 17f105dd292281d4e6fb5176e4a0f4d1685c6ac3 (diff)
download: aports-ce3adccd9865fd634d89940731b9c81c178a9b4c.tar.bz2
aports-ce3adccd9865fd634d89940731b9c81c178a9b4c.tar.xz
2 files changed, 159 insertions, 4 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 01959c3196..145ed22059 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter at gmail>
 pkgname=libxml2
 pkgver=2.7.8
-pkgrel=5
+pkgrel=6
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -26,6 +26,7 @@ source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
 	libxml2-2.7.8-entities-local-buffers-size2.patch
 	libxml2-2.7.8-parser-local-buffers-size.patch
 	CVE-2012-5134.patch
+	CVE-2013-0338.patch
 	"
 
 options="!strip"
@@ -33,8 +34,10 @@ options="!strip"
 _builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
 	cd "$_builddir"
-	for _i in "$srcdir"/*.patch; do
-		patch -p1 -i "$_i"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
 	done
 }
 
@@ -80,4 +83,5 @@ de02f584b928d3e25babc5c90aa800be  libxml2-2.7.8-allocation-error-copying-entitie
 c8c789a4fbdae599a47ecbfa32b889d7  libxml2-2.7.8-entities-local-buffers-size.patch
 cba1201e77dc0f3e337d9ff146a2666e  libxml2-2.7.8-entities-local-buffers-size2.patch
 6c5c7a125dddb616feb1b2f4254bf467  libxml2-2.7.8-parser-local-buffers-size.patch
-fe428448d74481d7547bc173cb40ef26  CVE-2012-5134.patch"
+fe428448d74481d7547bc173cb40ef26  CVE-2012-5134.patch
+5eb19e0b5107a9ee6cca8a5f04b44b77  CVE-2013-0338.patch"
diff --git a/main/libxml2/CVE-2013-0338.patch b/main/libxml2/CVE-2013-0338.patch
new file mode 100644
index 0000000000..201b355620
--- /dev/null
+++ b/main/libxml2/CVE-2013-0338.patch
@@ -0,0 +1,151 @@
+From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 19 Feb 2013 02:21:49 +0000
+Subject: Detect excessive entities expansion upon replacement
+
+If entities expansion in the XML parser is asked for,
+it is possble to craft relatively small input document leading
+to excessive on-the-fly content generation.
+This patch accounts for those replacement and stop parsing
+after a given threshold. it can be bypassed as usual with the
+HUGE parser option.
+---
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index e1346e4..3f5730d 100644
+--- a/include/libxml/parser.h
++++ b/include/libxml/parser.h
+@@ -308,6 +308,8 @@ struct _xmlParserCtxt {
+
+     int                nodeInfoNr;    /* Depth of the parsing stack */
+     int                nodeInfoMax;   /* Max depth of the parsing stack */
+     xmlParserNodeInfo *nodeInfoTab;   /* array of nodeInfos */
++
++    unsigned long      sizeentcopy;   /* volume of entity copy */
+ };
+ 
+ /**
+diff --git a/parser.c b/parser.c
+index 91f8c90..ddf3b5b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -122,7 +122,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+  */
+ static int
+ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+-                     xmlEntityPtr ent)
++                     xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+ 
+@@ -130,7 +130,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+         return (0);
+     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+         return (1);
+-    if (size != 0) {
++    if (replacement != 0) {
++	if (replacement < XML_MAX_TEXT_LENGTH)
++	    return(0);
++
++        /*
++	 * If the volume of entity copy reaches 10 times the
++	 * amount of parsed data and over the large text threshold
++	 * then that's very likely to be an abuse.
++	 */
++        if (ctxt->input != NULL) {
++	    consumed = ctxt->input->consumed +
++	               (ctxt->input->cur - ctxt->input->base);
++	}
++        consumed += ctxt->sizeentities;
++
++        if (replacement < XML_PARSER_NON_LINEAR * consumed)
++	    return(0);
++    } else if (size != 0) {
+         /*
+          * Do the check based on the replacement size of the entity
+          */
+@@ -176,7 +193,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+          */
+         return (0);
+     }
+-
+     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+     return (1);
+ }
+@@ -2743,7 +2759,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+ 			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+-			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
++			    if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ 				goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 			}
+@@ -2785,7 +2801,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+ 			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+-			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
++			    if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ 			        goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 			}
+@@ -7203,7 +7219,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	    xmlFreeNodeList(list);
+ 	    return;
+ 	}
+-	if (xmlParserEntityCheck(ctxt, 0, ent)) {
++	if (xmlParserEntityCheck(ctxt, 0, ent, 0)) {
+ 	    xmlFreeNodeList(list);
+ 	    return;
+ 	}
+@@ -7361,6 +7377,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 		xmlNodePtr nw = NULL, cur, firstChild = NULL;
+ 
+ 		/*
++		 * We are copying here, make sure there is no abuse
++		 */
++		ctxt->sizeentcopy += ent->length;
++		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++		    return;
++
++		/*
+ 		 * when operating on a reader, the entities definitions
+ 		 * are always owning the entities subtree.
+ 		if (ctxt->parseMode == XML_PARSE_READER)
+@@ -7400,6 +7423,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	    } else if ((list == NULL) || (ctxt->inputNr > 0)) {
+ 		xmlNodePtr nw = NULL, cur, next, last,
+ 			   firstChild = NULL;
++
++		/*
++		 * We are copying here, make sure there is no abuse
++		 */
++		ctxt->sizeentcopy += ent->length;
++		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++		    return;
++
+ 		/*
+ 		 * Copy the entity child list and make it the new
+ 		 * entity child list. The goal is to make sure any
+@@ -14767,6 +14798,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+     ctxt->catalogs = NULL;
+     ctxt->nbentities = 0;
+     ctxt->sizeentities = 0;
++    ctxt->sizeentcopy = 0;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+ 
+     if (ctxt->attsDefault != NULL) {
+diff --git a/parserInternals.c b/parserInternals.c
+index 02032d5..f8a7041 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1757,6 +1757,8 @@
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+     ctxt->catalogs = NULL;
+     ctxt->nbentities = 0;
++    ctxt->sizeentities = 0;
++    ctxt->sizeentcopy = 0;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+     return(0);
+ }
+--
author	Natanael Copa <ncopa@alpinelinux.org>	2013-04-11 12:27:47 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-04-11 12:37:02 +0000
commit	ce3adccd9865fd634d89940731b9c81c178a9b4c (patch)
tree	e1f624a425a04778ff4daf267f85fe56b6c25b14
parent	17f105dd292281d4e6fb5176e4a0f4d1685c6ac3 (diff)
download	aports-ce3adccd9865fd634d89940731b9c81c178a9b4c.tar.bz2 aports-ce3adccd9865fd634d89940731b9c81c178a9b4c.tar.xz