diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2017-04-13 11:11:48 +0200 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-04-13 11:11:48 +0200 |
| commit | 0daf1361a8d912518e1827808f4023ef26153ba0 (patch) | |
| tree | 980432b66c9dea9185ed76d6345cfa35308e9b21 | |
| parent | 5466e2e8d58f16242930f6c33e85870504de9484 (diff) | |
| download | aports-0daf1361a8d912518e1827808f4023ef26153ba0.tar.bz2 aports-0daf1361a8d912518e1827808f4023ef26153ba0.tar.xz | |
main/libxml2: upgrade to 2.9.4
| -rw-r--r-- | main/libxml2/APKBUILD | 86 | ||||
| -rw-r--r-- | main/libxml2/CVE-2014-0191.patch | 36 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-1819.patch | 176 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-5312.patch | 32 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7497.patch | 32 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7498.patch | 82 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7499-1.patch | 81 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7499-2.patch | 36 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7500.patch | 106 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7941_1.patch | 32 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7941_2.patch | 49 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7942-2.patch | 28 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-7942.patch | 32 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-8035.patch | 31 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-8241.patch | 35 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-8242.patch | 42 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-8317-1.patch | 38 | ||||
| -rw-r--r-- | main/libxml2/CVE-2015-8317-2.patch | 35 | ||||
| -rw-r--r-- | main/libxml2/CVE-2016-1839-2073.patch | 129 | ||||
| -rw-r--r-- | main/libxml2/libxml2-pthread.patch | 11 |
20 files changed, 5 insertions, 1124 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index f5ad97777f..505cfff9f0 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=libxml2 -pkgver=2.9.2 -pkgrel=2 +pkgver=2.9.4 +pkgrel=0 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -12,25 +12,6 @@ depends_dev="zlib-dev python-dev" makedepends="zlib-dev python-dev" subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz - libxml2-pthread.patch - CVE-2014-0191.patch - CVE-2015-1819.patch - CVE-2015-5312.patch - CVE-2015-7497.patch - CVE-2015-7498.patch - CVE-2015-7499-1.patch - CVE-2015-7499-2.patch - CVE-2015-7500.patch - CVE-2015-7941_1.patch - CVE-2015-7941_2.patch - CVE-2015-7942.patch - CVE-2015-7942-2.patch - CVE-2015-8035.patch - CVE-2015-8241.patch - CVE-2015-8242.patch - CVE-2015-8317-1.patch - CVE-2015-8317-2.patch - CVE-2016-1839-2073.patch " options="!strip" @@ -82,63 +63,6 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="9e6a9aca9d155737868b3dc5fd82f788 libxml2-2.9.2.tar.gz -cc0da520c5296e87407d24166480da73 libxml2-pthread.patch -e6f432aea642badcb848e5791bcf6df7 CVE-2014-0191.patch -44b96e4a7c675f103628d7decfa56d37 CVE-2015-1819.patch -a6fdca7e058fe6fbaa248e8c0aae7424 CVE-2015-5312.patch -70b52327b3bbc473cfde89730f829aeb CVE-2015-7497.patch -5cfa24ef6c26ad780bcdd7dfad831fd1 CVE-2015-7498.patch -d876337f727521061309722c9d16ba9a CVE-2015-7499-1.patch -2852386b8844d628e6680e054fbbba4e CVE-2015-7499-2.patch -0be954db9ac4cf9055b95eed5077fb2e CVE-2015-7500.patch -286111441eed116f2edc489e9788d573 CVE-2015-7941_1.patch -44ad838bfb10784f016bf35ead4e1beb CVE-2015-7941_2.patch -7304667ea636d829feed9cc6747d5efb CVE-2015-7942.patch -ffdfbe9d5d7d334c5baca09060d56e78 CVE-2015-7942-2.patch -66f5aa382028e125202f6ac70f507c0a CVE-2015-8035.patch -6f8105eed1006d1d5587d3d88b7c5bbd CVE-2015-8241.patch -f5dc37a7162905c53ec86d06e20cb9b3 CVE-2015-8242.patch -f767ce95f29c9b63c31eaf6afb36e376 CVE-2015-8317-1.patch -017edcbd0f90ca13b23565f55f6c09e3 CVE-2015-8317-2.patch -3595e925283de7aa4ef4a90e71ec0c89 CVE-2016-1839-2073.patch" -sha256sums="5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc libxml2-2.9.2.tar.gz -97d5e152580774483c47b28483282a4180c2c375bb7716a807ec859e59c3ec2f libxml2-pthread.patch -288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8 CVE-2014-0191.patch -18cc94e2d1917e6e7b959d1ad1a1b1a907cdbd6fc7cfd52bfd2a7aaec7816bf2 CVE-2015-1819.patch -8676498e81d8f973c02bb0c8d56486be593c0179a0cc9d0c6e9bcdfff068bb05 CVE-2015-5312.patch -b63be023398e8d89068b968bacb8c50d9cac0b32eeec29c972d4b9a54f7288cd CVE-2015-7497.patch -56bf3c58cd388bdabf3b47613cfb2d84be564954d86836e815679ad4151923dc CVE-2015-7498.patch -ad99f8442cc6dc5127cb67c8b6277995f301b739ec8a60a474746c846e360ece CVE-2015-7499-1.patch -4c44c22a5f3156aff40a029d656caca55cc095cf3cbaeeabc0b6e09b03fcf08c CVE-2015-7499-2.patch -a482436a040e0c94efc669ac71bfd42427efd33a9e7d755897a6b0ae8b42e41f CVE-2015-7500.patch -86d575ab1273f9a182a5c589db3e7a93b7c4bed63ca3588a8a99a84235b990be CVE-2015-7941_1.patch -53c2adf000f8716a9e96aef9018cd824bb4cd24169d62686c1631bbee6ec60c8 CVE-2015-7941_2.patch -9095165d17db7e66060307fea16872ce5be63bd9f52e858f05200d6f12391ee4 CVE-2015-7942.patch -bd98845e4fb4405ae45f4dbdac097ac40db4e8ac8d2ff7194ac0997404ca37bf CVE-2015-7942-2.patch -3b4d7e17929e8cb4ce078a7358450b308e15c9b9aa9d125a4d945ef6623e9bae CVE-2015-8035.patch -fc8c07b99a5bb456a720eafc2393eb6b299930dc5cb1781494f692681e9818ac CVE-2015-8241.patch -e4a1441afcd4379455ed683216dfbee49b7ef5480f57c449481fb3928190b41f CVE-2015-8242.patch -81777f53a343a9d0dcf88c7871d52a2b7b5e7fc793ec3538cbe923d0919b2ae1 CVE-2015-8317-1.patch -0ef449496e8054809a653d33591326aaaf18aeffe8e2cfea28ede63b134e4430 CVE-2015-8317-2.patch -4e3fbfe5a596c725f4a857146ac2ed60b0dae60153d5ba0b02aacef5fb9c86a1 CVE-2016-1839-2073.patch" -sha512sums="a4e3b20e2efceed39c20379b32b746d4a1cf65c0cf7719d26c9bf7483c1f04a4e5a442ae2f36dc4ae8a4d011b67cfb58d9f6d0be034fa3e897a49059c9289565 libxml2-2.9.2.tar.gz -bda49c5e09605acc2bb36203521f750903d81345cc38af54b977e3ce71e288267fb3ab98f1813d846ab45461490482337f7af8b0f1a8a5e0b2c09e03bbadc7f7 libxml2-pthread.patch -41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11 CVE-2014-0191.patch -61c512e2f43bd0791e05a60c6bfa41a8a53bc95b2e45f983e6a87964246a6ab596955f9c9956d1f7ffd08fff774ab8d54222eeebb1e14cd5e54378e65ff677ce CVE-2015-1819.patch -3a1f95a681fed8ae26327246c767d332d863d401318e246cd97b79f63ac09aef7e9a82a6185e60e7de9d4489a9f21ed519d015ea9748da2ed065ab579c596b25 CVE-2015-5312.patch -50dcf87ddce80643d7bb0e622d3d67a095549571da5866c9b6f8867c28aa3b41fe43ae12e4c2aa2ddb4d084908dfb79cd84995089fead447c1f1db1bff6a0ca3 CVE-2015-7497.patch -6c3c7dbc23380f53d6a5122bd2d55cf2352822974d6cf7921dbe07f11b5396cdc5f1812263e10d53c41610989bbf7c5266f6751eb987c0fd93ff068e8f4348a2 CVE-2015-7498.patch -17c62e675e64366079a44753aaf460a026a0716b5a1bc7bace4156dc693639bf842c0be326877eebf4661943f93f43866967e1989603499233ae280f93c79d37 CVE-2015-7499-1.patch -9a51143edb520491653bf44c8cdce3a359d4ada33bb1352b2985a1e00bf6367941f7f41983b126fb1eca531811473966b20d03338873490ab328af6647a2d4e0 CVE-2015-7499-2.patch -1bddc8789cc37b015abee0659cafdb60936a38a4ec7d39e23ecc4c8ca0bf5fc73aefeb9a16f480749dc73bc9c752986dc5df6dc92d041d17677bce64b9d4588a CVE-2015-7500.patch -c86c62704b527e5b3e0834586a4a05e5acc059ececf80e45135bf9d00ed0531aa268366c9bdac1fb4f5fa98a03175f33d98e3edde4d351095b8aae456656579f CVE-2015-7941_1.patch -3711688706751455818ac29ecc49f221ce747173145ff076bc1a2223d8c00287362f0b5bfc6351583bc3edabe1f05546295d78633c0ccf9cfa4d48a5594e09d8 CVE-2015-7941_2.patch -bbf93ce9f9277f049ccac6644f72e4c2d42a7513762950c928bbdab3813a9a20123a3aef5c83b8448213026761150bc4ad5a2a89dd9eb770793b642a54ca3fd0 CVE-2015-7942.patch -40837e2cc46aa8972818aa4526926cffd213e4c5a689c66f4c4b864c339582588e03d98f4fcf5781977b3a71a2a0850de17540b0293e58755f07346471e76aa4 CVE-2015-7942-2.patch -071577d6d2f4fa2df1894fab3379ac461f79a785a3c54b04c729a1e06982d3ae0158526d213a4b375fa878fa7bb2a257cf9070092f8228ad5dc159f99ea71ea1 CVE-2015-8035.patch -baec4095aae6e272e8d6dc6b820af8fdc73fe50d7ae5bad12a3fc550cdf73d03e949e00eb81ea15c796f0b454400d88190edd0c59a8dd0606f8d21419ae4ebdf CVE-2015-8241.patch -98c83b942f718a765821771eb32aef70086edaedc44b83ecf291e8c65afdca63ec204b50d4dbfb87c13e6ded12cce3a7cfd3291449e9daa4d30d025525605e4d CVE-2015-8242.patch -eccf558670f2458ce087c4211dc911463427b9722a5e6aee2ba1b008636bde967c6f88d7751f7586a8d338111520d64d2480e36d8a284180b9f867fad7f9957b CVE-2015-8317-1.patch -04538232684bc44825b664d963aae41e4297a657404a4ea2b276a51f8f02f8334af35d630adccb48aa27a23b0aee328d41b1d4deff69aa28bed8f9f4cf1fae0b CVE-2015-8317-2.patch -943b30b6373192759e92b5fd354002c5b93a68f465ef43333f23e190674bf7e92d5461feb74f6c090b0eb68fcb1eb9957b44ade331b341182109cc95fbdac646 CVE-2016-1839-2073.patch" +md5sums="ae249165c173b1ff386ee8ad676815f5 libxml2-2.9.4.tar.gz" +sha256sums="ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c libxml2-2.9.4.tar.gz" +sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz" diff --git a/main/libxml2/CVE-2014-0191.patch b/main/libxml2/CVE-2014-0191.patch deleted file mode 100644 index 4d5fe1a7aa..0000000000 --- a/main/libxml2/CVE-2014-0191.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 22 Apr 2014 15:30:56 +0800 -Subject: Do not fetch external parameter entities - -Unless explicitely asked for when validating or replacing entities -with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> - -diff --git a/parser.c b/parser.c -index 9347ac9..c0dea05 100644 ---- a/parser.c -+++ b/parser.c -@@ -2598,6 +2598,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { - xmlCharEncoding enc; - - /* -+ * Note: external parsed entities will not be loaded, it is -+ * not required for a non-validating parser, unless the -+ * option of validating, or substituting entities were -+ * given. Doing so is far more secure as the parser will -+ * only process data coming from the document entity by -+ * default. -+ */ -+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && -+ ((ctxt->options & XML_PARSE_NOENT) == 0) && -+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && -+ (ctxt->validate == 0)) -+ return; -+ -+ /* - * handle the extra spaces added before and after - * c.f. http://www.w3.org/TR/REC-xml#as-PE - * this is done independently. --- -cgit v0.10.1 - diff --git a/main/libxml2/CVE-2015-1819.patch b/main/libxml2/CVE-2015-1819.patch deleted file mode 100644 index e77202b56e..0000000000 --- a/main/libxml2/CVE-2015-1819.patch +++ /dev/null @@ -1,176 +0,0 @@ -From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 14 Apr 2015 17:41:48 +0800 -Subject: CVE-2015-1819 Enforce the reader to run in constant memory - -One of the operation on the reader could resolve entities -leading to the classic expansion issue. Make sure the -buffer used for xmlreader operation is bounded. -Introduce a new allocation type for the buffers for this effect. ---- - buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- - include/libxml/tree.h | 3 ++- - xmlreader.c | 20 +++++++++++++++++++- - 3 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/buf.c b/buf.c -index 6efc7b6..07922ff 100644 ---- a/buf.c -+++ b/buf.c -@@ -27,6 +27,7 @@ - #include <libxml/tree.h> - #include <libxml/globals.h> - #include <libxml/tree.h> -+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ - #include "buf.h" - - #define WITH_BUFFER_COMPAT -@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, - if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || - (scheme == XML_BUFFER_ALLOC_EXACT) || - (scheme == XML_BUFFER_ALLOC_HYBRID) || -- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { -+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || -+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { - buf->alloc = scheme; - if (buf->buffer) - buf->buffer->alloc = scheme; -@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - size = buf->use + len + 100; - #endif - -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || -+ (buf->size >= XML_MAX_TEXT_LENGTH)) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ if (size >= XML_MAX_TEXT_LENGTH) -+ size = XML_MAX_TEXT_LENGTH; -+ } - if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { - size_t start_buf = buf->content - buf->contentIO; - -@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) - CHECK_COMPAT(buf) - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (size >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ } - - /* Don't resize if we don't have to */ - if (size < buf->size) -@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { - - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { - } - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -diff --git a/include/libxml/tree.h b/include/libxml/tree.h -index 2f90717..4a9b3bc 100644 ---- a/include/libxml/tree.h -+++ b/include/libxml/tree.h -@@ -76,7 +76,8 @@ typedef enum { - XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ - XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ - XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ -- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ - } xmlBufferAllocationScheme; - - /** -diff --git a/xmlreader.c b/xmlreader.c -index f19e123..471e7e2 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { - "xmlNewTextReader : malloc failed\n"); - return(NULL); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(ret->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (ret->sax == NULL) { - xmlBufFree(ret->buffer); -@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - return(((xmlNsPtr) node)->href); - case XML_ATTRIBUTE_NODE:{ - xmlAttrPtr attr = (xmlAttrPtr) node; -+ const xmlChar *ret; - - if ((attr->children != NULL) && - (attr->children->type == XML_TEXT_NODE) && -@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - "xmlTextReaderSetup : malloc failed\n"); - return (NULL); - } -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - } else - xmlBufEmpty(reader->buffer); - xmlBufGetNodeContent(reader->buffer, node); -- return(xmlBufContent(reader->buffer)); -+ ret = xmlBufContent(reader->buffer); -+ if (ret == NULL) { -+ /* error on the buffer best to reallocate */ -+ xmlBufFree(reader->buffer); -+ reader->buffer = xmlBufCreateSize(100); -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); -+ ret = BAD_CAST ""; -+ } -+ return(ret); - } - break; - } -@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, - "xmlTextReaderSetup : malloc failed\n"); - return (-1); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - if (reader->sax == NULL) - reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (reader->sax == NULL) { --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-5312.patch b/main/libxml2/CVE-2015-5312.patch deleted file mode 100644 index ab9f31f016..0000000000 --- a/main/libxml2/CVE-2015-5312.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001 -From: David Drysdale <drysdale@google.com> -Date: Fri, 20 Nov 2015 11:13:45 +0800 -Subject: CVE-2015-5312 Another entity expansion issue - -For https://bugzilla.gnome.org/show_bug.cgi?id=756733 -It is one case where the code in place to detect entities expansions -failed to exit when the situation was detected, leading to DoS -Problem reported by Kostya Serebryany @ Google -Patch provided by David Drysdale @ Google ---- - parser.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/parser.c b/parser.c -index b7b6668..da6e729 100644 ---- a/parser.c -+++ b/parser.c -@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - 0, 0, 0); - ctxt->depth--; - -+ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || -+ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) -+ goto int_error; -+ - if (rep != NULL) { - current = rep; - while (*current != 0) { /* non input consuming loop */ --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7497.patch b/main/libxml2/CVE-2015-7497.patch deleted file mode 100644 index d734c606c8..0000000000 --- a/main/libxml2/CVE-2015-7497.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 -From: David Drysdale <drysdale@google.com> -Date: Fri, 20 Nov 2015 10:47:12 +0800 -Subject: CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey - -For https://bugzilla.gnome.org/show_bug.cgi?id=756528 -It was possible to hit a negative offset in the name indexing -used to randomize the dictionary key generation -Reported and fix provided by David Drysdale @ Google ---- - dict.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/dict.c b/dict.c -index 5f71d55..8c8f931 100644 ---- a/dict.c -+++ b/dict.c -@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, - value += 30 * (*prefix); - - if (len > 10) { -- value += name[len - (plen + 1 + 1)]; -+ int offset = len - (plen + 1 + 1); -+ if (offset < 0) -+ offset = len - (10 + 1); -+ value += name[offset]; - len = 10; - if (plen > 10) - plen = 10; --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7498.patch b/main/libxml2/CVE-2015-7498.patch deleted file mode 100644 index 9682926e39..0000000000 --- a/main/libxml2/CVE-2015-7498.patch +++ /dev/null @@ -1,82 +0,0 @@ -From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 9 Nov 2015 18:07:18 +0800 -Subject: Avoid processing entities after encoding conversion failures - -For https://bugzilla.gnome.org/show_bug.cgi?id=756527 -and was also raised by Chromium team in the past - -When we hit a convwersion failure when switching encoding -it is bestter to stop parsing there, this was treated as a -fatal error but the parser was continuing to process to extract -more errors, unfortunately that makes little sense as the data -is obviously corrupt and can potentially lead to unexpected behaviour. ---- - parser.c | 7 +++++-- - parserInternals.c | 11 ++++++++++- - 2 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/parser.c b/parser.c -index 134afe7..c79b4e8 100644 ---- a/parser.c -+++ b/parser.c -@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) { - xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); - } - xmlParseEncodingDecl(ctxt); -- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { -+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || -+ (ctxt->instate == XML_PARSER_EOF)) { - /* - * The XML REC instructs us to stop parsing right here - */ -@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { - - if (CUR == 0) { - xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); -+ return(-1); - } - - /* -@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { - * Note that we will switch encoding on the fly. - */ - xmlParseXMLDecl(ctxt); -- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { -+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || -+ (ctxt->instate == XML_PARSER_EOF)) { - /* - * The XML REC instructs us to stop parsing right here - */ -diff --git a/parserInternals.c b/parserInternals.c -index df204fd..c8230c1 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) - { - xmlCharEncodingHandlerPtr handler; - int len = -1; -+ int ret; - - if (ctxt == NULL) return(-1); - switch (enc) { -@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) - if (handler == NULL) - return(-1); - ctxt->charset = XML_CHAR_ENCODING_UTF8; -- return(xmlSwitchToEncodingInt(ctxt, handler, len)); -+ ret = xmlSwitchToEncodingInt(ctxt, handler, len); -+ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { -+ /* -+ * on encoding conversion errors, stop the parser -+ */ -+ xmlStopParser(ctxt); -+ ctxt->errNo = XML_I18N_CONV_FAILED; -+ } -+ return(ret); - } - - /** --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7499-1.patch b/main/libxml2/CVE-2015-7499-1.patch deleted file mode 100644 index d3e95d8291..0000000000 --- a/main/libxml2/CVE-2015-7499-1.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 20 Nov 2015 14:55:30 +0800 -Subject: Add xmlHaltParser() to stop the parser - -The problem is doing it in a consistent and safe fashion -It's more complex than just setting ctxt->instate = XML_PARSER_EOF -Update the public function to reuse that new internal routine ---- - parser.c | 34 +++++++++++++++++++++++++++++----- - 1 file changed, 29 insertions(+), 5 deletions(-) - -diff --git a/parser.c b/parser.c -index da6e729..b6e99b1 100644 ---- a/parser.c -+++ b/parser.c -@@ -94,6 +94,8 @@ static xmlParserCtxtPtr - xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, - const xmlChar *base, xmlParserCtxtPtr pctx); - -+static void xmlHaltParser(xmlParserCtxtPtr ctxt); -+ - /************************************************************************ - * * - * Arbitrary limits set in the parser. See XML_PARSE_HUGE * -@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, - #endif /* LIBXML_PUSH_ENABLED */ - - /** -- * xmlStopParser: -+ * xmlHaltParser: - * @ctxt: an XML parser context - * -- * Blocks further parser processing -+ * Blocks further parser processing don't override error -+ * for internal use - */ --void --xmlStopParser(xmlParserCtxtPtr ctxt) { -+static void -+xmlHaltParser(xmlParserCtxtPtr ctxt) { - if (ctxt == NULL) - return; - ctxt->instate = XML_PARSER_EOF; -- ctxt->errNo = XML_ERR_USER_STOP; - ctxt->disableSAX = 1; - if (ctxt->input != NULL) { -+ /* -+ * in case there was a specific allocation deallocate before -+ * overriding base -+ */ -+ if (ctxt->input->free != NULL) { -+ ctxt->input->free((xmlChar *) ctxt->input->base); -+ ctxt->input->free = NULL; -+ } - ctxt->input->cur = BAD_CAST""; - ctxt->input->base = ctxt->input->cur; - } - } - - /** -+ * xmlStopParser: -+ * @ctxt: an XML parser context -+ * -+ * Blocks further parser processing -+ */ -+void -+xmlStopParser(xmlParserCtxtPtr ctxt) { -+ if (ctxt == NULL) -+ return; -+ xmlHaltParser(ctxt); -+ ctxt->errNo = XML_ERR_USER_STOP; -+} -+ -+/** - * xmlCreateIOParserCtxt: - * @sax: a SAX handler - * @user_data: The user data returned on SAX callbacks --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7499-2.patch b/main/libxml2/CVE-2015-7499-2.patch deleted file mode 100644 index 741b81b677..0000000000 --- a/main/libxml2/CVE-2015-7499-2.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 20 Nov 2015 15:04:09 +0800 -Subject: Detect incoherency on GROW - -the current pointer to the input has to be between the base and end -if not stop everything we have an internal state error. ---- - parser.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 1810f99..ab007aa 100644 ---- a/parser.c -+++ b/parser.c -@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { - ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); -- ctxt->instate = XML_PARSER_EOF; -+ xmlHaltParser(ctxt); -+ return; - } - xmlParserInputGrow(ctxt->input, INPUT_CHUNK); -+ if ((ctxt->input->cur > ctxt->input->end) || -+ (ctxt->input->cur < ctxt->input->base)) { -+ xmlHaltParser(ctxt); -+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); -+ return; -+ } - if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && - (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) - xmlPopInput(ctxt); --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7500.patch b/main/libxml2/CVE-2015-7500.patch deleted file mode 100644 index 1c031e2e80..0000000000 --- a/main/libxml2/CVE-2015-7500.patch +++ /dev/null @@ -1,106 +0,0 @@ -From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 20 Nov 2015 16:06:59 +0800 -Subject: CVE-2015-7500 Fix memory access error due to incorrect entities - boundaries - -For https://bugzilla.gnome.org/show_bug.cgi?id=756525 -handle properly the case where we popped out of the current entity -while processing a start tag -Reported by Kostya Serebryany @ Google - -This slightly modifies the output of 754946 in regression tests ---- - parser.c | 28 ++++++++++++++++++++++------ - 1 files changed, 22 insertions(+), 6 deletions(-) - -diff --git a/parser.c b/parser.c -index c7e4574..c5741e3 100644 ---- a/parser.c -+++ b/parser.c -@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, - const xmlChar **atts = ctxt->atts; - int maxatts = ctxt->maxatts; - int nratts, nbatts, nbdef; -- int i, j, nbNs, attval, oldline, oldcol; -+ int i, j, nbNs, attval, oldline, oldcol, inputNr; - const xmlChar *base; - unsigned long cur; - int nsNr = ctxt->nsNr; -@@ -9367,6 +9367,7 @@ reparse: - SHRINK; - base = ctxt->input->base; - cur = ctxt->input->cur - ctxt->input->base; -+ inputNr = ctxt->inputNr; - oldline = ctxt->input->line; - oldcol = ctxt->input->col; - nbatts = 0; -@@ -9392,7 +9393,8 @@ reparse: - */ - SKIP_BLANKS; - GROW; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - - while (((RAW != '>') && - ((RAW != '/') || (NXT(1) != '>')) && -@@ -9403,7 +9405,7 @@ reparse: - - attname = xmlParseAttribute2(ctxt, prefix, localname, - &aprefix, &attvalue, &len, &alloc); -- if (ctxt->input->base != base) { -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { - if ((attvalue != NULL) && (alloc != 0)) - xmlFree(attvalue); - attvalue = NULL; -@@ -9552,7 +9554,8 @@ skip_ns: - break; - } - SKIP_BLANKS; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - continue; - } - -@@ -9589,7 +9592,8 @@ failed: - GROW - if (ctxt->instate == XML_PARSER_EOF) - break; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) - break; - if (!IS_BLANK_CH(RAW)) { -@@ -9605,7 +9609,8 @@ failed: - break; - } - GROW; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - } - - /* -@@ -9772,6 +9777,17 @@ base_changed: - if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) - xmlFree((xmlChar *) atts[i]); - } -+ -+ /* -+ * We can't switch from one entity to another in the middle -+ * of a start tag -+ */ -+ if (inputNr != ctxt->inputNr) { -+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, -+ "Start tag doesn't start and stop in the same entity\n"); -+ return(NULL); -+ } -+ - ctxt->input->cur = ctxt->input->base + cur; - ctxt->input->line = oldline; - ctxt->input->col = oldcol; --- -cgit v0.11.2 diff --git a/main/libxml2/CVE-2015-7941_1.patch b/main/libxml2/CVE-2015-7941_1.patch deleted file mode 100644 index d688149f95..0000000000 --- a/main/libxml2/CVE-2015-7941_1.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 23 Feb 2015 11:17:35 +0800 -Subject: Stop parsing on entities boundaries errors - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -There are times, like on unterminated entities that it's preferable to -stop parsing, even if that means less error reporting. Entities are -feeding the parser on further processing, and if they are ill defined -then it's possible to get the parser to bug. Also do the same on -Conditional Sections if the input is broken, as the structure of -the document can't be guessed. ---- - parser.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parser.c b/parser.c -index a8d1b67..bbe97eb 100644 ---- a/parser.c -+++ b/parser.c -@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { - if (RAW != '>') { - xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, - "xmlParseEntityDecl: entity %s not terminated\n", name); -+ xmlStopParser(ctxt); - } else { - if (input != ctxt->input) { - xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7941_2.patch b/main/libxml2/CVE-2015-7941_2.patch deleted file mode 100644 index 36b43bacf8..0000000000 --- a/main/libxml2/CVE-2015-7941_2.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 23 Feb 2015 11:29:20 +0800 -Subject: Cleanup conditional section error handling - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -The error handling of Conditional Section also need to be -straightened as the structure of the document can't be -guessed on a failure there and it's better to stop parsing -as further errors are likely to be irrelevant. ---- - parser.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/parser.c b/parser.c -index bbe97eb..fe603ac 100644 ---- a/parser.c -+++ b/parser.c -@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - - } else { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); -+ xmlStopParser(ctxt); -+ return; - } - - if (RAW == 0) --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7942-2.patch b/main/libxml2/CVE-2015-7942-2.patch deleted file mode 100644 index 1a059fe40b..0000000000 --- a/main/libxml2/CVE-2015-7942-2.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 27 Oct 2015 10:53:44 +0800 -Subject: Fix an error in previous Conditional section patch - -an off by one mistake in the change, led to error on correct -document where the end of the included entity was exactly -the end of the conditional section, leading to regtest failure ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index b9217ff..d67b300 100644 ---- a/parser.c -+++ b/parser.c -@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - NULL, NULL); - } - if ((ctxt-> instate != XML_PARSER_EOF) && -- ((ctxt->input->cur + 3) < ctxt->input->end)) -+ ((ctxt->input->cur + 3) <= ctxt->input->end)) - SKIP(3); - } - } --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-7942.patch b/main/libxml2/CVE-2015-7942.patch deleted file mode 100644 index bb0766a559..0000000000 --- a/main/libxml2/CVE-2015-7942.patch +++ /dev/null @@ -1,32 +0,0 @@ -From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 23 Oct 2015 19:02:28 +0800 -Subject: Another variation of overflow in Conditional sections - -Which happen after the previous fix to -https://bugzilla.gnome.org/show_bug.cgi?id=756456 - -But stopping the parser and exiting we didn't pop the intermediary entities -and doing the SKIP there applies on an input which may be too small ---- - parser.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index a65e4cc..b9217ff 100644 ---- a/parser.c -+++ b/parser.c -@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - "All markup of the conditional section is not in the same entity\n", - NULL, NULL); - } -- SKIP(3); -+ if ((ctxt-> instate != XML_PARSER_EOF) && -+ ((ctxt->input->cur + 3) < ctxt->input->end)) -+ SKIP(3); - } - } - --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-8035.patch b/main/libxml2/CVE-2015-8035.patch deleted file mode 100644 index 92c26ca56d..0000000000 --- a/main/libxml2/CVE-2015-8035.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 3 Nov 2015 15:31:25 +0800 -Subject: CVE-2015-8035 Fix XZ compression support loop - -For https://bugzilla.gnome.org/show_bug.cgi?id=757466 -DoS when parsing specially crafted XML document if XZ support -is compiled in (which wasn't the case for 2.9.2 and master since -Nov 2013, fixed in next commit !) ---- - xzlib.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/xzlib.c b/xzlib.c -index 0dcb9f4..1fab546 100644 ---- a/xzlib.c -+++ b/xzlib.c -@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) - xz_error(state, LZMA_DATA_ERROR, "compressed data error"); - return -1; - } -+ if (ret == LZMA_PROG_ERROR) { -+ xz_error(state, LZMA_PROG_ERROR, "compression error"); -+ return -1; -+ } - } while (strm->avail_out && ret != LZMA_STREAM_END); - - /* update available output and crc check value */ --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-8241.patch b/main/libxml2/CVE-2015-8241.patch deleted file mode 100644 index 2108f569b3..0000000000 --- a/main/libxml2/CVE-2015-8241.patch +++ /dev/null @@ -1,35 +0,0 @@ -From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001 -From: Hugh Davenport <hugh@allthethings.co.nz> -Date: Tue, 3 Nov 2015 20:40:49 +0800 -Subject: Avoid extra processing of MarkupDecl when EOF - -For https://bugzilla.gnome.org/show_bug.cgi?id=756263 - -One place where ctxt->instate == XML_PARSER_EOF whic was set up -by entity detection issues doesn't get noticed, and even overrided ---- - parser.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/parser.c b/parser.c -index d67b300..134afe7 100644 ---- a/parser.c -+++ b/parser.c -@@ -6972,6 +6972,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) { - xmlParsePI(ctxt); - } - } -+ -+ /* -+ * detect requirement to exit there and act accordingly -+ * and avoid having instate overriden later on -+ */ -+ if (ctxt->instate == XML_PARSER_EOF) -+ return; -+ - /* - * This is only for internal subset. On external entities, - * the replacement is done before parsing stage --- -cgit v0.12 - diff --git a/main/libxml2/CVE-2015-8242.patch b/main/libxml2/CVE-2015-8242.patch deleted file mode 100644 index b009ae16ac..0000000000 --- a/main/libxml2/CVE-2015-8242.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 -From: Hugh Davenport <hugh@allthethings.co.nz> -Date: Fri, 20 Nov 2015 17:16:06 +0800 -Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode - -For https://bugzilla.gnome.org/show_bug.cgi?id=756372 -Error in the code pointing to the codepoint in the stack for the -current char value instead of the pointer in the input that the SAX -callback expects -Reported and fixed by Hugh Davenport ---- - HTMLparser.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index bdf7807..b729197 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { - if (ctxt->keepBlanks) { - if (ctxt->sax->characters != NULL) - ctxt->sax->characters( -- ctxt->userData, &cur, 1); -+ ctxt->userData, &in->cur[0], 1); - } else { - if (ctxt->sax->ignorableWhitespace != NULL) - ctxt->sax->ignorableWhitespace( -- ctxt->userData, &cur, 1); -+ ctxt->userData, &in->cur[0], 1); - } - } else { - htmlCheckParagraph(ctxt); - if (ctxt->sax->characters != NULL) - ctxt->sax->characters( -- ctxt->userData, &cur, 1); -+ ctxt->userData, &in->cur[0], 1); - } - } - ctxt->token = 0; --- -cgit v0.11.2 - diff --git a/main/libxml2/CVE-2015-8317-1.patch b/main/libxml2/CVE-2015-8317-1.patch deleted file mode 100644 index 3075d527e9..0000000000 --- a/main/libxml2/CVE-2015-8317-1.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 29 Jun 2015 09:08:25 +0800 -Subject: Do not process encoding values if the declaration if broken - -For https://bugzilla.gnome.org/show_bug.cgi?id=751603 - -If the string is not properly terminated do not try to convert -to the given encoding. ---- - parser.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/parser.c b/parser.c -index fe603ac..a3a9568 100644 ---- a/parser.c -+++ b/parser.c -@@ -10404,6 +10404,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { - encoding = xmlParseEncName(ctxt); - if (RAW != '"') { - xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); -+ xmlFree((xmlChar *) encoding); -+ return(NULL); - } else - NEXT; - } else if (RAW == '\''){ -@@ -10411,6 +10413,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { - encoding = xmlParseEncName(ctxt); - if (RAW != '\'') { - xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); -+ xmlFree((xmlChar *) encoding); -+ return(NULL); - } else - NEXT; - } else { --- -cgit v0.12 - diff --git a/main/libxml2/CVE-2015-8317-2.patch b/main/libxml2/CVE-2015-8317-2.patch deleted file mode 100644 index 3f4241d542..0000000000 --- a/main/libxml2/CVE-2015-8317-2.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 29 Jun 2015 16:10:26 +0800 -Subject: Fail parsing early on if encoding conversion failed - -For https://bugzilla.gnome.org/show_bug.cgi?id=751631 - -If we fail conversing the current input stream while -processing the encoding declaration of the XMLDecl -then it's safer to just abort there and not try to -report further errors. ---- - parser.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index a3a9568..0edd53b 100644 ---- a/parser.c -+++ b/parser.c -@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { - - handler = xmlFindCharEncodingHandler((const char *) encoding); - if (handler != NULL) { -- xmlSwitchToEncoding(ctxt, handler); -+ if (xmlSwitchToEncoding(ctxt, handler) < 0) { -+ /* failed to convert */ -+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; -+ return(NULL); -+ } - } else { - xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, - "Unsupported encoding %s\n", encoding); --- -cgit v0.12 - diff --git a/main/libxml2/CVE-2016-1839-2073.patch b/main/libxml2/CVE-2016-1839-2073.patch deleted file mode 100644 index 4ee17e5711..0000000000 --- a/main/libxml2/CVE-2016-1839-2073.patch +++ /dev/null @@ -1,129 +0,0 @@ -From a820dbeac29d330bae4be05d9ecd939ad6b4aa33 Mon Sep 17 00:00:00 2001 -From: Pranjal Jumde <pjumde@apple.com> -Date: Tue, 1 Mar 2016 11:34:04 -0800 -Subject: Bug 758605: Heap-based buffer overread in xmlDictAddString - <https://bugzilla.gnome.org/show_bug.cgi?id=758605> - -Reviewed by David Kilzer. - -* HTMLparser.c: -(htmlParseName): Add bounds check. -(htmlParseNameComplex): Ditto. -* result/HTML/758605.html: Added. -* result/HTML/758605.html.err: Added. -* result/HTML/758605.html.sax: Added. -* runtest.c: -(pushParseTest): The input for the new test case was so small -(4 bytes) that htmlParseChunk() was never called after -htmlCreatePushParserCtxt(), thereby creating a false positive -test failure. Fixed by using a do-while loop so we always call -htmlParseChunk() at least once. -* test/HTML/758605.html: Added. ---- - HTMLparser.c | 8 ++++++++ - result/HTML/758605.html | 3 +++ - result/HTML/758605.html.err | 3 +++ - result/HTML/758605.html.sax | 13 +++++++++++++ - runtest.c | 4 ++-- - test/HTML/758605.html | 1 + - 6 files changed, 30 insertions(+), 2 deletions(-) - create mode 100644 result/HTML/758605.html - create mode 100644 result/HTML/758605.html.err - create mode 100644 result/HTML/758605.html.sax - create mode 100644 test/HTML/758605.html - -diff --git a/HTMLparser.c b/HTMLparser.c -index 69eed2b..1c112cc 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { - (*in == '_') || (*in == '-') || - (*in == ':') || (*in == '.')) - in++; -+ -+ if (in == ctxt->input->end) -+ return(NULL); -+ - if ((*in > 0) && (*in < 0x80)) { - count = in - ctxt->input->cur; - ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); -@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { - NEXTL(l); - c = CUR_CHAR(l); - } -+ -+ if (ctxt->input->base > ctxt->input->cur - len) -+ return(NULL); -+ - return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); - } - -diff --git a/result/HTML/758605.html b/result/HTML/758605.html -new file mode 100644 -index 0000000..a085cce ---- /dev/null -+++ b/result/HTML/758605.html -@@ -0,0 +1,3 @@ -+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> -+<html><body><p>& -+</p></body></html> -diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err -new file mode 100644 -index 0000000..2b82be6 ---- /dev/null -+++ b/result/HTML/758605.html.err -@@ -0,0 +1,3 @@ -+./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name -+ê -+ ^ -diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax -new file mode 100644 -index 0000000..1f5cd32 ---- /dev/null -+++ b/result/HTML/758605.html.sax -@@ -0,0 +1,13 @@ -+SAX.setDocumentLocator() -+SAX.startDocument() -+SAX.error: htmlParseEntityRef: no name -+SAX.startElement(html) -+SAX.startElement(body) -+SAX.startElement(p) -+SAX.characters(&, 1) -+SAX.ignorableWhitespace( -+, 1) -+SAX.endElement(p) -+SAX.endElement(body) -+SAX.endElement(html) -+SAX.endDocument() -diff --git a/runtest.c b/runtest.c -index 36fbe5a..bb74d2a 100644 ---- a/runtest.c -+++ b/runtest.c -@@ -1873,7 +1873,7 @@ pushParseTest(const char *filename, const char *result, - ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); - xmlCtxtUseOptions(ctxt, options); - cur += 4; -- while (cur < size) { -+ do { - if (cur + 1024 >= size) { - #ifdef LIBXML_HTML_ENABLED - if (options & XML_PARSE_HTML) -@@ -1891,7 +1891,7 @@ pushParseTest(const char *filename, const char *result, - xmlParseChunk(ctxt, base + cur, 1024, 0); - cur += 1024; - } -- } -+ } while (cur < size); - doc = ctxt->myDoc; - #ifdef LIBXML_HTML_ENABLED - if (options & XML_PARSE_HTML) -diff --git a/test/HTML/758605.html b/test/HTML/758605.html -new file mode 100644 -index 0000000..9b1b3c2 ---- /dev/null -+++ b/test/HTML/758605.html -@@ -0,0 +1 @@ -+&:ê --- -cgit v0.12 - diff --git a/main/libxml2/libxml2-pthread.patch b/main/libxml2/libxml2-pthread.patch deleted file mode 100644 index 77d7b3849b..0000000000 --- a/main/libxml2/libxml2-pthread.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- libxml2-2.9.1/threads.c.orig -+++ libxml2-2.9.1/threads.c -@@ -47,7 +47,7 @@ - #ifdef HAVE_PTHREAD_H - - static int libxml_is_threaded = -1; --#ifdef __GNUC__ -+#if defined(__GNUC__) && defined(__GLIBC__) - #ifdef linux - #if (__GNUC__ == 3 && __GNUC_MINOR__ >= 3) || (__GNUC__ > 3) - extern int pthread_once (pthread_once_t *__once_control, |