author | Natanael Copa <ncopa@alpinelinux.org> | 2014-12-05 14:40:35 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-12-05 14:40:35 +0000 |
commit | 3d3eb49962972f67fb1caefda50051e53f39d17a (patch) | |
tree | c9b5b608c4a0a6b407203cd5465f36198f7ce570 /main/librsvg | |
parent | 167f0dcc09a294a5cdd7f29cc405c019eacb5a88 (diff) | |
main/librsvg: security fix for CVE-2013-1881
Diffstat (limited to 'main/librsvg')
-rw-r--r-- | main/librsvg/APKBUILD | 19 | ||||
-rw-r--r-- | main/librsvg/CVE-2013-1881a.patch | 53 | ||||
-rw-r--r-- | main/librsvg/CVE-2013-1881b.patch | 168 |
3 files changed, 235 insertions, 5 deletions
diff --git a/main/librsvg/APKBUILD b/main/librsvg/APKBUILD
index e43118c576..b52b31cb25 100644
--- a/main/librsvg/APKBUILD
+++ b/main/librsvg/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=librsvg
 pkgver=2.37.0
-pkgrel=0
+pkgrel=1
 pkgdesc="SAX-based renderer for SVG files into a GdkPixbuf"
 url="http://librsvg.sourceforge.net/"
 arch="all"
@@ -11,7 +11,10 @@ depends=
 makedepends="gtk+-dev libcroco-dev libgsf-dev bzip2-dev gobject-introspection-dev"
 install=
-source="http://ftp.gnome.org/pub/gnome/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+source="http://ftp.gnome.org/pub/gnome/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz
+ CVE-2013-1881a.patch
+ CVE-2013-1881b.patch
+ "
 depends_dev="glib-dev gtk+-dev cairo-dev libcroco-dev libgsf-dev"
@@ -34,6 +37,12 @@ package() {
 find "$pkgdir" -name '*.la' -delete
 }
-md5sums="3de91824870bf6758f37ab54bae2ac40 librsvg-2.37.0.tar.xz"
-sha256sums="06c57dbcb29369d147b4e6ff4257c42ae5120c504c30fb567a27034ee30fd835 librsvg-2.37.0.tar.xz"
-sha512sums="ba7207258503467cd8ffa041b216800bd558ad57c0868ff03309a1d6fd58757e9e28d9cd29106cb1f9fb3b349c58335cdf40a923a0856df870f1c3a279080265 librsvg-2.37.0.tar.xz"
+md5sums="3de91824870bf6758f37ab54bae2ac40 librsvg-2.37.0.tar.xz
+9fa86dcd2f0db5bf7dc12415fa448249 CVE-2013-1881a.patch
+812f2574a75029872a8a028eedd1a3a8 CVE-2013-1881b.patch"
+sha256sums="06c57dbcb29369d147b4e6ff4257c42ae5120c504c30fb567a27034ee30fd835 librsvg-2.37.0.tar.xz
+6063a8edde39a68ce0e4d8c70eb6abed3b9e72671a4dab0b1ce62cb6ef72a94d CVE-2013-1881a.patch
+61638ea656feab1c3dbd5566bab02c3c0f9102af88099bfffa38472b292a5a4a CVE-2013-1881b.patch"
+sha512sums="ba7207258503467cd8ffa041b216800bd558ad57c0868ff03309a1d6fd58757e9e28d9cd29106cb1f9fb3b349c58335cdf40a923a0856df870f1c3a279080265 librsvg-2.37.0.tar.xz
+61e8e509b9982de4b5f387bda111c77a2b769a885815b870a498c119512039e8923c24491c301f5e290fb434e486bf94ff45f9b74a5b80437adb892f27ef8d91 CVE-2013-1881a.patch
+834a364b8b91a77dc5e4a210e7ff6797d763f0c813e8a3a94f44199b15ca5c9ce8401db5c3de6078745c0e1c7d7b59241167c293504947cf76b842259e30c1e6 CVE-2013-1881b.patch"
diff --git a/main/librsvg/CVE-2013-1881a.patch b/main/librsvg/CVE-2013-1881a.patch
new file mode 100644
index 0000000000..3ef979b3a5
--- /dev/null
+++ b/main/librsvg/CVE-2013-1881a.patch
@@ -0,0 +1,53 @@
+From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 22:36:30 +0100
+Subject: io: Use XML_PARSE_NONET
+
+We don't want to load resources off the net.
+
+Bug #691708.
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index ed383d2..1f88479 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -572,6 +572,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts)
+ goto fallback;
+
+ xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++ xml_parser->options |= XML_PARSE_NONET;
+
+ buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err);
+ g_object_unref (stream);
+@@ -1111,6 +1112,7 @@ rsvg_handle_write_impl (RsvgHandle * handle, const guchar * buf, gsize count, GE
+ if (handle->priv->ctxt == NULL) {
+ handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ handle->priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+@@ -1767,6 +1769,7 @@ rsvg_handle_read_stream_sync (RsvgHandle *handle,
+ if (priv->ctxt == NULL) {
+ priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+diff --git a/rsvg-css.c b/rsvg-css.c
+index 7813098..3f703cc 100644
+--- a/rsvg-css.c
++++ b/rsvg-css.c
+@@ -836,6 +836,8 @@ rsvg_css_parse_xml_attribute_string (const char *attribute_string)
+ xmlSAX2InitDefaultSAXHandler (&handler, 0);
+ handler.serror = rsvg_xml_noerror;
+ parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL);
++ parser->options |= XML_PARSE_NONET;
++
+ if (xmlParseDocument (parser) != 0)
+ goto done;
+
+--
+cgit v0.10.1
+
diff --git a/main/librsvg/CVE-2013-1881b.patch b/main/librsvg/CVE-2013-1881b.patch
new file mode 100644
index 0000000000..794f7e87d3
--- /dev/null
+++ b/main/librsvg/CVE-2013-1881b.patch
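Review bot: The added `->options |= XML_PARSE_NONET;` lines dereference the result of `xmlCreatePushParserCtxt` with no NULL check, in the three rsvg-base.c hunks and in the rsvg-css.c hunk of CVE-2013-1881a.patch; that call returns NULL when the context cannot be allocated, so each new line adds a crash path on allocation failure. In rsvg_css_parse_xml_attribute_string a guard such as `if (parser == NULL) goto done;` before the assignment would do, provided the `done` label (outside the hunk) copes with a NULL parser; the rsvg-base.c sites need the equivalent check. A short comment at each site, e.g. `/* NONET blocks network fetches only; local entity loading is governed separately */`, would stop readers from taking the flag as a complete external-entity defence. The enclosing functions begin and end outside the hunks.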
@@ -0,0 +1,168 @@
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 22:36:58 +0100
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f88479..9d7c1ea 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -25,6 +25,7 @@
+ */
+
+ #include "config.h"
++#define _GNU_SOURCE 1
+
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1002,6 +1003,7 @@ void
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+ gchar *uri;
++ GFile *file;
+
+ g_return_if_fail (handle != NULL);
+
+@@ -1013,11 +1015,10 @@ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ else
+ uri = rsvg_get_base_uri_from_filename (base_uri);
+
+- if (uri) {
+- if (handle->priv->base_uri)
+- g_free (handle->priv->base_uri);
+- handle->priv->base_uri = uri;
+- }
++ file = g_file_new_for_uri (uri ? uri : "data:");
++ rsvg_handle_set_base_gfile (handle, file);
++ g_object_unref (file);
++ g_free (uri);
+ }
+
+ /**
+@@ -2149,12 +2150,84 @@ _rsvg_handle_allow_load (RsvgHandle *handle,
+ const char *uri,
+ GError **error)
+ {
+- RsvgLoadPolicy policy = handle->priv->load_policy;
++ RsvgHandlePrivate *priv = handle->priv;
++ GFile *base;
++ char *path, *dir;
++ char *scheme = NULL, *cpath = NULL, *cdir = NULL;
+
+- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+- return TRUE;
++ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++ scheme = g_uri_parse_scheme (uri);
++
++ /* Not a valid URI */
++ if (scheme == NULL)
++ goto deny;
++
++ /* Allow loads of data: from any location */
++ if (g_str_equal (scheme, "data"))
++ goto allow;
++
++ /* No base to compare to? */
++ if (priv->base_gfile == NULL)
++ goto deny;
++
++ /* Deny loads from differing URI schemes */
++ if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++ goto deny;
++
++ /* resource: is allowed to load anything from other resources */
++ if (g_str_equal (scheme, "resource"))
++ goto allow;
++
++ /* Non-file: isn't allowed to load anything */
++ if (!g_str_equal (scheme, "file"))
++ goto deny;
++
++ base = g_file_get_parent (priv->base_gfile);
++ if (base == NULL)
++ goto deny;
+
++ dir = g_file_get_path (base);
++ g_object_unref (base);
++
++ /* FIXME portability */
++ cdir = canonicalize_file_name (dir);
++ g_free (dir);
++ if (cdir == NULL)
++ goto deny;
++
++ path = g_filename_from_uri (uri, NULL, NULL);
++ if (path == NULL)
++ goto deny;
++
++ /* FIXME portability */
++ cpath = canonicalize_file_name (path);
++ g_free (path);
++
++ if (cpath == NULL)
++ goto deny;
++
++ /* Now check that @cpath is below @cdir */
++ if (!g_str_has_prefix (cpath, cdir) ||
++ cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++ goto deny;
++
++ /* Allow load! */
++
++ allow:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
+ return TRUE;
++
++ deny:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
++
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++ "File may not link to URI \"%s\"", uri);
++ return FALSE;
+ }
+
+ static char *
+diff --git a/rsvg-io.c b/rsvg-io.c
+index 3d6c8b5..818d2ec 100644
+--- a/rsvg-io.c
++++ b/rsvg-io.c
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+ gboolean base64 = FALSE;
+
+ g_assert (out_len != NULL);
+- g_assert (g_str_has_prefix (uri, "data:"));
++ g_assert (strncmp (uri, "data:", 5) == 0);
+
+ mime_type = NULL;
+ start = uri + 5;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 25283d4..1961eaf 100644
+--- a/rsvg-private.h
++++ b/rsvg-private.h
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+
+ typedef enum {
+- RSVG_LOAD_POLICY_ALL_PERMISSIVE
++ RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+
+ struct RsvgHandlePrivate {
+ RsvgHandleFlags flags;
+--
+cgit v0.10.1
+
|
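Review bot: The two `canonicalize_file_name` calls in the new `_rsvg_handle_allow_load` body of CVE-2013-1881b.patch depend on a GNU extension, as the patch's own FIXME comments admit; on a libc that does not provide it the build breaks or the call is implicitly declared, and the POSIX form `cdir = realpath (dir, NULL);` / `cpath = realpath (path, NULL);` keeps the same `free ()` cleanup without needing `_GNU_SOURCE`. The containment test also denies every load when the base file sits directly in the root directory, because `cdir` is then `/` and `cpath[strlen (cdir)]` is the first character of the next path component rather than a separator; that fails closed, but it deserves a comment next to the check. Symlinks are resolved once, at decision time, so a comment such as `/* the later open is by URI; this check does not cover filesystem changes made in between */` would make the limit of the policy explicit. `rsvg_handle_set_base_gfile`, called in the rsvg_handle_set_base_uri hunk, is not defined in this patch and is presumably already present in the packaged version.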