authorNatanael Copa <ncopa@alpinelinux.org>2014-12-05 14:40:35 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-12-05 14:40:35 +0000
commit3d3eb49962972f67fb1caefda50051e53f39d17a (patch)
treec9b5b608c4a0a6b407203cd5465f36198f7ce570 /main/librsvg
parent167f0dcc09a294a5cdd7f29cc405c019eacb5a88 (diff)
downloadaports-3d3eb49962972f67fb1caefda50051e53f39d17a.tar.bz2
aports-3d3eb49962972f67fb1caefda50051e53f39d17a.tar.xz
main/librsvg: security fix for CVE-2013-1881
Diffstat (limited to 'main/librsvg')
-rw-r--r--main/librsvg/APKBUILD19
-rw-r--r--main/librsvg/CVE-2013-1881a.patch53
-rw-r--r--main/librsvg/CVE-2013-1881b.patch168
3 files changed, 235 insertions, 5 deletions
diff --git a/main/librsvg/APKBUILD b/main/librsvg/APKBUILD
index e43118c576..b52b31cb25 100644
--- a/main/librsvg/APKBUILD
+++ b/main/librsvg/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=librsvg
pkgver=2.37.0
-pkgrel=0
+pkgrel=1
pkgdesc="SAX-based renderer for SVG files into a GdkPixbuf"
url="http://librsvg.sourceforge.net/"
arch="all"
@@ -11,7 +11,10 @@ depends=
makedepends="gtk+-dev libcroco-dev libgsf-dev bzip2-dev
gobject-introspection-dev"
install=
-source="http://ftp.gnome.org/pub/gnome/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+source="http://ftp.gnome.org/pub/gnome/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz
+ CVE-2013-1881a.patch
+ CVE-2013-1881b.patch
+ "
depends_dev="glib-dev gtk+-dev cairo-dev libcroco-dev libgsf-dev"
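Review bot: The two patches are added to `source` in this hunk, but nothing in the diff shows them being applied, since the APKBUILD's prepare()/build() steps lie outside the hunks. Confirm that the build applies every `*.patch` listed in `$source` (for example a loop running `patch -p1 -i "$srcdir"/$i`); otherwise pkgrel=1 would ship an unpatched 2.37.0 labelled as a CVE fix. The tarball is still fetched over plain `http://`, so the sha256/sha512 entries in the checksum hunk are the only integrity control on it and need to be regenerated from a trusted copy.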
@@ -34,6 +37,12 @@ package() {
find "$pkgdir" -name '*.la' -delete
}
-md5sums="3de91824870bf6758f37ab54bae2ac40 librsvg-2.37.0.tar.xz"
-sha256sums="06c57dbcb29369d147b4e6ff4257c42ae5120c504c30fb567a27034ee30fd835 librsvg-2.37.0.tar.xz"
-sha512sums="ba7207258503467cd8ffa041b216800bd558ad57c0868ff03309a1d6fd58757e9e28d9cd29106cb1f9fb3b349c58335cdf40a923a0856df870f1c3a279080265 librsvg-2.37.0.tar.xz"
+md5sums="3de91824870bf6758f37ab54bae2ac40 librsvg-2.37.0.tar.xz
+9fa86dcd2f0db5bf7dc12415fa448249 CVE-2013-1881a.patch
+812f2574a75029872a8a028eedd1a3a8 CVE-2013-1881b.patch"
+sha256sums="06c57dbcb29369d147b4e6ff4257c42ae5120c504c30fb567a27034ee30fd835 librsvg-2.37.0.tar.xz
+6063a8edde39a68ce0e4d8c70eb6abed3b9e72671a4dab0b1ce62cb6ef72a94d CVE-2013-1881a.patch
+61638ea656feab1c3dbd5566bab02c3c0f9102af88099bfffa38472b292a5a4a CVE-2013-1881b.patch"
+sha512sums="ba7207258503467cd8ffa041b216800bd558ad57c0868ff03309a1d6fd58757e9e28d9cd29106cb1f9fb3b349c58335cdf40a923a0856df870f1c3a279080265 librsvg-2.37.0.tar.xz
+61e8e509b9982de4b5f387bda111c77a2b769a885815b870a498c119512039e8923c24491c301f5e290fb434e486bf94ff45f9b74a5b80437adb892f27ef8d91 CVE-2013-1881a.patch
+834a364b8b91a77dc5e4a210e7ff6797d763f0c813e8a3a94f44199b15ca5c9ce8401db5c3de6078745c0e1c7d7b59241167c293504947cf76b842259e30c1e6 CVE-2013-1881b.patch"
diff --git a/main/librsvg/CVE-2013-1881a.patch b/main/librsvg/CVE-2013-1881a.patch
new file mode 100644
index 0000000000..3ef979b3a5
--- /dev/null
+++ b/main/librsvg/CVE-2013-1881a.patch
@@ -0,0 +1,53 @@
+From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 22:36:30 +0100
+Subject: io: Use XML_PARSE_NONET
+
+We don't want to load resources off the net.
+
+Bug #691708.
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index ed383d2..1f88479 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -572,6 +572,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts)
+ goto fallback;
+
+ xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++ xml_parser->options |= XML_PARSE_NONET;
+
+ buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err);
+ g_object_unref (stream);
+@@ -1111,6 +1112,7 @@ rsvg_handle_write_impl (RsvgHandle * handle, const guchar * buf, gsize count, GE
+ if (handle->priv->ctxt == NULL) {
+ handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ handle->priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+@@ -1767,6 +1769,7 @@ rsvg_handle_read_stream_sync (RsvgHandle *handle,
+ if (priv->ctxt == NULL) {
+ priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+diff --git a/rsvg-css.c b/rsvg-css.c
+index 7813098..3f703cc 100644
+--- a/rsvg-css.c
++++ b/rsvg-css.c
+@@ -836,6 +836,8 @@ rsvg_css_parse_xml_attribute_string (const char *attribute_string)
+ xmlSAX2InitDefaultSAXHandler (&handler, 0);
+ handler.serror = rsvg_xml_noerror;
+ parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL);
++ parser->options |= XML_PARSE_NONET;
++
+ if (xmlParseDocument (parser) != 0)
+ goto done;
+
+--
+cgit v0.10.1
+
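Review bot: Each added `->options |= XML_PARSE_NONET;` line dereferences the result of `xmlCreatePushParserCtxt()` on the very next line, with no NULL check in between. This applies to rsvg_start_xinclude, rsvg_handle_write_impl and rsvg_handle_read_stream_sync in rsvg-base.c, and to rsvg_css_parse_xml_attribute_string in rsvg-css.c. The call returns NULL on allocation failure, so each site should guard first, e.g. `if (parser == NULL) goto done;` in rsvg-css.c; the cleanup under `done`/`fallback` is outside the hunks, so confirm it tolerates a NULL parser. A short comment at each site would also help, such as `/* NONET only blocks network fetches by libxml2; local file: loads are governed by the load policy */`, because the flag alone does not restrict local entity loads.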
diff --git a/main/librsvg/CVE-2013-1881b.patch b/main/librsvg/CVE-2013-1881b.patch
new file mode 100644
index 0000000000..794f7e87d3
--- /dev/null
+++ b/main/librsvg/CVE-2013-1881b.patch
@@ -0,0 +1,168 @@
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 22:36:58 +0100
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f88479..9d7c1ea 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -25,6 +25,7 @@
+ */
+
+ #include "config.h"
++#define _GNU_SOURCE 1
+
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1002,6 +1003,7 @@ void
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+ gchar *uri;
++ GFile *file;
+
+ g_return_if_fail (handle != NULL);
+
+@@ -1013,11 +1015,10 @@ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ else
+ uri = rsvg_get_base_uri_from_filename (base_uri);
+
+- if (uri) {
+- if (handle->priv->base_uri)
+- g_free (handle->priv->base_uri);
+- handle->priv->base_uri = uri;
+- }
++ file = g_file_new_for_uri (uri ? uri : "data:");
++ rsvg_handle_set_base_gfile (handle, file);
++ g_object_unref (file);
++ g_free (uri);
+ }
+
+ /**
+@@ -2149,12 +2150,84 @@ _rsvg_handle_allow_load (RsvgHandle *handle,
+ const char *uri,
+ GError **error)
+ {
+- RsvgLoadPolicy policy = handle->priv->load_policy;
++ RsvgHandlePrivate *priv = handle->priv;
++ GFile *base;
++ char *path, *dir;
++ char *scheme = NULL, *cpath = NULL, *cdir = NULL;
+
+- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+- return TRUE;
++ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++ scheme = g_uri_parse_scheme (uri);
++
++ /* Not a valid URI */
++ if (scheme == NULL)
++ goto deny;
++
++ /* Allow loads of data: from any location */
++ if (g_str_equal (scheme, "data"))
++ goto allow;
++
++ /* No base to compare to? */
++ if (priv->base_gfile == NULL)
++ goto deny;
++
++ /* Deny loads from differing URI schemes */
++ if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++ goto deny;
++
++ /* resource: is allowed to load anything from other resources */
++ if (g_str_equal (scheme, "resource"))
++ goto allow;
++
++ /* Non-file: isn't allowed to load anything */
++ if (!g_str_equal (scheme, "file"))
++ goto deny;
++
++ base = g_file_get_parent (priv->base_gfile);
++ if (base == NULL)
++ goto deny;
+
++ dir = g_file_get_path (base);
++ g_object_unref (base);
++
++ /* FIXME portability */
++ cdir = canonicalize_file_name (dir);
++ g_free (dir);
++ if (cdir == NULL)
++ goto deny;
++
++ path = g_filename_from_uri (uri, NULL, NULL);
++ if (path == NULL)
++ goto deny;
++
++ /* FIXME portability */
++ cpath = canonicalize_file_name (path);
++ g_free (path);
++
++ if (cpath == NULL)
++ goto deny;
++
++ /* Now check that @cpath is below @cdir */
++ if (!g_str_has_prefix (cpath, cdir) ||
++ cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++ goto deny;
++
++ /* Allow load! */
++
++ allow:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
+ return TRUE;
++
++ deny:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
++
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++ "File may not link to URI \"%s\"", uri);
++ return FALSE;
+ }
+
+ static char *
+diff --git a/rsvg-io.c b/rsvg-io.c
+index 3d6c8b5..818d2ec 100644
+--- a/rsvg-io.c
++++ b/rsvg-io.c
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+ gboolean base64 = FALSE;
+
+ g_assert (out_len != NULL);
+- g_assert (g_str_has_prefix (uri, "data:"));
++ g_assert (strncmp (uri, "data:", 5) == 0);
+
+ mime_type = NULL;
+ start = uri + 5;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 25283d4..1961eaf 100644
+--- a/rsvg-private.h
++++ b/rsvg-private.h
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+
+ typedef enum {
+- RSVG_LOAD_POLICY_ALL_PERMISSIVE
++ RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+
+ struct RsvgHandlePrivate {
+ RsvgHandleFlags flags;
+--
+cgit v0.10.1
+
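Review bot: `canonicalize_file_name()` in `_rsvg_handle_allow_load` is a GNU extension, which the patch itself marks twice with `FIXME portability` and enables through `#define _GNU_SOURCE 1`. On a libc that does not provide it, the file: branch will not build cleanly. POSIX.1-2008 `realpath()` with a NULL buffer has the same malloc/free contract, so `cdir = realpath (dir, NULL);` and `cpath = realpath (path, NULL);` would keep the existing `free (cpath)` / `free (cdir)` cleanup unchanged. The containment test also denies every load when the base file sits directly in the root directory, because `cdir` is then `/` and `cpath[strlen (cdir)]` is never a separator. Finally, symlinks are resolved only at check time; if the caller re-opens the original URI afterwards (not visible here), the function comment should describe this as a policy check rather than a sandbox.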