main/libxml2: sec fix for CVE-2016-9318

ref #7125

2 files changed, 212 insertions, 7 deletions

diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 7e4240ad08..47b555e715 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=libxml2
 pkgver=2.9.4
-pkgrel=1
+pkgrel=2
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -13,17 +13,20 @@ makedepends="$depends_dev python2-dev"
 subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
 source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
 	CVE-2016-5131.patch
+	CVE-2016-9318.patch
 	"
 
 # secfixes:
 #   2.9.4-r1:
 #     - CVE-2016-5131
+#   2.9.4-r2:
+#     - CVE-2016-9318
 
 options="!strip"
 
-_builddir="$srcdir/$pkgname-$pkgver"
+builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
-	cd "$_builddir"
+	cd "$builddir"
 	for i in $source; do
 		case $i in
 		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
@@ -32,7 +35,7 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -46,7 +49,7 @@ build() {
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make -j1 DESTDIR="$pkgdir" install
 
 	install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
@@ -58,7 +61,7 @@ dev() {
 }
 
 py() {
-	cd "$_builddir"
+	cd "$builddir"
 	pkgdesc="$pkgname python bindings"
 	install -d "$subpkgdir"/usr/lib
 	mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/
@@ -73,4 +76,5 @@ utils() {
 
 
 sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9  libxml2-2.9.4.tar.gz
-c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33  CVE-2016-5131.patch"
+c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33  CVE-2016-5131.patch
+508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee  CVE-2016-9318.patch"
diff --git a/main/libxml2/CVE-2016-9318.patch b/main/libxml2/CVE-2016-9318.patch
new file mode 100644
index 0000000000..391b5748e1
--- /dev/null
+++ b/main/libxml2/CVE-2016-9318.patch
@@ -0,0 +1,201 @@
+From 2304078555896cf1638c628f50326aeef6f0e0d0 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Fri, 7 Apr 2017 16:45:56 +0200
+Subject: Add an XML_PARSE_NOXXE flag to block all entities loading even local
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+
+* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
+* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
+* include/libxml/xmlerror.h: new error raised
+* xmllint.c: adds --noxxe flag to activate the option
+---
+ elfgcchack.h              | 10 ++++++++++
+ include/libxml/parser.h   |  3 ++-
+ include/libxml/xmlIO.h    |  8 ++++++++
+ include/libxml/xmlerror.h |  1 +
+ parser.c                  |  4 ++++
+ xmlIO.c                   | 40 +++++++++++++++++++++++++++++++++++-----
+ xmllint.c                 |  5 +++++
+ 7 files changed, 65 insertions(+), 6 deletions(-)
+
+diff --git a/elfgcchack.h b/elfgcchack.h
+index 8c52884..1b81dcd 100644
+--- a/elfgcchack.h
++++ b/elfgcchack.h
+@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
+ #endif
+ #endif
+ 
++#ifdef bottom_xmlIO
++#undef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
++#else
++#ifndef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
++#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
++#endif
++#endif
++
+ #ifdef bottom_tree
+ #undef xmlNodeAddContent
+ extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index 47fbec0..63ca1b9 100644
+--- a/include/libxml/parser.h
++++ b/include/libxml/parser.h
+@@ -1111,7 +1111,8 @@ typedef enum {
+     XML_PARSE_HUGE      = 1<<19,/* relax any hardcoded limit from the parser */
+     XML_PARSE_OLDSAX    = 1<<20,/* parse using SAX2 interface before 2.7.0 */
+     XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
+-    XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
++    XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
++    XML_PARSE_NOXXE	= 1<<23 /* Forbid any external entity loading */
+ } xmlParserOption;
+ 
+ XMLPUBFUN void XMLCALL
+diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
+index 3e41744..8d3fdef 100644
+--- a/include/libxml/xmlIO.h
++++ b/include/libxml/xmlIO.h
+@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
+ 					 xmlParserCtxtPtr ctxt);
+ 
+ /*
++ * A predefined entity loader external entity expansion
++ */
++XMLPUBFUN xmlParserInputPtr XMLCALL
++	xmlNoXxeExternalEntityLoader	(const char *URL,
++					 const char *ID,
++					 xmlParserCtxtPtr ctxt);
++
++/*
+  * xmlNormalizeWindowsPath is obsolete, don't use it.
+  * Check xmlCanonicPath in uri.h for a better alternative.
+  */
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 037c16d..3036062 100644
+--- a/include/libxml/xmlerror.h
++++ b/include/libxml/xmlerror.h
+@@ -470,6 +470,7 @@ typedef enum {
+     XML_IO_EADDRINUSE, /* 1554 */
+     XML_IO_EALREADY, /* 1555 */
+     XML_IO_EAFNOSUPPORT, /* 1556 */
++    XML_IO_ILLEGAL_XXE, /* 1557 */
+     XML_XINCLUDE_RECURSION=1600,
+     XML_XINCLUDE_PARSE_VALUE, /* 1601 */
+     XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
+diff --git a/parser.c b/parser.c
+index 53a6b7f..609a270 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ 	ctxt->options |= XML_PARSE_NONET;
+         options -= XML_PARSE_NONET;
+     }
++    if (options & XML_PARSE_NOXXE) {
++	ctxt->options |= XML_PARSE_NOXXE;
++        options -= XML_PARSE_NOXXE;
++    }
+     if (options & XML_PARSE_COMPACT) {
+ 	ctxt->options |= XML_PARSE_COMPACT;
+         options -= XML_PARSE_COMPACT;
+diff --git a/xmlIO.c b/xmlIO.c
+index 300ee47..e625612 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -210,6 +210,7 @@ static const char *IOerr[] = {
+     "adddress in use",		/* EADDRINUSE */
+     "already in use",		/* EALREADY */
+     "unknown address familly",	/* EAFNOSUPPORT */
++    "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
+ };
+ 
+ #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
+@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
+     xmlGenericError(xmlGenericErrorContext,
+                     "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
+ #endif
+-    if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
++    if (ctxt != NULL) {
+         int options = ctxt->options;
+ 
+-	ctxt->options -= XML_PARSE_NONET;
+-        ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+-	ctxt->options = options;
+-	return(ret);
++        if (options & XML_PARSE_NOXXE) {
++            ctxt->options -= XML_PARSE_NOXXE;
++            ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
++            ctxt->options = options;
++            return(ret);
++        }
++ 
++        if (options & XML_PARSE_NONET) {
++            ctxt->options -= XML_PARSE_NONET;
++            ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
++            ctxt->options = options;
++            return(ret);
++        }
+     }
+ #ifdef LIBXML_CATALOG_ENABLED
+     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+     xmlParserInputPtr input = NULL;
+     xmlChar *resource = NULL;
+ 
++    if (ctxt == NULL) {
++        return(NULL);
++    }
++    if (ctxt->input_id == 1) {
++        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++    }
++
+ #ifdef LIBXML_CATALOG_ENABLED
+     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+ #endif
+@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+     return(input);
+ }
+ 
++xmlParserInputPtr
++xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
++                          xmlParserCtxtPtr ctxt) {
++    if (ctxt == NULL) {
++        return(NULL);
++    }
++    if (ctxt->input_id == 1) {
++        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++    }
++    xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
++    return(NULL);
++}
++
+ #define bottom_xmlIO
+ #include "elfgcchack.h"
+diff --git a/xmllint.c b/xmllint.c
+index 67f7adb..d9368c1 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
+     printf("\t--path 'paths': provide a set of paths for resources\n");
+     printf("\t--load-trace : print trace of all external entities loaded\n");
+     printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
++    printf("\t--noxxe : forbid any external entity loading\n");
+     printf("\t--nocompact : do not generate compact text nodes\n");
+     printf("\t--htmlout : output results as HTML\n");
+     printf("\t--nowrap : do not put HTML doc wrapper\n");
+@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
+                    (!strcmp(argv[i], "--nonet"))) {
+ 	    options |= XML_PARSE_NONET;
+ 	    xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
++        } else if ((!strcmp(argv[i], "-noxxe")) ||
++                   (!strcmp(argv[i], "--noxxe"))) {
++	    options |= XML_PARSE_NOXXE;
++	    xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
+         } else if ((!strcmp(argv[i], "-nocompact")) ||
+                    (!strcmp(argv[i], "--nocompact"))) {
+ 	    options &= ~XML_PARSE_COMPACT;
+-- 
+cgit v0.12
+