diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2017-03-01 18:32:34 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-04-13 11:14:00 +0200 |
commit | bcc94c075904765e11b35a719e373388fbb4cf5b (patch) | |
tree | 12a6428ad62484bf09b93b91000eadbcadc583c2 /main | |
parent | 0daf1361a8d912518e1827808f4023ef26153ba0 (diff) | |
download | aports-bcc94c075904765e11b35a719e373388fbb4cf5b.tar.bz2 aports-bcc94c075904765e11b35a719e373388fbb4cf5b.tar.xz |
main/libxml2: secfix for CVE-2016-5153
Diffstat (limited to 'main')
-rw-r--r-- | main/libxml2/APKBUILD | 16 | ||||
-rw-r--r-- | main/libxml2/CVE-2016-5131.patch | 174 |
2 files changed, 186 insertions, 4 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 505cfff9f0..37f3a2ff91 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=libxml2 pkgver=2.9.4 -pkgrel=0 +pkgrel=1 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -12,8 +12,13 @@ depends_dev="zlib-dev python-dev" makedepends="zlib-dev python-dev" subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz + CVE-2016-5131.patch " +# secfixes: +# 2.9.4-r1: +# - CVE-2016-5131 + options="!strip" _builddir="$srcdir/$pkgname-$pkgver" @@ -63,6 +68,9 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="ae249165c173b1ff386ee8ad676815f5 libxml2-2.9.4.tar.gz" -sha256sums="ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c libxml2-2.9.4.tar.gz" -sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz" +md5sums="ae249165c173b1ff386ee8ad676815f5 libxml2-2.9.4.tar.gz +c1b5fac8de60bcc1454433d331d5bd31 CVE-2016-5131.patch" +sha256sums="ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c libxml2-2.9.4.tar.gz +4e0248f5a6877b157b9d736c412d4da7a2c015d58a816b859957efddb8d3c8d4 CVE-2016-5131.patch" +sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz +c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33 CVE-2016-5131.patch" diff --git a/main/libxml2/CVE-2016-5131.patch b/main/libxml2/CVE-2016-5131.patch new file mode 100644 index 0000000000..9ce3fb9d87 --- /dev/null +++ b/main/libxml2/CVE-2016-5131.patch @@ -0,0 +1,174 @@ +From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Tue, 28 Jun 2016 14:22:23 +0200 +Subject: Fix XPointer paths beginning with range-to + +The old code would invoke the broken xmlXPtrRangeToFunction. range-to +isn't really a function but a special kind of location step. Remove +this function and always handle range-to in the XPath code. + +The old xmlXPtrRangeToFunction could also be abused to trigger a +use-after-free error with the potential for remote code execution. + +Found with afl-fuzz. + +Fixes CVE-2016-5131. +--- + result/XPath/xptr/vidbase | 13 ++++++++ + test/XPath/xptr/vidbase | 1 + + xpath.c | 7 ++++- + xpointer.c | 76 ++++------------------------------------------- + 4 files changed, 26 insertions(+), 71 deletions(-) + +diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase +index 8b9e92d..f19193e 100644 +--- a/result/XPath/xptr/vidbase ++++ b/result/XPath/xptr/vidbase +@@ -17,3 +17,16 @@ Object is a Location Set: + To node + ELEMENT p + ++ ++======================== ++Expression: xpointer(range-to(id('chapter2'))) ++Object is a Location Set: ++1 : Object is a range : ++ From node ++ / ++ To node ++ ELEMENT chapter ++ ATTRIBUTE id ++ TEXT ++ content=chapter2 ++ +diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase +index b146383..884b106 100644 +--- a/test/XPath/xptr/vidbase ++++ b/test/XPath/xptr/vidbase +@@ -1,2 +1,3 @@ + xpointer(id('chapter1')/p) + xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2])) ++xpointer(range-to(id('chapter2'))) +diff --git a/xpath.c b/xpath.c +index d992841..5a01b1b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { + lc = 1; + break; + } else if ((NXT(len) == '(')) { +- /* Note Type or Function */ ++ /* Node Type or Function */ + if (xmlXPathIsNodeType(name)) { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, + "PathExpr: Type search\n"); + #endif + lc = 1; ++#ifdef LIBXML_XPTR_ENABLED ++ } else if (ctxt->xptr && ++ xmlStrEqual(name, BAD_CAST "range-to")) { ++ lc = 1; ++#endif + } else { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, +diff --git a/xpointer.c b/xpointer.c +index 676c510..d74174a 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { + ret->here = here; + ret->origin = origin; + +- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", +- xmlXPtrRangeToFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range", + xmlXPtrRangeFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", +@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * @nargs: the number of args + * + * Implement the range-to() XPointer function ++ * ++ * Obsolete. range-to is not a real function but a special type of location ++ * step which is handled in xpath.c. + */ + void +-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr range; +- const xmlChar *cur; +- xmlXPathObjectPtr res, obj; +- xmlXPathObjectPtr tmp; +- xmlLocationSetPtr newset = NULL; +- xmlNodeSetPtr oldset; +- int i; +- +- if (ctxt == NULL) return; +- CHECK_ARITY(1); +- /* +- * Save the expression pointer since we will have to evaluate +- * it multiple times. Initialize the new set. +- */ +- CHECK_TYPE(XPATH_NODESET); +- obj = valuePop(ctxt); +- oldset = obj->nodesetval; +- ctxt->context->node = NULL; +- +- cur = ctxt->cur; +- newset = xmlXPtrLocationSetCreate(NULL); +- +- for (i = 0; i < oldset->nodeNr; i++) { +- ctxt->cur = cur; +- +- /* +- * Run the evaluation with a node list made of a single item +- * in the nodeset. +- */ +- ctxt->context->node = oldset->nodeTab[i]; +- tmp = xmlXPathNewNodeSet(ctxt->context->node); +- valuePush(ctxt, tmp); +- +- xmlXPathEvalExpr(ctxt); +- CHECK_ERROR; +- +- /* +- * The result of the evaluation need to be tested to +- * decided whether the filter succeeded or not +- */ +- res = valuePop(ctxt); +- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); +- if (range != NULL) { +- xmlXPtrLocationSetAdd(newset, range); +- } +- +- /* +- * Cleanup +- */ +- if (res != NULL) +- xmlXPathFreeObject(res); +- if (ctxt->value == tmp) { +- res = valuePop(ctxt); +- xmlXPathFreeObject(res); +- } +- +- ctxt->context->node = NULL; +- } +- +- /* +- * The result is used as the new evaluation set. +- */ +- xmlXPathFreeObject(obj); +- ctxt->context->node = NULL; +- ctxt->context->contextSize = -1; +- ctxt->context->proximityPosition = -1; +- valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); ++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, ++ int nargs ATTRIBUTE_UNUSED) { ++ XP_ERROR(XPATH_EXPR_ERROR); + } + + /** +-- +cgit v0.12 + |