From a83d9fc2a67ce5d5d51204b2f93077cb8d75d37f Mon Sep 17 00:00:00 2001 From: Carlo Landmeter Date: Sat, 11 May 2013 15:06:39 +0000 Subject: main/libxml2: upgrade to 2.9.1 --- main/libxml2/APKBUILD | 18 ++--- main/libxml2/CVE-2012-5134.patch | 21 ------ main/libxml2/CVE-2013-0338.patch | 150 --------------------------------------- 3 files changed, 5 insertions(+), 184 deletions(-) delete mode 100644 main/libxml2/CVE-2012-5134.patch delete mode 100644 main/libxml2/CVE-2013-0338.patch (limited to 'main/libxml2') diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index c6b0e27ab5..4121c44b2f 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter # Maintainer: Carlo Landmeter pkgname=libxml2 -pkgver=2.9.0 -pkgrel=3 +pkgver=2.9.1 +pkgrel=0 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -12,8 +12,6 @@ depends_dev="zlib-dev python-dev" makedepends="zlib-dev python-dev" subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz - CVE-2012-5134.patch - CVE-2013-0338.patch " options="!strip" @@ -61,12 +59,6 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="5b9bebf4f5d2200ae2c4efe8fa6103f7 libxml2-2.9.0.tar.gz -fe428448d74481d7547bc173cb40ef26 CVE-2012-5134.patch -eddb937c2bf9185ca826f130166bf58c CVE-2013-0338.patch" -sha256sums="ad25d91958b7212abdc12b9611cfb4dc4e5cddb6d1e9891532f48aacee422b82 libxml2-2.9.0.tar.gz -d68115aea0fb0d22cf716254228d199530cc54566ab0acf652b54be4bc227915 CVE-2012-5134.patch -b222fb0ec9abf8e18c8c069bbee96a7a53ef39673c09cc02eb00fd4a2177621d CVE-2013-0338.patch" -sha512sums="b13268ea3725a8b534974ece33981b001324164e5687df94b0d15c77189070e2a5d9f08c1646e5492e70a607ca0adf00788772fcf300ac2d4a110e9bf57d4afe libxml2-2.9.0.tar.gz -5a25c523ec2f75f1403b43eead6bba4c9e8046a68149e4b3654aef4cd97498e47a1a29f41ed9acf5bcd36cefa16b67eaf86db8d34edc0ae2892cb4c626cc9e9c CVE-2012-5134.patch -839bc35d1baf100a0193572ef78c64051f6fcbcf7c70d0c321142c54b15de52c7fd678c209d04c92d6e5e30a3b0e3346c94f3a7fa1ba706ab68081cd9a4fc2bf CVE-2013-0338.patch" +md5sums="9c0cfef285d5c4a5c80d00904ddab380 libxml2-2.9.1.tar.gz" +sha256sums="fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb libxml2-2.9.1.tar.gz" +sha512sums="7b10de749485bc2eb2108063e97d89e70d6fbb78b1bf195ab5528c8c64e79483d55223a49d95934f4e00b00e906c18bdd34344703ffe158dcf08096905a44c1b libxml2-2.9.1.tar.gz" diff --git a/main/libxml2/CVE-2012-5134.patch b/main/libxml2/CVE-2012-5134.patch deleted file mode 100644 index 70905aaa75..0000000000 --- a/main/libxml2/CVE-2012-5134.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Mon, 29 Oct 2012 02:39:55 +0000 -Subject: Fix potential out of bound access - ---- -diff --git a/parser.c b/parser.c -index 0d8d7f2..bd634e9 100644 ---- a/parser.c -+++ b/parser.c -@@ -4076,7 +4076,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - goto error; - - if ((in_space) && (normalize)) { -- while (buf[len - 1] == 0x20) len--; -+ while ((len > 0) && (buf[len - 1] == 0x20)) len--; - } - buf[len] = 0; - if (RAW == '<') { --- -cgit v0.9.0.2 diff --git a/main/libxml2/CVE-2013-0338.patch b/main/libxml2/CVE-2013-0338.patch deleted file mode 100644 index 8ecfc07393..0000000000 --- a/main/libxml2/CVE-2013-0338.patch +++ /dev/null @@ -1,150 +0,0 @@ -From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Tue, 19 Feb 2013 02:21:49 +0000 -Subject: Detect excessive entities expansion upon replacement - -If entities expansion in the XML parser is asked for, -it is possble to craft relatively small input document leading -to excessive on-the-fly content generation. -This patch accounts for those replacement and stop parsing -after a given threshold. it can be bypassed as usual with the -HUGE parser option. ---- -diff --git a/include/libxml/parser.h b/include/libxml/parser.h -index e1346e4..3f5730d 100644 ---- a/include/libxml/parser.h -+++ b/include/libxml/parser.h -@@ -310,6 +310,7 @@ struct _xmlParserCtxt { - xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */ - - int input_id; /* we need to label inputs */ -+ unsigned long sizeentcopy; /* volume of entity copy */ - }; - - /** -diff --git a/parser.c b/parser.c -index 91f8c90..ddf3b5b 100644 ---- a/parser.c -+++ b/parser.c -@@ -122,7 +122,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, - */ - static int - xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, -- xmlEntityPtr ent) -+ xmlEntityPtr ent, size_t replacement) - { - size_t consumed = 0; - -@@ -130,7 +130,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - return (0); - if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) - return (1); -- if (size != 0) { -+ if (replacement != 0) { -+ if (replacement < XML_MAX_TEXT_LENGTH) -+ return(0); -+ -+ /* -+ * If the volume of entity copy reaches 10 times the -+ * amount of parsed data and over the large text threshold -+ * then that's very likely to be an abuse. -+ */ -+ if (ctxt->input != NULL) { -+ consumed = ctxt->input->consumed + -+ (ctxt->input->cur - ctxt->input->base); -+ } -+ consumed += ctxt->sizeentities; -+ -+ if (replacement < XML_PARSER_NON_LINEAR * consumed) -+ return(0); -+ } else if (size != 0) { - /* - * Do the check based on the replacement size of the entity - */ -@@ -176,7 +193,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - */ - return (0); - } -- - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); - return (1); - } -@@ -2743,7 +2759,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - while (*current != 0) { /* non input consuming loop */ - buffer[nbchars++] = *current++; - if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { -- if (xmlParserEntityCheck(ctxt, nbchars, ent)) -+ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) - goto int_error; - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); - } -@@ -2785,7 +2801,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - while (*current != 0) { /* non input consuming loop */ - buffer[nbchars++] = *current++; - if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { -- if (xmlParserEntityCheck(ctxt, nbchars, ent)) -+ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) - goto int_error; - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); - } -@@ -7203,7 +7219,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { - xmlFreeNodeList(list); - return; - } -- if (xmlParserEntityCheck(ctxt, 0, ent)) { -+ if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { - xmlFreeNodeList(list); - return; - } -@@ -7361,6 +7377,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { - xmlNodePtr nw = NULL, cur, firstChild = NULL; - - /* -+ * We are copying here, make sure there is no abuse -+ */ -+ ctxt->sizeentcopy += ent->length; -+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) -+ return; -+ -+ /* - * when operating on a reader, the entities definitions - * are always owning the entities subtree. - if (ctxt->parseMode == XML_PARSE_READER) -@@ -7400,6 +7423,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { - } else if ((list == NULL) || (ctxt->inputNr > 0)) { - xmlNodePtr nw = NULL, cur, next, last, - firstChild = NULL; -+ -+ /* -+ * We are copying here, make sure there is no abuse -+ */ -+ ctxt->sizeentcopy += ent->length; -+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) -+ return; -+ - /* - * Copy the entity child list and make it the new - * entity child list. The goal is to make sure any -@@ -14767,6 +14798,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) - ctxt->catalogs = NULL; - ctxt->nbentities = 0; - ctxt->sizeentities = 0; -+ ctxt->sizeentcopy = 0; - xmlInitNodeInfoSeq(&ctxt->node_seq); - - if (ctxt->attsDefault != NULL) { -diff --git a/parserInternals.c b/parserInternals.c -index 02032d5..f8a7041 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -1719,6 +1719,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt) - ctxt->charset = XML_CHAR_ENCODING_UTF8; - ctxt->catalogs = NULL; - ctxt->nbentities = 0; -+ ctxt->sizeentities = 0; -+ ctxt->sizeentcopy = 0; - ctxt->input_id = 1; - xmlInitNodeInfoSeq(&ctxt->node_seq); - return(0); --- -cgit v0.9.1 -- cgit v1.2.3