summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2012-02-28 15:56:27 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-02-28 15:56:27 +0000
commit924600203af8728926fcd03d44e983d247cd438d (patch)
tree22420033cc37b712d2c29cdfa6f2d81c62eacdad
parente5fda1cfc016cb1b5e8b3bfef053e1e332f68b52 (diff)
downloadaports-924600203af8728926fcd03d44e983d247cd438d.tar.bz2
aports-924600203af8728926fcd03d44e983d247cd438d.tar.xz
main/libxml2: security fix (CVE-2012-0841)
fixes #1026
-rw-r--r--main/libxml2/APKBUILD14
-rw-r--r--main/libxml2/cve-2012-0841.patch291
2 files changed, 300 insertions, 5 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index e7b2cc262..b3160ee17 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.7.8
-pkgrel=7
+pkgrel=8
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -13,15 +13,18 @@ makedepends="zlib-dev python-dev"
subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
largefile64.patch
- libxml2-2.7.8-CVE-2011-1944.patch"
+ libxml2-2.7.8-CVE-2011-1944.patch
+ cve-2012-0841.patch"
options="!strip"
_builddir="$srcdir/$pkgname-$pkgver"
prepare() {
cd "$_builddir"
- for _i in "$srcdir"/*.patch; do
- patch -p1 -i "$_i"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
done
}
@@ -60,4 +63,5 @@ utils() {
md5sums="8127a65e8c3b08856093099b52599c86 libxml2-2.7.8.tar.gz
5ad4915665608ebfa5b89f7908467a72 largefile64.patch
-49cba5245dfa6f2ec710324df947fff9 libxml2-2.7.8-CVE-2011-1944.patch"
+49cba5245dfa6f2ec710324df947fff9 libxml2-2.7.8-CVE-2011-1944.patch
+045c7f25e46de3127a6061e273de3f7b cve-2012-0841.patch"
diff --git a/main/libxml2/cve-2012-0841.patch b/main/libxml2/cve-2012-0841.patch
new file mode 100644
index 000000000..9b6f440d1
--- /dev/null
+++ b/main/libxml2/cve-2012-0841.patch
@@ -0,0 +1,291 @@
+From 8973d58b7498fa5100a876815476b81fd1a2412a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Sat, 04 Feb 2012 11:07:44 +0000
+Subject: Add hash randomization to hash and dict structures
+
+Following http://www.ocert.org/advisories/ocert-2011-003.html
+it seems that having hash randomization might be a good idea
+when using XML with untrusted data
+* configure.in: lookup for rand, srand and time
+* dict.c: add randomization to dictionaries hash tables
+* hash.c: add randomization to normal hash tables
+---
+diff --git a/configure.in b/configure.in
+index fa80375..828b66a 100644
+--- a/configure.in
++++ b/configure.in
+@@ -512,6 +512,7 @@ AC_CHECK_FUNCS(strdup strndup strerror)
+ AC_CHECK_FUNCS(finite isnand fp_class class fpclass)
+ AC_CHECK_FUNCS(strftime localtime gettimeofday ftime)
+ AC_CHECK_FUNCS(stat _stat signal)
++AC_CHECK_FUNCS(rand srand time)
+
+ dnl Checking the standard string functions availability
+ AC_CHECK_FUNCS(printf sprintf fprintf snprintf vfprintf vsprintf vsnprintf sscanf,,
+diff --git a/dict.c b/dict.c
+index 3eff231..ae4966b 100644
+--- a/dict.c
++++ b/dict.c
+@@ -2,7 +2,7 @@
+ * dict.c: dictionary of reusable strings, just used to avoid allocation
+ * and freeing operations.
+ *
+- * Copyright (C) 2003 Daniel Veillard.
++ * Copyright (C) 2003-2012 Daniel Veillard.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -19,6 +19,28 @@
+ #define IN_LIBXML
+ #include "libxml.h"
+
++#ifdef HAVE_STDLIB_H
++#include <stdlib.h>
++#endif
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
++/*
++ * Following http://www.ocert.org/advisories/ocert-2011-003.html
++ * it seems that having hash randomization might be a good idea
++ * when using XML with untrusted data
++ * Note1: that it works correctly only if compiled with WITH_BIG_KEY
++ * which is the default.
++ * Note2: the fast function used for a small dict won't protect very
++ * well but since the attack is based on growing a very big hash
++ * list we will use the BigKey algo as soon as the hash size grows
++ * over MIN_DICT_SIZE so this actually works
++ */
++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
++#define DICT_RANDOMIZATION
++#endif
++
+ #include <string.h>
+ #ifdef HAVE_STDINT_H
+ #include <stdint.h>
+@@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t;
+ #define WITH_BIG_KEY
+
+ #ifdef WITH_BIG_KEY
+-#define xmlDictComputeKey(dict, name, len) \
+- (((dict)->size == MIN_DICT_SIZE) ? \
+- xmlDictComputeFastKey(name, len) : \
+- xmlDictComputeBigKey(name, len))
+-
+-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
+- (((prefix) == NULL) ? \
+- (xmlDictComputeKey(dict, name, len)) : \
+- (((dict)->size == MIN_DICT_SIZE) ? \
+- xmlDictComputeFastQKey(prefix, plen, name, len) : \
+- xmlDictComputeBigQKey(prefix, plen, name, len)))
++#define xmlDictComputeKey(dict, name, len) \
++ (((dict)->size == MIN_DICT_SIZE) ? \
++ xmlDictComputeFastKey(name, len, (dict)->seed) : \
++ xmlDictComputeBigKey(name, len, (dict)->seed))
++
++#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
++ (((prefix) == NULL) ? \
++ (xmlDictComputeKey(dict, name, len)) : \
++ (((dict)->size == MIN_DICT_SIZE) ? \
++ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \
++ xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed)))
+
+ #else /* !WITH_BIG_KEY */
+-#define xmlDictComputeKey(dict, name, len) \
+- xmlDictComputeFastKey(name, len)
+-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
+- xmlDictComputeFastQKey(prefix, plen, name, len)
++#define xmlDictComputeKey(dict, name, len) \
++ xmlDictComputeFastKey(name, len, (dict)->seed)
++#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
++ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed)
+ #endif /* WITH_BIG_KEY */
+
+ /*
+@@ -98,6 +120,8 @@ struct _xmlDict {
+ xmlDictStringsPtr strings;
+
+ struct _xmlDict *subdict;
++ /* used for randomization */
++ int seed;
+ };
+
+ /*
+@@ -125,6 +149,9 @@ static int xmlInitializeDict(void) {
+ if ((xmlDictMutex = xmlNewRMutex()) == NULL)
+ return(0);
+
++#ifdef DICT_RANDOMIZATION
++ srand(time(NULL));
++#endif
+ xmlDictInitialized = 1;
+ return(1);
+ }
+@@ -277,13 +304,13 @@ found_pool:
+ */
+
+ static uint32_t
+-xmlDictComputeBigKey(const xmlChar* data, int namelen) {
++xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) {
+ uint32_t hash;
+ int i;
+
+ if (namelen <= 0 || data == NULL) return(0);
+
+- hash = 0;
++ hash = seed;
+
+ for (i = 0;i < namelen; i++) {
+ hash += data[i];
+@@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen) {
+ */
+ static unsigned long
+ xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
+- const xmlChar *name, int len)
++ const xmlChar *name, int len, int seed)
+ {
+ uint32_t hash;
+ int i;
+
+- hash = 0;
++ hash = seed;
+
+ for (i = 0;i < plen; i++) {
+ hash += prefix[i];
+@@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
+ * for low hash table fill.
+ */
+ static unsigned long
+-xmlDictComputeFastKey(const xmlChar *name, int namelen) {
+- unsigned long value = 0L;
++xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
++ unsigned long value = seed;
+
+ if (name == NULL) return(0);
+ value = *name;
+@@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *name, int namelen) {
+ */
+ static unsigned long
+ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+- const xmlChar *name, int len)
++ const xmlChar *name, int len, int seed)
+ {
+- unsigned long value = 0L;
++ unsigned long value = (unsigned long) seed;
+
+ if (plen == 0)
+ value += 30 * (unsigned long) ':';
+@@ -460,6 +487,11 @@ xmlDictCreate(void) {
+ dict->subdict = NULL;
+ if (dict->dict) {
+ memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry));
++#ifdef DICT_RANDOMIZATION
++ dict->seed = rand();
++#else
++ dict->seed = 0;
++#endif
+ return(dict);
+ }
+ xmlFree(dict);
+@@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) {
+ #ifdef DICT_DEBUG_PATTERNS
+ fprintf(stderr, "R");
+ #endif
++ dict->seed = sub->seed;
+ dict->subdict = sub;
+ xmlDictReference(dict->subdict);
+ }
+diff --git a/hash.c b/hash.c
+index b78bc2d..fe1424f 100644
+--- a/hash.c
++++ b/hash.c
+@@ -3,7 +3,7 @@
+ *
+ * Reference: Your favorite introductory book on algorithms
+ *
+- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard.
++ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -21,6 +21,22 @@
+ #include "libxml.h"
+
+ #include <string.h>
++#ifdef HAVE_STDLIB_H
++#include <stdlib.h>
++#endif
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
++/*
++ * Following http://www.ocert.org/advisories/ocert-2011-003.html
++ * it seems that having hash randomization might be a good idea
++ * when using XML with untrusted data
++ */
++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
++#define HASH_RANDOMIZATION
++#endif
++
+ #include <libxml/parser.h>
+ #include <libxml/hash.h>
+ #include <libxml/xmlmemory.h>
+@@ -31,6 +47,10 @@
+
+ /* #define DEBUG_GROW */
+
++#ifdef HASH_RANDOMIZATION
++static int hash_initialized = 0;
++#endif
++
+ /*
+ * A single entry in the hash table
+ */
+@@ -53,6 +73,9 @@ struct _xmlHashTable {
+ int size;
+ int nbElems;
+ xmlDictPtr dict;
++#ifdef HASH_RANDOMIZATION
++ int random_seed;
++#endif
+ };
+
+ /*
+@@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, const xmlChar *name,
+ unsigned long value = 0L;
+ char ch;
+
++#ifdef HASH_RANDOMIZATION
++ value = table->random_seed;
++#endif
+ if (name != NULL) {
+ value += 30 * (*name);
+ while ((ch = *name++) != 0) {
+@@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table,
+ unsigned long value = 0L;
+ char ch;
+
++#ifdef HASH_RANDOMIZATION
++ value = table->random_seed;
++#endif
+ if (prefix != NULL)
+ value += 30 * (*prefix);
+ else
+@@ -156,6 +185,13 @@ xmlHashCreate(int size) {
+ table->table = xmlMalloc(size * sizeof(xmlHashEntry));
+ if (table->table) {
+ memset(table->table, 0, size * sizeof(xmlHashEntry));
++#ifdef HASH_RANDOMIZATION
++ if (!hash_initialized) {
++ srand(time(NULL));
++ hash_initialized = 1;
++ }
++ table->random_seed = rand();
++#endif
+ return(table);
+ }
+ xmlFree(table);
+--
+cgit v0.9.0.2