From 493e9a5a8f613764cfa396c33ee6cb381b0dbbef Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 24 May 2016 14:11:52 +0200 Subject: gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705. * gnu/packages/patches/libxml2-CVE-2016-3627.patch, gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xml.scm (libxml2)[replacement]: New field. (libxml2/fixed): New variable. --- gnu/packages/patches/libxml2-CVE-2016-3627.patch | 61 +++++++++++++++++++++ gnu/packages/patches/libxml2-CVE-2016-3705.patch | 68 ++++++++++++++++++++++++ gnu/packages/xml.scm | 11 +++- 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libxml2-CVE-2016-3627.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2016-3705.patch (limited to 'gnu/packages') diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch new file mode 100644 index 0000000000..782c9270cf --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-3627.patch @@ -0,0 +1,61 @@ +From . + +From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001 +From: Peter Simons +Date: Thu, 14 Apr 2016 16:15:13 +0200 +Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024 + recursions to avoid CVE-2016-3627 + +This patch prevents stack overflows like the one reported in +https://bugzilla.gnome.org/show_bug.cgi?id=762100. +--- + tree.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +Index: libxml2-2.9.3/tree.c +=================================================================== +--- libxml2-2.9.3.orig/tree.c ++++ libxml2-2.9.3/tree.c +@@ -1464,6 +1464,8 @@ out: + return(ret); + } + ++static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel); ++ + /** + * xmlStringGetNodeList: + * @doc: the document +@@ -1475,6 +1477,12 @@ out: + */ + xmlNodePtr + xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { ++ return xmlStringGetNodeListInternal(doc, value, 0); ++ } ++ ++xmlNodePtr ++xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) { ++ + xmlNodePtr ret = NULL, last = NULL; + xmlNodePtr node; + xmlChar *val; +@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc, + xmlEntityPtr ent; + xmlBufPtr buf; + ++ if (recursionLevel > 1024) return(NULL); ++ + if (value == NULL) return(NULL); + + buf = xmlBufCreateSize(0); +@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc, + else if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + +- ent->children = xmlStringGetNodeList(doc, +- (const xmlChar*)node->content); ++ ent->children = xmlStringGetNodeListInternal(doc, ++ (const xmlChar*)node->content, ++ recursionLevel+1); + ent->owner = 1; + temp = ent->children; + while (temp) { diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch b/gnu/packages/patches/libxml2-CVE-2016-3705.patch new file mode 100644 index 0000000000..e803630f3a --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-3705.patch @@ -0,0 +1,68 @@ +From . + +From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001 +From: Peter Simons +Date: Fri, 15 Apr 2016 11:56:55 +0200 +Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML + parser. + +The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call +xmlStringDecodeEntities() in a recursive context without incrementing the +'depth' counter in the parser context. Because of that omission, the parser +failed to detect attribute recursions in certain documents before running out +of stack space. +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 9604a72..4da151f 100644 +--- a/parser.c ++++ b/parser.c +@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + + ent->checked = 1; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + * an entity declaration, it is bypassed and left as is. + * so XML_SUBSTITUTE_REF is not set here. + */ ++ ++ctxt->depth; + ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, + 0, 0, 0); ++ --ctxt->depth; + if (orig != NULL) + *orig = buf; + else +@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else if ((ent != NULL) && + (ctxt->replaceEntities != 0)) { + if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, + 0, 0, 0); ++ --ctxt->depth; + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming */ +@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +-- +2.8.1 diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 9eaf71aefa..96bb8b76c6 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès ;;; Copyright © 2013, 2015 Andreas Enge ;;; Copyright © 2015 Eric Bavier ;;; Copyright © 2015 Sou Bunnbu @@ -77,6 +77,7 @@ (define-public libxml2 (package (name "libxml2") (version "2.9.3") + (replacement libxml2/fixed) ;multiple CVEs (source (origin (method url-fetch) (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-" @@ -103,6 +104,14 @@ (define-public libxml2 project (but it is usable outside of the Gnome platform).") (license license:x11))) +(define libxml2/fixed + (package + (inherit libxml2) + (source (origin + (inherit (package-source libxml2)) + (patches (search-patches "libxml2-CVE-2016-3627.patch" + "libxml2-CVE-2016-3705.patch")))))) + (define-public python-libxml2 (package (inherit libxml2) (name "python-libxml2") -- cgit v1.2.3