From 93863a5e7257ea074a9a5e3f36a393a8ec29fedf Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Wed, 23 Nov 2016 22:13:28 +0100 Subject: gnu: Add perl-xml-libxslt. * gnu/packages/xml.scm (perl-xml-libxslt): New variable. --- gnu/packages/xml.scm | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 505d585e66..80534d69f2 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -329,6 +329,29 @@ XML parser and the high performance DOM implementation.") @code{XML::LibXML}.") (license (package-license perl)))) +(define-public perl-xml-libxslt + (package + (name "perl-xml-libxslt") + (version "1.95") + (source + (origin + (method url-fetch) + (uri (string-append "mirror://cpan/authors/id/S/SH/SHLOMIF/" + "XML-LibXSLT-" version ".tar.gz")) + (sha256 + (base32 + "0dggycql18kfxzkb1kw3yc7gslxlrrgyyn2r2ygsylycb89j3jpi")))) + (build-system perl-build-system) + (inputs + `(("libxslt" ,libxslt))) + (propagated-inputs + `(("perl-xml-libxml" ,perl-xml-libxml))) + (home-page "http://search.cpan.org/dist/XML-LibXSLT") + (synopsis "Perl bindings to GNOME libxslt library") + (description "This Perl module is an interface to the GNOME project's +libxslt library.") + (license (package-license perl)))) + (define-public perl-xml-namespacesupport (package (name "perl-xml-namespacesupport") -- cgit v1.2.3 From ffbc7d65535d4fdf98ae395e79f04844abab2f15 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 30 Nov 2016 12:29:09 +0200 Subject: gnu: perl-graph-readwrite: Update to 2.09. * gnu/packages/xml.scm (perl-graph-readwrite): Update to 2.09. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 80534d69f2..258bfb258c 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm 
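Review bot: The `home-page` of the new `perl-xml-libxslt` definition is a plain-HTTP link, `(home-page "http://search.cpan.org/dist/XML-LibXSLT")`. The tarball is pinned by the `sha256` in `origin`, so this only affects the link a user follows from the package metadata. An HTTPS address such as `(home-page "https://metacpan.org/release/XML-LibXSLT")` would remove the one unauthenticated URL in the definition.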
@@ -167,7 +167,7 @@ based on libxml for XML parsing, tree manipulation and XPath support.") (define-public perl-graph-readwrite (package (name "perl-graph-readwrite") - (version "2.08") + (version "2.09") (source (origin (method url-fetch) @@ -177,7 +177,7 @@ based on libxml for XML parsing, tree manipulation and XPath support.") ".tar.gz")) (sha256 (base32 - "1wjni212nfz9irp19nx9if1lj3w9cybpdbzhii4g8macpryjj7ci")))) + "0jlsg64pmy6ka5q5gy851nnyfgjzvhyxc576bhns3vi2x5ng07mh")))) (build-system perl-build-system) (propagated-inputs `(("perl-graph" ,perl-graph) -- cgit v1.2.3 From f3aa34cc5abcfb3283931f425056cd2f5b2b9852 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 30 Nov 2016 13:25:38 +0200 Subject: gnu: perl-xml-libxml-simple: Update to 0.97. * gnu/packages/xml.scm (perl-xml-libxml-simple): Update to 0.97. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 258bfb258c..d2b206c673 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -310,14 +310,14 @@ XML parser and the high performance DOM implementation.") (define-public perl-xml-libxml-simple (package (name "perl-xml-libxml-simple") - (version "0.95") + (version "0.97") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-LibXML-Simple-" version ".tar.gz")) (sha256 (base32 - "0qqfqj5bgqmh1j4iv8dwl3g00nsmcvf2b7w1d09k9d77rrb249xi")))) + "1g8nlk3zdz2cclxf7azvsb3jfxmvy6ml8wmj774k4qjqcsqmzk0w")))) (build-system perl-build-system) (propagated-inputs `(("perl-file-slurp-tiny" ,perl-file-slurp-tiny) -- cgit v1.2.3 From 4e5465f2556d83e6db31dc0365088efd3e2d49ac Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Wed, 30 Nov 2016 13:30:58 +0200 Subject: gnu: perl-xml-dom: Update to 1.46. * gnu/packages/xml.scm (perl-xml-dom): Update to 1.46. [propagated-inputs]: Add perl-xml-parser. --- gnu/packages/xml.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index d2b206c673..118fc29459 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -514,7 +514,7 @@ EntityRef, CharRef, Reference, Name, NmToken, and AttValue.") (define-public perl-xml-dom (package (name "perl-xml-dom") - (version "1.44") + (version "1.46") (source (origin (method url-fetch) (uri (string-append @@ -522,11 +522,12 @@ EntityRef, CharRef, Reference, Name, NmToken, and AttValue.") version ".tar.gz")) (sha256 (base32 - "1r0ampc88ni3sjpzr583k86076qg399arfm9xirv3cw49k3k5bzn")))) + "0phpkc4li43m2g44hdcvyxzy9pymqwlqhh5hwp2xc0cv8l5lp8lb")))) (build-system perl-build-system) (propagated-inputs `(("perl-libwww" ,perl-libwww) ("perl-libxml" ,perl-libxml) + ("perl-xml-parser" ,perl-xml-parser) ("perl-xml-regexp" ,perl-xml-regexp))) (license (package-license perl)) (synopsis -- cgit v1.2.3 From 18c832b02e7fa355ae3b8399bc72d2157d36c101 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 30 Nov 2016 13:33:42 +0200 Subject: gnu: perl-xml-compile: Update to 1.54. * gnu/packages/xml.scm (perl-xml-compile): Update to 1.54. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 118fc29459..1d638893d6 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm 
@@ -566,14 +566,14 @@ This module provide functions which simplify writing tests for (define-public perl-xml-compile (package (name "perl-xml-compile") - (version "1.51") + (version "1.54") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-Compile-" version ".tar.gz")) (sha256 (base32 - "06fj4zf0yh4kf3kx4bhwrmrjr6al40nasasbgfhn8f1zxwkmm8f2")))) + "1hp41960bpqxvv1samv9hc0ghhmvs3i16r4rfl9yp54lp6jhsr2c")))) (build-system perl-build-system) (propagated-inputs `(("perl-log-report" ,perl-log-report) -- cgit v1.2.3 From 6b9d3f55394163ce743341c0ca5ba379d918bdf5 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 30 Nov 2016 13:34:56 +0200 Subject: gnu: perl-xml-compile-cache: Update to 1.05. * gnu/packages/xml.scm (perl-xml-compile-cache): Update to 1.05. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 1d638893d6..ed5e7e112a 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -591,14 +591,14 @@ a schema.") (define-public perl-xml-compile-cache (package (name "perl-xml-compile-cache") - (version "1.04") + (version "1.05") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-Compile-Cache-" version ".tar.gz")) (sha256 (base32 - "1689dm54n7wb0n0cl9n77vk0kvg0mcckn2hz9ahigjhvazah8740")))) + "0xbwlszhi9hg8sxm5ylglm2qvnb689i595p913awrj2g4mp9yfsw")))) (build-system perl-build-system) (propagated-inputs `(("perl-log-report" ,perl-log-report) -- cgit v1.2.3 From 0c3e27a4f47badf20d366e62e2104599d6019dd4 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 30 Nov 2016 13:36:57 +0200 Subject: gnu: perl-xml-compile-soap: Update to 3.20. * gnu/packages/xml.scm (perl-xml-compile-soap): Update to 3.20. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') 
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index ed5e7e112a..20fcca3504 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -614,14 +614,14 @@ a schema.") (define-public perl-xml-compile-soap (package (name "perl-xml-compile-soap") - (version "3.13") + (version "3.20") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-Compile-SOAP-" version ".tar.gz")) (sha256 (base32 - "08qw63l78040nh37xzapbqp43g6s5l67bvskf3dyyizlarjx5mi4")))) + "0qplb77qr97pc9yis51jmphl9gbq9xyf8abldpxkwvdn6iqlbgx5")))) (build-system perl-build-system) (propagated-inputs `(("perl-file-slurp-tiny" ,perl-file-slurp-tiny) -- cgit v1.2.3 From 28a3b6b42ccfa98eb87856399c0457f6f0a84152 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 30 Nov 2016 13:39:11 +0200 Subject: gnu: perl-xml-compile-wsdl11: Update to 3.05. * gnu/packages/xml.scm (perl-xml-compile-wsdl11): Update to 3.05. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 20fcca3504..ecf0f81bc4 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -642,14 +642,14 @@ used.") (define-public perl-xml-compile-wsdl11 (package (name "perl-xml-compile-wsdl11") - (version "3.04") + (version "3.05") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-Compile-WSDL11-" version ".tar.gz")) (sha256 (base32 - "0pyikwnfwpangvnkf5dbdagy4z93ag9824f1ax5qaibc3ghca8kv")))) + "1a50in1qrbzx3924wvrhgfm5fcxz5cd95f3z9z2xgln27q1zssc4")))) (build-system perl-build-system) (propagated-inputs `(("perl-log-report" ,perl-log-report) -- cgit v1.2.3 From 47b4cedf5d8235f2b3558fe41049a65d55cd1ddf Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Wed, 30 Nov 2016 13:46:28 +0200 Subject: gnu: perl-xml-xpath: Update to 1.40. * gnu/packages/xml.scm (perl-xml-xpath): Update to 1.40. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index ecf0f81bc4..594a1a471c 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -707,14 +707,14 @@ RSS 0.91, RSS 1.0, RSS 2.0, Atom") (define-public perl-xml-xpath (package (name "perl-xml-xpath") - (version "1.37") + (version "1.40") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MANWAR/" "XML-XPath-" version ".tar.gz")) (sha256 (base32 - "0997l8vjgq8p7d1irvp6amqyrv24x7f8hybjm4l4ayag32b13bmq")))) + "07pa0bl42jka8mj7jshjynx8vpfh8b4cdyiv4zlkqvkqz98nzxib")))) (build-system perl-build-system) (native-inputs `(("perl-path-tiny" ,perl-path-tiny))) -- cgit v1.2.3 From 0c83c6bf2669367e81012391b5bc4ab0406ffbf3 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 24 Dec 2016 19:09:03 -0500 Subject: gnu: libxml2: Fix CVE-2016-4658. * gnu/packages/xml.scm (libxml2)[replacement]: New field. (libxml2/fixed): New variable. * gnu/packages/patches/libxml2-CVE-2016-4658.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/patches/libxml2-CVE-2016-4658.patch | 257 +++++++++++++++++++++++ gnu/packages/xml.scm | 9 + 3 files changed, 267 insertions(+) create mode 100644 gnu/packages/patches/libxml2-CVE-2016-4658.patch (limited to 'gnu/packages/xml.scm') diff --git a/gnu/local.mk b/gnu/local.mk index ee8f1e591f..a1137cf36f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -696,6 +696,7 @@ dist_patch_DATA = \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ + %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2016-4658.patch b/gnu/packages/patches/libxml2-CVE-2016-4658.patch new file mode 100644 index 0000000000..a4e1f31fae --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-4658.patch 
@@ -0,0 +1,257 @@ +Fix CVE-2016-4658: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b + +From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 18:34:52 +0200 +Subject: [PATCH] Disallow namespace nodes in XPointer ranges + +Namespace nodes must be copied to avoid use-after-free errors. +But they don't necessarily have a physical representation in a +document, so simply disallow them in XPointer ranges. + +Found with afl-fuzz. + +Fixes CVE-2016-4658. +--- + xpointer.c | 149 +++++++++++++++++++++++-------------------------------------- + 1 file changed, 56 insertions(+), 93 deletions(-) + +diff --git a/xpointer.c b/xpointer.c +index a7b03fbd..694d120e 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) { + } + + /** ++ * xmlXPtrNewRangeInternal: ++ * @start: the starting node ++ * @startindex: the start index ++ * @end: the ending point ++ * @endindex: the ending index ++ * ++ * Internal function to create a new xmlXPathObjectPtr of type range ++ * ++ * Returns the newly created object. ++ */ ++static xmlXPathObjectPtr ++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, ++ xmlNodePtr end, int endindex) { ++ xmlXPathObjectPtr ret; ++ ++ /* ++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). ++ * Disallow them for now. 
++ */ ++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ ++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); ++ if (ret == NULL) { ++ xmlXPtrErrMemory("allocating range"); ++ return(NULL); ++ } ++ memset(ret, 0, sizeof(xmlXPathObject)); ++ ret->type = XPATH_RANGE; ++ ret->user = start; ++ ret->index = startindex; ++ ret->user2 = end; ++ ret->index2 = endindex; ++ return(ret); ++} ++ ++/** + * xmlXPtrNewRange: + * @start: the starting node + * @startindex: the start index +@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, + if (endindex < 0) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = startindex; +- ret->user2 = end; +- ret->index2 = endindex; ++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, ++ end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { + if (start->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == 
NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { + if (end == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + if (start == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = NULL; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); + return(ret); + } + +@@ -541,6 
+521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + */ + xmlXPathObjectPtr + xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { ++ xmlNodePtr endNode; ++ int endIndex; + xmlXPathObjectPtr ret; + + if (start == NULL) +@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + return(NULL); + switch (end->type) { + case XPATH_POINT: ++ endNode = end->user; ++ endIndex = end->index; ++ break; + case XPATH_RANGE: ++ endNode = end->user2; ++ endIndex = end->index2; + break; + case XPATH_NODESET: + /* +@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + */ + if (end->nodesetval->nodeNr <= 0) + return(NULL); ++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; ++ endIndex = -1; + break; + default: + /* TODO */ + return(NULL); + } + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- switch (end->type) { +- case XPATH_POINT: +- ret->user2 = end->user; +- ret->index2 = end->index; +- break; +- case XPATH_RANGE: +- ret->user2 = end->user2; +- ret->index2 = end->index2; +- break; +- case XPATH_NODESET: { +- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; +- ret->index2 = -1; +- break; +- } +- default: +- STRANGE +- return(NULL); +- } ++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +-- +2.11.0 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 594a1a471c..d821338b52 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -74,6 +74,7 @@ things the parser might find in the XML document (like start tags).") (define-public libxml2 (package (name "libxml2") + (replacement libxml2/fixed) (version "2.9.4") (source (origin (method url-fetch) 
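Review bot: In `xmlXPtrNewRangeNodeObject`, the `XPATH_NODESET` case dereferences `end->nodesetval` without a NULL check, both in the existing `nodeNr` test and in the added `endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];`. If a node-set object can arrive with a NULL `nodesetval` (not visible in this hunk), that is a NULL dereference reachable from XPointer input. The guard could read `if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0)) return(NULL);`. Separately, every caller now passes a possibly-NULL `ret` from `xmlXPtrNewRangeInternal` to `xmlXPtrRangeCheckOrder`, which is safe only if that function tolerates NULL; its body is outside the patch. Since this file is copied verbatim from upstream, either change belongs upstream rather than in the local copy.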
@@ -101,6 +102,14 @@ things the parser might find in the XML document (like start tags).") project (but it is usable outside of the Gnome platform).") (license license:x11))) +(define libxml2/fixed + (package + (inherit libxml2) + (source + (origin + (inherit (package-source libxml2)) + (patches (search-patches "libxml2-CVE-2016-4658.patch")))))) + (define-public python-libxml2 (package (inherit libxml2) (name "python-libxml2") -- cgit v1.2.3 From 3a2bcac6bd5a372553079750717ed4e9e6a638f1 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 24 Dec 2016 19:11:30 -0500 Subject: gnu: libxml2: Fix CVE-2016-5131. * gnu/packages/patches/libxml2-CVE-2016-5131.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (libxml2/fixed)[source]: Add it. --- gnu/local.mk | 1 + gnu/packages/patches/libxml2-CVE-2016-5131.patch | 218 +++++++++++++++++++++++ gnu/packages/xml.scm | 3 +- 3 files changed, 221 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libxml2-CVE-2016-5131.patch (limited to 'gnu/packages/xml.scm') diff --git a/gnu/local.mk b/gnu/local.mk index a1137cf36f..106adb2351 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -697,6 +697,7 @@ dist_patch_DATA = \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ + %D%/packages/patches/libxml2-CVE-2016-5131.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2016-5131.patch b/gnu/packages/patches/libxml2-CVE-2016-5131.patch new file mode 100644 index 0000000000..38938c8e3e --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-5131.patch 
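Review bot: `python-libxml2` is defined with `(inherit libxml2)`, so it also inherits the `replacement` field that the previous hunk adds to `libxml2`, unless its body overrides it; that body continues outside the hunk. If it does not, the graft would likely substitute `libxml2/fixed` (the C library, not the Python bindings) wherever `python-libxml2` is referenced. Adding `(replacement #f)` after its `(name "python-libxml2")` line would avoid that. A one-line comment above `libxml2/fixed`, for example `;; Grafted replacement for libxml2 carrying the security patches.`, would also tell readers why the variable is private and only overrides `source`.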
@@ -0,0 +1,218 @@ +Fix CVE-2016-5131: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131 + +Patches copied from upstream source repository (the test suite fails +without the 2nd patch): + +https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e +https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8 + +From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:22:23 +0200 +Subject: [PATCH] Fix XPointer paths beginning with range-to + +The old code would invoke the broken xmlXPtrRangeToFunction. range-to +isn't really a function but a special kind of location step. Remove +this function and always handle range-to in the XPath code. + +The old xmlXPtrRangeToFunction could also be abused to trigger a +use-after-free error with the potential for remote code execution. + +Found with afl-fuzz. + +Fixes CVE-2016-5131. +--- + result/XPath/xptr/vidbase | 13 ++++++++ + test/XPath/xptr/vidbase | 1 + + xpath.c | 7 ++++- + xpointer.c | 76 ++++------------------------------------------- + 4 files changed, 26 insertions(+), 71 deletions(-) + +diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase +index 8b9e92d6..f19193e7 100644 +--- a/result/XPath/xptr/vidbase ++++ b/result/XPath/xptr/vidbase +@@ -17,3 +17,16 @@ Object is a Location Set: + To node + ELEMENT p + ++ ++======================== ++Expression: xpointer(range-to(id('chapter2'))) ++Object is a Location Set: ++1 : Object is a range : ++ From node ++ / ++ To node ++ ELEMENT chapter ++ ATTRIBUTE id ++ TEXT ++ content=chapter2 ++ +diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase +index b1463830..884b1065 100644 +--- a/test/XPath/xptr/vidbase ++++ b/test/XPath/xptr/vidbase +@@ -1,2 +1,3 @@ + xpointer(id('chapter1')/p) + xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2])) ++xpointer(range-to(id('chapter2'))) +diff --git a/xpath.c b/xpath.c +index 
d992841e..5a01b1b3 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { + lc = 1; + break; + } else if ((NXT(len) == '(')) { +- /* Note Type or Function */ ++ /* Node Type or Function */ + if (xmlXPathIsNodeType(name)) { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, + "PathExpr: Type search\n"); + #endif + lc = 1; ++#ifdef LIBXML_XPTR_ENABLED ++ } else if (ctxt->xptr && ++ xmlStrEqual(name, BAD_CAST "range-to")) { ++ lc = 1; ++#endif + } else { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, +diff --git a/xpointer.c b/xpointer.c +index 676c5105..d74174a3 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { + ret->here = here; + ret->origin = origin; + +- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", +- xmlXPtrRangeToFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range", + xmlXPtrRangeFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", +@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * @nargs: the number of args + * + * Implement the range-to() XPointer function ++ * ++ * Obsolete. range-to is not a real function but a special type of location ++ * step which is handled in xpath.c. + */ + void +-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr range; +- const xmlChar *cur; +- xmlXPathObjectPtr res, obj; +- xmlXPathObjectPtr tmp; +- xmlLocationSetPtr newset = NULL; +- xmlNodeSetPtr oldset; +- int i; +- +- if (ctxt == NULL) return; +- CHECK_ARITY(1); +- /* +- * Save the expression pointer since we will have to evaluate +- * it multiple times. Initialize the new set. 
+- */ +- CHECK_TYPE(XPATH_NODESET); +- obj = valuePop(ctxt); +- oldset = obj->nodesetval; +- ctxt->context->node = NULL; +- +- cur = ctxt->cur; +- newset = xmlXPtrLocationSetCreate(NULL); +- +- for (i = 0; i < oldset->nodeNr; i++) { +- ctxt->cur = cur; +- +- /* +- * Run the evaluation with a node list made of a single item +- * in the nodeset. +- */ +- ctxt->context->node = oldset->nodeTab[i]; +- tmp = xmlXPathNewNodeSet(ctxt->context->node); +- valuePush(ctxt, tmp); +- +- xmlXPathEvalExpr(ctxt); +- CHECK_ERROR; +- +- /* +- * The result of the evaluation need to be tested to +- * decided whether the filter succeeded or not +- */ +- res = valuePop(ctxt); +- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); +- if (range != NULL) { +- xmlXPtrLocationSetAdd(newset, range); +- } +- +- /* +- * Cleanup +- */ +- if (res != NULL) +- xmlXPathFreeObject(res); +- if (ctxt->value == tmp) { +- res = valuePop(ctxt); +- xmlXPathFreeObject(res); +- } +- +- ctxt->context->node = NULL; +- } +- +- /* +- * The result is used as the new evaluation set. +- */ +- xmlXPathFreeObject(obj); +- ctxt->context->node = NULL; +- ctxt->context->contextSize = -1; +- ctxt->context->proximityPosition = -1; +- valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); ++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, ++ int nargs ATTRIBUTE_UNUSED) { ++ XP_ERROR(XPATH_EXPR_ERROR); + } + + /** +-- +2.11.0 + +From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:19:58 +0200 +Subject: [PATCH] Fix comparison with root node in xmlXPathCmpNodes + +This change has already been made in xmlXPathCmpNodesExt but not in +xmlXPathCmpNodes. 
+--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 751665b8..d992841e 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) { + * compute depth to root + */ + for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { +- if (cur == node1) ++ if (cur->parent == node1) + return(1); + depth2++; + } + root = cur; + for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { +- if (cur == node2) ++ if (cur->parent == node2) + return(-1); + depth1++; + } +-- +2.11.0 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index d821338b52..32b658489c 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -108,7 +108,8 @@ project (but it is usable outside of the Gnome platform).") (source (origin (inherit (package-source libxml2)) - (patches (search-patches "libxml2-CVE-2016-4658.patch")))))) + (patches (search-patches "libxml2-CVE-2016-4658.patch" + "libxml2-CVE-2016-5131.patch")))))) (define-public python-libxml2 (package (inherit libxml2) -- cgit v1.2.3
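Review bot: The two upstream commits are stored in this patch file in the reverse of their upstream order. The second one (`a005199…`, xpath.c `index 751665b8..d992841e`) produces the blob that the first one (`9ab01a2…`, xpath.c `index d992841e..5a01b1b3`) starts from, and it is dated three minutes earlier. The two xpath.c hunks are far apart, so both presumably apply either way, but putting the `xmlXPathCmpNodes` fix first would match upstream history. The header could then state the dependency directly instead of "the test suite fails without the 2nd patch", for example `the xmlXPathCmpNodes fix is included because the test suite fails without it`.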