libxml2-2.9.10-security_fixes-1.patch 5.6 KB

  1. Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
  2. Date: 2020-11-21
  3. Initial Package Version: 2.9.10
  4. Upstream Status: Applied
  5. Origin: Found at fedora.
  6. Description: Various fixes, including CVE-2019-20388, CVE-2020-7595,
  7. CVE-2020-24977. I think that, at worst, these are DoS vulnerabilities.
  8. From 0815302dee2b78139832c2080348086a0564836b Mon Sep 17 00:00:00 2001
  9. From: Nick Wellnhofer <wellnhofer@aevum.de>
  10. Date: Fri, 6 Dec 2019 12:27:29 +0100
  11. Subject: [PATCH] Fix freeing of nested documents
  12. Apparently, some libxslt RVTs can contain nested document nodes, see
  13. issue #132. I'm not sure how this happens exactly but it can cause a
  14. segfault in xmlFreeNodeList after the changes in commit 0762c9b6.
  15. Make sure not to touch the (nonexistent) `content` member of xmlDocs.
  16. ---
  17. tree.c | 5 +++++
  18. 1 file changed, 5 insertions(+)
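diff --git a/tree.c b/tree.c
index 070670f1..0d7fc98c 100644
--- a/tree.c
+++ b/tree.c
@@ -3708,6 +3708,11 @@ xmlFreeNodeList(xmlNodePtr cur) {
 (cur->type != XML_XINCLUDE_START) &&
 (cur->type != XML_XINCLUDE_END) &&
 (cur->type != XML_ENTITY_REF_NODE) &&
+ (cur->type != XML_DOCUMENT_NODE) &&
+#ifdef LIBXML_DOCB_ENABLED
+ (cur->type != XML_DOCB_DOCUMENT_NODE) &&
+#endif
+ (cur->type != XML_HTML_DOCUMENT_NODE) &&
 (cur->content != (xmlChar *) &(cur->properties))) {
 DICT_FREE(cur->content)
 }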
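Review bot: The three added type checks guard only the DICT_FREE(cur->content) site, and nothing in the hunk records why document nodes are excluded, so a reader sees an xmlDoc tested against a `content` member it does not have. I would carry the reason from the commit message onto the first added line, `/* xmlDoc-typed nodes (nested docs from libxslt RVTs, issue #132) have no content member */`. If xmlFreeNode contains the same DICT_FREE(cur->content) pattern it presumably needs the same guard; that is outside this hunk and worth confirming. xmlFreeNodeList starts and ends outside the hunk.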
  35. --
  36. 2.22.0
  37. From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001
  38. From: Zhipeng Xie <xiezhipeng1@huawei.com>
  39. Date: Tue, 20 Aug 2019 16:33:06 +0800
  40. Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
  41. When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
  42. allocates a new schema for ctxt->schema and sets vctxt->xsiAssemble
  43. to 1. Then xmlSchemaVStart->xmlSchemaPreRun initializes
  44. vctxt->xsiAssemble to 0 again, which causes the allocated schema
  45. to never be freed.
  46. Found with libFuzzer.
  47. Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
  48. ---
  49. xmlschemas.c | 1 -
  50. 1 file changed, 1 deletion(-)
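diff --git a/xmlschemas.c b/xmlschemas.c
index 301c8449..39d92182 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
 vctxt->nberrors = 0;
 vctxt->depth = -1;
 vctxt->skipDepth = -1;
- vctxt->xsiAssemble = 0;
 vctxt->hasKeyrefs = 0;
 #ifdef ENABLE_IDC_NODE_TABLES_TEST
 vctxt->createIDCNodeTables = 1;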
  63. --
  64. 2.24.1
  65. From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
  66. From: Zhipeng Xie <xiezhipeng1@huawei.com>
  67. Date: Thu, 12 Dec 2019 17:30:55 +0800
  68. Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
  69. When ctxt->instate == XML_PARSER_EOF, xmlParseStringEntityRef
  70. returns NULL, which causes an infinite loop in xmlStringLenDecodeEntities
  71. Found with libFuzzer.
  72. Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
  73. ---
  74. parser.c | 3 ++-
  75. 1 file changed, 2 insertions(+), 1 deletion(-)
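diff --git a/parser.c b/parser.c
index d1c31963..a34bb6cd 100644
--- a/parser.c
+++ b/parser.c
@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
 else
 c = 0;
 while ((c != 0) && (c != end) && /* non input consuming loop */
- (c != end2) && (c != end3)) {
+ (c != end2) && (c != end3) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
 if (c == 0) break;
 if ((c == '&') && (str[1] == '#')) {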
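Review bot: The added `ctxt->instate != XML_PARSER_EOF` test only stops the loop from spinning; it says nothing about what xmlStringLenDecodeEntities returns after an EOF-triggered exit, so callers may receive a partially decoded buffer with no error indication — the function's exit path is outside the hunk and worth checking for that case. A comment tying the condition to its cause would help the next reader: `/* xmlParseStringEntityRef returns NULL once instate is XML_PARSER_EOF; bail out rather than loop forever */`. The `if (c == 0) break;` just inside the loop is already implied by the `c != 0` term of the loop condition, so it could go if this area is being touched anyway. xmlStringLenDecodeEntities starts and ends outside the hunk.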
  89. --
  90. 2.24.1
  91. From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
  92. From: Nick Wellnhofer <wellnhofer@aevum.de>
  93. Date: Mon, 3 Aug 2020 17:30:41 +0200
  94. Subject: [PATCH] Fix integer overflow when comparing schema dates
  95. Found by OSS-Fuzz.
  96. ---
  97. xmlschemastypes.c | 10 ++++++++++
  98. 1 file changed, 10 insertions(+)
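diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 4249d700..d6b9f924 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
 minday = 0;
 maxday = 0;
 } else {
+ if (myear > LONG_MAX / 366)
+ return -2;
 /* FIXME: This doesn't take leap year exceptions every 100/400 years
 into account. */
 maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
 if ((x == NULL) || (y == NULL))
 return -2;
+ if ((x->value.date.year > LONG_MAX / 366) ||
+ (x->value.date.year < LONG_MIN / 366) ||
+ (y->value.date.year > LONG_MAX / 366) ||
+ (y->value.date.year < LONG_MIN / 366)) {
+ /* Possible overflow when converting to days. */
+ return -2;
+ }
+
 if (x->value.date.tz_flag) {
 if (!y->value.date.tz_flag) {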
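Review bot: In the xmlSchemaCompareDurations hunk the new guard `if (myear > LONG_MAX / 366) return -2;` bounds myear only from above, while the xmlSchemaCompareDates hunk in the same file checks both LONG_MAX / 366 and LONG_MIN / 366. If myear can be negative at this point (the hunk does not show how it is derived), `365 * myear` can still overflow in the negative direction; if it cannot, a one-line comment stating that invariant, `/* myear is non-negative here, so only the upper bound can overflow */`, would save the next reader the same question. Both guards return -2, which presumably signals "indeterminate" to callers; any caller that only looks at the sign of the result would now silently misorder such values, so the -2 path is worth checking at the call sites. Both enclosing functions start and end outside the hunks.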
  125. --
  126. 2.28.0.rc2
  127. From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
  128. From: Nick Wellnhofer <wellnhofer@aevum.de>
  129. Date: Fri, 7 Aug 2020 21:54:27 +0200
  130. Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
  131. Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
  132. array access.
  133. Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
  134. the report.
  135. Fixes #178.
  136. ---
  137. xmllint.c | 6 ++++++
  138. 1 file changed, 6 insertions(+)
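diff --git a/xmllint.c b/xmllint.c
index f6a8e463..c647486f 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -528,6 +528,12 @@ static void
 xmlHTMLEncodeSend(void) {
 char *result;
+ /*
+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
+ * an out-of-bounds read.
+ */
+ memset(&buffer[sizeof(buffer)-4], 0, 4);
 result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
 if (result) {
 xmlGenericError(xmlGenericErrorContext, "%s", result);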
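Review bot: `memset(&buffer[sizeof(buffer)-4], 0, 4);` unconditionally blanks the last four bytes, so any output that legitimately fills the buffer loses its tail, not only the truncated-sequence case the comment describes; the comment should state that this loss is accepted, e.g. append `* The last 4 bytes are always dropped, so output that fills the buffer is truncated.` to the added comment block. The line also relies on `buffer` being a fixed-size array visible in this scope (sizeof on a pointer would yield the pointer size), and that declaration is outside the hunk, so it is worth confirming. A less lossy variant would walk back from the terminating NUL and clear only the bytes of an incomplete multi-byte sequence, but that is a bigger change than this hack intends. xmlHTMLEncodeSend continues past the end of the hunk.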
  155. --
  156. 2.28.0.rc2