Hi,
On the oss-security mailing list there were reports about several CVEs concerning
libxml2.
These patches fix CVE-2017-9047, CVE-2017-9048, CVE-2017-9049 and
CVE-2017-9050.
Cheers,
Matthias
patch-CVE-2017-9047:
--- valid.c.orig Mon May 23 09:25:25 2016
+++ valid.c Wed May 31 16:13:56 2017
@@ -1270,6 +1270,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElem
}
strcat(buf, (char *) content->prefix);
strcat(buf, ":");
+ len += xmlStrlen(content->prefix);
}
if (size - len < xmlStrlen(content->name) + 10) {
strcat(buf, " ...");
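Review bot: The added `len += xmlStrlen(content->prefix);` does not count the ":" appended by the `strcat(buf, ":")` just before it, so `len` is one byte short of the real string length when the name check on the next line runs. `len += xmlStrlen(content->prefix) + 1;` would keep the counter exact. The 10-byte slack in the comparison probably absorbs the difference, but the bound should not depend on that. xmlSnprintfElementContent starts and ends outside this hunk, so how `len` is initialised cannot be confirmed from here.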
patch-CVE-2017-9048:
--- valid.c.orig Wed May 31 16:16:48 2017
+++ valid.c Wed May 31 16:17:03 2017
@@ -1320,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElem
xmlSnprintfElementContent(buf, size, content->c2, 0);
break;
}
+ if (size - strlen(buf) <= 2) return;
if (englob)
strcat(buf, ")");
switch (content->ocur) {
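Review bot: In `if (size - strlen(buf) <= 2) return;` the `int size` is converted to `size_t`, so the subtraction is unsigned. If the string in buf were ever longer than `size`, it would wrap to a huge value and let the following `strcat` calls run. Writing the test without a subtraction avoids that: `if (strlen(buf) + 2 >= (size_t) size) return;`. The early return also leaves the group without its closing ")" and occurrence marker, so a comment such as `/* output is truncated on purpose when the buffer is full */` would help. The function continues outside this hunk.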
patch-CVE-2017-9049 (also fixes CVE-2017-9050):
--- parser.c.orig Wed May 31 16:18:36 2017
+++ parser.c Wed May 31 16:20:09 2017
@@ -3312,6 +3312,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ size_t startPosition = 0;
#ifdef DEBUG
nbParseNameComplex++;
@@ -3323,6 +3324,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
GROW;
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
+ startPosition = CUR_PTR - BASE_PTR;
c = CUR_CHAR(l);
if ((ctxt->options & XML_PARSE_OLD10) == 0) {
/*
@@ -3420,9 +3422,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+
+ if (BASE_PTR + startPosition + len > ctxt->input->end)
+ return(NULL);
+
+ return(xmlDictLookup(ctxt->dict, BASE_PTR + startPosition, len));
}
/**
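Review bot: The new guard `BASE_PTR + startPosition + len > ctxt->input->end` builds the pointer before testing it, and forming a pointer more than one past the end of the buffer is itself undefined behaviour, so a compiler may assume the test never fires. Comparing offsets is safer: `if (startPosition + (size_t) len > (size_t) (ctxt->input->end - BASE_PTR)) return(NULL);`. The bail-out also returns NULL without raising a parser error, unlike the XML_ERR_NAME_TOO_LONG path just above it, so callers (outside this hunk) presumably cannot tell it from an ordinary "no name" result. startPosition is only meaningful while the buffer it was measured against is still the current one. If the loop outside this hunk can switch or shift the input, the lookup would stay in bounds but read unrelated bytes, which is worth confirming.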