Friday, June 02, 2017

Re: libxml2 - patches for several CVEs

On Thu, Jun 01, 2017 at 09:09:48AM +0200, Matthias Pitzl wrote:
> Hi,
>
> On the oss-security mailing list there were reports about several CVEs concerning
> libxml2.
> These patches fix CVE-2017-9047, CVE-2017-9048, CVE-2017-9049 and
> CVE-2017-9050.

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/textproc/libxml/Makefile,v
retrieving revision 1.168
diff -u -p -u -p -r1.168 Makefile
--- Makefile 30 Dec 2016 15:54:57 -0000 1.168
+++ Makefile 2 Jun 2017 09:26:07 -0000
@@ -4,7 +4,7 @@ COMMENT-main= XML parsing library
COMMENT-python= Python bindings for libxml

VERSION= 2.9.4
-REVISION-main= 0
+REVISION-main= 1
DISTNAME= libxml2-${VERSION}
PKGNAME-main= libxml-${VERSION}
PKGNAME-python= py-libxml-${VERSION}
Index: patches/patch-parser_c
===================================================================
RCS file: patches/patch-parser_c
diff -N patches/patch-parser_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-parser_c 2 Jun 2017 09:26:07 -0000
@@ -0,0 +1,38 @@
+$OpenBSD$
+
+Fix CVE-2017-9049 and CVE-2017-9050.
+
+Index: parser.c
+--- parser.c.orig
++++ parser.c
+@@ -3312,6 +3312,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ size_t startPosition = 0;
+
+ #ifdef DEBUG
+ nbParseNameComplex++;
+@@ -3323,6 +3324,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
++ startPosition = CUR_PTR - BASE_PTR;
+ c = CUR_CHAR(l);
+ if ((ctxt->options & XML_PARSE_OLD10) == 0) {
+ /*
+@@ -3420,9 +3422,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
++
++ if (BASE_PTR + startPosition + len > ctxt->input->end)
++ return(NULL);
++
++ return(xmlDictLookup(ctxt->dict, BASE_PTR + startPosition, len));
+ }
+
+ /**
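Review bot: The new bounds check ahead of the final xmlDictLookup() in xmlParseNameComplex returns NULL without raising any parser error, whereas the name-too-long branch directly above it calls xmlFatalErr() first. A caller cannot distinguish this case from an ordinary "no name" result, so consider reporting it (for example xmlFatalErr with XML_ERR_INTERNAL_ERROR) before `return(NULL);`. Separately, startPosition is a size_t and len an int, so `BASE_PTR + startPosition + len` relies on len being non-negative at that point. A one-line comment saying that startPosition is kept as an offset from BASE_PTR rather than as a pointer would document why the old `cur - len` arithmetic was dropped.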
Index: patches/patch-valid_c
===================================================================
RCS file: patches/patch-valid_c
diff -N patches/patch-valid_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-valid_c 2 Jun 2017 09:26:07 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Fix CVE-2017-9047 and CVE-2017-9048.
+
+Index: valid.c
+--- valid.c.orig
++++ valid.c
+@@ -1270,6 +1270,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElem
+ }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
++ len += xmlStrlen(content->prefix);
+ }
+ if (size - len < xmlStrlen(content->name) + 10) {
+ strcat(buf, " ...");
+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElem
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
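Review bot: In the second valid.c hunk, `size - strlen(buf) <= 2` mixes the int parameter size with the size_t result of strlen(), so the subtraction is carried out unsigned. If buf ever holds more than size bytes, the difference wraps to a very large value and the guard does not fire. Taking the length with xmlStrlen(), which returns int as in the `size - len < xmlStrlen(content->name) + 10` check above, keeps the comparison signed. In the first hunk, `len += xmlStrlen(content->prefix);` does not count the ":" appended on the line before it, so len ends up one byte short of what was written. The +10 margin in the following check absorbs that, but adding 1 would keep the count exact.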
