Hello community, here is the log from the commit of package libxml2 for openSUSE:12.2 checked in at 2012-08-09 17:55:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2/libxml2 (Old) and /work/SRC/openSUSE:12.2/.libxml2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.2/libxml2/libxml2.changes 2012-06-25 15:45:26.000000000 +0200 +++ /work/SRC/openSUSE:12.2/.libxml2.new/libxml2.changes 2012-08-09 17:56:02.000000000 +0200 @@ -1,0 +2,5 @@ +Thu Jun 28 09:48:22 UTC 2012 - [email protected] + +- fixed CVE-2012-2807 (bnc#769184) + +------------------------------------------------------------------- New: ---- libxml2-CVE-2012-2807.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.YgQlrV/_old 2012-08-09 17:56:02.000000000 +0200 +++ /var/tmp/diff_new_pack.YgQlrV/_new 2012-08-09 17:56:02.000000000 +0200 @@ -15,6 +15,7 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + %define lname libxml2-2 Name: libxml2 @@ -29,6 +30,7 @@ Source2: baselibs.conf Patch0: bigendian64.patch Patch1: fix-perl.diff +Patch2: libxml2-CVE-2012-2807.patch BuildRequires: pkg-config BuildRequires: readline-devel BuildRequires: xz-devel @@ -126,6 +128,7 @@ %setup -q -n %{name}-2.7.8 %patch0 -p0 %patch1 -p1 -R +%patch2 -p1 %build %configure --disable-static \ ++++++ python-libxml2.spec ++++++ --- /var/tmp/diff_new_pack.YgQlrV/_old 2012-08-09 17:56:02.000000000 +0200 +++ /var/tmp/diff_new_pack.YgQlrV/_new 2012-08-09 17:56:02.000000000 +0200 @@ -15,6 +15,7 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + Name: python-libxml2 Version: 2.7.8+git20120223 Release: 0 ++++++ libxml2-CVE-2012-2807.patch ++++++ >From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001 From: Daniel Veillard <[email protected]> Date: Tue, 17 Jul 2012 08:19:17 +0000 Subject: Fix parser local buffers size problems --- Index: libxml2-2.7.8/parser.c =================================================================== --- libxml2-2.7.8.orig/parser.c 2012-03-01 06:25:02.000000000 +0100 +++ libxml2-2.7.8/parser.c 2012-08-01 13:36:55.890102432 +0200 @@ -40,6 +40,7 @@ #endif #include <stdlib.h> +#include <limits.h> #include <string.h> #include <stdarg.h> #include <libxml/xmlmemory.h> @@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const * parser option. */ static int -xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, +xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, xmlEntityPtr ent) { - unsigned long consumed = 0; + size_t consumed = 0; if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) return (0); @@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxt /* * Macro used to grow the current buffer. + * buffer##_size is expected to be a size_t + * mem_error: is expected to handle memory allocation failures */ #define growBuffer(buffer, n) { \ xmlChar *tmp; \ - buffer##_size *= 2; \ - buffer##_size += n; \ - tmp = (xmlChar *) \ - xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ + size_t new_size = buffer##_size * 2 + n; \ + if (new_size < buffer##_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ if (tmp == NULL) goto mem_error; \ buffer = tmp; \ + buffer##_size = new_size; \ } /** @@ -2623,14 +2626,14 @@ xmlChar * xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, int what, xmlChar end, xmlChar end2, xmlChar end3) { xmlChar *buffer = NULL; - int buffer_size = 0; + size_t buffer_size = 0; + size_t nbchars = 0; xmlChar *current = NULL; xmlChar *rep = NULL; const xmlChar *last; xmlEntityPtr ent; int c,l; - int nbchars = 0; if ((ctxt == NULL) || (str == NULL) || (len < 0)) return(NULL); @@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt * allocate a translation buffer. */ buffer_size = XML_PARSER_BIG_BUFFER_SIZE; - buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); + buffer = (xmlChar *) xmlMallocAtomic(buffer_size); if (buffer == NULL) goto mem_error; /* @@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt if (val != 0) { COPY_BUF(0,buffer,nbchars,val); } - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { @@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { if (ent->content != NULL) { COPY_BUF(0,buffer,nbchars,ent->content[0]); - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else { @@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt const xmlChar *cur = ent->name; buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { + if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) @@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt } else { COPY_BUF(l,buffer,nbchars,c); str += l; - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } if (str < last) @@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr xmlChar limit = 0; xmlChar *buf = NULL; xmlChar *rep = NULL; - int len = 0; - int buf_size = 0; + size_t len = 0; + size_t buf_size = 0; int c, l, in_space = 0; xmlChar *current = NULL; xmlEntityPtr ent; @@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr * allocate a translation buffer. */ buf_size = XML_PARSER_BUFFER_SIZE; - buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); + buf = (xmlChar *) xmlMallocAtomic(buf_size); if (buf == NULL) goto mem_error; /* @@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr if (val == '&') { if (ctxt->replaceEntities) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr * The reparsing will be done in xmlStringGetNodeList() * called by the attribute() function in SAX.c */ - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr buf[len++] = ';'; } } else if (val != 0) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } len += xmlCopyChar(0, &buf[len], val); @@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt->nbentities += ent->owner; if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if ((ctxt->replaceEntities == 0) && @@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr current++; } else buf[len++] = *current++; - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr rep = NULL; } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if (ent->content != NULL) @@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr * Just output the reference */ buf[len++] = '&'; - while (len > buf_size - i - 10) { + while (len + i + 10 > buf_size) { growBuffer(buf, i + 10); } for (;i > 0;i--) @@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr if ((len != 0) || (!normalize)) { if ((!normalize) || (!in_space)) { COPY_BUF(l,buf,len,0x20); - while (len > buf_size - 10) { + while (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr } else { in_space = 0; COPY_BUF(l,buf,len,c); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr } } else NEXT; - if (attlen != NULL) *attlen = len; + + /* + * There we potentially risk an overflow, don't allow attribute value of + * lenght more than INT_MAX it is a very reasonnable assumption ! + */ + if (len >= INT_MAX) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue lenght too long\n"); + goto mem_error; + } + + if (attlen != NULL) *attlen = (int) len; return(buf); mem_error: Index: libxml2-2.7.8/entities.c =================================================================== --- libxml2-2.7.8.orig/entities.c 2012-03-01 06:25:02.000000000 +0100 +++ libxml2-2.7.8/entities.c 2012-08-01 13:36:02.213499245 +0200 @@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xml * Macro used to grow the current buffer. */ #define growBufferReentrant() { \ - buffer_size *= 2; \ - buffer = (xmlChar *) \ - xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ - if (buffer == NULL) { \ - xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ - return(NULL); \ - } \ + xmlChar *tmp; \ + size_t new_size = buffer_size *= 2; \ + if (new_size < buffer_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ + buffer_size = new_size; \ } @@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; int html = 0; if (input == NULL) return(NULL); @@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 100) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 100 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); + xmlFree(buffer); + return(NULL); } /** @@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; if (input == NULL) return(NULL); /* @@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 10) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 10 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); + xmlFree(buffer); + return(NULL); } /** -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
