Hi Mike, attached is the ported version of the patch. Not much to port apart from raising an error because xmlErrEncodingInt does not exist in libxml1.
Attached is the patch that I will upload now. It will be also available on: http://people.debian.org/~nion/nmu-diff/libxml-1.8.17-14_1.8.17-14.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u libxml-1.8.17/debian/changelog libxml-1.8.17/debian/changelog
--- libxml-1.8.17/debian/changelog
+++ libxml-1.8.17/debian/changelog
@@ -1,3 +1,13 @@
+libxml (1:1.8.17-14.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following security issue:
+ - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
+ attackers to cause a denial of service (infinite loop) via XML
+ containing invalid UTF-8 sequences (Closes: #460666).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 14 Jan 2008 13:34:19 +0100
+
libxml (1:1.8.17-14) unstable; urgency=low
* debian/control: Bumped Standards-Version to 3.7.2.1. No changes needed.
only in patch2:
unchanged:
--- libxml-1.8.17.orig/parser.c
+++ libxml-1.8.17/parser.c
@@ -881,6 +881,8 @@
c = *cur;
if (c & 0x80) {
+ if (((c & 0x40) == 0) || (c == 0xC0))
+ goto encoding_error;
if (cur[1] == 0)
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
if ((cur[1] & 0xc0) != 0x80)
@@ -903,18 +905,25 @@
val |= (cur[1] & 0x3f) << 12;
val |= (cur[2] & 0x3f) << 6;
val |= cur[3] & 0x3f;
+ if (val < 0x10000)
+ goto encoding_error;
} else {
/* 3-byte code */
*len = 3;
val = (cur[0] & 0xf) << 12;
val |= (cur[1] & 0x3f) << 6;
val |= cur[2] & 0x3f;
+ if (val < 0x800)
+ goto encoding_error;
+
}
} else {
/* 2-byte code */
*len = 2;
val = (cur[0] & 0x1f) << 6;
val |= cur[1] & 0x3f;
+ if (val < 0x80)
+ goto encoding_error;
}
if (!IS_CHAR(val)) {
if ((ctxt->sax != NULL) &&
@@ -927,6 +936,13 @@
} else {
/* 1-byte code */
*len = 1;
+ if (*ctxt->input->cur == 0)
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ if ((*ctxt->input->cur == 0) &&
+ (ctxt->input->end > ctxt->input->cur)) {
+ ctxt->sax->error(ctxt->userData, "Char 0x%X out of allowed range\n", val);
+ goto encoding_error;
+ }
if (*ctxt->input->cur == 0xD) {
if (ctxt->input->cur[1] == 0xA) {
ctxt->nbChars++;
pgpJJ0WhKG9P4.pgp
Description: PGP signature

