Hi there!

We had a bug report that the earlier fix to CVE-2016-0718 (known as
CVE-2016-0718-v2-1-1-1.patch) introduced a regression bug where tag
names may be served truncated to the application using Expat [1], unlike
before.

I'm not including security teams (except Python) with this mail because
the regression fix itself does not have known security implications.
/However/, as fixing CVE-2016-0718 reduced stability with regard to that
regression, I would personally consider this patch something to push to
security update channels, e.g. Debian jessie security updates.

I am sorry about the inconvenience.

The regression fix is attached and applies to both

 * Expat 2.1.1 + CVE-2016-0718-v2-1-1-1.patch

 * Expat 2.2.0

I'm confident enough about the patch that I have applied the patch in
Gentoo [2].

Best

Sebastian


[1] https://sourceforge.net/p/expat/bugs/539/
[2] https://github.com/gentoo/gentoo/commit/16a87b549461e49ac8b7915d892d4d8ca187c1b1
From 3e6190e433479e56f8c1e5adc1198b3c86b15577 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebast...@pipping.org>
Date: Sun, 17 Jul 2016 20:22:29 +0200
Subject: [PATCH] Fix regression introduced by patch to CVE-2016-0718 (bug #539)

Tag names were cut off in some cases; reported by Andy Wang
---
 expat/lib/xmlparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index 13e080d..2630310 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -2430,7 +2430,7 @@ doContent(XML_Parser parser,
                        &fromPtr, rawNameEnd,
                        (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
             convLen = (int)(toPtr - (XML_Char *)tag->buf);
-            if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
+            if ((fromPtr >= rawNameEnd) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
               tag->name.strLen = convLen;
               break;
             }
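Review bot: the new condition `(fromPtr >= rawNameEnd)` replaces the `convert_res == XML_CONVERT_COMPLETED` check without an inline comment explaining why the input pointer, not the converter's status code, is the authoritative signal that the whole raw tag name has been consumed; a one-line comment above the `if` would stop a later reader from reinstating the status check that produced the truncated names reported in bug #539. Since the commit message says names were "cut off in some cases", a regression test in the test suite exercising the reported case would also pin the fix down. The `XML_CONVERT_INPUT_INCOMPLETE` branch is kept unchanged, which looks right.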
-- 
2.9.2

------------------------------------------------------------------------------
_______________________________________________
fink-core mailing list
fink-core@lists.sourceforge.net
List archive:
http://news.gmane.org/gmane.os.apple.fink.core
Subscription management:
https://lists.sourceforge.net/lists/listinfo/fink-core
