OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 31-Oct-2004 10:11:07 Branch: OPENPKG_2_2_SOLID Handle: 2004103109110600 Modified files: (Branch: OPENPKG_2_2_SOLID) openpkg-src/libxml libxml.patch libxml.spec Log: Fix Security Bugs (OpenPKG-SA-2004.050-libxml, CAN-2004-0989) Summary: Revision Changes Path 1.6.6.1 +144 -0 openpkg-src/libxml/libxml.patch 1.86.2.2 +1 -1 openpkg-src/libxml/libxml.spec ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/libxml/libxml.patch
============================================================================
$ cvs diff -u -r1.6 -r1.6.6.1 libxml.patch
--- openpkg-src/libxml/libxml.patch 10 Dec 2003 20:45:51 -0000 1.6
+++ openpkg-src/libxml/libxml.patch 31 Oct 2004 09:11:06 -0000 1.6.6.1
@@ -46,3 +46,147 @@ char buf6[INET6_ADDRSTRLEN]; inet_ntop (AF_INET6, &((struct sockaddr_in6 *)&dataAddr)->sin6_addr, buf6, INET6_ADDRSTRLEN);
+
+-----------------------------------------------------------------------------
+
+Fix Security Bugs (OpenPKG-SA-2004.050-libxml, CAN-2004-0989)
+
+Multiple buffer overflows may allow remote attackers to execute
+arbitrary code via (1) a long FTP URL that is not properly handled by
+the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP
+data that is not properly handled by the xmlNanoFTPScanProxy function,
+and other overflows related to manipulation of DNS length values,
+including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5)
+xmlNanoHTTPConnectHost.
+
+Index: nanoftp.c
+--- nanoftp.c.orig 2004-08-16 01:01:26 +0200
++++ nanoftp.c 2004-10-31 09:44:59 +0100
+@@ -355,8 +355,13 @@
+
+ if (cur[0] == '[') {
+ cur++;
+- while (cur[0] != ']')
++ while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
+ buf[indx++] = *cur++;
++ if (indx >= XML_NANO_MAX_URLBUF-1) {
++ xmlGenericError(xmlGenericErrorContext,
++ "\nxmlNanoFTPScanURL: %s", "Syntax Error\n");
++ return;
++ }
+
+ if (!strchr (buf, ':')) {
+ xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanURL: %s",
+@@ -604,8 +609,14 @@
+
+ if (cur[0] == '[') {
+ cur++;
+- while (cur[0] != ']')
++ while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
+ buf[indx++] = *cur++;
++ if (indx >= XML_NANO_MAX_URLBUF-1) {
++ xmlGenericError (xmlGenericErrorContext,
++ "\nxmlNanoFTPScanProxy: %s", "Syntax error\n");
++ return;
++ }
++
+ if (!strchr (buf, ':')) {
+ xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanProxy: %s",
+ "Use [IPv6]/IPv4 format\n");
+@@ -1095,22 +1106,25 @@
+ if (!tmp) {
+ if (result)
+ freeaddrinfo (result);
++ __xmlIOErr(XML_FROM_FTP, 0, "getaddrinfo failed");
+ return (-1);
+ }
++ if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) {
++ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
++ return (-1);
++ }
++ if (tmp->ai_family == AF_INET6) {
++ memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
++ ((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port);
++ ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0);
++ }
+ else {
+- if (tmp->ai_family == AF_INET6) {
+- memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
+- ((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port);
+- ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0);
+- }
+- else {
+- memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
+- ((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port);
+- ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0);
+- }
+- addrlen = tmp->ai_addrlen;
+- freeaddrinfo (result);
++ memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
++ ((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port);
++ ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0);
+ }
++ addrlen = tmp->ai_addrlen;
++ freeaddrinfo (result);
+ }
+ else
+ #endif
+@@ -1123,6 +1137,11 @@
+ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname failed");
+ return (-1);
+ }
++ if ((unsigned int) hp->h_length >
++ sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
++ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
++ return (-1);
++ }
+
+ /*
+ * Prepare the socket
+Index: nanohttp.c
+--- nanohttp.c.orig 2004-09-20 22:01:04 +0200
++++ nanohttp.c 2004-10-31 09:44:59 +0100
+@@ -1072,11 +1072,21 @@
+ for (res = result; res; res = res->ai_next) {
+ if (res->ai_family == AF_INET || res->ai_family == AF_INET6) {
+ if (res->ai_family == AF_INET6) {
++ if (res->ai_addrlen > sizeof(sockin6)) {
++ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
++ freeaddrinfo (result);
++ return (-1);
++ }
+ memcpy (&sockin6, res->ai_addr, res->ai_addrlen);
+ sockin6.sin6_port = htons (port);
+ addr = (struct sockaddr *)&sockin6;
+ }
+ else {
++ if (res->ai_addrlen > sizeof(sockin)) {
++ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
++ freeaddrinfo (result);
++ return (-1);
++ }
+ memcpy (&sockin, res->ai_addr, res->ai_addrlen);
+ sockin.sin_port = htons (port);
+ addr = (struct sockaddr *)&sockin;
+@@ -1141,6 +1151,10 @@
+ for (i = 0; h->h_addr_list[i]; i++) {
+ if (h->h_addrtype == AF_INET) {
+ /* A records (IPv4) */
++ if ((unsigned int) h->h_length > sizeof(ia)) {
++ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
++ return (-1);
++ }
+ memcpy (&ia, h->h_addr_list[i], h->h_length);
+ sockin.sin_family = h->h_addrtype;
+ sockin.sin_addr = ia;
+@@ -1149,6 +1163,10 @@
+ #ifdef SUPPORT_IP6
+ } else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) {
+ /* AAAA records (IPv6) */
++ if ((unsigned int) h->h_length > sizeof(ia6)) {
++ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
++ return (-1);
++ }
+ memcpy (&ia6, h->h_addr_list[i], h->h_length);
+ sockin6.sin6_family = h->h_addrtype;
+ sockin6.sin6_addr = ia6;
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/libxml/libxml.spec
============================================================================
$ cvs diff -u -r1.86.2.1 -r1.86.2.2 libxml.spec
--- openpkg-src/libxml/libxml.spec 11 Oct 2004 18:56:43 -0000 1.86.2.1
+++ openpkg-src/libxml/libxml.spec 31 Oct 2004 09:11:06 -0000 1.86.2.2
@@ -34,7 +34,7 @@
 Group: SGML
 License: LGPL
 Version: 2.6.14
-Release: 2.2.0
+Release: 2.2.1
 # list of sources
 Source0: ftp://xmlsoft.org/libxml2-%{version}.tar.gz
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
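Review bot: The new `tmp->ai_addrlen > sizeof(ctxt->ftpAddr)` guard in the nanoftp.c hunk at -1095 returns without releasing `result`, so every rejected address leaks the getaddrinfo() list; the two equivalent guards added to nanohttp.c call `freeaddrinfo (result);` before returning, and this one should do the same ahead of its `return (-1);`. Its message also reads "gethostbyname address mismatch" although this branch is the getaddrinfo path, which will mislead anyone triaging the error. Separately, the bounded bracket loops in the -355 and -604 hunks still stop only on `]` or at the buffer limit, so a URL with an unclosed `[` appears to be read past its terminating NUL until the limit is reached; adding `(cur[0] != 0) &&` to both conditions would stop at end of input. The enclosing functions start and end outside these hunks, so whether `buf` is NUL-terminated before the `strchr (buf, ':')` call cannot be confirmed from here and is worth checking.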