Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2017-06-02 10:29:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2"
Fri Jun 2 10:29:22 2017 rev:85 rq:497430 version:2.9.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2017-03-10 21:44:25.306481823 +0100
+++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes 2017-06-02 10:29:23.385329513 +0200
@@ -1,0 +2,11 @@
+Mon May 22 15:42:43 UTC 2017 - [email protected]
+
+- Security fixes:
+ * libxml2-CVE-2017-9049.patch [bsc#1039066]
+ * heap-based buffer overflow (xmlDictComputeFastKey func)
+ * libxml2-CVE-2017-9048.patch [bsc#1039063]
+ * stack overflow vulnerability (xmlSnprintfElementContent func)
+ * libxml2-CVE-2017-9047.patch [bsc#1039064]
+ * stack overflow vulnerability (xmlSnprintfElementContent func)
+
+-------------------------------------------------------------------
New:
----
libxml2-CVE-2017-9047.patch
libxml2-CVE-2017-9048.patch
libxml2-CVE-2017-9049.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.29r4Ny/_old 2017-06-02 10:29:24.101228357 +0200
+++ /var/tmp/diff_new_pack.29r4Ny/_new 2017-06-02 10:29:24.105227792 +0200
@@ -33,6 +33,13 @@
 Patch1: libxml2-2.9.4-fix_attribute_decoding.patch
 # PATCH-FIX-UPSTREAM bsc#1005544 [email protected] -- Disallow namespace nodes in XPointer ranges
 Patch2: libxml2-CVE-2016-4658.patch
+# PATCH-FIX-UPSTREAM bsc#1039063 -- [email protected] -- stack overflow vulnerability
+Patch3: libxml2-CVE-2017-9047.patch
+# PATCH-FIX-UPSTREAM bsc#1039064 -- [email protected] -- stack overflow vulnerability
+Patch4: libxml2-CVE-2017-9048.patch
+# PATCH-FIX-UPSTREAM bsc#1039066 -- [email protected] -- heap-based buffer overflow
+Patch5: libxml2-CVE-2017-9049.patch
+
 BuildRequires: fdupes
 BuildRequires: pkg-config
 BuildRequires: readline-devel
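Review bot: The bug references on the new Patch3 and Patch4 comments do not match the changes entry in the same commit: the spec tags libxml2-CVE-2017-9047.patch with bsc#1039063 and libxml2-CVE-2017-9048.patch with bsc#1039064, while libxml2.changes maps CVE-2017-9048 to bsc#1039063 and CVE-2017-9047 to bsc#1039064, so one of the two is wrong and the audit trail for these security fixes should be reconciled before this ships. The PATCH-FIX-UPSTREAM tags also name no upstream commit, and the CVE-2017-9049 patch below carries no Index or commit header at all, so the claim that these are upstream fixes cannot be verified from the package itself. A reviewer would want each comment to carry the CVE and the upstream commit it was taken from, for example `# PATCH-FIX-UPSTREAM bsc#1039064 CVE-2017-9047 upstream commit <UPSTREAM_COMMIT_ID> -- [email protected] -- stack overflow in xmlSnprintfElementContent`, with the placeholder replaced by the real id. The same applies to the %patch3..%patch5 hunk further down, which only applies what is declared here.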
@@ -130,6 +137,9 @@
 %patch0
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 %configure --disable-static \
++++++ libxml2-CVE-2017-9047.patch ++++++
Index: libxml2-2.9.4/valid.c
===================================================================
--- libxml2-2.9.4.orig/valid.c
+++ libxml2-2.9.4/valid.c
@@ -1270,6 +1270,7 @@ xmlSnprintfElementContent(char *buf, int
 }
 strcat(buf, (char *) content->prefix);
 strcat(buf, ":");
+ len += xmlStrlen(content->prefix);
 }
 if (size - len < xmlStrlen(content->name) + 10) {
 strcat(buf, " ...");
++++++ libxml2-CVE-2017-9048.patch ++++++
Index: libxml2-2.9.4/valid.c
===================================================================
--- libxml2-2.9.4.orig/valid.c
+++ libxml2-2.9.4/valid.c
@@ -1320,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int
 xmlSnprintfElementContent(buf, size, content->c2, 0);
 break;
 }
+ if (size - strlen(buf) <= 2) return;
 if (englob)
 strcat(buf, ")");
 switch (content->ocur) {
++++++ libxml2-CVE-2017-9049.patch ++++++
--- a/parser.c
+++ a/parser.c
@@ -3312,6 +3312,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 int len = 0, l;
 int c;
 int count = 0;
+ size_t startPosition = 0;
 
 #ifdef DEBUG
 nbParseNameComplex++;
@@ -3323,6 +3324,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 GROW;
 if (ctxt->instate == XML_PARSER_EOF)
 return(NULL);
+ startPosition = CUR_PTR - BASE_PTR;
 c = CUR_CHAR(l);
 if ((ctxt->options & XML_PARSE_OLD10) == 0) {
 /*
@@ -3420,9 +3422,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
 return(NULL);
 }
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+
+ if (BASE_PTR + startPosition + len > ctxt->input->end)
+ return(NULL);
+
+ return(xmlDictLookup(ctxt->dict, BASE_PTR + startPosition, len));
 }
 
 /**
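Review bot: In the CVE-2017-9047 hunk, the new `len += xmlStrlen(content->prefix);` accounts for the prefix but not for the `":"` that `strcat(buf, ":")` appended on the line just above it, so `len` ends up one byte short of what is actually in `buf` for every prefixed name. The following `size - len < xmlStrlen(content->name) + 10` check has enough slack that this is not a problem on its own, but a size-accounting fix for a stack overflow should make the counter match the bytes written exactly: `len += xmlStrlen(content->prefix) + 1;`. A short comment such as `/* prefix plus the ':' separator */` would make the +1 self-explanatory. xmlSnprintfElementContent begins and ends outside this hunk, so whether `len` is kept in sync elsewhere in the function cannot be confirmed from here.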
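Review bot: In the CVE-2017-9048 hunk, `if (size - strlen(buf) <= 2) return;` mixes the `int` parameter `size` (visible in the hunk header) with the `size_t` result of `strlen`, so the subtraction is done unsigned; if `buf` is ever already longer than `size`, the difference wraps to a huge value and the guard does not fire, which is the one situation a bounds check must handle. Writing the comparison without the subtraction avoids the wrap: `if (strlen(buf) + 2 >= (size_t) size) return;`. Two style points worth noting: this guard silently truncates the output without the `" ..."` marker that the other truncation paths in this function append, and it recomputes `strlen(buf)` while the CVE-2017-9047 hunk in the same function maintains `len` by hand, so the two patches leave the function with two different notions of how full `buf` is. The enclosing function starts and ends outside the hunk.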
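Review bot: The second CVE-2017-9049 hunk records `startPosition = CUR_PTR - BASE_PTR;` right after `GROW` without saying why an offset is kept instead of a pointer, which is the whole idea of the fix and is easy to undo in a later cleanup. Presumably the input buffer can be reallocated while the name is scanned (the scanning loop is outside this hunk), so a pointer taken here would dangle while an offset from `BASE_PTR` stays valid; a one-line comment should say so: `/* offset, not pointer: the input buffer may be reallocated while the name is scanned */`. The `ptrdiff_t` to `size_t` conversion is fine as long as `CUR_PTR` is never behind `BASE_PTR`, which the surrounding code is assumed to guarantee.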
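Review bot: In the last CVE-2017-9049 hunk, `if (BASE_PTR + startPosition + len > ctxt->input->end)` first forms a pointer that, in exactly the case the check is meant to catch, lies past the end of the buffer, and pointer arithmetic beyond one-past-the-end is undefined in C, so an optimizer is allowed to assume it cannot happen and simplify the comparison away; comparing offsets keeps the check in defined territory: `if (startPosition + (size_t) len > (size_t) (ctxt->input->end - BASE_PTR))`. The new early `return(NULL);` also reports nothing, unlike the `XML_ERR_NAME_TOO_LONG` path directly above it, so a parse that hits this condition fails without a diagnostic; a `xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "xmlParseNameComplex: name outside input buffer");` before the return would make the failure visible in logs. The dropped `\r\n` adjustment appears to be subsumed by recording the start offset, since the name's start no longer depends on where `cur` ends up, and a short comment saying so would stop a future reader from re-adding it. The function body continues above the hunk.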
