Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked 
in at 2017-06-20 11:00:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libxml2"

Tue Jun 20 11:00:00 2017 rev:86 rq:504140 version:2.9.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes  2017-06-02 
10:29:23.385329513 +0200
+++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes     2017-06-20 
11:00:55.163117626 +0200
@@ -1,0 +2,14 @@
+Thu Jun 15 13:12:25 UTC 2017 - pmonrealgonza...@suse.com
+
+- Security fix:
+  * libxml2-CVE-2017-0663.patch [bsc#1044337, CVE-2017-0663]
+    * Fix Heap buffer overflow in xmlAddID
+
+-------------------------------------------------------------------
+Wed Jun 14 14:15:38 UTC 2017 - pmonrealgonza...@suse.com
+
+- Security fix:
+  * libxml2-CVE-2017-5969.patch [bsc#1024989, CVE-2017-5969]
+    * Fix NULL pointer deref in xmlDumpElementContent
+
+-------------------------------------------------------------------

New:
----
  libxml2-CVE-2017-0663.patch
  libxml2-CVE-2017-5969.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.2YQhpV/_old  2017-06-20 11:00:56.722897764 +0200
+++ /var/tmp/diff_new_pack.2YQhpV/_new  2017-06-20 11:00:56.722897764 +0200
@@ -39,6 +39,10 @@
 Patch4:         libxml2-CVE-2017-9048.patch
 # PATCH-FIX-UPSTREAM bsc#1039066 -- pmonrealgonza...@suse.com -- heap-based 
buffer overflow
 Patch5:         libxml2-CVE-2017-9049.patch
+# PATCH-FIX-UPSTREAM bnc#1024989 pmonrealgonza...@suse.com -- CVE-2017-5969 
NULL pointer derefence parsing xml file
+Patch6:         libxml2-CVE-2017-5969.patch
+# PATCH-FIX-UPSTREAM bnc#1044337 pmonrealgonza...@suse.com -- CVE-2017-0663: 
libxml2: Heap buffer overflow in xmlAddID
+Patch7:         libxml2-CVE-2017-0663.patch
 
 BuildRequires:  fdupes
 BuildRequires:  pkg-config
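Review bot: The two added `PATCH-FIX-UPSTREAM` comments do not follow the form of the existing entry directly above them. They use `bnc#` where that entry and the .changes file use `bsc#`, they drop the `--` between bug id and author, and the first misspells "dereference". These tags are what gets searched when auditing which CVE fixes a build carries, so they should be uniform. I would write `# PATCH-FIX-UPSTREAM bsc#1024989 -- <author> -- CVE-2017-5969 NULL pointer dereference in xmlDumpElementContent` and `# PATCH-FIX-UPSTREAM bsc#1044337 -- <author> -- CVE-2017-0663 heap buffer overflow in xmlAddID`.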
@@ -140,6 +144,8 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 %build
 %configure --disable-static \


++++++ libxml2-CVE-2017-0663.patch ++++++
>From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnho...@aevum.de>
Date: Tue, 6 Jun 2017 12:56:28 +0200
Subject: Fix type confusion in xmlValidateOneNamespace

Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
namespace declarations make no practical sense anyway.

Fixes bug 780228.

Found with libFuzzer and ASan.
---
 valid.c | 7 +++++++
 1 file changed, 7 insertions(+)

Index: libxml2-2.9.4/valid.c
===================================================================
--- libxml2-2.9.4.orig/valid.c
+++ libxml2-2.9.4/valid.c
@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix,
        }
     }
 
+    /*
+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
+     * no practical sense to use ID types anyway.
+     */
+#if 0
     /* Validity Constraint: ID uniqueness */
     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
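Review bot: The `#if 0` leaves both `(xmlAttrPtr) ns` casts in the source, and the new comment does not warn a later maintainer that removing the guard brings the type confusion back. I would either delete the disabled block or add a line to the comment such as `* Do not re-enable as-is: xmlAddID/xmlAddRef expect a real xmlAttr (bug 780228).` The guard also drops the ID and IDREF validity checks for namespace declarations without any diagnostic, so a DTD declaring such an attribute now validates silently. That matches the stated intent, but the package should carry a regression input for it, run under ASan as the commit message describes. The matching `#endif` is in the following hunk, and xmlValidateOneNamespace starts and ends outside both hunks.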
@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix,
         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
            ret = 0;
     }
+#endif
 
     /* Validity Constraint: Notation Attributes */
     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
++++++ libxml2-CVE-2017-5969.patch ++++++
>From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veill...@redhat.com>
Date: Wed, 7 Jun 2017 16:47:36 +0200
Subject: Fix NULL pointer deref in xmlDumpElementContent

Can only be triggered in recovery mode.

Fixes bug 758422 (CVE-2017-5969).
---
 valid.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/valid.c b/valid.c
index 9b2df56..8075d3a 100644
--- a/valid.c
+++ b/valid.c
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, 
xmlElementContentPtr content, int glob)
            xmlBufferWriteCHAR(buf, content->name);
            break;
        case XML_ELEMENT_CONTENT_SEQ:
-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
                xmlDumpElementContent(buf, content->c1, 1);
            else
                xmlDumpElementContent(buf, content->c1, 0);
             xmlBufferWriteChar(buf, " , ");
-           if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
                xmlDumpElementContent(buf, content->c2, 1);
            else
                xmlDumpElementContent(buf, content->c2, 0);
            break;
        case XML_ELEMENT_CONTENT_OR:
-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
                xmlDumpElementContent(buf, content->c1, 1);
            else
                xmlDumpElementContent(buf, content->c1, 0);
             xmlBufferWriteChar(buf, " | ");
-           if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-               ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
                xmlDumpElementContent(buf, content->c2, 1);
            else
                xmlDumpElementContent(buf, content->c2, 0);
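Review bot: When `content->c1` or `content->c2` is NULL, each of the four rewritten conditions falls through to the `else` branch, which still calls `xmlDumpElementContent(buf, content->c1, 0)` (or `c2`) with the NULL pointer. The fix is therefore only complete if the function returns early on `content == NULL`. That entry check lies above this hunk and should be confirmed in the 2.9.4 tree the patch is applied to. The `" , "` or `" | "` separator is still written in that case, so the dumped content model is incomplete in recovery mode. A comment at the first check, for example `/* c1/c2 may be NULL in recovery mode; the recursive call must tolerate NULL */`, would document that reliance.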
-- 
cgit v0.12

