Author: ken Date: Fri Nov 20 17:20:09 2020 New Revision: 4227 Log: Fixes for libxml2 and libexif.
Added: trunk/libexif/libexif-0.6.22-upstream_fixes-1.patch trunk/libxml2/libxml2-2.9.10-upstream_fixes.patch Added: trunk/libexif/libexif-0.6.22-upstream_fixes-1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ trunk/libexif/libexif-0.6.22-upstream_fixes-1.patch Fri Nov 20 17:20:09 2020 (r4227) @@ -0,0 +1,100 @@ +Submitted By: Ken Moffat <ken at linuxfromscratch dot org> +Date: 2020-11-21 +Initial Package Version: 0.6.22 +Upstream Status: Applied +Origin: Found at fedora +Description: Fixes CVE-2020-0181, -0198, -0452. The first two are merely +DOS, the last is an oob write on integer oveflow which could possibly +be exploited for remote code execution or disclosure of sensitive +information. + +From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001 +From: Marcus Meissner <[email protected]> +Date: Mon, 8 Jun 2020 17:27:06 +0200 +Subject: [PATCH] fixed another unsigned integer overflow + +first fixed by google in android fork, +https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 + +(use a more generic overflow check method, also check second overflow instance.) + +https://security-tracker.debian.org/tracker/CVE-2020-0198 +--- + libexif/exif-data.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index 8b280d3..b495726 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -47,6 +47,8 @@ + #undef JPEG_MARKER_APP1 + #define JPEG_MARKER_APP1 0xe1 + ++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) ++ + static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00}; + + struct _ExifDataPrivate +@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o); + return; + } +- if (s > ds - o) { ++ if (CHECKOVERFLOW(o,ds,s)) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o); + return; + } +@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + } + + /* Read the number of entries */ +- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) { ++ if (CHECKOVERFLOW(offset, ds, 2)) { + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Tag data past end of buffer (%u > %u)", offset+2, ds); ++ "Tag data past end of buffer (%u+2 > %u)", offset, ds); + return; + } + n = exif_get_short (d + offset, data->priv->order); +@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + offset += 2; + + /* Check if we have enough data. */ +- if (offset + 12 * n > ds) { ++ if (CHECKOVERFLOW(offset, ds, 12*n)) { + n = (ds - offset) / 12; + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "Short data; only loading %hu entries...", n); +From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner <[email protected]> +Date: Thu, 5 Nov 2020 09:50:08 +0100 +Subject: [PATCH] fixed a incorrect overflow check that could be optimized + away. + +inspired by: +https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b + +https://source.android.com/security/bulletin/2020-11-01 + +CVE-2020-0452 +--- + NEWS | 3 ++- + libexif/exif-entry.c | 4 ++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c +index 3fc0ff9..4b866ce 100644 +--- a/libexif/exif-entry.c ++++ b/libexif/exif-entry.c +@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen) + { + unsigned char *utf16; + +- /* Sanity check the size to prevent overflow */ +- if (e->size+sizeof(uint16_t)+1 < e->size) break; ++ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */ ++ if (e->size >= 65536 - sizeof(uint16_t)*2) break; + + /* The tag may not be U+0000-terminated , so make a local + U+0000-terminated copy before converting it */ Added: trunk/libxml2/libxml2-2.9.10-upstream_fixes.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ trunk/libxml2/libxml2-2.9.10-upstream_fixes.patch Fri Nov 20 17:20:09 2020 (r4227) @@ -0,0 +1,183 @@ +Submitted By: Ken Moffat <ken at linuxfromscratch dot org> +Date: 2020-11-21 +Initial Package Version: 2.9.10 +Upstream Status: Applied +Origin: Found at fedora. +Description: Various fixes, including CVE-2019-20388, CVE-2020-7595, +CVE-2020-24977. I think that worst case these are DOS vulnerabilities. + +From 0815302dee2b78139832c2080348086a0564836b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <[email protected]> +Date: Fri, 6 Dec 2019 12:27:29 +0100 +Subject: [PATCH] Fix freeing of nested documents + +Apparently, some libxslt RVTs can contain nested document nodes, see +issue #132. I'm not sure how this happens exactly but it can cause a +segfault in xmlFreeNodeList after the changes in commit 0762c9b6. + +Make sure not to touch the (nonexistent) `content` member of xmlDocs. +--- + tree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tree.c b/tree.c +index 070670f1..0d7fc98c 100644 +--- a/tree.c ++++ b/tree.c +@@ -3708,6 +3708,11 @@ xmlFreeNodeList(xmlNodePtr cur) { + (cur->type != XML_XINCLUDE_START) && + (cur->type != XML_XINCLUDE_END) && + (cur->type != XML_ENTITY_REF_NODE) && ++ (cur->type != XML_DOCUMENT_NODE) && ++#ifdef LIBXML_DOCB_ENABLED ++ (cur->type != XML_DOCB_DOCUMENT_NODE) && ++#endif ++ (cur->type != XML_HTML_DOCUMENT_NODE) && + (cur->content != (xmlChar *) &(cur->properties))) { + DICT_FREE(cur->content) + } +-- +2.22.0 + +From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie <[email protected]> +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <[email protected]> +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c8449..39d92182 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.24.1 + +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie <[email protected]> +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <[email protected]> +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.24.1 + +From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <[email protected]> +Date: Mon, 3 Aug 2020 17:30:41 +0200 +Subject: [PATCH] Fix integer overflow when comparing schema dates + +Found by OSS-Fuzz. +--- + xmlschemastypes.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 4249d700..d6b9f924 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) + minday = 0; + maxday = 0; + } else { ++ if (myear > LONG_MAX / 366) ++ return -2; + /* FIXME: This doesn't take leap year exceptions every 100/400 years + into account. */ + maxday = 365 * myear + (myear + 3) / 4; +@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + if ((x == NULL) || (y == NULL)) + return -2; + ++ if ((x->value.date.year > LONG_MAX / 366) || ++ (x->value.date.year < LONG_MIN / 366) || ++ (y->value.date.year > LONG_MAX / 366) || ++ (y->value.date.year < LONG_MIN / 366)) { ++ /* Possible overflow when converting to days. */ ++ return -2; ++ } ++ + if (x->value.date.tz_flag) { + + if (!y->value.date.tz_flag) { +-- +2.28.0.rc2 + +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <[email protected]> +Date: Fri, 7 Aug 2020 21:54:27 +0200 +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' + +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds +array access. + +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for +the report. + +Fixes #178. +--- + xmllint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmllint.c b/xmllint.c +index f6a8e463..c647486f 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -528,6 +528,12 @@ static void + xmlHTMLEncodeSend(void) { + char *result; + ++ /* ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid ++ * an out-of-bounds read. ++ */ ++ memset(&buffer[sizeof(buffer)-4], 0, 4); + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); + if (result) { + xmlGenericError(xmlGenericErrorContext, "%s", result); +-- +2.28.0.rc2 + -- http://lists.linuxfromscratch.org/listinfo/patches FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
