From 7568f1dd3cc88c017c13ff98ac69ed3561d0255e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Mon, 17 Jul 2017 13:23:33 +0200
Subject: Fix CVE-2017-10672

---
 XML-LibXML-2.0129-CVE-2017-10672.patch | 77 ++++++++++++++++++++++++++++++++++
 perl-XML-LibXML.spec                   |  8 +++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 XML-LibXML-2.0129-CVE-2017-10672.patch

diff --git a/XML-LibXML-2.0129-CVE-2017-10672.patch 
b/XML-LibXML-2.0129-CVE-2017-10672.patch
new file mode 100644
index 0000000..dd7c702
--- /dev/null
+++ b/XML-LibXML-2.0129-CVE-2017-10672.patch
@@ -0,0 +1,77 @@
+diff -urN XML-LibXML-2.0129.orig/LibXML.xs XML-LibXML-2.0129/LibXML.xs
+--- XML-LibXML-2.0129.orig/LibXML.xs   2016-06-24 18:01:53.000000000 +0200
++++ XML-LibXML-2.0129/LibXML.xs        2017-07-13 12:41:48.000000000 +0200
+@@ -4829,38 +4829,42 @@
+     PREINIT:
+         xmlNodePtr ret = NULL;
+     CODE:
+-       if ( self->type == XML_DOCUMENT_NODE ) {
+-                switch ( nNode->type ) {
+-                case XML_ELEMENT_NODE:
+-                    warn("replaceChild with an element on a document node not 
supported yet!");
+-                    XSRETURN_UNDEF;
+-                    break;
+-                case XML_DOCUMENT_FRAG_NODE:
+-                    warn("replaceChild with a document fragment node on a 
document node not supported yet!");
+-                    XSRETURN_UNDEF;
+-                    break;
+-                case XML_TEXT_NODE:
+-                case XML_CDATA_SECTION_NODE:
+-                    warn("replaceChild with a text node not supported on a 
document node!");
+-                    XSRETURN_UNDEF;
+-                    break;
+-                default:
+-                    break;
+-                }
+-        }
+-        ret = domReplaceChild( self, nNode, oNode );
+-        if (ret == NULL) {
+-            XSRETURN_UNDEF;
+-        }
+-        else {
+-            LibXML_reparent_removed_node(ret);
+-            RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
+-            if (nNode->type == XML_DTD_NODE) {
+-                LibXML_set_int_subset(nNode->doc, nNode);
++       if( nNode == oNode ) {
++           RETVAL = nNode;
++       }else{
++           if ( self->type == XML_DOCUMENT_NODE ) {
++                    switch ( nNode->type ) {
++                    case XML_ELEMENT_NODE:
++                        warn("replaceChild with an element on a document node 
not supported yet!");
++                        XSRETURN_UNDEF;
++                        break;
++                    case XML_DOCUMENT_FRAG_NODE:
++                        warn("replaceChild with a document fragment node on a 
document node not supported yet!");
++                        XSRETURN_UNDEF;
++                        break;
++                    case XML_TEXT_NODE:
++                    case XML_CDATA_SECTION_NODE:
++                        warn("replaceChild with a text node not supported on 
a document node!");
++                        XSRETURN_UNDEF;
++                        break;
++                    default:
++                        break;
++                    }
+             }
+-            if ( nNode->_private != NULL ) {
+-                PmmFixOwner( PmmPROXYNODE(nNode),
+-                             PmmOWNERPO(PmmPROXYNODE(self)) );
++            ret = domReplaceChild( self, nNode, oNode );
++            if (ret == NULL) {
++                XSRETURN_UNDEF;
++            }
++            else {
++                LibXML_reparent_removed_node(ret);
++                RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
++                if (nNode->type == XML_DTD_NODE) {
++                    LibXML_set_int_subset(nNode->doc, nNode);
++                }
++                if ( nNode->_private != NULL ) {
++                    PmmFixOwner( PmmPROXYNODE(nNode),
++                                 PmmOWNERPO(PmmPROXYNODE(self)) );
++                }
+             }
+         }
+     OUTPUT:
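Review bot: The new `nNode == oNode` branch assigns the raw node pointer with `RETVAL = nNode;`, while the other branch of the same CODE section assigns `PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)))`, so the two paths hand back values of different kinds. The XS function's return type is declared above the hunk; if it is `SV *`, as the `PmmNodeToSv` assignment suggests, the early-return path gives Perl an `xmlNodePtr` where an SV is expected, replacing the use-after-free with a type confusion once the caller touches the result. Wrapping the node the same way keeps both paths consistent: `RETVAL = PmmNodeToSv(nNode, PmmOWNERPO(PmmPROXYNODE(nNode)));`. The patch touches only LibXML.xs, so a regression test that calls replaceChild with the same node for both arguments and then uses the returned object would be worth adding alongside it.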
diff --git a/perl-XML-LibXML.spec b/perl-XML-LibXML.spec
index 391b796..fe25ad4 100644
--- a/perl-XML-LibXML.spec
+++ b/perl-XML-LibXML.spec
@@ -15,6 +15,9 @@ Group:          Development/Libraries
 License:        (GPL+ or Artistic) and MIT
 URL:            http://search.cpan.org/dist/XML-LibXML/
 Source0:        
http://search.cpan.org/CPAN/authors/id/S/SH/SHLOMIF/XML-LibXML-%{version}.tar.gz
 
+# Fix CVE-2017-10672 (use-after-free by controlling the arguments to
+# a replaceChild call), bug #1470205
+Patch0:         XML-LibXML-2.0129-CVE-2017-10672.patch
 BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  glibc-common
@@ -93,6 +96,7 @@ validating XML parser and the high performance DOM 
implementation.
 
 %prep
 %setup -q -n XML-LibXML-%{version}
+%patch0 -p1
 chmod -x *.c
 for i in Changes; do
   /usr/bin/iconv -f iso8859-1 -t utf-8 $i > $i.conv && /bin/mv -f $i.conv $i
@@ -136,10 +140,12 @@ fi
 %{_mandir}/man3/*.3*
 
 %changelog
-* Fri Jul 14 2017 Petr Pisar <ppi...@redhat.com> - 1:2.0129-2
+* Mon Jul 17 2017 Petr Pisar <ppi...@redhat.com> - 1:2.0129-2
 - perl dependency renamed to perl-interpreter
   <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
 - Rename perl dependency in scriptlets
+- Fix CVE-2017-10672 (use-after-free by controlling the arguments to
+  a replaceChild call) (bug #1470205)
 
 * Wed Mar 15 2017 Jitka Plesnikova <jples...@redhat.com> - 1:2.0129-1
 - 2.0129 bump
-- 
cgit v1.1


        
https://src.fedoraproject.org/cgit/perl-XML-LibXML.git/commit/?h=f25&id=7568f1dd3cc88c017c13ff98ac69ed3561d0255e