This is an automated email from the git hooks/post-receive script. carnil pushed a commit to branch stretch in repository libxml-libxml-perl.
commit 852fef98034bebcb843007234f03c31d06fccc7d Author: Salvatore Bonaccorso <car...@debian.org> Date: Sun Oct 29 13:10:46 2017 +0100 CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call Closes: #866676 --- .../patches/CVE-2017-10672/0001-Update-dom.c.patch | 28 ++++++ .../0002-bug-use-after-free-in-replaceChild.patch | 34 ++++++++ .../patches/CVE-2017-10672/0003-Update-ufa.t.patch | 34 ++++++++ .../patches/CVE-2017-10672/0004-Update-ufa.t.patch | 35 ++++++++ .../patches/CVE-2017-10672/0005-Update-ufa.t.patch | 28 ++++++ .../CVE-2017-10672/0006-Fix-replaceChild.patch | 99 ++++++++++++++++++++++ .../patches/CVE-2017-10672/0007-Update-ufa.t.patch | 26 ++++++ .../CVE-2017-10672/0008-fix-replaceChild.patch | 29 +++++++ debian/patches/series | 8 ++ 9 files changed, 321 insertions(+)
diff --git a/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch b/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch
new file mode 100644
index 0000000..1ac2fb1
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch
@@ -0,0 +1,28 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Wed, 12 Jul 2017 16:35:36 +0700
+Subject: [1/8] Update dom.c
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/729cb0f96a4c7c4d5c885f3d699fe587edb30cab
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ dom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dom.c b/dom.c
+index 87eb61d..10eb33d 100644
+--- a/dom.c
++++ b/dom.c
+@@ -798,7 +798,7 @@ domReplaceChild( xmlNodePtr self, xmlNodePtr new, xmlNodePtr old ) {
+ return NULL;
+
+ if ( new == old )
+- return new;
++ return NULL;
+
+ if ( new == NULL ) {
+ /* level2 sais nothing about this case :( */
+--
+2.15.0.rc2
+
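Review bot: In the patched domReplaceChild, `if ( new == old ) return NULL;` makes the same-node case indistinguishable from the failure return just above it, and nothing at the site says why. A comment such as `/* replacing a node with itself is a no-op; return NULL so callers do not treat new as a removed node */` would record the intent, since the XS caller visible in 0006 hands any non-NULL result to LibXML_reparent_removed_node(). Any other caller of domReplaceChild (none is visible here) that relied on getting the node back in this case should be checked. The function body starts and ends outside the hunk.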
diff --git a/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch b/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
new file mode 100644
index 0000000..85cf128
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
@@ -0,0 +1,34 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Wed, 12 Jul 2017 17:02:59 +0700
+Subject: [2/8] bug use after free in replaceChild
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/7188660dba5f9c339005766062305d58fa0f757c
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+test case for use after free in replaceChild
+---
+ t/ufa.t | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+ create mode 100644 t/ufa.t
+
+diff --git a/t/ufa.t b/t/ufa.t
+new file mode 100644
+index 0000000..ef3ce9d
+--- /dev/null
++++ b/t/ufa.t
+@@ -0,0 +1,10 @@
++#test bug use after free in function replaceChild
++use XML::LibXML;
++BEGIN { $| = 1 }
++my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
++
++my $parser = XML::LibXML->new();
++my $info = $parser->load_xml(string=>$data) or die;
++my $root = $info->findnodes("mipu94")->[0];
++my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
++$root->replaceChild($ufanode,$ufanode);
+\ No newline at end of file
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch
new file mode 100644
index 0000000..4b2f857
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch
@@ -0,0 +1,34 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Wed, 12 Jul 2017 17:35:09 +0700
+Subject: [3/8] Update ufa.t
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/075f314d1b0e6624127d6cc1573c51c9d1c91bc2
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index ef3ce9d..0ebbbf2 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,4 +1,7 @@
+ #test bug use after free in function replaceChild
++use strict;
++use warnings;
++use Test::More;
+ use XML::LibXML;
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+@@ -7,4 +10,4 @@ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+-$root->replaceChild($ufanode,$ufanode);
+\ No newline at end of file
++ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch
new file mode 100644
index 0000000..85aed55
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch
@@ -0,0 +1,35 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Wed, 12 Jul 2017 17:42:33 +0700
+Subject: [4/8] Update ufa.t
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/6c437bef155bf9146ac65be31052b72eda718b11
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index 0ebbbf2..fce4489 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,13 +1,12 @@
+ #test bug use after free in function replaceChild
+-use strict;
+-use warnings;
+ use Test::More;
+ use XML::LibXML;
++
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+-
+ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+ ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
++done_testing();
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch
new file mode 100644
index 0000000..a47b93d
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch
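Review bot: The t/ufa.t hunk carried by 0004 removes the `use strict;` and `use warnings;` lines that 0003 had just added, and no later patch in the series restores them, so the regression test for this CVE ends up running without strictures. Keeping both lines next to `use Test::More;` costs nothing and turns a mistyped variable name into a compile error instead of an undef silently passed to replaceChild. If they were dropped because the test emitted a warning, that warning is worth recording in the patch description.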
@@ -0,0 +1,28 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Wed, 12 Jul 2017 17:55:56 +0700
+Subject: [5/8] Update ufa.t
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/91a2b9008c059fb4df3fbee4a5cf7169eb160d7f
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index fce4489..753419e 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,7 +1,6 @@
+-#test bug use after free in function replaceChild
+ use Test::More;
+ use XML::LibXML;
+-
++#test bug use after free in function replaceChild
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+ my $parser = XML::LibXML->new();
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch b/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch
new file mode 100644
index 0000000..43af9da
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch
@@ -0,0 +1,99 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Mon, 23 Oct 2017 14:04:59 +0700
+Subject: [6/8] Fix replaceChild
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/a83e805fdd968e6065db1293bfe5f91cc1c5fea6
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+if newNode == oldNode or self == newNode then do nothing, just return nNode.
+---
+ LibXML.xs | 70 ++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 38 insertions(+), 32 deletions(-)
+
+diff --git a/LibXML.xs b/LibXML.xs
+index ad415c8..718f7db 100644
+--- a/LibXML.xs
++++ b/LibXML.xs
+@@ -4829,40 +4829,46 @@ replaceChild( self, nNode, oNode )
+ PREINIT:
+ xmlNodePtr ret = NULL;
+ CODE:
+- if ( self->type == XML_DOCUMENT_NODE ) {
+- switch ( nNode->type ) {
+- case XML_ELEMENT_NODE:
+- warn("replaceChild with an element on a document node not supported yet!");
+- XSRETURN_UNDEF;
+- break;
+- case XML_DOCUMENT_FRAG_NODE:
+- warn("replaceChild with a document fragment node on a document node not supported yet!");
+- XSRETURN_UNDEF;
+- break;
+- case XML_TEXT_NODE:
+- case XML_CDATA_SECTION_NODE:
+- warn("replaceChild with a text node not supported on a document node!");
+- XSRETURN_UNDEF;
+- break;
+- default:
+- break;
+- }
+- }
+- ret = domReplaceChild( self, nNode, oNode );
+- if (ret == NULL) {
+- XSRETURN_UNDEF;
+- }
+- else {
+- LibXML_reparent_removed_node(ret);
+- RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
+- if (nNode->type == XML_DTD_NODE) {
+- LibXML_set_int_subset(nNode->doc, nNode);
++ // if newNode == oldNode or self == newNode then do nothing, just return nNode.
++ if(nNode == oNode || self == nNode ){
++ RETVAL = nNode;
++ }
++ else{
++ if ( self->type == XML_DOCUMENT_NODE ) {
++ switch ( nNode->type ) {
++ case XML_ELEMENT_NODE:
++ warn("replaceChild with an element on a document node not supported yet!");
++ XSRETURN_UNDEF;
++ break;
++ case XML_DOCUMENT_FRAG_NODE:
++ warn("replaceChild with a document fragment node on a document node not supported yet!");
++ XSRETURN_UNDEF;
++ break;
++ case XML_TEXT_NODE:
++ case XML_CDATA_SECTION_NODE:
++ warn("replaceChild with a text node not supported on a document node!");
++ XSRETURN_UNDEF;
++ break;
++ default:
++ break;
++ }
+ }
+- if ( nNode->_private != NULL ) {
+- PmmFixOwner( PmmPROXYNODE(nNode),
+- PmmOWNERPO(PmmPROXYNODE(self)) );
++ ret = domReplaceChild( self, nNode, oNode );
++ if (ret == NULL) {
++ XSRETURN_UNDEF;
+ }
+- }
++ else {
++ LibXML_reparent_removed_node(ret);
++ RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
++ if (nNode->type == XML_DTD_NODE) {
++ LibXML_set_int_subset(nNode->doc, nNode);
++ }
++ if ( nNode->_private != NULL ) {
++ PmmFixOwner( PmmPROXYNODE(nNode),
++ PmmOWNERPO(PmmPROXYNODE(self)) );
++ }
++ }
++ }
+ OUTPUT:
+ RETVAL
+
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch
new file mode 100644
index 0000000..48a4228
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch
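Review bot: The new guard `if(nNode == oNode || self == nNode )` in replaceChild reports success without checking that oNode is a child of self, so a call that replaces nothing (t/ufa.t passes a grandchild of $root) looks the same to the caller as a real replacement. That may be acceptable for the fix, but the comment above the guard should say so, for example `/* same node on both sides, or self given as the new node: leave the tree untouched so nothing is unlinked or reparented */`, written as a block comment because `//` is rejected by C89 compilers. `RETVAL = nNode;` assigns a node pointer where the other branch assigns the result of PmmNodeToSv(); 0008 corrects this, so the two patches must be applied together. The XS function's declaration lies outside the hunk.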
@@ -0,0 +1,26 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Mon, 23 Oct 2017 14:06:36 +0700
+Subject: [7/8] Update ufa.t
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/a9d12057647c1df50b42dca1bc35df657354f3f6
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index 753419e..26764f3 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -7,5 +7,5 @@ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+-ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
++ok($root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
+ done_testing();
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch b/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch
new file mode 100644
index 0000000..eb0f7d5
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch
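Review bot: The final assertion `ok($root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");` checks only that the call returns something true, which says little about whether the tree is still intact afterwards. Capturing `my $before = $info->toString;` ahead of the call and adding `is($info->toString, $before, "document unchanged");` would pin the no-op behaviour that the fix promises. A use-after-free does not reliably crash an ordinary test run, so this file is most useful as a regression test when the suite is also run under a memory checker such as valgrind or an ASan build.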
@@ -0,0 +1,29 @@
+From: sungta <tadinhs...@gmail.com>
+Date: Mon, 23 Oct 2017 14:17:01 +0700
+Subject: [8/8] fix replaceChild
+Origin: https://github.com/shlomif/perl-XML-LibXML/commit/85dc8d5d4b905b323a46ef7e611d889b1c3375df
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ LibXML.xs | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/LibXML.xs b/LibXML.xs
+index 718f7db..298ff0d 100644
+--- a/LibXML.xs
++++ b/LibXML.xs
+@@ -4831,7 +4831,8 @@ replaceChild( self, nNode, oNode )
+ CODE:
+ // if newNode == oldNode or self == newNode then do nothing, just return nNode.
+ if(nNode == oNode || self == nNode ){
+- RETVAL = nNode;
++ ret = nNode;
++ RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
+ }
+ else{
+ if ( self->type == XML_DOCUMENT_NODE ) {
+--
+2.15.0.rc2
+
diff --git a/debian/patches/series b/debian/patches/series
index c15e2c3..2825dca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,10 @@
 fail-build-no-libxml2.patch
 disable_runtime-version_warning.patch
+CVE-2017-10672/0001-Update-dom.c.patch
+CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
+CVE-2017-10672/0003-Update-ufa.t.patch
+CVE-2017-10672/0004-Update-ufa.t.patch
+CVE-2017-10672/0005-Update-ufa.t.patch
+CVE-2017-10672/0006-Fix-replaceChild.patch
+CVE-2017-10672/0007-Update-ufa.t.patch
+CVE-2017-10672/0008-fix-replaceChild.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libxml-libxml-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits