[xml/sgml-pkgs] Bug#782782: fix for CVE-2015-1819 in stretch/sid
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Fri May 29 13:45:01 UTC 2015
Control: tags -1 patch
.debdiff for libxml2 2.9.2+dfsg1-3 (currently in unstable) attached...
light+love
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
diff -Nru libxml2-2.9.2+dfsg1/debian/changelog libxml2-2.9.2+dfsg1/debian/changelog
--- libxml2-2.9.2+dfsg1/debian/changelog 2015-02-01 05:37:42.000000000 +0100
+++ libxml2-2.9.2+dfsg1/debian/changelog 2015-05-29 15:41:55.000000000 +0200
@@ -1,3 +1,13 @@
+libxml2 (2.9.2+dfsg1-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches:
+ + Add 0004-Enforce-the-reader-to-run-in-constant-memory-CVE-2015-1819.patch.
+ Fix CVE-2015-1819: Enforce the reader to run in constant memory.
+ (Closes: #782782).
+
+ -- Mike Gabriel <sunweaver at debian.org> Fri, 29 May 2015 15:40:53 +0200
+
libxml2 (2.9.2+dfsg1-3) unstable; urgency=medium
* Add icu related deps for -dev and -dbg packages
diff -Nru libxml2-2.9.2+dfsg1/debian/patches/0004-Enforce-the-reader-to-run-in-constant-memory-CVE-2015-1819.patch libxml2-2.9.2+dfsg1/debian/patches/0004-Enforce-the-reader-to-run-in-constant-memory-CVE-2015-1819.patch
--- libxml2-2.9.2+dfsg1/debian/patches/0004-Enforce-the-reader-to-run-in-constant-memory-CVE-2015-1819.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.2+dfsg1/debian/patches/0004-Enforce-the-reader-to-run-in-constant-memory-CVE-2015-1819.patch 2015-05-29 15:39:08.000000000 +0200
@@ -0,0 +1,166 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+
+v2: rebased against libxml2 2.9.2
+ Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
++++ b/buf.c
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+ if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+ (scheme == XML_BUFFER_ALLOC_EXACT) ||
+ (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ buf->alloc = scheme;
+ if (buf->buffer)
+ buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ size = buf->use + len + 100;
+ #endif
+
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++ (buf->size >= XML_MAX_TEXT_LENGTH)) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ if (size >= XML_MAX_TEXT_LENGTH)
++ size = XML_MAX_TEXT_LENGTH;
++ }
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (size >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ }
+
+ /* Don't resize if we don't have to */
+ if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+ }
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
+ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+ XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
+- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+ "xmlNewTextReader : malloc failed\n");
+ return(NULL);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(ret->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (ret->sax == NULL) {
+ xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ return(((xmlNsPtr) node)->href);
+ case XML_ATTRIBUTE_NODE:{
+ xmlAttrPtr attr = (xmlAttrPtr) node;
++ const xmlChar *ret;
+
+ if ((attr->children != NULL) &&
+ (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ "xmlTextReaderSetup : malloc failed\n");
+ return (NULL);
+ }
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ } else
+ xmlBufEmpty(reader->buffer);
+ xmlBufGetNodeContent(reader->buffer, node);
+- return(xmlBufContent(reader->buffer));
++ ret = xmlBufContent(reader->buffer);
++ if (ret == NULL) {
++ /* error on the buffer best to reallocate */
++ xmlBufFree(reader->buffer);
++ reader->buffer = xmlBufCreateSize(100);
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
++ ret = BAD_CAST "";
++ }
++ return(ret);
+ }
+ break;
+ }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+ "xmlTextReaderSetup : malloc failed\n");
+ return (-1);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ if (reader->sax == NULL)
+ reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (reader->sax == NULL) {
+--
+cgit v0.10.2
+
+
diff -Nru libxml2-2.9.2+dfsg1/debian/patches/series libxml2-2.9.2+dfsg1/debian/patches/series
--- libxml2-2.9.2+dfsg1/debian/patches/series 2015-02-01 05:32:38.000000000 +0100
+++ libxml2-2.9.2+dfsg1/debian/patches/series 2015-05-29 15:40:15.000000000 +0200
@@ -1,3 +1,4 @@
0001-modify-xml2-config-and-pkgconfig-behaviour.patch
0002-fix-python-multiarch-includes.patch
0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+0004-Enforce-the-reader-to-run-in-constant-memory-CVE-2015-1819.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20150529/919fb354/attachment.sig>
More information about the debian-xml-sgml-pkgs
mailing list