diff options
| author |   Gilles Dartiguelongue <eva@gentoo.org> | 2017-08-23 09:27:49 +0200 |
|---|---|---|
| committer | Gilles Dartiguelongue <eva@gentoo.org> | 2017-08-23 09:28:56 +0200 |
| commit | 9f36ba11942153b51031264201e9a9491fb00ebd (patch) | |
| tree | 18d56f0aa39cf134d32c1cbe2594e195fcb36ff4 /dev-libs | |
| parent | app-vim/phpdocs: EAPI 6 bump. (diff) | |
| download | gentoo-9f36ba11942153b51031264201e9a9491fb00ebd.tar.gz gentoo-9f36ba11942153b51031264201e9a9491fb00ebd.tar.bz2 gentoo-9f36ba11942153b51031264201e9a9491fb00ebd.zip | |
dev-libs/libxml2: version bump 2.9.4-r1 → 2.9.4-r2
Apply a round of security fixes.
Gentoo-Bugs: 599192, 586886, 618604, 622914, 605208, 623206
Package-Manager: Portage-2.3.8, Repoman-2.3.3
Diffstat (limited to 'dev-libs')
8 files changed, 1061 insertions, 0 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch new file mode 100644 index 000000000000..5d1adb014a0e --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch @@ -0,0 +1,202 @@ +From 292be65a52ab9e0eb3a53b4e0be5a57bc6de59d3 Mon Sep 17 00:00:00 2001 +From: Doran Moppert <dmoppert@redhat.com> +Date: Fri, 7 Apr 2017 16:45:56 +0200 +Subject: [PATCH 6/7] Add an XML_PARSE_NOXXE flag to block all entities loading + even local + +For https://bugzilla.gnome.org/show_bug.cgi?id=772726 + +* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE +* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine +* include/libxml/xmlerror.h: new error raised +* xmllint.c: adds --noxxe flag to activate the option +--- + elfgcchack.h | 10 ++++++++++ + include/libxml/parser.h | 3 ++- + include/libxml/xmlIO.h | 8 ++++++++ + include/libxml/xmlerror.h | 1 + + parser.c | 4 ++++ + xmlIO.c | 40 +++++++++++++++++++++++++++++++++++----- + xmllint.c | 5 +++++ + 7 files changed, 65 insertions(+), 6 deletions(-) + +diff --git a/elfgcchack.h b/elfgcchack.h +index 8c52884a..1b81dcde 100644 +--- a/elfgcchack.h ++++ b/elfgcchack.h +@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int + #endif + #endif + ++#ifdef bottom_xmlIO ++#undef xmlNoXxeExternalEntityLoader ++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias"))); ++#else ++#ifndef xmlNoXxeExternalEntityLoader ++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden"))); ++#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias ++#endif ++#endif ++ + #ifdef bottom_tree + #undef xmlNodeAddContent + extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias"))); +diff --git a/include/libxml/parser.h b/include/libxml/parser.h +index 47fbec03..63ca1b97 100644 +--- a/include/libxml/parser.h ++++ b/include/libxml/parser.h +@@ -1111,7 +1111,8 @@ typedef enum { + XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */ + XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */ + XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */ +- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */ ++ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */ ++ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */ + } xmlParserOption; + + XMLPUBFUN void XMLCALL +diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h +index 3e41744d..8d3fdef5 100644 +--- a/include/libxml/xmlIO.h ++++ b/include/libxml/xmlIO.h +@@ -299,6 +299,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL + const char *ID, + xmlParserCtxtPtr ctxt); + ++/* ++ * A predefined entity loader external entity expansion ++ */ ++XMLPUBFUN xmlParserInputPtr XMLCALL ++ xmlNoXxeExternalEntityLoader (const char *URL, ++ const char *ID, ++ xmlParserCtxtPtr ctxt); ++ + /* + * xmlNormalizeWindowsPath is obsolete, don't use it. + * Check xmlCanonicPath in uri.h for a better alternative. +diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h +index 037c16d5..3036062d 100644 +--- a/include/libxml/xmlerror.h ++++ b/include/libxml/xmlerror.h +@@ -470,6 +470,7 @@ typedef enum { + XML_IO_EADDRINUSE, /* 1554 */ + XML_IO_EALREADY, /* 1555 */ + XML_IO_EAFNOSUPPORT, /* 1556 */ ++ XML_IO_ILLEGAL_XXE, /* 1557 */ + XML_XINCLUDE_RECURSION=1600, + XML_XINCLUDE_PARSE_VALUE, /* 1601 */ + XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */ +diff --git a/parser.c b/parser.c +index b832406a..8e11c127 100644 +--- a/parser.c ++++ b/parser.c +@@ -15352,6 +15352,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi + ctxt->options |= XML_PARSE_NONET; + options -= XML_PARSE_NONET; + } ++ if (options & XML_PARSE_NOXXE) { ++ ctxt->options |= XML_PARSE_NOXXE; ++ options -= XML_PARSE_NOXXE; ++ } + if (options & XML_PARSE_COMPACT) { + ctxt->options |= XML_PARSE_COMPACT; + options -= XML_PARSE_COMPACT; +diff --git a/xmlIO.c b/xmlIO.c +index 6e61f45a..34881461 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -212,6 +212,7 @@ static const char *IOerr[] = { + "adddress in use", /* EADDRINUSE */ + "already in use", /* EALREADY */ + "unknown address familly", /* EAFNOSUPPORT */ ++ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */ + }; + + #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__) +@@ -4057,13 +4058,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID, + xmlGenericError(xmlGenericErrorContext, + "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL); + #endif +- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) { ++ if (ctxt != NULL) { + int options = ctxt->options; + +- ctxt->options -= XML_PARSE_NONET; +- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); +- ctxt->options = options; +- return(ret); ++ if (options & XML_PARSE_NOXXE) { ++ ctxt->options -= XML_PARSE_NOXXE; ++ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt); ++ ctxt->options = options; ++ return(ret); ++ } ++ ++ if (options & XML_PARSE_NONET) { ++ ctxt->options -= XML_PARSE_NONET; ++ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); ++ ctxt->options = options; ++ return(ret); ++ } + } + #ifdef LIBXML_CATALOG_ENABLED + resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); +@@ -4164,6 +4174,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, + xmlParserInputPtr input = NULL; + xmlChar *resource = NULL; + ++ if (ctxt == NULL) { ++ return(NULL); ++ } ++ if (ctxt->input_id == 1) { ++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); ++ } ++ + #ifdef LIBXML_CATALOG_ENABLED + resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); + #endif +@@ -4186,5 +4203,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, + return(input); + } + ++xmlParserInputPtr ++xmlNoXxeExternalEntityLoader(const char *URL, const char *ID, ++ xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) { ++ return(NULL); ++ } ++ if (ctxt->input_id == 1) { ++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); ++ } ++ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL); ++ return(NULL); ++} ++ + #define bottom_xmlIO + #include "elfgcchack.h" +diff --git a/xmllint.c b/xmllint.c +index f8eb7ec4..8f304cda 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -3019,6 +3019,7 @@ static void usage(const char *name) { + printf("\t--path 'paths': provide a set of paths for resources\n"); + printf("\t--load-trace : print trace of all external entities loaded\n"); + printf("\t--nonet : refuse to fetch DTDs or entities over network\n"); ++ printf("\t--noxxe : forbid any external entity loading\n"); + printf("\t--nocompact : do not generate compact text nodes\n"); + printf("\t--htmlout : output results as HTML\n"); + printf("\t--nowrap : do not put HTML doc wrapper\n"); +@@ -3461,6 +3462,10 @@ main(int argc, char **argv) { + (!strcmp(argv[i], "--nonet"))) { + options |= XML_PARSE_NONET; + xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader); ++ } else if ((!strcmp(argv[i], "-noxxe")) || ++ (!strcmp(argv[i], "--noxxe"))) { ++ options |= XML_PARSE_NOXXE; ++ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader); + } else if ((!strcmp(argv[i], "-nocompact")) || + (!strcmp(argv[i], "--nocompact"))) { + options &= ~XML_PARSE_COMPACT; +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch new file mode 100644 index 000000000000..4d1362f2f934 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch @@ -0,0 +1,63 @@ +From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Wed, 7 Jun 2017 16:47:36 +0200 +Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent + +Can only be triggered in recovery mode. + +Fixes bug 758422 (CVE-2017-5969). +--- + valid.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/valid.c b/valid.c +index 19f84b82..0a8e58ab 100644 +--- a/valid.c ++++ b/valid.c +@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) + xmlBufferWriteCHAR(buf, content->name); + break; + case XML_ELEMENT_CONTENT_SEQ: +- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || +- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) ++ if ((content->c1 != NULL) && ++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || ++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) + xmlDumpElementContent(buf, content->c1, 1); + else + xmlDumpElementContent(buf, content->c1, 0); + xmlBufferWriteChar(buf, " , "); +- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || +- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && +- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) ++ if ((content->c2 != NULL) && ++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) || ++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && ++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) + xmlDumpElementContent(buf, content->c2, 1); + else + xmlDumpElementContent(buf, content->c2, 0); + break; + case XML_ELEMENT_CONTENT_OR: +- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || +- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) ++ if ((content->c1 != NULL) && ++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || ++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) + xmlDumpElementContent(buf, content->c1, 1); + else + xmlDumpElementContent(buf, content->c1, 0); + xmlBufferWriteChar(buf, " | "); +- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || +- ((content->c2->type == XML_ELEMENT_CONTENT_OR) && +- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) ++ if ((content->c2 != NULL) && ++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || ++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) && ++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) + xmlDumpElementContent(buf, content->c2, 1); + else + xmlDumpElementContent(buf, content->c2, 0); +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch new file mode 100644 index 000000000000..db9d597ad73e --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch @@ -0,0 +1,35 @@ +From 9ea49a06b9421b6a3a9c243fb1ec23b19bd6b049 Mon Sep 17 00:00:00 2001 +From: Neel Mehta <nmehta@google.com> +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH 7/7] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=780691 + +* parser.c: add a specific check to avoid PE reference +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 8e11c127..e8e962bb 100644 +--- a/parser.c ++++ b/parser.c +@@ -8125,6 +8125,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && ++ (ctxt->replaceEntities == 0) && ++ (ctxt->validate == 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch new file mode 100644 index 000000000000..f7c48cd877d7 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch @@ -0,0 +1,116 @@ +From 839b89e678b5265a0e6b0477410e64fac669d578 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH 4/7] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel Böhme and Thuan Pham for the report. +--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 00000000..45dc451d +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++<?xml version="1.0"?> ++<!DOCTYPE a [ ++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> ++]> ++<a/> +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 00000000..b401b49a +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/> ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +new file mode 100644 +index 00000000..5ff56992 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/> ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml b/test/valid/781333.xml +new file mode 100644 +index 00000000..b29e5a68 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++<!DOCTYPE a [ ++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> ++]> ++<a/> +diff --git a/valid.c b/valid.c +index 0a8e58ab..8075d3a0 100644 +--- a/valid.c ++++ b/valid.c +@@ -1266,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen = xmlStrlen(content->name); ++ ++ if (content->prefix != NULL) ++ qnameLen += xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix != NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name != NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || + (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) +@@ -1323,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <= 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch new file mode 100644 index 000000000000..abf43ef9815d --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch @@ -0,0 +1,316 @@ +From 9c95d1b7f3951efe09df66ec41d7b19d6283084d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH 3/7] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +========================= + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. + +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone +involved. + +xmlParseNameComplex with XML_PARSE_OLD10 +======================================== + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel Böhme and Thuan Pham for the report. + +Additional hardening +==================== + +A separate check was added in xmlParseNameComplex to validate the +buffer size. +--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 14 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +diff --git a/Makefile.am b/Makefile.am +index 3b52bae7..bf20124e 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=`basename $$i`; \ +diff --git a/parser.c b/parser.c +index 53a6b7f0..b832406a 100644 +--- a/parser.c ++++ b/parser.c +@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ctxt->input->line++; ctxt->input->col = 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur += l; \ +- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ + } while (0) + + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + len += l; + NEXTL(l); + c = CUR_CHAR(l); +- if (c == 0) { +- count = 0; +- GROW; +- if (ctxt->instate == XML_PARSER_EOF) +- return(NULL); +- c = CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an invalid ++ * pointer to xmlDictLookup. ++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err +new file mode 100644 +index 00000000..da15c3f7 +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a; ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 ++ ++^ +diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err +new file mode 100644 +index 00000000..655f41a2 +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ ++^ ++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found ++ ++^ +diff --git a/result/valid/766956.xml b/result/valid/766956.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err +new file mode 100644 +index 00000000..34b1dae6 +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ +diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr +new file mode 100644 +index 00000000..77603462 +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ ++./test/valid/766956.xml : failed to parse +diff --git a/runtest.c b/runtest.c +index 7d030bdc..cd233da9 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = { + { "Error cases regression tests", + errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", + 0 }, ++ { "Error cases regression tests (old 1.0)", ++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", ++ XML_PARSE_OLD10 }, + #ifdef LIBXML_READER_ENABLED + { "Error cases stream regression tests", + streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", +diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml +new file mode 100644 +index 00000000..d9e9e839 +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++<!DOCTYPE D [ ++ <!ENTITY % a "<:0000"> ++ %a; +diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml +new file mode 100644 +index 00000000..67476bcb +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++<!DOCTYPE doc [ ++ <!ENTITY % elem "<!ELEMENT e0000000000"> ++ %elem; +diff --git a/test/valid/766956.xml b/test/valid/766956.xml +new file mode 100644 +index 00000000..19a95a0e +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++<!DOCTYPE test SYSTEM "dtds/766956.dtd"> ++<test/> +diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd +new file mode 100644 +index 00000000..dddde68b +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++<!ENTITY % ent "value"> ++%ä%ent; +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch new file mode 100644 index 000000000000..770a1832b190 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch @@ -0,0 +1,32 @@ +From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001 +From: David Kilzer <ddkilzer@apple.com> +Date: Tue, 4 Jul 2017 18:38:03 +0200 +Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in + xmlFAParsePosCharGroup + +Credit to OSS-Fuzz. + +Add a check to xmlFAParseCharRange() for the end of the buffer +to prevent reading past the end of it. + +This fixes Bug 784017. +--- + xmlregexp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index ca3b4f46..6676c2a8 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { + return; + } + len = 1; +- } else if ((cur != 0x5B) && (cur != 0x5D)) { ++ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) { + end = CUR_SCHAR(ctxt->cur, len); + } else { + ERROR("Expecting the end of a char range"); +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch new file mode 100644 index 000000000000..9d1a03346f67 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch @@ -0,0 +1,66 @@ +From 8bc6baccc7da291c2338b8d95953ea487b0b3ca1 Mon Sep 17 00:00:00 2001 +From: Alex Henrie <alexhenrie24@gmail.com> +Date: Thu, 26 May 2016 17:38:35 -0600 +Subject: [PATCH 2/7] Fix attribute decoding during XML schema validation + +For https://bugzilla.gnome.org/show_bug.cgi?id=766834 + +vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs, +so this function can't call xmlStringLenDecodeEntities to decode the +entities. +--- + xmlschemas.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index e1b3a4f0..59535e5c 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, + * attributes yet. + */ + if (nb_attributes != 0) { ++ int valueLen, k, l; + xmlChar *value; + + for (j = 0, i = 0; i < nb_attributes; i++, j += 5) { +@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, + * libxml2 differs from normal SAX here in that it escapes all ampersands + * as & instead of delivering the raw converted string. Changing the + * behavior at this point would break applications that use this API, so +- * we are forced to work around it. There is no danger of accidentally +- * decoding some entity other than & in this step because without +- * unescaped ampersands there can be no other entities in the string. ++ * we are forced to work around it. + */ +- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3], +- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0); ++ valueLen = attributes[j+4] - attributes[j+3]; ++ value = xmlMallocAtomic(valueLen + 1); ++ if (value == NULL) { ++ xmlSchemaVErrMemory(vctxt, ++ "allocating string for decoded attribute", ++ NULL); ++ goto internal_error; ++ } ++ for (k = 0, l = 0; k < valueLen; l++) { ++ if (k < valueLen - 4 && ++ attributes[j+3][k+0] == '&' && ++ attributes[j+3][k+1] == '#' && ++ attributes[j+3][k+2] == '3' && ++ attributes[j+3][k+3] == '8' && ++ attributes[j+3][k+4] == ';') { ++ value[l] = '&'; ++ k += 5; ++ } else { ++ value[l] = attributes[j+3][k]; ++ k++; ++ } ++ } ++ value[l] = '\0'; + /* + * TODO: Set the node line. + */ +-- +2.14.1 + diff --git a/dev-libs/libxml2/libxml2-2.9.4-r2.ebuild b/dev-libs/libxml2/libxml2-2.9.4-r2.ebuild new file mode 100644 index 000000000000..22b6dec79b0c --- /dev/null +++ b/dev-libs/libxml2/libxml2-2.9.4-r2.ebuild @@ -0,0 +1,231 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +PYTHON_COMPAT=( python2_7 python3_{4,5,6} ) +PYTHON_REQ_USE="xml" + +inherit libtool flag-o-matic ltprune python-r1 autotools prefix multilib-minimal + +DESCRIPTION="Version 2 of the library to manipulate XML files" +HOMEPAGE="http://www.xmlsoft.org/" + +LICENSE="MIT" +SLOT="2" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" +IUSE="debug examples icu ipv6 lzma python readline static-libs test" +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" + +XSTS_HOME="http://www.w3.org/XML/2004/xml-schema-test-suite" +XSTS_NAME_1="xmlschema2002-01-16" +XSTS_NAME_2="xmlschema2004-01-14" +XSTS_TARBALL_1="xsts-2002-01-16.tar.gz" +XSTS_TARBALL_2="xsts-2004-01-14.tar.gz" +XMLCONF_TARBALL="xmlts20080827.tar.gz" + +SRC_URI="ftp://xmlsoft.org/${PN}/${PN}-${PV/_rc/-rc}.tar.gz + test? ( + ${XSTS_HOME}/${XSTS_NAME_1}/${XSTS_TARBALL_1} + ${XSTS_HOME}/${XSTS_NAME_2}/${XSTS_TARBALL_2} + http://www.w3.org/XML/Test/${XMLCONF_TARBALL} )" + +RDEPEND=" + >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}] + icu? ( >=dev-libs/icu-51.2-r1:=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] ) + python? ( ${PYTHON_DEPS} ) + readline? ( sys-libs/readline:= ) +" +DEPEND="${EDEPEND} + dev-util/gtk-doc-am + virtual/pkgconfig + hppa? ( >=sys-devel/binutils-2.15.92.0.2 ) +" + +S="${WORKDIR}/${PN}-${PV%_rc*}" + +MULTILIB_CHOST_TOOLS=( + /usr/bin/xml2-config +) + +src_unpack() { + # ${A} isn't used to avoid unpacking of test tarballs into $WORKDIR, + # as they are needed as tarballs in ${S}/xstc instead and not unpacked + unpack ${P/_rc/-rc}.tar.gz + cd "${S}" || die + + if use test; then + cp "${DISTDIR}/${XSTS_TARBALL_1}" \ + "${DISTDIR}/${XSTS_TARBALL_2}" \ + "${S}"/xstc/ \ + || die "Failed to install test tarballs" + unpack ${XMLCONF_TARBALL} + fi +} + +src_prepare() { + default + + DOCS=( AUTHORS ChangeLog NEWS README* TODO* ) + + # Patches needed for prefix support + eapply "${FILESDIR}"/${PN}-2.7.1-catalog_path.patch + + eprefixify catalog.c xmlcatalog.c runtest.c xmllint.c + + # Fix build for Windows platform + # https://bugzilla.gnome.org/show_bug.cgi?id=760456 + eapply "${FILESDIR}"/${PN}-2.8.0_rc1-winnt.patch + + # Disable programs that we don't actually install. + # https://bugzilla.gnome.org/show_bug.cgi?id=760457 + eapply "${FILESDIR}"/${PN}-2.9.2-disable-tests.patch + + # Fix python detection, bug #567066 + # https://bugzilla.gnome.org/show_bug.cgi?id=760458 + eapply "${FILESDIR}"/${PN}-2.9.2-python-ABIFLAG.patch + + # Apply round of security patches wrt bugs + # 589816, 597112, 597114, 597116. This will be included + # in the next upstream release + eapply "${FILESDIR}"/${PN}-2.9.4-CVE-2016-4658.patch + eapply "${FILESDIR}"/${PN}-2.9.4-CVE-2016-5131.patch + eapply "${FILESDIR}"/${PN}-2.9.4-nullptrderef.patch + eapply "${FILESDIR}"/${PN}-2.9.4-nullptrderef2.patch + + # Apply round of security patches wrt bugs: + # 599192, 586886, 618604, 622914, 605208, 623206 + # This will be included in the next upstream release + eapply "${FILESDIR}"/${P}-CVE-2017-5969.patch + eapply "${FILESDIR}"/${P}-osd-validation.patch + eapply "${FILESDIR}"/${P}-CVE-2017-9049-9050.patch + eapply "${FILESDIR}"/${P}-CVE-2017-9047-9048.patch + eapply "${FILESDIR}"/${P}-heap-buffer-overflow.patch + eapply "${FILESDIR}"/${P}-CVE-2016-9318.patch + eapply "${FILESDIR}"/${P}-CVE-2017-7375.patch + + # Avoid final linking arguments for python modules + if [[ ${CHOST} == *-darwin* ]] ; then + sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die + fi + + # Please do not remove, as else we get references to PORTAGE_TMPDIR + # in /usr/lib/python?.?/site-packages/libxml2mod.la among things. + # We now need to run eautoreconf at the end to prevent maintainer mode. +# elibtoolize +# epunt_cxx # if we don't eautoreconf + + eautoreconf +} + +multilib_src_configure() { + # filter seemingly problematic CFLAGS (#26320) + filter-flags -fprefetch-loop-arrays -funroll-loops + + # USE zlib support breaks gnome2 + # (libgnomeprint for instance fails to compile with + # fresh install, and existing) - <azarah@gentoo.org> (22 Dec 2002). + + # The meaning of the 'debug' USE flag does not apply to the --with-debug + # switch (enabling the libxml2 debug module). See bug #100898. + + # --with-mem-debug causes unusual segmentation faults (bug #105120). + + libxml2_configure() { + ECONF_SOURCE="${S}" econf \ + --with-html-subdir=${PF}/html \ + $(use_with debug run-debug) \ + $(use_with icu) \ + $(use_with lzma) \ + $(use_enable ipv6) \ + $(use_enable static-libs static) \ + $(multilib_native_use_with readline) \ + $(multilib_native_use_with readline history) \ + "$@" + } + + libxml2_py_configure() { + mkdir -p "${BUILD_DIR}" || die # ensure python build dirs exist + run_in_build_dir libxml2_configure "--with-python=${ROOT%/}${PYTHON}" # odd build system, also see bug #582130 + } + + libxml2_configure --without-python # build python bindings separately + + if multilib_is_native_abi && use python; then + python_foreach_impl libxml2_py_configure + fi +} + +multilib_src_compile() { + default + if multilib_is_native_abi && use python; then + local native_builddir=${BUILD_DIR} + python_foreach_impl libxml2_py_emake top_builddir="${native_builddir}" all + fi +} + +multilib_src_test() { + default + multilib_is_native_abi && use python && python_foreach_impl libxml2_py_emake test +} + +multilib_src_install() { + emake DESTDIR="${D}" \ + EXAMPLES_DIR="${EPREFIX}"/usr/share/doc/${PF}/examples install + + if multilib_is_native_abi && use python; then + python_foreach_impl libxml2_py_emake \ + DESTDIR="${D}" \ + docsdir="${EPREFIX}"/usr/share/doc/${PF}/python \ + exampledir="${EPREFIX}"/usr/share/doc/${PF}/python/examples \ + install + python_foreach_impl python_optimize + fi +} + +multilib_src_install_all() { + # on windows, xmllint is installed by interix libxml2 in parent prefix. + # this is the version to use. the native winnt version does not support + # symlinks, which makes repoman fail if the portage tree is linked in + # from another location (which is my default). -- mduft + if [[ ${CHOST} == *-winnt* ]]; then + rm -rf "${ED}"/usr/bin/xmllint + rm -rf "${ED}"/usr/bin/xmlcatalog + fi + + rm -rf "${ED}"/usr/share/doc/${P} + einstalldocs + + if ! use examples; then + rm -rf "${ED}"/usr/share/doc/${PF}/examples + rm -rf "${ED}"/usr/share/doc/${PF}/python/examples + fi + + prune_libtool_files --modules +} + +pkg_postinst() { + # We don't want to do the xmlcatalog during stage1, as xmlcatalog will not + # be in / and stage1 builds to ROOT=/tmp/stage1root. This fixes bug #208887. + if [[ "${ROOT}" != "/" ]]; then + elog "Skipping XML catalog creation for stage building (bug #208887)." + else + # need an XML catalog, so no-one writes to a non-existent one + CATALOG="${EROOT}etc/xml/catalog" + + # we dont want to clobber an existing catalog though, + # only ensure that one is there + # <obz@gentoo.org> + if [[ ! -e ${CATALOG} ]]; then + [[ -d "${EROOT}etc/xml" ]] || mkdir -p "${EROOT}etc/xml" + "${EPREFIX}"/usr/bin/xmlcatalog --create > "${CATALOG}" + einfo "Created XML catalog in ${CATALOG}" + fi + fi +} + +libxml2_py_emake() { + pushd "${BUILD_DIR}/python" > /dev/null || die + emake "$@" + popd > /dev/null +} |