Commit 3ab88c20 authored by Salvatore Bonaccorso, committed by Bill Blough

Imported Debian patch 3.1.3+debian-2.1

parent 2a69cc4b
xerces-c (3.1.3+debian-2.1) unstable; urgency=medium
In addition to the fix for CVE-2016-4463 this update enables applications to
fully disable DTD processing through the use of an environment variable.
.
XERCES_DISABLE_DTD set to "1" will cause the scanner to report a fatal error
if a DTD is seen. Existing applications won't see any change.
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 28 Jun 2016 16:50:55 +0200
xerces-c (3.1.3+debian-2.1) unstable; urgency=medium
* Non-maintainer upload.
* CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
(Closes: #828990)
* Enable the ability to disable DTD processing through the use of an env
variable
* Add NEWS.Debian entry to document the XERCES_DISABLE_DTD variable
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 01 Jul 2016 14:28:51 +0200
xerces-c (3.1.3+debian-2) unstable; urgency=medium
* Fix CVE-2016-2099: Exception handling mistake in DTDScanner.
Description: CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
Origin: upstream, https://svn.apache.org/r1747619
Bug: https://issues.apache.org/jira/browse/XERCESC-2069
Forwarded: not-needed
Author: Scott Cantor <cantor.2@osu.edu>
Last-Update: 2016-06-28
--- a/src/xercesc/validators/DTD/DTDScanner.cpp
+++ b/src/xercesc/validators/DTD/DTDScanner.cpp
@@ -44,6 +44,8 @@
XERCES_CPP_NAMESPACE_BEGIN
+#define CONTENTSPEC_DEPTH_LIMIT 1000
+
// ---------------------------------------------------------------------------
// Local methods
// ---------------------------------------------------------------------------
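Review bot: CONTENTSPEC_DEPTH_LIMIT is a bare magic number with no comment explaining what it bounds or why 1000 was chosen; a one-line comment next to the #define stating that it caps the recursion of scanChildren over nested content-model groups (the CVE-2016-4463 stack exhaustion) would save the next reader from having to trace the call chain.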
@@ -1038,8 +1040,13 @@ bool DTDScanner::scanCharRef(XMLCh& firs
ContentSpecNode*
-DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse)
+DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth)
{
+ if (depth++ > CONTENTSPEC_DEPTH_LIMIT) {
+ fScanner->emitError(XMLErrs::UnterminatedDOCTYPE);
+ return 0;
+ }
+
// Check for a PE ref here, but don't require spaces
checkForPERef(false, true);
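Review bot: the error reported when the limit trips, XMLErrs::UnterminatedDOCTYPE, does not describe what actually happened (a content-model nesting limit was exceeded, not an unterminated DOCTYPE), which will make the rejection hard to diagnose from application logs; a dedicated error code, or at least a comment on the emitError line, would be clearer. Note also that with `depth++ > CONTENTSPEC_DEPTH_LIMIT` the comparison is against the pre-increment value, so the function is entered LIMIT + 2 times before it bails out; harmless, but worth a comment if the off-by-one is intentional. The `return 0` is handled by the top-level caller (scanContentSpec tests `resNode != 0`), but whether the recursive call site tolerates a null subNode is not visible in this hunk and should be confirmed.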
@@ -1240,7 +1247,7 @@ DTDScanner::scanChildren(const DTDElemen
// Recurse to handle this new guy
ContentSpecNode* subNode;
try {
- subNode = scanChildren(elemDecl, bufToUse);
+ subNode = scanChildren(elemDecl, bufToUse, depth);
}
catch (const XMLErrs::Codes)
{
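Review bot: `depth` is passed by reference and incremented on every entry to scanChildren but never decremented on return, so it counts the total number of parenthesized groups scanned for this element rather than the current nesting depth; a wide, shallow content model with more than 1000 sibling groups would be rejected even though it poses no recursion risk. If a cumulative cap is the intent (it is the simpler and still safe choice), rename the parameter or add a comment saying so; if true nesting depth is meant, decrement `depth` after the recursive call returns.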
@@ -1577,7 +1584,8 @@ bool DTDScanner::scanContentSpec(DTDElem
//
toFill.setModelType(DTDElementDecl::Children);
XMLBufBid bbTmp(fBufMgr);
- ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer());
+ unsigned int depth = 0;
+ ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth);
status = (resNode != 0);
if (status)
toFill.setContentSpec(resNode);
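Review bot: resetting `depth` to 0 here, once per scanContentSpec call, is the right scope for the counter, since it prevents the count from carrying over between element declarations, and the existing `status = (resNode != 0)` already turns the limit bail-out into a failed content spec without further changes; no issues with this hunk beyond confirming that a failed status is surfaced to the application as an error rather than silently ignored, which is outside the visible lines.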
--- a/src/xercesc/validators/DTD/DTDScanner.hpp
+++ b/src/xercesc/validators/DTD/DTDScanner.hpp
@@ -143,6 +143,7 @@ private:
(
const DTDElementDecl& elemDecl
, XMLBuffer& bufToUse
+ , unsigned int& depth
);
bool scanCharRef(XMLCh& toFill, XMLCh& second);
void scanComment();
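Review bot: the new `unsigned int& depth` parameter is undocumented in the header; since the function mutates it and relies on the caller initializing it to 0, a short comment on the declaration stating that it is an in/out recursion counter that callers must zero before the first call would prevent a future call site from passing an uninitialized value.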
Description: Disable DTD processing through the use of an env variable
XERCES_DISABLE_DTD set to "1" will cause the scanner to report a fatal
error if a DTD is seen. Existing applications won't see any change.
Origin: upstream, http://svn.apache.org/r1747620
Bug: https://issues.apache.org/jira/browse/XERCESC-2070
Forwarded: not-needed
Author: Scott Cantor <cantor.2@osu.edu>
Last-Update: 2016-06-28
--- a/src/xercesc/internal/XMLScanner.cpp
+++ b/src/xercesc/internal/XMLScanner.cpp
@@ -1270,8 +1270,15 @@ void XMLScanner::scanProlog()
if (sawDocTypeDecl) {
emitError(XMLErrs::DuplicateDocTypeDecl);
}
- scanDocTypeDecl();
- sawDocTypeDecl = true;
+
+ const char* envvar = getenv("XERCES_DISABLE_DTD");
+ if (envvar && !strcmp(envvar, "1")) {
+ emitError(XMLErrs::InvalidDocumentStructure);
+ }
+ else {
+ scanDocTypeDecl();
+ sawDocTypeDecl = true;
+ }
// if reusing grammar, this has been validated already in first scan
// skip for performance
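Review bot: the hunk introduces calls to getenv and strcmp but shows no corresponding include of <cstdlib> and <cstring>; unless XMLScanner.cpp already pulls them in transitively, this will fail to compile on stricter toolchains, so the includes should be added explicitly. Two further points: the patch description promises a "fatal error", but whether XMLErrs::InvalidDocumentStructure is actually fatal is not visible here, and if it is not, the scanner continues with the DOCTYPE text unconsumed and `sawDocTypeDecl` still false, which is likely to produce a cascade of follow-on errors; a comment confirming the error is fatal, or an explicit abort, would make the intent clear. Also, getenv is consulted on every DOCTYPE encountered rather than once at scanner initialization; functionally fine, but documenting that the switch is process-wide and read at parse time (so it can be changed by anything that can alter the environment of the process) would help operators reason about where it must be set.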
cve_2016_2099
CVE-2016-4463.patch
disable-DTD-processing-through-envvariable.patch