Commit b5d863f9 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso Committed by Mattia Rizzolo

Import Debian changes 2.9.4+dfsg1-5.1

libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix NULL pointer deref in xmlDumpElementContent (CVE-2017-5969)
    (Closes: #855001)
  * Check for integer overflow in memory debug code (CVE-2017-5130)
    (Closes: #880000)
  * Fix copy-paste errors in error messages
  * python: remove single use of _PyVerify_fd (Closes: #878684)
parent eb23bd53
libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium
* Non-maintainer upload.
* Fix NULL pointer deref in xmlDumpElementContent (CVE-2017-5969)
(Closes: #855001)
* Check for integer overflow in memory debug code (CVE-2017-5130)
(Closes: #880000)
* Fix copy-paste errors in error messages
* python: remove single use of _PyVerify_fd (Closes: #878684)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 18 Nov 2017 16:39:04 +0100
libxml2 (2.9.4+dfsg1-5) unstable; urgency=medium
* Team upload.
......
From: Daniel Veillard <veillard@redhat.com>
Date: Wed, 7 Jun 2017 16:47:36 +0200
Subject: Fix NULL pointer deref in xmlDumpElementContent
Origin: https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882
Bug-Debian: https://bugs.debian.org/855001
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5969
Can only be triggered in recovery mode.
Fixes bug 758422 (CVE-2017-5969).
---
valid.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/valid.c b/valid.c
index 9b2df56a..8075d3a0 100644
--- a/valid.c
+++ b/valid.c
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
xmlBufferWriteCHAR(buf, content->name);
break;
case XML_ELEMENT_CONTENT_SEQ:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+ if ((content->c1 != NULL) &&
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
xmlDumpElementContent(buf, content->c1, 1);
else
xmlDumpElementContent(buf, content->c1, 0);
xmlBufferWriteChar(buf, " , ");
- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+ if ((content->c2 != NULL) &&
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
xmlDumpElementContent(buf, content->c2, 1);
else
xmlDumpElementContent(buf, content->c2, 0);
break;
case XML_ELEMENT_CONTENT_OR:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+ if ((content->c1 != NULL) &&
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
xmlDumpElementContent(buf, content->c1, 1);
else
xmlDumpElementContent(buf, content->c1, 0);
xmlBufferWriteChar(buf, " | ");
- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+ if ((content->c2 != NULL) &&
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
xmlDumpElementContent(buf, content->c2, 1);
else
xmlDumpElementContent(buf, content->c2, 0);
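Review bot: With the new `!= NULL` tests a NULL `c1` or `c2` now falls into the `else` branch and is passed straight to the recursive `xmlDumpElementContent(buf, content->c1, 0)` call, so the fix is only complete if the function rejects a NULL `content` on entry, which is outside this hunk and should be confirmed. The dump will also write the ` , ` or ` | ` separator next to an empty operand, so the serialized content model of a document parsed in recovery mode is not guaranteed to be well-formed. A short comment at the first test would record the dependency, e.g. `/* c1/c2 may be NULL in recovery mode; relies on the NULL check at function entry */`. The switch and the function body start and end outside the hunk.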
--
2.15.0
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 6 Jun 2017 13:21:14 +0200
Subject: Check for integer overflow in memory debug code
Origin: https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed
Bug-Debian: https://bugs.debian.org/880000
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5130
Fixes bug 783026.
Thanks to Pranjal Jumde for the report.
---
xmlmemory.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/xmlmemory.c b/xmlmemory.c
index f08c8c3d..c53141fb 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
TEST_POINT
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
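Review bot: The overflow guard added here is repeated line for line in the xmlReallocLoc and xmlMemStrdupLoc hunks of this patch, so the bound `MAX_SIZE_T - RESERVE_SIZE` and its reporting now live in several places. A single static helper that takes the caller's name keeps the check in one place and makes it harder for a future allocation wrapper to omit it. The helper name below is only a proposal, and the definitions of MAX_SIZE_T and RESERVE_SIZE are not visible in this hunk. xmlMallocLoc's body continues outside the hunk.

```c
/* Report and return non-zero when RESERVE_SIZE + size would wrap. */
static int
xmlMemSizeOverflows(size_t size, const char *caller)
{
    if (size <= (MAX_SIZE_T - RESERVE_SIZE))
        return(0);
    xmlGenericError(xmlGenericErrorContext,
                    "%s : Unsigned overflow\n", caller);
    xmlMemoryDump();
    return(1);
}

/* … unchanged: xmlMallocLoc prologue up to TEST_POINT … */
    if (xmlMemSizeOverflows(size, "xmlMallocLoc"))
        return(NULL);

    p = (MEMHDR *) malloc(RESERVE_SIZE+size);
```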
@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
#endif
xmlMutexUnlock(xmlMemMutex);
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
if (!tmp) {
free(p);
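Review bot: The added guard returns NULL without touching `p`, whereas the `if (!tmp)` branch just below calls `free(p)` before failing, so a NULL result from xmlReallocLoc no longer tells the caller whether the old block is still allocated. That ambiguity is how leaks or double frees get introduced at call sites. The guard also runs after `xmlMutexUnlock(xmlMemMutex)`, so whatever bookkeeping the locked section does on `p` (outside this hunk) has presumably already been applied when the size is rejected. Making the two failure paths agree would be safer, for example `free(p);` before the new `return(NULL);`, with a comment such as `/* on any failure the old block has been released */` stating the contract. The function starts and ends outside the hunk.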
@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
if (!xmlMemInitialized) xmlInitMemory();
TEST_POINT
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
goto error;
--
2.15.0
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 11 Jun 2017 17:12:21 +0200
Subject: Fix copy-paste errors in error messages
Origin: https://git.gnome.org/browse/libxml2/commit/?id=ed48d65b4d6c5cec7be035ad5eebeba873b4b955
Bug-Debian: https://bugs.debian.org/880000
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5130
Thanks to David Kilzer for the review.
---
xmlmemory.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/xmlmemory.c b/xmlmemory.c
index c53141fb..58de2eda 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -250,7 +250,7 @@ xmlMallocAtomicLoc(size_t size, const char * file, int line)
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
- "xmlMallocAtomicLoc : Unsigned overflow prevented\n");
+ "xmlMallocAtomicLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
@@ -361,7 +361,7 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
- "xmlMallocLoc : Unsigned overflow\n");
+ "xmlReallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
@@ -515,7 +515,7 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
- "xmlMallocLoc : Unsigned overflow\n");
+ "xmlMemStrdupLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
--
2.15.0
From: Patrick Welche <prlw1@cam.ac.uk>
Date: Mon, 6 Nov 2017 16:20:25 +0000
Subject: python: remove single use of _PyVerify_fd
Origin: https://bugzilla.gnome.org/attachment.cgi?id=363064
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=776815
Bug-Debian: https://bugs.debian.org/878684
_PyVerify_fd disappeared from python with:
https://hg.python.org/cpython/rev/e88e2049b793
https://bugzilla.gnome.org/show_bug.cgi?id=776815
---
python/types.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/python/types.c b/python/types.c
index f237677..124af56 100644
--- a/python/types.c
+++ b/python/types.c
@@ -31,8 +31,6 @@ libxml_PyFileGet(PyObject *f) {
const char *mode;
fd = PyObject_AsFileDescriptor(f);
- if (!_PyVerify_fd(fd))
- return(NULL);
/*
* Get the flags on the fd to understand how it was opened
*/
--
2.15.0
......@@ -11,3 +11,7 @@
0011-Fix-handling-of-parameter-entity-references.patch
0012-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch
0013-Fix-type-confusion-in-xmlValidateOneNamespace.patch
0014-Fix-NULL-pointer-deref-in-xmlDumpElementContent.patch
0015-Check-for-integer-overflow-in-memory-debug-code.patch
0016-Fix-copy-paste-errors-in-error-messages.patch
0017-python-remove-single-use-of-_PyVerify_fd.patch