M gnu/local.mk => gnu/local.mk +2 -0
@@ 606,6 606,8 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
+ %D%/packages/patches/libxml2-CVE-2016-3627.patch \
+ %D%/packages/patches/libxml2-CVE-2016-3705.patch \
%D%/packages/patches/libxslt-CVE-2015-7995.patch \
%D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/libpthread-glibc-preparation.patch \
A gnu/packages/patches/libxml2-CVE-2016-3627.patch => gnu/packages/patches/libxml2-CVE-2016-3627.patch +61 -0
@@ 0,0 1,61 @@
+From <http://seclists.org/fulldisclosure/2016/May/10>.
+
+From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons () suse com>
+Date: Thu, 14 Apr 2016 16:15:13 +0200
+Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
+ recursions to avoid CVE-2016-3627
+
+This patch prevents stack overflows like the one reported in
+https://bugzilla.gnome.org/show_bug.cgi?id=762100.
+---
+ tree.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.3/tree.c
+===================================================================
+--- libxml2-2.9.3.orig/tree.c
++++ libxml2-2.9.3/tree.c
+@@ -1464,6 +1464,8 @@ out:
+ return(ret);
+ }
+
++static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
++
+ /**
+ * xmlStringGetNodeList:
+ * @doc: the document
+@@ -1475,6 +1477,12 @@ out:
+ */
+ xmlNodePtr
+ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
++ return xmlStringGetNodeListInternal(doc, value, 0);
++ }
++
++xmlNodePtr
++xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
++
+ xmlNodePtr ret = NULL, last = NULL;
+ xmlNodePtr node;
+ xmlChar *val;
+@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
+ xmlEntityPtr ent;
+ xmlBufPtr buf;
+
++ if (recursionLevel > 1024) return(NULL);
++
+ if (value == NULL) return(NULL);
+
+ buf = xmlBufCreateSize(0);
+@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
+ else if ((ent != NULL) && (ent->children == NULL)) {
+ xmlNodePtr temp;
+
+- ent->children = xmlStringGetNodeList(doc,
+- (const xmlChar*)node->content);
++ ent->children = xmlStringGetNodeListInternal(doc,
++ (const xmlChar*)node->content,
++ recursionLevel+1);
+ ent->owner = 1;
+ temp = ent->children;
+ while (temp) {
A gnu/packages/patches/libxml2-CVE-2016-3705.patch => gnu/packages/patches/libxml2-CVE-2016-3705.patch +68 -0
@@ 0,0 1,68 @@
+From <http://seclists.org/fulldisclosure/2016/May/10>.
+
+From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons () suse com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
+ parser.
+
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 9604a72..4da151f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+--
+2.8.1
M gnu/packages/xml.scm => gnu/packages/xml.scm +10 -1
@@ 1,5 1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
@@ 77,6 77,7 @@ things the parser might find in the XML document (like start tags).")
(package
(name "libxml2")
(version "2.9.3")
+ (replacement libxml2/fixed) ;multiple CVEs
(source (origin
(method url-fetch)
(uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
@@ 103,6 104,14 @@ things the parser might find in the XML document (like start tags).")
project (but it is usable outside of the Gnome platform).")
(license license:x11)))
+(define libxml2/fixed
+ (package
+ (inherit libxml2)
+ (source (origin
+ (inherit (package-source libxml2))
+ (patches (search-patches "libxml2-CVE-2016-3627.patch"
+ "libxml2-CVE-2016-3705.patch"))))))
+
(define-public python-libxml2
(package (inherit libxml2)
(name "python-libxml2")