diff options
author | Ludovic Courtès <ludo@gnu.org> | 2016-05-24 14:11:52 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2016-05-24 14:15:18 +0200 |
commit | 493e9a5a8f613764cfa396c33ee6cb381b0dbbef (patch) | |
tree | 5ea6d5c7d117cb1f905ef8dfff710db9ab8f618c /gnu/packages/patches/libxml2-CVE-2016-3627.patch | |
parent | c0d2e7b197a3c511eb1bf60b61ee6fdc673e36f4 (diff) | |
download | guix-493e9a5a8f613764cfa396c33ee6cb381b0dbbef.tar.gz |
gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.
* gnu/packages/patches/libxml2-CVE-2016-3627.patch, gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xml.scm (libxml2)[replacement]: New field. (libxml2/fixed): New variable.
Diffstat (limited to 'gnu/packages/patches/libxml2-CVE-2016-3627.patch')
-rw-r--r-- | gnu/packages/patches/libxml2-CVE-2016-3627.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch new file mode 100644 index 0000000000..782c9270cf --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2016-3627.patch @@ -0,0 +1,61 @@ +From <http://seclists.org/fulldisclosure/2016/May/10>. + +From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001 +From: Peter Simons <psimons () suse com> +Date: Thu, 14 Apr 2016 16:15:13 +0200 +Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024 + recursions to avoid CVE-2016-3627 + +This patch prevents stack overflows like the one reported in +https://bugzilla.gnome.org/show_bug.cgi?id=762100. +--- + tree.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +Index: libxml2-2.9.3/tree.c +=================================================================== +--- libxml2-2.9.3.orig/tree.c ++++ libxml2-2.9.3/tree.c +@@ -1464,6 +1464,8 @@ out: + return(ret); + } + ++static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel); ++ + /** + * xmlStringGetNodeList: + * @doc: the document +@@ -1475,6 +1477,12 @@ out: + */ + xmlNodePtr + xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { ++ return xmlStringGetNodeListInternal(doc, value, 0); ++ } ++ ++xmlNodePtr ++xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) { ++ + xmlNodePtr ret = NULL, last = NULL; + xmlNodePtr node; + xmlChar *val; +@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc, + xmlEntityPtr ent; + xmlBufPtr buf; + ++ if (recursionLevel > 1024) return(NULL); ++ + if (value == NULL) return(NULL); + + buf = xmlBufCreateSize(0); +@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc, + else if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + +- ent->children = xmlStringGetNodeList(doc, +- (const xmlChar*)node->content); ++ ent->children = xmlStringGetNodeListInternal(doc, ++ (const xmlChar*)node->content, ++ recursionLevel+1); + ent->owner = 1; + temp = ent->children; + while (temp) { |