summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-3627.patch61
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-3705.patch68
2 files changed, 0 insertions, 129 deletions
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3627.patch b/gnu/packages/patches/libxml2-CVE-2016-3627.patch
deleted file mode 100644
index 782c9270cf..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-3627.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From <http://seclists.org/fulldisclosure/2016/May/10>.
-
-From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
-From: Peter Simons <psimons () suse com>
-Date: Thu, 14 Apr 2016 16:15:13 +0200
-Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
- recursions to avoid CVE-2016-3627
-
-This patch prevents stack overflows like the one reported in
-https://bugzilla.gnome.org/show_bug.cgi?id=762100.
----
- tree.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-Index: libxml2-2.9.3/tree.c
-===================================================================
---- libxml2-2.9.3.orig/tree.c
-+++ libxml2-2.9.3/tree.c
-@@ -1464,6 +1464,8 @@ out:
-     return(ret);
- }
- 
-+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
-+
- /**
-  * xmlStringGetNodeList:
-  * @doc:  the document
-@@ -1475,6 +1477,12 @@ out:
-  */
- xmlNodePtr
- xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
-+   return xmlStringGetNodeListInternal(doc, value, 0);
-+ }
-+
-+xmlNodePtr
-+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
-+
-     xmlNodePtr ret = NULL, last = NULL;
-     xmlNodePtr node;
-     xmlChar *val;
-@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
-     xmlEntityPtr ent;
-     xmlBufPtr buf;
- 
-+    if (recursionLevel > 1024) return(NULL);
-+
-     if (value == NULL) return(NULL);
- 
-     buf = xmlBufCreateSize(0);
-@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
- 			else if ((ent != NULL) && (ent->children == NULL)) {
- 			    xmlNodePtr temp;
- 
--			    ent->children = xmlStringGetNodeList(doc,
--				    (const xmlChar*)node->content);
-+			    ent->children = xmlStringGetNodeListInternal(doc,
-+				    (const xmlChar*)node->content,
-+                                    recursionLevel+1);
- 			    ent->owner = 1;
- 			    temp = ent->children;
- 			    while (temp) {
diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch b/gnu/packages/patches/libxml2-CVE-2016-3705.patch
deleted file mode 100644
index e803630f3a..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-3705.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From <http://seclists.org/fulldisclosure/2016/May/10>.
-
-From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
-From: Peter Simons <psimons () suse com>
-Date: Fri, 15 Apr 2016 11:56:55 +0200
-Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
- parser.
-
-The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
-xmlStringDecodeEntities() in a recursive context without incrementing the
-'depth' counter in the parser context. Because of that omission, the parser
-failed to detect attribute recursions in certain documents before running out
-of stack space.
----
- parser.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 9604a72..4da151f 100644
---- a/parser.c
-+++ b/parser.c
-@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- 
- 	ent->checked = 1;
- 
-+        ++ctxt->depth;
- 	rep = xmlStringDecodeEntities(ctxt, ent->content,
- 				  XML_SUBSTITUTE_REF, 0, 0, 0);
-+        --ctxt->depth;
- 
- 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
- 	if (rep != NULL) {
-@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
- 	 * an entity declaration, it is bypassed and left as is.
- 	 * so XML_SUBSTITUTE_REF is not set here.
- 	 */
-+        ++ctxt->depth;
- 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
- 				      0, 0, 0);
-+        --ctxt->depth;
- 	if (orig != NULL)
- 	    *orig = buf;
- 	else
-@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
- 		} else if ((ent != NULL) &&
- 		           (ctxt->replaceEntities != 0)) {
- 		    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
-+			++ctxt->depth;
- 			rep = xmlStringDecodeEntities(ctxt, ent->content,
- 						      XML_SUBSTITUTE_REF,
- 						      0, 0, 0);
-+			--ctxt->depth;
- 			if (rep != NULL) {
- 			    current = rep;
- 			    while (*current != 0) { /* non input consuming */
-@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
- 			(ent->content != NULL) && (ent->checked == 0)) {
- 			unsigned long oldnbent = ctxt->nbentities;
- 
-+			++ctxt->depth;
- 			rep = xmlStringDecodeEntities(ctxt, ent->content,
- 						  XML_SUBSTITUTE_REF, 0, 0, 0);
-+			--ctxt->depth;
- 
- 			ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
- 			if (rep != NULL) {
--- 
-2.8.1