powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

libxml2 package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2018-06-06 11:05:09 +02:00
parent e66f763b89
commit f6e3408a7f
43 changed files with 5129 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
SOURCES/CVE-2014-3660-rhel7.patch Normal file
View File

@ -0,0 +1,140 @@
commit 8ed73eb939d6c9b79f3fa41b76916cc443196bbc
Author: Daniel Veillard <veillard@redhat.com>
Date: Thu Oct 2 16:17:09 2014 +0800

Fix for CVE-2014-3660
Issues related to the billion laugh entity expansion which happened to
escape the initial set of fixes

diff --git a/parser.c b/parser.c
index f30588c..3c72cbb 100644
--- a/parser.c
+++ b/parser.c
@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
+
+ /*
+ * This may look absurd but is needed to detect
+ * entities problems
+ */
+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+ xmlChar *rep;
+
+ ent->checked = 1;
+
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+ if (xmlStrchr(rep, '<'))
+ ent->checked |= 1;
+ xmlFree(rep);
+ rep = NULL;
+ }
+ }
if (replacement != 0) {
if (replacement < XML_MAX_TEXT_LENGTH)
return(0);
@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
return (0);
} else {
/*
- * strange we got no data for checking just return
+ * strange we got no data for checking
*/
- return (0);
+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
+ (ctxt->nbentities <= 10000))
+ return (0);
}
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
return (1);
@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
name, NULL);
ctxt->valid = 0;
}
+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
} else if (ctxt->input->free != deallocblankswrapper) {
input = xmlNewBlanksWrapperInputStream(ctxt, entity);
if (xmlPushInput(ctxt, input) < 0)
@@ -2737,6 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
(ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
goto int_error;
+ xmlParserEntityCheck(ctxt, 0, ent, 0);
if (ent != NULL)
ctxt->nbentities += ent->checked / 2;
if ((ent != NULL) &&
@@ -2788,6 +2816,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
ent = xmlParseStringPEReference(ctxt, &str);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
goto int_error;
+ xmlParserEntityCheck(ctxt, 0, ent, 0);
if (ent != NULL)
ctxt->nbentities += ent->checked / 2;
if (ent != NULL) {
@@ -7286,6 +7315,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
(ret != XML_WAR_UNDECLARED_ENTITY)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
"Entity '%s' failed to parse\n", ent->name);
+ xmlParserEntityCheck(ctxt, 0, ent, 0);
} else if (list != NULL) {
xmlFreeNodeList(list);
list = NULL;
@@ -7392,7 +7422,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
/*
* We are copying here, make sure there is no abuse
*/
- ctxt->sizeentcopy += ent->length;
+ ctxt->sizeentcopy += ent->length + 5;
if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
return;
@@ -7440,7 +7470,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
/*
* We are copying here, make sure there is no abuse
*/
- ctxt->sizeentcopy += ent->length;
+ ctxt->sizeentcopy += ent->length + 5;
if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
return;
@@ -7626,6 +7656,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
ctxt->sax->reference(ctxt->userData, name);
}
}
+ xmlParserEntityCheck(ctxt, 0, ent, 0);
ctxt->valid = 0;
}
@@ -7819,6 +7850,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
"Entity '%s' not defined\n",
name);
}
+ xmlParserEntityCheck(ctxt, 0, ent, 0);
/* TODO ? check regressions ctxt->valid = 0; */
}
@@ -7978,6 +8010,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
name, NULL);
ctxt->valid = 0;
}
+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
} else {
/*
* Internal checking in case the entity quest barfed
@@ -8217,6 +8250,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
name, NULL);
ctxt->valid = 0;
}
+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
} else {
/*
* Internal checking in case the entity quest barfed

35
SOURCES/libxml2-2.9.0-do-not-check-crc.patch Normal file
View File

@ -0,0 +1,35 @@
diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c
--- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200
+++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100
@@ -552,17 +552,20 @@ xz_decomp(xz_statep state)
#ifdef HAVE_ZLIB_H
if (state->how == GZIP) {
if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
- return -1;
- }
- if (crc != state->zstrm.adler) {
- xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
- return -1;
- }
- if (len != (state->zstrm.total_out & 0xffffffffL)) {
- xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
- return -1;
- }
+ /*
+ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
+ return -1;
+ */
+ } else {
+ if (crc != state->zstrm.adler) {
+ xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
+ return -1;
+ }
+ if (len != (state->zstrm.total_out & 0xffffffffL)) {
+ xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
+ return -1;
+ }
+ }
state->strm.avail_in = 0;
state->strm.next_in = NULL;
state->strm.avail_out = 0;

72
SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch Normal file
View File

@ -0,0 +1,72 @@
From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Fri, 15 Apr 2016 11:56:55 +0200
Subject: [PATCH] Add missing increments of recursion depth counter to XML
parser.
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=765207
CVE-2016-3705
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/parser.c b/parser.c
index 0accf54..32293d0 100644
--- a/parser.c
+++ b/parser.c
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
ent->checked = 1;
+ ++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
if (rep != NULL) {
@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
* an entity declaration, it is bypassed and left as is.
* so XML_SUBSTITUTE_REF is not set here.
*/
+ ++ctxt->depth;
ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
0, 0, 0);
+ --ctxt->depth;
if (orig != NULL)
*orig = buf;
else
@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
} else if ((ent != NULL) &&
(ctxt->replaceEntities != 0)) {
if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
+ ++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF,
0, 0, 0);
+ --ctxt->depth;
if (rep != NULL) {
current = rep;
while (*current != 0) { /* non input consuming */
@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
(ent->content != NULL) && (ent->checked == 0)) {
unsigned long oldnbent = ctxt->nbentities;
+ ++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
if (rep != NULL) {
--
2.5.5

84
SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch Normal file
View File

@ -0,0 +1,84 @@
From d6b6dc7bb5e68fa11cb980bc08c4d9ea3f39b190 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 14:55:30 +0800
Subject: [PATCH] Add xmlHaltParser() to stop the parser
To: libvir-list@redhat.com

The problem is doing it in a consistent and safe fashion
It's more complex than just setting ctxt->instate = XML_PARSER_EOF
Update the public function to reuse that new internal routine

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 34 +++++++++++++++++++++++++++++-----
1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/parser.c b/parser.c
index e536e54..5b4f719 100644
--- a/parser.c
+++ b/parser.c
@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
const xmlChar *base, xmlParserCtxtPtr pctx);
+static void xmlHaltParser(xmlParserCtxtPtr ctxt);
+
/************************************************************************
* *
* Arbitrary limits set in the parser. See XML_PARSE_HUGE *
@@ -12558,25 +12560,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
#endif /* LIBXML_PUSH_ENABLED */
/**
- * xmlStopParser:
+ * xmlHaltParser:
* @ctxt: an XML parser context
*
- * Blocks further parser processing
+ * Blocks further parser processing don't override error
+ * for internal use
*/
-void
-xmlStopParser(xmlParserCtxtPtr ctxt) {
+static void
+xmlHaltParser(xmlParserCtxtPtr ctxt) {
if (ctxt == NULL)
return;
ctxt->instate = XML_PARSER_EOF;
- ctxt->errNo = XML_ERR_USER_STOP;
ctxt->disableSAX = 1;
if (ctxt->input != NULL) {
+ /*
+ * in case there was a specific allocation deallocate before
+ * overriding base
+ */
+ if (ctxt->input->free != NULL) {
+ ctxt->input->free((xmlChar *) ctxt->input->base);
+ ctxt->input->free = NULL;
+ }
ctxt->input->cur = BAD_CAST"";
ctxt->input->base = ctxt->input->cur;
}
}
/**
+ * xmlStopParser:
+ * @ctxt: an XML parser context
+ *
+ * Blocks further parser processing
+ */
+void
+xmlStopParser(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL)
+ return;
+ xmlHaltParser(ctxt);
+ ctxt->errNo = XML_ERR_USER_STOP;
+}
+
+/**
* xmlCreateIOParserCtxt:
* @sax: a SAX handler
* @user_data: The user data returned on SAX callbacks
--
2.5.0

35
SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch Normal file
View File

@ -0,0 +1,35 @@
From 8d9f8c6dca5fd34743ed11ef0c570c4306db10e5 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 23 Oct 2015 19:02:28 +0800
Subject: [PATCH] Another variation of overflow in Conditional sections
To: libvir-list@redhat.com

Which happen after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456

But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index e2e0ad8..4926ab0 100644
--- a/parser.c
+++ b/parser.c
@@ -6895,7 +6895,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
"All markup of the conditional section is not in the same entity\n",
NULL, NULL);
}
- SKIP(3);
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
+ ((ctxt->input->cur + 3) < ctxt->input->end))
+ SKIP(3);
}
}
--
2.5.0

62
SOURCES/libxml2-Avoid-building-recursive-entities.patch Normal file
View File

@ -0,0 +1,62 @@
From 2fc95df152622cf5cf1d478af6ed3538e170118b Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 May 2016 12:27:58 +0800
Subject: [PATCH] Avoid building recursive entities
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=762100

When we detect a recusive entity we should really not
build the associated data, moreover if someone bypass
libxml2 fatal errors and still tries to serialize a broken
entity make sure we don't risk to get ito a recursion

* parser.c: xmlParserEntityCheck() don't build if entity loop
were found and remove the associated text content
* tree.c: xmlStringGetNodeList() avoid a potential recursion

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 6 +++++-
tree.c | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 32293d0..2ae44c5 100644
--- a/parser.c
+++ b/parser.c
@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
* entities problems
*/
if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
- (ent->content != NULL) && (ent->checked == 0)) {
+ (ent->content != NULL) && (ent->checked == 0) &&
+ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
unsigned long oldnbent = ctxt->nbentities;
xmlChar *rep;
@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
+ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
+ ent->content[0] = 0;
+ }
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
if (rep != NULL) {
diff --git a/tree.c b/tree.c
index 7e5af26..83ec66f 100644
--- a/tree.c
+++ b/tree.c
@@ -1588,6 +1588,7 @@ xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) {
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
+ ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content);
ent->owner = 1;
--
2.5.5

38
SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch Normal file
View File

@ -0,0 +1,38 @@
From eb1114e90b22e09d500840bac1e171763e8baa16 Mon Sep 17 00:00:00 2001
From: Hugh Davenport <hugh@allthethings.co.nz>
Date: Tue, 3 Nov 2015 20:40:49 +0800
Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756263

One place where ctxt->instate == XML_PARSER_EOF whic was set up
by entity detection issues doesn't get noticed, and even overrided

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/parser.c b/parser.c
index b56d94c..262db1e 100644
--- a/parser.c
+++ b/parser.c
@@ -6952,6 +6952,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) {
xmlParsePI(ctxt);
}
}
+
+ /*
+ * detect requirement to exit there and act accordingly
+ * and avoid having instate overriden later on
+ */
+ if (ctxt->instate == XML_PARSER_EOF)
+ return;
+
/*
* This is only for internal subset. On external entities,
* the replacement is done before parsing stage
--
2.5.0

85
SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch Normal file
View File

@ -0,0 +1,85 @@
From 7c2be3213eeddd202c3e4c600cf3cfac06fb128a Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 9 Nov 2015 18:07:18 +0800
Subject: [PATCH] Avoid processing entities after encoding conversion failures
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756527
and was also raised by Chromium team in the past

When we hit a convwersion failure when switching encoding
it is bestter to stop parsing there, this was treated as a
fatal error but the parser was continuing to process to extract
more errors, unfortunately that makes little sense as the data
is obviously corrupt and can potentially lead to unexpected behaviour.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 7 +++++--
parserInternals.c | 11 ++++++++++-
2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/parser.c b/parser.c
index 262db1e..134ea7f 100644
--- a/parser.c
+++ b/parser.c
@@ -10598,7 +10598,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
}
xmlParseEncodingDecl(ctxt);
- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+ (ctxt->instate == XML_PARSER_EOF)) {
/*
* The XML REC instructs us to stop parsing right here
*/
@@ -10722,6 +10723,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
if (CUR == 0) {
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+ return(-1);
}
/*
@@ -10739,7 +10741,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
* Note that we will switch encoding on the fly.
*/
xmlParseXMLDecl(ctxt);
- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+ (ctxt->instate == XML_PARSER_EOF)) {
/*
* The XML REC instructs us to stop parsing right here
*/
diff --git a/parserInternals.c b/parserInternals.c
index f8a7041..9acfea4 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
{
xmlCharEncodingHandlerPtr handler;
int len = -1;
+ int ret;
if (ctxt == NULL) return(-1);
switch (enc) {
@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
if (handler == NULL)
return(-1);
ctxt->charset = XML_CHAR_ENCODING_UTF8;
- return(xmlSwitchToEncodingInt(ctxt, handler, len));
+ ret = xmlSwitchToEncodingInt(ctxt, handler, len);
+ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
+ /*
+ * on encoding conversion errors, stop the parser
+ */
+ xmlStopParser(ctxt);
+ ctxt->errNo = XML_I18N_CONV_FAILED;
+ }
+ return(ret);
}
/**
--
2.5.0

38
SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch Normal file
View File

@ -0,0 +1,38 @@
From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 06:34:26 -0800
Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
To: libvir-list@redhat.com

* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error. Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
xmlregexp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xmlregexp.c b/xmlregexp.c
index 1f9911c..eb67b74 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
ERROR("Expecting the end of a char range");
return;
}
- NEXTL(len);
+
/* TODO check that the values are acceptable character ranges for XML */
if (end < start) {
ERROR("End of range is before start of range");
} else {
+ NEXTL(len);
xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
XML_REGEXP_CHARVAL, start, end, NULL);
}
--
2.5.5

99
SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch Normal file
View File

File diff suppressed because one or more lines are too long

114
SOURCES/libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch Normal file
View File

@ -0,0 +1,114 @@
commit 3018042fd3c11c3d6cda36b3cbae4f7bb4f20c3d
Author: Pranjal Jumde <pjumde@apple.com>
Date: Tue Mar 1 11:34:04 2016 -0800

Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
Reviewed by David Kilzer.
* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure. Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.

diff --git a/HTMLparser.c b/HTMLparser.c
index 4331d53..a897cb0 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
(*in == '_') || (*in == '-') ||
(*in == ':') || (*in == '.'))
in++;
+
+ if (in == ctxt->input->end)
+ return(NULL);
+
if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur;
ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
NEXTL(l);
c = CUR_CHAR(l);
}
+
+ if (ctxt->input->base > ctxt->input->cur - len)
+ return(NULL);
+
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
}
diff --git a/result/HTML/758605.html b/result/HTML/758605.html
new file mode 100644
index 0000000..a085cce
--- /dev/null
+++ b/result/HTML/758605.html
@@ -0,0 +1,3 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p>&amp;
+</p></body></html>
diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err
new file mode 100644
index 0000000..2b82be6
--- /dev/null
+++ b/result/HTML/758605.html.err
@@ -0,0 +1,3 @@
+./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
+ê
+ ^
diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax
new file mode 100644
index 0000000..1f5cd32
--- /dev/null
+++ b/result/HTML/758605.html.sax
@@ -0,0 +1,13 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: htmlParseEntityRef: no name
+SAX.startElement(html)
+SAX.startElement(body)
+SAX.startElement(p)
+SAX.characters(&amp;, 1)
+SAX.ignorableWhitespace(
+, 1)
+SAX.endElement(p)
+SAX.endElement(body)
+SAX.endElement(html)
+SAX.endDocument()
diff --git a/runtest.c b/runtest.c
index ccdd49b..0afa788 100644
--- a/runtest.c
+++ b/runtest.c
@@ -1824,7 +1824,7 @@ pushParseTest(const char *filename, const char *result,
ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
xmlCtxtUseOptions(ctxt, options);
cur += 4;
- while (cur < size) {
+ do {
if (cur + 1024 >= size) {
#ifdef LIBXML_HTML_ENABLED
if (options & XML_PARSE_HTML)
@@ -1842,7 +1842,7 @@ pushParseTest(const char *filename, const char *result,
xmlParseChunk(ctxt, base + cur, 1024, 0);
cur += 1024;
}
- }
+ } while (cur < size);
doc = ctxt->myDoc;
#ifdef LIBXML_HTML_ENABLED
if (options & XML_PARSE_HTML)
diff --git a/test/HTML/758605.html b/test/HTML/758605.html
new file mode 100644
index 0000000..9b1b3c2
--- /dev/null
+++ b/test/HTML/758605.html
@@ -0,0 +1 @@
+&:ê

414
SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch Normal file
View File

@ -0,0 +1,414 @@
commit b226bfbe101b5160917bf649510c407ab997cb00
Author: Pranjal Jumde <pjumde@apple.com>
Date: Thu Mar 3 11:50:34 2016 -0800

Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398>
* parser.c:
(xmlParseNCNameComplex): Store start position instead of a
pointer to the name since the underlying buffer may change,
resulting in a stale pointer being used.
* result/errors/759398.xml: Added.
* result/errors/759398.xml.err: Added.
* result/errors/759398.xml.str: Added.
* test/errors/759398.xml: Added test case.

diff --git a/parser.c b/parser.c
index 03bc4f8..46ab0e8 100644
--- a/parser.c
+++ b/parser.c
@@ -2008,6 +2008,7 @@ static int spacePop(xmlParserCtxtPtr ctxt) {
#define CUR (*ctxt->input->cur)
#define NXT(val) ctxt->input->cur[(val)]
#define CUR_PTR ctxt->input->cur
+#define BASE_PTR ctxt->input->base
#define CMP4( s, c1, c2, c3, c4 ) \
( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \
@@ -3465,6 +3466,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ size_t startPosition = 0;
#ifdef DEBUG
nbParseNCNameComplex++;
@@ -3474,6 +3476,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
* Handler for more complex cases
*/
GROW;
+ startPosition = CUR_PTR - BASE_PTR;
c = CUR_CHAR(l);
if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
(!xmlIsNameStartChar(ctxt, c) || (c == ':'))) {
@@ -3509,7 +3512,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL);
}
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len));
}
/**
diff --git a/result/errors/759398.xml b/result/errors/759398.xml
new file mode 100644
index 0000000..e69de29
diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err
new file mode 100644
index 0000000..e08d9bf
--- /dev/null
+++ b/result/errors/759398.xml.err
@@ -0,0 +1,9 @@
+./test/errors/759398.xml:210: parser error : StartTag: invalid element name
+need to worry about parsers whi<! don't expand PErefs finding
+ ^
+./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: spec line 50 and termdef
+and provide access to their content and structure.</termdef> <termdef
+ ^
+./test/errors/759398.xml:309: parser error : Extra content at the end of the document
+and provide access to their content and structure.</termdef> <termdef
+ ^
diff --git a/result/errors/759398.xml.str b/result/errors/759398.xml.str
new file mode 100644
index 0000000..de9a28c
--- /dev/null
+++ b/result/errors/759398.xml.str
@@ -0,0 +1,5 @@
+./test/errors/759398.xml:210: parser error : internal error: detected an error in element content
+
+need to worry about parsers whi<! don't expand
+ ^
+./test/errors/759398.xml : failed to parse
diff --git a/test/errors/759398.xml b/test/errors/759398.xml
new file mode 100755
index 0000000..132e029
--- /dev/null
+++ b/test/errors/759398.xml
@@ -0,0 +1,326 @@
+<?xml version='1.0' encoding='ISO-8859-5' standalone='no'?>
+<!DOCTYPE spec SYSTEM "dtds/spec.dtd" [
+
+<!-- LAST TOUCHED BY: Tim Bray, 8 February 1997 -->
+
+<!-- The words 'FINAL EDIT' in comments mark places where changes
+need to be made after approval of the document by the ERB, before
+publication. -->
+
+<!ENTITY XML.version "1.0">
+<!ENTITY doc.date "10 February 1998">
+<!ENTITY iso6.doc.date "19980210">
+<!ENTITY w3c.doc.date "02-Feb-1998">
+<!ENTITY draft.day '10'>
+<!ENTITY draft.month 'February'>
+<!ENTITY draft.year '1998'>
+
+<!ENTITY WebSGML
+ 'WebSGML Adaptations Annex to ISO 8879'>
+
+<!ENTITY lt "<">
+<!ENTITY gt ">">
+<!ENTITY xmlpio "'&lt;?xml'">
+<!ENTITY pic "'?>'">
+<!ENTITY br "\n">
+<!ENTITY cellback '#c0d9c0'>
+<!ENTITY mdash "--"> <!-- &#x2014, but nsgmls doesn't grok hex -->
+<!ENTITY com "--">
+<!ENTITY como "--">
+<!ENTITY comc "--">
+<!ENTITY hcro "&amp;#x">
+<!-- <!ENTITY nbsp " "> -->
+<!ENTITY nbsp "&#160;">
+<!ENTITY magicents "<code>amp</code>,
+<code>lt</code>,
+<code>gt</code>,
+<code>apos</code>,
+<code>quot</code>">
+
+<!-- audience and distribution status: for use at publication time -->
+<!ENTITY doc.audience "public review and discussion">
+<!ENTITY doc.distribution "may be dislributed freely, as long as
+all text and legal notices remain intact">
+
+]>
+
+<!-- for Panorama *-->
+<?VERBATIM "eg" ?>
+
+<spec>
+<header>
+<title>Extensible Markup Language (XML) 1.0</title>
+<version></version>
+<w3c-designation>REC-xml-&iso6.doc.date;</w3c-designation>
+<w3c-doctype>W3C Recommendation</w3c-doctype>
+<pubdate><day>&draft.day;</day><month>&draft.month;</month><year>&draft.year;</year></pubdate>
+
+<publoc>
+<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;">
+http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;</loc>
+<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml">
+http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml</loc>
+<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html">
+http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html</loc>
+<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf">
+http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf</loc>
+<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps">
+http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps</loc>
+</publoc>
+<latestloc>
+<loc href="http://www.w3.org/TR/REC-xml">
+httÿÿÿ€www.w3.org/TR/REC-xml</loc>
+</latestloc>
+<prevlocs>
+<loc href="http://www.w3.org/TR/PR-xml-971208">
+http://www.w3.org/TR/PR-xml-971208</loc>
+<!--
+<loc href='http://www.w3.org/TR/WD-xml-961114'>
+http://www.w3.org/TR/WD-xml-961114</loc>
+<loc href='http://www.w3.org/TR/WD-xml-lang-970331'>
+http://www.w3.org/TR/WD-xml-lang-970331</loc>
+<loc href='http://www.w3.org/TR/WD-xml-lang-970630'>
+http://www.w3.org/TR/WD-xml-lang-970630</loc>
+<loc href='http://www.w3.org/TR/WD-xml-970807'>
+http://www.w3.org/TR/WD-xml-970807</loc>
+<loc href='http://www.w3.org/TR/WD-xml-971117'>
+http://www.w3.org/TR/WD-xml-971117</loc>-->
+</prevlocs>
+<authlist>
+<author><name>Tim Bray</name>
+<affiliation>Textuality and Netscape</affiliation>
+<email
+href="mailto:tbray@textuality.com">tbray@textuality.com</email></author>
+<author><name>Jean Paoli</name>
+<affiliation>Microsoft</affiliation>
+<email href="mailto:jeanpa@microsoft.com">jeanpa@microsoft.com</email></author>
+<author><name>C. M. Sperberg-McQueen</name>
+<affiliation>University of Illinois at Chicago</affiliation>
+<email href="mailto:cmsmcq@uic.edu">cmsmcq@uic.edu</email></author>
+</authlist>
+<abstract>
+<p>The Extensible Markup Language (XML) is a subset of
+SGML that is completely described in this document. Its goal is to
+enable generic SGML to be served, received, and processed on the Web
+in the way that is now possible with HTML. XML has been designed for
+ease of implementation and for interoperability with both SGML and
+HTML.</p>
+</abstract>
+<status>
+<p>This document has been reviewed by W3C Members and
+other interested parties and has been endorsed by the
+Director as a W3C Recommendation. It is a stable
+document and may be used as reference material or cited
+as a normative reference from another document. W3C's
+role in making the Recommendation is to draw attention
+to the spPcification and to promote its widespread
+deployment. This enhances the functionality and
+interoperability of the Web.</p>
+<p>
+This document specifies a syntax created by subsetting an existing,
+widely used international text processing standard (Standard
+Generalized Markup Language, ISO 8879:1986(E) as amended and
+corrected) for use on the World Wide Web. It is a product of the W3C
+XML Activity, details of which can be found at <loc
+href='http://www.w3.org/XML'>http://www.w3.org/XML</loc>. A list of
+current W3C Recommendations and other technical documents can be found
+at <loc href='http://www.w3.org/TR'>http://www.w3.org/TR</loc>.
+</p>
+<p>This specification uses the term URI, which is defined by <bibref
+ref="Berners-Lee"/>, a work in progress expected to update <bibref
+ref="RFC1738"/> and <bibref ref="RFC1808"/>.
+</p>
+<p>The list of known errors in this specification is
+available at
+<loc href='http://www.w3.org/XML/xml-19980210-errata'>http://www.w3.org/XML/xml-19980210-errata</loc>.</p>
+<p>Please report errors in this document to
+<loc href='mailto:xml-editor@w3.org'>xml-editor@w3.org</loc>.
+</p>
+</status>
+
+
+<pubstmt>
+<p>Chicago, Vancouver, Mountain View, et al.:
+World-Wide Web Consortium, XML Working Group, 1996, 1997.</p>
+</pubstmt>
+<sourcedesc>
+<p>Created in electronic form.</p>
+</sourcedesc>
+<langusage>
+<language id='EN'>English</language>
+<language id='ebnf'>Extended Backus-Naur Form (formal grammar)</language>
+</langusage>
+<revisiondesc>
+<slist>
+<sitem>1997-12-03 : CMSMcQ : yet further changes</sitem>
+<sitem>1997-12-02 : TB : further changes (see TB to XML WG,
+2 December 1997)</sitem>
+<sitem>1997-12-02 : CMSMcQ : deal with as many corrections and
+comments from the proofreaders as possible:
+entify hard-coded document date in pubdate element,
+change expansion of entity WebSGML,
+update status description as per Dan Connolly (am not sure
+about refernece to Berners-Lee et al.),
+add 'The' to abstract as per WG decision,
+move Relationship to Existing Standards to back matter and
+combine with References,
+re-order back matter so normative appendices come first,
+re-tag back matter so informative appendices are tagged informdiv1,
+remove XXX XXX from list of 'normative' specs in prose,
+move some references from Other References to Normative References,
+add RFC 1738, 1808, and 2141 to Other References (they are not
+normative since we do not require the processor to enforce any
+rules based on them),
+add reference to 'Fielding draft' (Berners-Lee et al.),
+move notation section to end of body,
+drop URIchar non-terminal and use SkipLit instead,
+lose stray reference to defunct nonterminal 'markupdecls',
+move reference to Aho et al. into appendix (Tim's right),
+add prose note saying that hash marks and fragment identifiers are
+NOT part of the URI formally speaking, and are NOT legal in
+system identifiers (processor 'may' signal an error).
+Work through:
+Tim Bray reacting to James Clark,
+Tim Bray on his own,
+Eve Maler,
+
+NOT DONE YET:
+change binary / text to unparsed / parsed.
+handle James's suggestion about &lt; in attriubte values
+uppercase hex characters,
+namechar list,
+</sitem>
+<sitem>1997-12-01 : JB : add some column-width parameters</sitem>
+<sitem>1997-12-01 : CMSMcQ : begin round of changes to incorporate
+recent WG decisions and other corrections:
+binding sources of character encoding info (27 Aug / 3 Sept),
+correct wording of Faust quotation (restore dropped line),
+drop SDD from EncodingDecl,
+change text at version number 1.0,
+drop misleading (wrong!) sentence about ignorables and extenders,
+modify definÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙxamples with Byte Order Mark.
+Add content model as a term and clarify that it applies to both
+mixed and element content.
+</sitem>
+<sitem>1997-06-30 : CMSMcQ : change date, some cosmetic changes,
+changes to productions for choice, seq, Mixed, NotationType,
+Enumeration. Follow James Clark's suggestion and prohibit
+conditional sections in internal subset. TO DO: simplify
+production for ignored sections as a result, since we don't
+need to worry about parsers whi<! don't expand PErefs finding
+a conditional section.</sitem>
+<sitem>1997-06-29 : TB : various edits</sitem>
+<sitem>1997-06-29 : CMSMcQ : further changes:
+Suppress old FINAL EDIT comments and some dead material.
+Revise occurrences of % in grammar to exploit Henry Thompson's pun,
+especially markupdecl and attdef.
+Remove RMD requirement relating to element content (?).
+</sitem>
+<sitem>1997-06-28 : CMSMcQ : Various changes for 1 July draft:
+Add text for draconian error handling (introduce
+the term Fatal Error).
+RE deleta est (changing wording from
+original announcement to restrict the requirement to validating
+parsers).
+Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'.</sitem>
+<sitem>1997-03-21 : TB : massive changes on plane flight from Chicago
+to Vancouver</sitem>
+<sitem>1997-03-21 : CMSMcQ : correct as many reported errors as possible.
+</sitem>
+<sitem>1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec.</sitem>
+<sitem>1997 James Clark:
+Define the set of characters from which [^abc] subtracts.
+Charref should use just [0-9] not Digit.
+Location info needs cleaner treatment: remove? (ERB
+question).
+One example of a PI has wrong pic.
+Clarify discussion of encoding names.
+Encoding failure should lead to unspecified results; don't
+prescribe error recovery.
+Don't require exposure of entity boundaries.
+Ignore white space in element content.
+Reserve entity names of the form u-NNNN.
+Clarify relative URLs.
+And some of my own:
+Correct productions for content model: model cannot
+consist of a name, so "elements ::= cp" is no good.
+</sitem>
+<sitem>1996-11-11 : CMSMcQ : revise for style.
+Add new rhs to entity declaration, for parameter entities.</sitem>
+<sitem>1996-11-10 : CMSMcQ : revise for style.
+Fix / complete section on names, characters.
+Add sections on parameter entities, conditional sections.
+Still to do: Add compatibility note on deterministic content models.
+Finish stylistic revision.</sitem>
+<sitem>1996-10-31 : TB : Add Entity Handling section</sitem>
+<sitem>1996-10-30 : TB : Clean up term &amp; termdef. Slip in
+ERB decision re EMPTY.</sitem>
+<sitem>1996-10-28 : TB : Change DTD. Implement some of Michael's
+suggestions. Change comments back to //. Introduce language for
+XML namespace reservation. Add section on white-space handling.
+Lots more cleanup.</sitem>
+<sitem>1996-10-24 : CMSMcQ : quick tweaks, implement some ERB
+decisions. Characters are not integers. Comments are /* */ not //.
+Add bibliographic refs to 10646, HyTime, Unicode.
+Rename old Cdata as MsData since it's <emph>only</emph> seen
+in marked sections. Call them attribute-value pairs not
+name-value pairs, except once. Internal subset is optional, needs
+'?'. Implied attributes should be signaled to the app, not
+have values supplied by processor.</sitem>
+<sitem>1996-10-16 : TB : track down &amp; excise all DSD references;
+introduce some EBNF for entity declarations.</sitem>
+<sitem>1996-10-?? nsistency check, fix up scraps so
+they all parse, get formatter working, correct a few productions.</sitem>
+<sitem>1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and
+organizational changes:
+Replace a few literals with xmlpio and
+pi""entities, to make them consistent and ensure we can change pic
+reliably when the ERB votes.
+Drop paragraph on recognizers from notation section.
+Add match, exact match to terminology.
+Move old 2.2 XML Processors and Apps into intro.
+Mention comments, PIs, and marked sections in discussion of
+delimiter escaping.
+Streamline discussion of doctype decl syntax.
+Drop old section of 'PI syntax' for doctype decl, and add
+section on partial-DTD summary PIs to end of Logical Structures
+section.
+Revise DSD syntax section to use Tim's subset-in-a-PI
+mechanism.</sitem>
+<sitem>1996-10-10 : TB : eliminate name recognizers (and more?)</sitem>
+<sitem>1996-10-09 : CMSMcQ : revise for style, consistency through 2.3
+(Characters)</sitem>
+<sitem>1996-10-09 : CMSMcQ : re-unite everything for convenience,
+at least temporarily, and revise quickly</sitem>
+<sitem>1996-10-08 : TB : first major homogenization pass</sitem>
+<sitem>1996-10-08 : TB : turn "current" attribute on div type into
+CDATA</sitem>
+<sitem>1996-10-02 : TB : remould into skeleton + entities</sitem>
+<sitem>1996-09-30 : CMSMcQ : add a few more sections prior to exchange
+ with Tim.</sitem>
+<sitem>1996-09-20 : CMSMcQ : finish transcribing notes.</sitem>
+<sitem>1996-09-19 : CMSMcQ : begin transcribing notes for draft.</sitem>
+<sitem>1996-09-13 : CMSMcQ : made outline from notes of 09-06,
+do some housekeeping</sitem>
+</slist>
+</revisiondesc>
+</header>
+<ðððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððððm> is used to read XML documents
+and provide access to their content and structure.</termdef> <termdef
+id="dt-app" term="Application">It is @ssumed that an XML processor is
+doing its work on behalf of another module, called the
+<term>application</term>.</termdef> This specification describes the
+required beh\vior of an XML processor in terms of how it must read XML
+data and the information it must provide to the application.</p>
+
+<div2 id='sec-origin-goals'>
+<head>Origin and Goals</head>
+<p>XML was developed by an XML Working Group (orisable over the
+Internet.</p></item>
+<item><p>XML shall support a wide varie<69>y of applications.</p></item>
+<item><p>XML shall be compatible with SGML.</p></item>
+<item><p>It shall be easy to write programs which process XML
+documents.</p></item>
+<item><p>The number of optional features in XML is to be kept to the
+absolute minimum, ideally zero.</p></item>
+<item><p>XML documents shou
\ No newline at end of file

53
SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch Normal file
View File

@ -0,0 +1,53 @@
From b1a4e51efbfb1ae3a37a14be73d438aaab6b5c9e Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Tue, 8 Mar 2016 17:29:00 -0800
Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat
<https://bugzilla.gnome.org/show_bug.cgi?id=763071>
To: libvir-list@redhat.com

* xmlstring.c:
(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
(xmlStrncatNew): Ditto.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
xmlstring.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xmlstring.c b/xmlstring.c
index a37220d..d465c23 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
return(xmlStrndup(add, len));
size = xmlStrlen(cur);
+ if (size < 0)
+ return(NULL);
ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
int size;
xmlChar *ret;
- if (len < 0)
+ if (len < 0) {
len = xmlStrlen(str2);
+ if (len < 0)
+ return(NULL);
+ }
if ((str2 == NULL) || (len == 0))
return(xmlStrdup(str1));
if (str1 == NULL)
return(xmlStrndup(str2, len));
size = xmlStrlen(str1);
+ if (size < 0)
+ return(NULL);
ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
--
2.5.5

30
SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch Normal file
View File

@ -0,0 +1,30 @@
From 3154c607f22497fa843b8ad8a596ef5523d42ee6 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 15:07:38 +0800
Subject: [PATCH] Bug on creating new stream from entity
To: libvir-list@redhat.com

sometimes the entity could have a lenght of 0, i.e. it wasn't
parsed or used yet, and we ended up with an incoherent input state

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parserInternals.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/parserInternals.c b/parserInternals.c
index 9acfea4..1fe1f6a 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) {
if (entity->URI != NULL)
input->filename = (char *) xmlStrdup((xmlChar *) entity->URI);
input->base = entity->content;
+ if (entity->length == 0)
+ entity->length = xmlStrlen(entity->content);
input->cur = entity->content;
input->length = entity->length;
input->end = &entity->content[input->length];
--
2.5.0

179
SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch Normal file
View File

@ -0,0 +1,179 @@
From 5cec67e3f8d56e6e5fda2f90e102950cbb09e3d1 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 14 Apr 2015 17:41:48 +0800
Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
To: libvir-list@redhat.com

One of the operation on the reader could resolve entities
leading to the classic expansion issue. Make sure the
buffer used for xmlreader operation is bounded.
Introduce a new allocation type for the buffers for this effect.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
include/libxml/tree.h | 3 ++-
xmlreader.c | 20 +++++++++++++++++++-
3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/buf.c b/buf.c
index d1756c4..b52e41d 100644
--- a/buf.c
+++ b/buf.c
@@ -27,6 +27,7 @@
#include <libxml/tree.h>
#include <libxml/globals.h>
#include <libxml/tree.h>
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
#include "buf.h"
#define WITH_BUFFER_COMPAT
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
(scheme == XML_BUFFER_ALLOC_EXACT) ||
(scheme == XML_BUFFER_ALLOC_HYBRID) ||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
buf->alloc = scheme;
if (buf->buffer)
buf->buffer->alloc = scheme;
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
size = buf->use + len + 100;
#endif
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ if (size >= XML_MAX_TEXT_LENGTH)
+ size = XML_MAX_TEXT_LENGTH;
+ }
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
size_t start_buf = buf->content - buf->contentIO;
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
CHECK_COMPAT(buf)
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (size >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ }
/* Don't resize if we don't have to */
if (size < buf->size)
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
needSize = buf->use + len + 2;
if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
if (!xmlBufResize(buf, needSize)){
xmlBufMemoryError(buf, "growing buffer");
return XML_ERR_NO_MEMORY;
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
}
needSize = buf->use + len + 2;
if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
if (!xmlBufResize(buf, needSize)){
xmlBufMemoryError(buf, "growing buffer");
return XML_ERR_NO_MEMORY;
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
index 7e06686..d904a44 100644
--- a/include/libxml/tree.h
+++ b/include/libxml/tree.h
@@ -76,7 +76,8 @@ typedef enum {
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
} xmlBufferAllocationScheme;
/**
diff --git a/xmlreader.c b/xmlreader.c
index 00083d0..4fabaa9 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -2077,6 +2077,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
"xmlNewTextReader : malloc failed\n");
return(NULL);
}
+ /* no operation on a reader should require a huge buffer */
+ xmlBufSetAllocationScheme(ret->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
if (ret->sax == NULL) {
xmlBufFree(ret->buffer);
@@ -3602,6 +3605,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
return(((xmlNsPtr) node)->href);
case XML_ATTRIBUTE_NODE:{
xmlAttrPtr attr = (xmlAttrPtr) node;
+ const xmlChar *ret;
if ((attr->children != NULL) &&
(attr->children->type == XML_TEXT_NODE) &&
@@ -3615,10 +3619,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
"xmlTextReaderSetup : malloc failed\n");
return (NULL);
}
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
} else
xmlBufEmpty(reader->buffer);
xmlBufGetNodeContent(reader->buffer, node);
- return(xmlBufContent(reader->buffer));
+ ret = xmlBufContent(reader->buffer);
+ if (ret == NULL) {
+ /* error on the buffer best to reallocate */
+ xmlBufFree(reader->buffer);
+ reader->buffer = xmlBufCreateSize(100);
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
+ ret = BAD_CAST "";
+ }
+ return(ret);
}
break;
}
@@ -5117,6 +5132,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
"xmlTextReaderSetup : malloc failed\n");
return (-1);
}
+ /* no operation on a reader should require a huge buffer */
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
if (reader->sax == NULL)
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
if (reader->sax == NULL) {
--
2.5.0

35
SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch Normal file
View File

@ -0,0 +1,35 @@
From 4e1ea576167520bbc2bad50797119983e133af74 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Fri, 20 Nov 2015 11:13:45 +0800
Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756733
It is one case where the code in place to detect entities expansions
failed to exit when the situation was detected, leading to DoS
Problem reported by Kostya Serebryany @ Google
Patch provided by David Drysdale @ Google

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/parser.c b/parser.c
index a58dda3..e536e54 100644
--- a/parser.c
+++ b/parser.c
@@ -2801,6 +2801,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
0, 0, 0);
ctxt->depth--;
+ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+ goto int_error;
+
if (rep != NULL) {
current = rep;
while (*current != 0) { /* non input consuming loop */
--
2.5.0

36
SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch Normal file
View File

@ -0,0 +1,36 @@
From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Fri, 20 Nov 2015 10:47:12 +0800
Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
xmlDictComputeFastQKey
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation
Reported and fix provided by David Drysdale @ Google

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
dict.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/dict.c b/dict.c
index 5f71d55..8c8f931 100644
--- a/dict.c
+++ b/dict.c
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
value += 30 * (*prefix);
if (len > 10) {
- value += name[len - (plen + 1 + 1)];
+ int offset = len - (plen + 1 + 1);
+ if (offset < 0)
+ offset = len - (10 + 1);
+ value += name[offset];
len = 10;
if (plen > 10)
plen = 10;
--
2.5.0

108
SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch Normal file
View File

@ -0,0 +1,108 @@
From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 16:06:59 +0800
Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
entities boundaries
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756525
handle properly the case where we popped out of the current entity
while processing a start tag
Reported by Kostya Serebryany @ Google

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/parser.c b/parser.c
index cc45e17..f4fc310 100644
--- a/parser.c
+++ b/parser.c
@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
const xmlChar **atts = ctxt->atts;
int maxatts = ctxt->maxatts;
int nratts, nbatts, nbdef;
- int i, j, nbNs, attval, oldline, oldcol;
+ int i, j, nbNs, attval, oldline, oldcol, inputNr;
const xmlChar *base;
unsigned long cur;
int nsNr = ctxt->nsNr;
@@ -9328,6 +9328,7 @@ reparse:
SHRINK;
base = ctxt->input->base;
cur = ctxt->input->cur - ctxt->input->base;
+ inputNr = ctxt->inputNr;
oldline = ctxt->input->line;
oldcol = ctxt->input->col;
nbatts = 0;
@@ -9353,7 +9354,8 @@ reparse:
*/
SKIP_BLANKS;
GROW;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
while (((RAW != '>') &&
((RAW != '/') || (NXT(1) != '>')) &&
@@ -9364,7 +9366,7 @@ reparse:
attname = xmlParseAttribute2(ctxt, prefix, localname,
&aprefix, &attvalue, &len, &alloc);
- if (ctxt->input->base != base) {
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
if ((attvalue != NULL) && (alloc != 0))
xmlFree(attvalue);
attvalue = NULL;
@@ -9493,7 +9495,8 @@ skip_default_ns:
skip_ns:
if (alloc != 0) xmlFree(attvalue);
SKIP_BLANKS;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
continue;
}
@@ -9530,7 +9533,8 @@ failed:
GROW
if (ctxt->instate == XML_PARSER_EOF)
break;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
break;
if (!IS_BLANK_CH(RAW)) {
@@ -9546,7 +9550,8 @@ failed:
break;
}
GROW;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
}
/*
@@ -9713,6 +9718,17 @@ base_changed:
if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
xmlFree((xmlChar *) atts[i]);
}
+
+ /*
+ * We can't switch from one entity to another in the middle
+ * of a start tag
+ */
+ if (inputNr != ctxt->inputNr) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+ "Start tag doesn't start and stop in the same entity\n");
+ return(NULL);
+ }
+
ctxt->input->cur = ctxt->input->base + cur;
ctxt->input->line = oldline;
ctxt->input->col = oldcol;
--
2.5.0

45
SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch Normal file
View File

@ -0,0 +1,45 @@
From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001
From: Hugh Davenport <hugh@allthethings.co.nz>
Date: Fri, 20 Nov 2015 17:16:06 +0800
Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756372
Error in the code pointing to the codepoint in the stack for the
current char value instead of the pointer in the input that the SAX
callback expects
Reported and fixed by Hugh Davenport

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
HTMLparser.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index cab499a..4331d53 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
if (ctxt->keepBlanks) {
if (ctxt->sax->characters != NULL)
ctxt->sax->characters(
- ctxt->userData, &cur, 1);
+ ctxt->userData, &in->cur[0], 1);
} else {
if (ctxt->sax->ignorableWhitespace != NULL)
ctxt->sax->ignorableWhitespace(
- ctxt->userData, &cur, 1);
+ ctxt->userData, &in->cur[0], 1);
}
} else {
htmlCheckParagraph(ctxt);
if (ctxt->sax->characters != NULL)
ctxt->sax->characters(
- ctxt->userData, &cur, 1);
+ ctxt->userData, &in->cur[0], 1);
}
}
ctxt->token = 0;
--
2.5.0

52
SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch Normal file
View File

@ -0,0 +1,52 @@
From 5b47a2c6666f0293a5164f094b9e8031914b1f8f Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:29:20 +0800
Subject: [PATCH] Cleanup conditional section error handling
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=744980

The error handling of Conditional Section also need to be
straightened as the structure of the document can't be
guessed on a failure there and it's better to stop parsing
as further errors are likely to be irrelevant.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/parser.c b/parser.c
index d790f8e..dc14e5c 100644
--- a/parser.c
+++ b/parser.c
@@ -6761,6 +6761,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
+ return;
} else {
if (ctxt->input->id != id) {
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6821,6 +6823,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
+ return;
} else {
if (ctxt->input->id != id) {
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6876,6 +6880,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
} else {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+ xmlStopParser(ctxt);
+ return;
}
if (RAW == 0)
--
2.5.0

39
SOURCES/libxml2-Detect-incoherency-on-GROW.patch Normal file
View File

@ -0,0 +1,39 @@
From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 15:04:09 +0800
Subject: [PATCH] Detect incoherency on GROW
To: libvir-list@redhat.com

the current pointer to the input has to be between the base and end
if not stop everything we have an internal state error.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 9aed98d..7602498 100644
--- a/parser.c
+++ b/parser.c
@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
+ return;
}
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ if ((ctxt->input->cur > ctxt->input->end) ||
+ (ctxt->input->cur < ctxt->input->base)) {
+ xmlHaltParser(ctxt);
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
+ return;
+ }
if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
(xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
xmlPopInput(ctxt);
--
2.5.0

34
SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch Normal file
View File

@ -0,0 +1,34 @@
commit 84b04b03bd6d31316fd5f0ad1c9cd31952671998
Author: Daniel Veillard <veillard@redhat.com>
Date: Tue Apr 22 15:30:56 2014 +0800

Do not fetch external parameter entities
Unless explicitely asked for when validating or replacing entities
with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com>

diff --git a/parser.c b/parser.c
index 3c72cbb..32f1475 100644
--- a/parser.c
+++ b/parser.c
@@ -2622,6 +2622,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
xmlCharEncoding enc;
/*
+ * Note: external parsed entities will not be loaded, it is
+ * not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+ * default.
+ */
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+ /*
* handle the extra spaces added before and after
* c.f. http://www.w3.org/TR/REC-xml#as-PE
* this is done independently.

31
SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch Normal file
View File

@ -0,0 +1,31 @@
From c5031779667ff362d670e34a42e9bc4f5a430793 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 15:01:22 +0800
Subject: [PATCH] Do not print error context when there is none
To: libvir-list@redhat.com

Which now happens more frequently du to xmlHaltParser use

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
error.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/error.c b/error.c
index cbcf5c9..9c45040 100644
--- a/error.c
+++ b/error.c
@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input ,
xmlChar content[81]; /* space for 80 chars + line terminator */
xmlChar *ctnt;
- if (input == NULL) return;
+ if ((input == NULL) || (input->cur == NULL) ||
+ (*input->cur == 0)) return;
+
cur = input->cur;
base = input->base;
/* skip backwards over any end-of-lines */
--
2.5.0

38
SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch Normal file
View File

@ -0,0 +1,38 @@
From c171a25d614097e53ab84f64639de4dfbc197613 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 29 Jun 2015 16:10:26 +0800
Subject: [PATCH] Fail parsing early on if encoding conversion failed
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=751631

If we fail conversing the current input stream while
processing the encoding declaration of the XMLDecl
then it's safer to just abort there and not try to
report further errors.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index dc14e5c..e2e0ad8 100644
--- a/parser.c
+++ b/parser.c
@@ -10415,7 +10415,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
handler = xmlFindCharEncodingHandler((const char *) encoding);
if (handler != NULL) {
- xmlSwitchToEncoding(ctxt, handler);
+ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
+ /* failed to convert */
+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
+ return(NULL);
+ }
} else {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
"Unsupported encoding %s\n", encoding);
--
2.5.0

129
SOURCES/libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch Normal file
View File

@ -0,0 +1,129 @@
From 268e6a3d615a14c6f6f1e8cf3d8c1e5c42ad1b41 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 10 May 2013 14:01:46 +0800
Subject: [PATCH] Fix a regression in xmlGetDocCompressMode()
To: libvir-list@redhat.com

The switch to xzlib had for consequence that the compression
level of the input was not gathered anymore in ctxt->input->buf,
then the parser compression flags was left to -1 and propagated
to the resulting document.
Fix the I/O layer to get compression detection in xzlib,
then carry it in the input buffer and the resulting document

This should fix
https://lsbbugs.linuxfoundation.org/show_bug.cgi?id=3456

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 4 ++++
xmlIO.c | 17 +++++++++++++++++
xzlib.c | 25 +++++++++++++++++++++++++
xzlib.h | 1 +
4 files changed, 47 insertions(+)

diff --git a/parser.c b/parser.c
index ee429f3..f30588c 100644
--- a/parser.c
+++ b/parser.c
@@ -10681,6 +10681,10 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
ctxt->sax->startDocument(ctxt->userData);
if (ctxt->instate == XML_PARSER_EOF)
return(-1);
+ if ((ctxt->myDoc != NULL) && (ctxt->input != NULL) &&
+ (ctxt->input->buf != NULL) && (ctxt->input->buf->compressed >= 0)) {
+ ctxt->myDoc->compression = ctxt->input->buf->compressed;
+ }
/*
* The Misc part of the Prolog
diff --git a/xmlIO.c b/xmlIO.c
index 847cb7e..fc4e111 100644
--- a/xmlIO.c
+++ b/xmlIO.c
@@ -2669,6 +2669,12 @@ __xmlParserInputBufferCreateFilename(const char *URI, xmlCharEncoding enc) {
#endif
}
#endif
+#ifdef HAVE_LZMA_H
+ if ((xmlInputCallbackTable[i].opencallback == xmlXzfileOpen) &&
+ (strcmp(URI, "-") != 0)) {
+ ret->compressed = __libxml2_xzcompressed(context);
+ }
+#endif
}
else
xmlInputCallbackTable[i].closecallback (context);
@@ -3325,6 +3331,17 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
if (res < 0) {
return(-1);
}
+
+ /*
+ * try to establish compressed status of input if not done already
+ */
+ if (in->compressed == -1) {
+#ifdef HAVE_LZMA_H
+ if (in->readcallback == xmlXzfileRead)
+ in->compressed = __libxml2_xzcompressed(in->context);
+#endif
+ }
+
len = res;
if (in->encoder != NULL) {
unsigned int use;
diff --git a/xzlib.c b/xzlib.c
index 928bd17..150e803 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -182,12 +182,37 @@ xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED)
return (xzFile) state;
}
+static int
+xz_compressed(xzFile f) {
+ xz_statep state;
+
+ if (f == NULL)
+ return(-1);
+ state = (xz_statep) f;
+ if (state->init <= 0)
+ return(-1);
+
+ switch (state->how) {
+ case COPY:
+ return(0);
+ case GZIP:
+ case LZMA:
+ return(1);
+ }
+ return(-1);
+}
+
xzFile
__libxml2_xzopen(const char *path, const char *mode)
{
return xz_open(path, -1, mode);
}
+int
+__libxml2_xzcompressed(xzFile f) {
+ return xz_compressed(f);
+}
+
xzFile
__libxml2_xzdopen(int fd, const char *mode)
{
diff --git a/xzlib.h b/xzlib.h
index 43c75e1..29ba55e 100644
--- a/xzlib.h
+++ b/xzlib.h
@@ -15,4 +15,5 @@ xzFile __libxml2_xzopen(const char *path, const char *mode);
xzFile __libxml2_xzdopen(int fd, const char *mode);
int __libxml2_xzread(xzFile file, void *buf, unsigned len);
int __libxml2_xzclose(xzFile file);
+int __libxml2_xzcompressed(xzFile f);
#endif /* LIBXML2_XZLIB_H */
--
1.8.3.1

31
SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch Normal file
View File

@ -0,0 +1,31 @@
From 519455f1d543b1aa8f560dac03ec4127dfbab038 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 27 Oct 2015 10:53:44 +0800
Subject: [PATCH] Fix an error in previous Conditional section patch
To: libvir-list@redhat.com

an off by one mistake in the change, led to error on correct
document where the end of the included entity was exactly
the end of the conditional section, leading to regtest failure

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 4926ab0..b56d94c 100644
--- a/parser.c
+++ b/parser.c
@@ -6896,7 +6896,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
NULL, NULL);
}
if ((ctxt-> instate != XML_PARSER_EOF) &&
- ((ctxt->input->cur + 3) < ctxt->input->end))
+ ((ctxt->input->cur + 3) <= ctxt->input->end))
SKIP(3);
}
}
--
2.5.0

47
SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch Normal file
View File

@ -0,0 +1,47 @@
From be24335cbc0019894e6222bd817e717c41550c3c Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 14 Mar 2016 17:19:44 +0800
Subject: [PATCH] Fix inappropriate fetch of entities content
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=761430

libfuzzer regression testing exposed another case where the parser would
fetch content of an external entity while not in validating mode.
Plug that hole

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 46ab0e8..1936599 100644
--- a/parser.c
+++ b/parser.c
@@ -2854,7 +2854,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
ctxt->nbentities += ent->checked / 2;
if (ent != NULL) {
if (ent->content == NULL) {
- xmlLoadEntityContent(ctxt, ent);
+ /*
+ * Note: external parsed entities will not be loaded,
+ * it is not required for a non-validating parser to
+ * complete external PEreferences coming from the
+ * internal subset
+ */
+ if (((ctxt->options & XML_PARSE_NOENT) != 0) ||
+ ((ctxt->options & XML_PARSE_DTDVALID) != 0) ||
+ (ctxt->validate != 0)) {
+ xmlLoadEntityContent(ctxt, ent);
+ } else {
+ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING,
+ "not validating will not read content for PE entity %s\n",
+ ent->name, NULL);
+ }
}
ctxt->depth++;
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
--
2.5.5

26
SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch Normal file
View File

@ -0,0 +1,26 @@
commit 27a93eff49526aacd34192258c19ff5d69d18c00
Author: Daniel Veillard <veillard@redhat.com>
Date: Thu Oct 23 11:35:36 2014 +0800

Fix missing entities after CVE-2014-3660 fix
For https://bugzilla.gnome.org/show_bug.cgi?id=738805
The fix for CVE-2014-3660 introduced a regression in some case
where entity substitution is required and the entity is used
first in anotther entity referenced from an attribute value

diff --git a/parser.c b/parser.c
index b58c2f0..f70d2b5 100644
--- a/parser.c
+++ b/parser.c
@@ -7226,7 +7226,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
* far more secure as the parser will only process data coming from
* the document entity by default.
*/
- if ((ent->checked == 0) &&
+ if (((ent->checked == 0) ||
+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
(ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
unsigned long oldnbent = ctxt->nbentities;

68
SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch Normal file
View File

@ -0,0 +1,68 @@
From 466ef17b8cf8d68393f3a56cda8e7a5504aacf98 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 30 Oct 2015 21:14:55 +0800
Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=746048
The HTML parser was too optimistic when processing comments and
didn't check for the end of the stream on the first 2 characters

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
HTMLparser.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index dd0c1ea..cab499a 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
ctxt->instate = state;
return;
}
+ len = 0;
+ buf[len] = 0;
q = CUR_CHAR(ql);
+ if (!IS_CHAR(q))
+ goto unfinished;
NEXTL(ql);
r = CUR_CHAR(rl);
+ if (!IS_CHAR(r))
+ goto unfinished;
NEXTL(rl);
cur = CUR_CHAR(l);
- len = 0;
while (IS_CHAR(cur) &&
((cur != '>') ||
(r != '-') || (q != '-'))) {
@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
}
}
buf[len] = 0;
- if (!IS_CHAR(cur)) {
- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
- "Comment not terminated \n<!--%.50s\n", buf, NULL);
- xmlFree(buf);
- } else {
+ if (IS_CHAR(cur)) {
NEXT;
if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
(!ctxt->disableSAX))
ctxt->sax->comment(ctxt->userData, buf);
xmlFree(buf);
+ ctxt->instate = state;
+ return;
}
- ctxt->instate = state;
+
+unfinished:
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
+ xmlFree(buf);
}
/**
--
2.5.0

57
SOURCES/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch Normal file
View File

@ -0,0 +1,57 @@
commit 41b0d17368565b56677455be61b2c892bd665a27
Author: Daniel Veillard <veillard@redhat.com>
Date: Wed Jun 11 16:54:32 2014 +0800

Fix regressions introduced by CVE-2014-0191 patch
A number of issues have been raised after the fix, and this patch
tries to correct all of them, though most were related to
postvalidation.
https://bugzilla.gnome.org/show_bug.cgi?id=730290
and other reports on list, off-list and on Red Hat bugzilla

diff --git a/parser.c b/parser.c
index 32f1475..b58c2f0 100644
--- a/parser.c
+++ b/parser.c
@@ -2622,8 +2622,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
xmlCharEncoding enc;
/*
- * Note: external parsed entities will not be loaded, it is
- * not required for a non-validating parser, unless the
+ * Note: external parameter entities will not be loaded, it
+ * is not required for a non-validating parser, unless the
* option of validating, or substituting entities were
* given. Doing so is far more secure as the parser will
* only process data coming from the document entity by
@@ -2632,6 +2632,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
((ctxt->options & XML_PARSE_NOENT) == 0) &&
((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+ (ctxt->replaceEntities == 0) &&
(ctxt->validate == 0))
return;
@@ -12643,6 +12646,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
return(NULL);
}
+ /* We are loading a DTD */
+ ctxt->options |= XML_PARSE_DTDLOAD;
+
/*
* Set-up the SAX context
*/
@@ -12770,6 +12776,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
return(NULL);
}
+ /* We are loading a DTD */
+ ctxt->options |= XML_PARSE_DTDLOAD;
+
/*
* Set-up the SAX context
*/

1068
SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch Normal file
View File

File diff suppressed because it is too large Load Diff

41
SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch Normal file
View File

@ -0,0 +1,41 @@
From 6dfc7fd442351269c421a525d91506e43e18208e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 15:06:02 +0800
Subject: [PATCH] Fix some loop issues embedding NEXT
To: libvir-list@redhat.com

Next can switch the parser back to XML_PARSER_EOF state, we
need to consider those in loops consuming input

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/parser.c b/parser.c
index 7602498..cc45e17 100644
--- a/parser.c
+++ b/parser.c
@@ -2155,7 +2155,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
int cur;
do {
cur = CUR;
- while (IS_BLANK_CH(cur)) { /* CHECKED tstblanks.xml */
+ while ((IS_BLANK_CH(cur) && /* CHECKED tstblanks.xml */
+ (ctxt->instate != XML_PARSER_EOF))) {
NEXT;
cur = CUR;
res++;
@@ -2169,7 +2170,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
* Need to handle support of entities branching here
*/
if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);
- } while (IS_BLANK(cur)); /* CHECKED tstblanks.xml */
+ } while ((IS_BLANK(cur)) && /* CHECKED tstblanks.xml */
+ (ctxt->instate != XML_PARSER_EOF));
}
return(res);
}
--
2.5.0

342
SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch Normal file
View File

@ -0,0 +1,342 @@
commit c26d0004e779316830d93120dbfe98f6eee0783b
Author: Pranjal Jumde <pjumde@apple.com>
Date: Tue Mar 1 15:18:04 2016 -0800

Heap-based buffer overread in htmlCurrentChar
For https://bugzilla.gnome.org/show_bug.cgi?id=758606
* parserInternals.c:
(xmlNextChar): Add an test to catch other issues on ctxt->input
corruption proactively.
For non-UTF-8 charsets, xmlNextChar() failed to check for the end
of the input buffer and would continuing reading. Fix this by
pulling out the check for the end of the input buffer into common
code, and return if we reach the end of the input buffer
prematurely.
* result/HTML/758606.html: Added.
* result/HTML/758606.html.err: Added.
* result/HTML/758606.html.sax: Added.
* result/HTML/758606_2.html: Added.
* result/HTML/758606_2.html.err: Added.
* result/HTML/758606_2.html.sax: Added.
* test/HTML/758606.html: Added test case.
* test/HTML/758606_2.html: Added test case.

diff --git a/parserInternals.c b/parserInternals.c
index 1fe1f6a..341d6a1 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -55,6 +55,10 @@
#include <libxml/globals.h>
#include <libxml/chvalid.h>
+#define CUR(ctxt) ctxt->input->cur
+#define END(ctxt) ctxt->input->end
+#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
+
#include "buf.h"
#include "enc.h"
@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
(ctxt->input == NULL))
return;
- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
- if ((*ctxt->input->cur == 0) &&
- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
- (ctxt->instate != XML_PARSER_COMMENT)) {
- /*
- * If we are at the end of the current entity and
- * the context allows it, we pop consumed entities
- * automatically.
- * the auto closing should be blocked in other cases
- */
+ if (!(VALID_CTXT(ctxt))) {
+ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
+ ctxt->errNo = XML_ERR_INTERNAL_ERROR;
+ xmlStopParser(ctxt);
+ return;
+ }
+
+ if ((*ctxt->input->cur == 0) &&
+ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
+ if ((ctxt->instate != XML_PARSER_COMMENT))
xmlPopInput(ctxt);
- } else {
- const unsigned char *cur;
- unsigned char c;
+ return;
+ }
- /*
- * 2.11 End-of-Line Handling
- * the literal two-character sequence "#xD#xA" or a standalone
- * literal #xD, an XML processor must pass to the application
- * the single character #xA.
- */
- if (*(ctxt->input->cur) == '\n') {
- ctxt->input->line++; ctxt->input->col = 1;
- } else
- ctxt->input->col++;
+ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
+ const unsigned char *cur;
+ unsigned char c;
- /*
- * We are supposed to handle UTF8, check it's valid
- * From rfc2044: encoding of the Unicode values on UTF-8:
- *
- * UCS-4 range (hex.) UTF-8 octet sequence (binary)
- * 0000 0000-0000 007F 0xxxxxxx
- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
- *
- * Check for the 0x110000 limit too
- */
- cur = ctxt->input->cur;
+ /*
+ * 2.11 End-of-Line Handling
+ * the literal two-character sequence "#xD#xA" or a standalone
+ * literal #xD, an XML processor must pass to the application
+ * the single character #xA.
+ */
+ if (*(ctxt->input->cur) == '\n') {
+ ctxt->input->line++; ctxt->input->col = 1;
+ } else
+ ctxt->input->col++;
- c = *cur;
- if (c & 0x80) {
- if (c == 0xC0)
- goto encoding_error;
- if (cur[1] == 0) {
+ /*
+ * We are supposed to handle UTF8, check it's valid
+ * From rfc2044: encoding of the Unicode values on UTF-8:
+ *
+ * UCS-4 range (hex.) UTF-8 octet sequence (binary)
+ * 0000 0000-0000 007F 0xxxxxxx
+ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
+ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
+ *
+ * Check for the 0x110000 limit too
+ */
+ cur = ctxt->input->cur;
+
+ c = *cur;
+ if (c & 0x80) {
+ if (c == 0xC0)
+ goto encoding_error;
+ if (cur[1] == 0) {
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ cur = ctxt->input->cur;
+ }
+ if ((cur[1] & 0xc0) != 0x80)
+ goto encoding_error;
+ if ((c & 0xe0) == 0xe0) {
+ unsigned int val;
+
+ if (cur[2] == 0) {
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
cur = ctxt->input->cur;
}
- if ((cur[1] & 0xc0) != 0x80)
+ if ((cur[2] & 0xc0) != 0x80)
goto encoding_error;
- if ((c & 0xe0) == 0xe0) {
- unsigned int val;
-
- if (cur[2] == 0) {
+ if ((c & 0xf0) == 0xf0) {
+ if (cur[3] == 0) {
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
cur = ctxt->input->cur;
}
- if ((cur[2] & 0xc0) != 0x80)
+ if (((c & 0xf8) != 0xf0) ||
+ ((cur[3] & 0xc0) != 0x80))
goto encoding_error;
- if ((c & 0xf0) == 0xf0) {
- if (cur[3] == 0) {
- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
- cur = ctxt->input->cur;
- }
- if (((c & 0xf8) != 0xf0) ||
- ((cur[3] & 0xc0) != 0x80))
- goto encoding_error;
- /* 4-byte code */
- ctxt->input->cur += 4;
- val = (cur[0] & 0x7) << 18;
- val |= (cur[1] & 0x3f) << 12;
- val |= (cur[2] & 0x3f) << 6;
- val |= cur[3] & 0x3f;
- } else {
- /* 3-byte code */
- ctxt->input->cur += 3;
- val = (cur[0] & 0xf) << 12;
- val |= (cur[1] & 0x3f) << 6;
- val |= cur[2] & 0x3f;
- }
- if (((val > 0xd7ff) && (val < 0xe000)) ||
- ((val > 0xfffd) && (val < 0x10000)) ||
- (val >= 0x110000)) {
- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
- "Char 0x%X out of allowed range\n",
- val);
- }
- } else
- /* 2-byte code */
- ctxt->input->cur += 2;
+ /* 4-byte code */
+ ctxt->input->cur += 4;
+ val = (cur[0] & 0x7) << 18;
+ val |= (cur[1] & 0x3f) << 12;
+ val |= (cur[2] & 0x3f) << 6;
+ val |= cur[3] & 0x3f;
+ } else {
+ /* 3-byte code */
+ ctxt->input->cur += 3;
+ val = (cur[0] & 0xf) << 12;
+ val |= (cur[1] & 0x3f) << 6;
+ val |= cur[2] & 0x3f;
+ }
+ if (((val > 0xd7ff) && (val < 0xe000)) ||
+ ((val > 0xfffd) && (val < 0x10000)) ||
+ (val >= 0x110000)) {
+ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+ "Char 0x%X out of allowed range\n",
+ val);
+ }
} else
- /* 1-byte code */
- ctxt->input->cur++;
+ /* 2-byte code */
+ ctxt->input->cur += 2;
+ } else
+ /* 1-byte code */
+ ctxt->input->cur++;
- ctxt->nbChars++;
- if (*ctxt->input->cur == 0)
- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
- }
+ ctxt->nbChars++;
+ if (*ctxt->input->cur == 0)
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
} else {
/*
* Assume it's a fixed length encoding (1) with
diff --git a/result/HTML/758606.html b/result/HTML/758606.html
new file mode 100644
index 0000000..4f21f62
--- /dev/null
+++ b/result/HTML/758606.html
@@ -0,0 +1,2 @@
+<!DOCTYPE >
+
diff --git a/result/HTML/758606.html.err b/result/HTML/758606.html.err
new file mode 100644
index 0000000..060433a
--- /dev/null
+++ b/result/HTML/758606.html.err
@@ -0,0 +1,16 @@
+./test/HTML/758606.html:1: HTML parser error : Comment not terminated
+<!--
+<!-- <!doctype
+ ^
+./test/HTML/758606.html:1: HTML parser error : Invalid char in CDATA 0xC
+<!-- <!doctype
+ ^
+./test/HTML/758606.html:1: HTML parser error : Misplaced DOCTYPE declaration
+<!-- <!doctype
+ ^
+./test/HTML/758606.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
+
+^
+./test/HTML/758606.html:2: HTML parser error : DOCTYPE improperly terminated
+
+^
diff --git a/result/HTML/758606.html.sax b/result/HTML/758606.html.sax
new file mode 100644
index 0000000..d44a5cf
--- /dev/null
+++ b/result/HTML/758606.html.sax
@@ -0,0 +1,10 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: Comment not terminated
+<!--
+SAX.error: Invalid char in CDATA 0xC
+SAX.error: Misplaced DOCTYPE declaration
+SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
+SAX.error: DOCTYPE improperly terminated
+SAX.internalSubset((null), , )
+SAX.endDocument()
diff --git a/result/HTML/758606_2.html b/result/HTML/758606_2.html
new file mode 100644
index 0000000..273816a
--- /dev/null
+++ b/result/HTML/758606_2.html
@@ -0,0 +1,2 @@
+<!DOCTYPE >
+<html><body><p>&#145;</p></body></html>
diff --git a/result/HTML/758606_2.html.err b/result/HTML/758606_2.html.err
new file mode 100644
index 0000000..4be039f
--- /dev/null
+++ b/result/HTML/758606_2.html.err
@@ -0,0 +1,16 @@
+./test/HTML/758606_2.html:1: HTML parser error : Comment not terminated
+<!--
+<!-- <!dOctYPE
+ ^
+./test/HTML/758606_2.html:1: HTML parser error : Invalid char in CDATA 0xC
+<!-- <!dOctYPE
+ ^
+./test/HTML/758606_2.html:1: HTML parser error : Misplaced DOCTYPE declaration
+‘<!dOctYPE
+ ^
+./test/HTML/758606_2.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
+
+^
+./test/HTML/758606_2.html:2: HTML parser error : DOCTYPE improperly terminated
+
+^
diff --git a/result/HTML/758606_2.html.sax b/result/HTML/758606_2.html.sax
new file mode 100644
index 0000000..80ff3d7
--- /dev/null
+++ b/result/HTML/758606_2.html.sax
@@ -0,0 +1,17 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: Comment not terminated
+<!--
+SAX.error: Invalid char in CDATA 0xC
+SAX.startElement(html)
+SAX.startElement(body)
+SAX.startElement(p)
+SAX.characters(&#145;, 2)
+SAX.error: Misplaced DOCTYPE declaration
+SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
+SAX.error: DOCTYPE improperly terminated
+SAX.internalSubset((null), , )
+SAX.endElement(p)
+SAX.endElement(body)
+SAX.endElement(html)
+SAX.endDocument()
diff --git a/test/HTML/758606.html b/test/HTML/758606.html
new file mode 100644
index 0000000..01a013c
--- /dev/null
+++ b/test/HTML/758606.html
@@ -0,0 +1 @@
+<!-- <!doctype
diff --git a/test/HTML/758606_2.html b/test/HTML/758606_2.html
new file mode 100644
index 0000000..daa185b
--- /dev/null
+++ b/test/HTML/758606_2.html
@@ -0,0 +1 @@
+<!-- <!dOctYPE

24
SOURCES/libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch Normal file
View File

@ -0,0 +1,24 @@
commit 498a54c26abd0fbd6f7d02b6b6f0275b4390d821
Author: Daniel Veillard <veillard@redhat.com>
Date: Tue Feb 9 12:55:29 2016 +0100

Heap-based buffer overread in xmlNextChar
For https://bugzilla.gnome.org/show_bug.cgi?id=759671
when the end of the internal subset isn't properly detected
xmlParseInternalSubset should just return instead of trying
to process input further.

diff --git a/parser.c b/parser.c
index f4fc310..b1215ca 100644
--- a/parser.c
+++ b/parser.c
@@ -8448,6 +8448,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
*/
if (RAW != '>') {
xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
+ return;
}
NEXT;
}

119
SOURCES/libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch Normal file
View File

@ -0,0 +1,119 @@
From 7d23a33fbf8fe09fe52f9abafeafb9f438229603 Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Tue, 26 Jan 2016 16:57:03 -0800
Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=759573

* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix
non-minimized test case (759573-2.xml). Otherwise the parser
gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid
input that would otherwise caused xmlParserHandlePEReference()
to recurse unexpectedly. This fixes the minimized test case
(759573.xml).

* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.

Had to fixup by removing test 759573-2

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 2 ++
result/errors/759573.xml | 0
result/errors/759573.xml.err | 31 +++++++++++++++++++++++++++++++
result/errors/759573.xml.str | 4 ++++
test/errors/759573.xml | 1 +
5 files changed, 38 insertions(+)
create mode 100644 result/errors/759573.xml
create mode 100644 result/errors/759573.xml.err
create mode 100644 result/errors/759573.xml.str
create mode 100644 test/errors/759573.xml

diff --git a/parser.c b/parser.c
index 133df95..0accf54 100644
--- a/parser.c
+++ b/parser.c
@@ -6683,6 +6683,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
if (!IS_BLANK_CH(CUR)) {
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
"Space required after 'ELEMENT'\n");
+ return(-1);
}
SKIP_BLANKS;
name = xmlParseName(ctxt);
@@ -6834,6 +6835,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
+ xmlHaltParser(ctxt);
break;
}
}
diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
new file mode 100644
index 0000000..2c21e9a
--- /dev/null
+++ b/result/errors/759573.xml.err
@@ -0,0 +1,31 @@
+./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
+ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITY
+ ^
+./test/errors/759573.xml:1: parser error : Space required after the entity name
+LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
+ ^
+./test/errors/759573.xml:1: parser error : Entity value required
+LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
+ ^
+Entity: line 1: parser error : PEReference: no name
+ %xx;
+ ^
+Entity: line 1:
+%<![INCLUDE[000%ஸ000%z;
+ ^
+Entity: line 1: parser error : Content error in the external subset
+ %xx;
+ ^
+Entity: line 1:
+%<![INCLUDE[000%ஸ000%z;
+ ^
+./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+ ^
+./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
+T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+ ^
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
+T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+ ^
diff --git a/result/errors/759573.xml.str b/result/errors/759573.xml.str
new file mode 100644
index 0000000..1b6addb
--- /dev/null
+++ b/result/errors/759573.xml.str
@@ -0,0 +1,4 @@
+./test/errors/759573.xml:1: parser error : Extra content at the end of the document
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+ ^
+./test/errors/759573.xml : failed to parse
diff --git a/test/errors/759573.xml b/test/errors/759573.xml
new file mode 100644
index 0000000..69ebb57
--- /dev/null
+++ b/test/errors/759573.xml
@@ -0,0 +1 @@
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
\ No newline at end of file
--
2.5.5

143
SOURCES/libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch Normal file
View File

@ -0,0 +1,143 @@
From 7012970b0d005f440e8326e37844a834f67a8c64 Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Wed, 2 Mar 2016 15:52:24 -0800
Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
htmlParseSystemiteral
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=760263

* HTMLparser.c: Add BASE_PTR convenience macro.
(htmlParseSystemLiteral): Store length and start position instead
of a pointer while iterating through the public identifier since
the underlying buffer may change, resulting in a stale pointer
being used.
(htmlParsePubidLiteral): Ditto.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 43 insertions(+), 15 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index a897cb0..e7d802d 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
#define UPP(val) (toupper(ctxt->input->cur[(val)]))
#define CUR_PTR ctxt->input->cur
+#define BASE_PTR ctxt->input->base
#define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
(ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt) {
static xmlChar *
htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
- const xmlChar *q;
+ size_t len = 0, startPosition = 0;
xmlChar *ret = NULL;
if (CUR == '"') {
NEXT;
- q = CUR_PTR;
- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
NEXT;
+ len++;
+ }
if (!IS_CHAR_CH(CUR)) {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished SystemLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR+startPosition), len);
NEXT;
}
} else if (CUR == '\'') {
NEXT;
- q = CUR_PTR;
- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
NEXT;
+ len++;
+ }
if (!IS_CHAR_CH(CUR)) {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished SystemLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR+startPosition), len);
NEXT;
}
} else {
@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
static xmlChar *
htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
- const xmlChar *q;
+ size_t len = 0, startPosition = 0;
xmlChar *ret = NULL;
/*
* Name ::= (Letter | '_') (NameChar)*
*/
if (CUR == '"') {
NEXT;
- q = CUR_PTR;
- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while (IS_PUBIDCHAR_CH(CUR)) {
+ len++;
+ NEXT;
+ }
+
if (CUR != '"') {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished PubidLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR + startPosition), len);
NEXT;
}
} else if (CUR == '\'') {
NEXT;
- q = CUR_PTR;
- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
- NEXT;
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
+ len++;
+ NEXT;
+ }
+
if (CUR != '\'') {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished PubidLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR + startPosition), len);
NEXT;
}
} else {
--
2.5.5

156
SOURCES/libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch Normal file
View File

@ -0,0 +1,156 @@
From 7eca8fef0d19c65bd2004ba73347575a38e8d08e Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 14:04:08 -0800
Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=759020

* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change. Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 26 +++++++++++++++++++++++--
result/errors/759020.xml | 0
result/errors/759020.xml.err | 6 ++++++
result/errors/759020.xml.str | 7 +++++++
test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 83 insertions(+), 2 deletions(-)
create mode 100644 result/errors/759020.xml
create mode 100644 result/errors/759020.xml.err
create mode 100644 result/errors/759020.xml.str
create mode 100644 test/errors/759020.xml

diff --git a/parser.c b/parser.c
index 1936599..133df95 100644
--- a/parser.c
+++ b/parser.c
@@ -9438,8 +9438,20 @@ reparse:
else
if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
skip_default_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "attributes construct error\n");
+ break;
+ }
SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
continue;
}
if (aprefix == ctxt->str_xmlns) {
@@ -9511,7 +9523,17 @@ skip_default_ns:
else
if (nsPush(ctxt, attname, URL) > 0) nbNs++;
skip_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "attributes construct error\n");
+ break;
+ }
SKIP_BLANKS;
if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
goto base_changed;
diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err
new file mode 100644
index 0000000..a0d3051
--- /dev/null
+++ b/result/errors/759020.xml.err
@@ -0,0 +1,6 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
+
+ ^
diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str
new file mode 100644
index 0000000..998d6d2
--- /dev/null
+++ b/result/errors/759020.xml.str
@@ -0,0 +1,7 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
+
+ ^
+./test/errors/759020.xml : failed to parse
diff --git a/test/errors/759020.xml b/test/errors/759020.xml
new file mode 100644
index 0000000..db23275
--- /dev/null
+++ b/test/errors/759020.xml
@@ -0,0 +1,46 @@
+<?l 00000000000000000000000000000?>
+<s00 w0000="000" h00000="000"
+ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
--
2.5.5

208
SOURCES/libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch Normal file
View File

@ -0,0 +1,208 @@
From 6a2a4e753bbba26b2de3d32f11c28691bec967dc Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Mon, 23 May 2016 14:58:41 +0800
Subject: [PATCH] More format string warnings with possible format string
vulnerability
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=761029

adds a new xmlEscapeFormatString() function to escape composed format
strings

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
libxml.h | 3 +++
relaxng.c | 3 ++-
xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 86 insertions(+), 14 deletions(-)

diff --git a/libxml.h b/libxml.h
index 4558b70..88e515f 100644
--- a/libxml.h
+++ b/libxml.h
@@ -9,6 +9,8 @@
#ifndef __XML_LIBXML_H__
#define __XML_LIBXML_H__
+#include <libxml/xmlstring.h>
+
#ifndef NO_LARGEFILE_SOURCE
#ifndef _LARGEFILE_SOURCE
#define _LARGEFILE_SOURCE
@@ -93,6 +95,7 @@ int __xmlInitializeDict(void);
int __xmlRandom(void);
#endif
+XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
int xmlNop(void);
#ifdef IN_LIBXML
diff --git a/relaxng.c b/relaxng.c
index b531081..99e9901 100644
--- a/relaxng.c
+++ b/relaxng.c
@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1,
snprintf(msg, 1000, "Unknown error code %d\n", err);
}
msg[1000 - 1] = 0;
- return (xmlStrdup((xmlChar *) msg));
+ xmlChar *result = xmlCharStrdup(msg);
+ return (xmlEscapeFormatString(&result));
}
/**
diff --git a/xmlschemas.c b/xmlschemas.c
index 398cdd8..1bcb0f0 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **buf,
}
FREE_AND_NULL(str)
- return (*buf);
+ return (xmlEscapeFormatString(buf));
}
/**
@@ -2247,6 +2247,13 @@ xmlSchemaFormatNodeForError(xmlChar ** msg,
TODO
return (NULL);
}
+
+ /*
+ * xmlSchemaFormatItemForReport() also returns an escaped format
+ * string, so do this before calling it below (in the future).
+ */
+ xmlEscapeFormatString(msg);
+
/*
* VAL TODO: The output of the given schema component is currently
* disabled.
@@ -2474,11 +2481,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstractCtxtPtr actxt,
msg = xmlStrcat(msg, BAD_CAST " '");
if (type->builtInType != 0) {
msg = xmlStrcat(msg, BAD_CAST "xs:");
- msg = xmlStrcat(msg, type->name);
- } else
- msg = xmlStrcat(msg,
- xmlSchemaFormatQName(&str,
- type->targetNamespace, type->name));
+ str = xmlStrdup(type->name);
+ } else {
+ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
+ if (!str)
+ str = xmlStrdup(qName);
+ }
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
msg = xmlStrcat(msg, BAD_CAST "'");
FREE_AND_NULL(str);
}
@@ -2615,7 +2624,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt,
str = xmlStrcat(str, BAD_CAST ", ");
}
str = xmlStrcat(str, BAD_CAST " ).\n");
- msg = xmlStrcat(msg, BAD_CAST str);
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
FREE_AND_NULL(str)
} else
msg = xmlStrcat(msg, BAD_CAST "\n");
@@ -3139,11 +3148,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,
msg = xmlStrcat(msg, BAD_CAST " '");
if (type->builtInType != 0) {
msg = xmlStrcat(msg, BAD_CAST "xs:");
- msg = xmlStrcat(msg, type->name);
- } else
- msg = xmlStrcat(msg,
- xmlSchemaFormatQName(&str,
- type->targetNamespace, type->name));
+ str = xmlStrdup(type->name);
+ } else {
+ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
+ if (!str)
+ str = xmlStrdup(qName);
+ }
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
msg = xmlStrcat(msg, BAD_CAST "'.");
FREE_AND_NULL(str);
}
@@ -3156,7 +3167,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,
}
if (expected) {
msg = xmlStrcat(msg, BAD_CAST " Expected is '");
- msg = xmlStrcat(msg, BAD_CAST expected);
+ xmlChar *expectedEscaped = xmlCharStrdup(expected);
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
+ FREE_AND_NULL(expectedEscaped);
msg = xmlStrcat(msg, BAD_CAST "'.\n");
} else
msg = xmlStrcat(msg, BAD_CAST "\n");
diff --git a/xmlstring.c b/xmlstring.c
index c66eef3..9164d2e 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int start, int len) {
return(xmlUTF8Strndup(utf, len));
}
+/**
+ * xmlEscapeFormatString:
+ * @msg: a pointer to the string in which to escape '%' characters.
+ * Must be a heap-allocated buffer created by libxml2 that may be
+ * returned, or that may be freed and replaced.
+ *
+ * Replaces the string pointed to by 'msg' with an escaped string.
+ * Returns the same string with all '%' characters escaped.
+ */
+xmlChar *
+xmlEscapeFormatString(xmlChar **msg)
+{
+ xmlChar *msgPtr = NULL;
+ xmlChar *result = NULL;
+ xmlChar *resultPtr = NULL;
+ size_t count = 0;
+ size_t msgLen = 0;
+ size_t resultLen = 0;
+
+ if (!msg || !*msg)
+ return(NULL);
+
+ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
+ ++msgLen;
+ if (*msgPtr == '%')
+ ++count;
+ }
+
+ if (count == 0)
+ return(*msg);
+
+ resultLen = msgLen + count + 1;
+ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
+ if (result == NULL) {
+ /* Clear *msg to prevent format string vulnerabilities in
+ out-of-memory situations. */
+ xmlFree(*msg);
+ *msg = NULL;
+ xmlErrMemory(NULL, NULL);
+ return(NULL);
+ }
+
+ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
+ *resultPtr = *msgPtr;
+ if (*msgPtr == '%')
+ *(++resultPtr) = '%';
+ }
+ result[resultLen - 1] = '\0';
+
+ xmlFree(*msg);
+ *msg = result;
+
+ return *msg;
+}
+
#define bottom_xmlstring
#include "elfgcchack.h"
--
2.5.5

178
SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch Normal file
View File

@ -0,0 +1,178 @@
From 586849318286965d6ede2932ccd31176b4f7fe81 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 14:59:30 +0800
Subject: [PATCH] Reuse xmlHaltParser() where it makes sense
To: libvir-list@redhat.com

Unify the various place where either xmlStopParser was called
(which resets the error as a side effect) and places where we
used ctxt->instate = XML_PARSER_EOF to stop further processing

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 37 +++++++++++++++++--------------------
1 file changed, 17 insertions(+), 20 deletions(-)

diff --git a/parser.c b/parser.c
index 5b4f719..9aed98d 100644
--- a/parser.c
+++ b/parser.c
@@ -1773,7 +1773,7 @@ nodePush(xmlParserCtxtPtr ctxt, xmlNodePtr value)
xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
"Excessive depth in document: %d use XML_PARSE_HUGE option\n",
xmlParserMaxDepth);
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
return(-1);
}
ctxt->nodeTab[ctxt->nodeNr] = value;
@@ -5655,7 +5655,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
if (RAW != '>') {
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
"xmlParseEntityDecl: entity %s not terminated\n", name);
- xmlStopParser(ctxt);
+ xmlHaltParser(ctxt);
} else {
if (input != ctxt->input) {
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6767,8 +6767,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
- xmlStopParser(ctxt);
- ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ xmlHaltParser(ctxt);
return;
} else {
if (ctxt->input->id != id) {
@@ -6830,8 +6829,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
- xmlStopParser(ctxt);
- ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ xmlHaltParser(ctxt);
return;
} else {
if (ctxt->input->id != id) {
@@ -6888,8 +6886,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
} else {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
- xmlStopParser(ctxt);
- ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
+ xmlHaltParser(ctxt);
return;
}
@@ -7100,7 +7097,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
/*
* The XML REC instructs us to stop parsing right here
*/
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
return;
}
}
@@ -8087,7 +8084,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
* The XML REC instructs us to stop parsing
* right here
*/
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
return;
}
}
@@ -9986,7 +9983,7 @@ xmlParseContent(xmlParserCtxtPtr ctxt) {
if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
"detected an error in element content\n");
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
break;
}
}
@@ -10021,7 +10018,7 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
"Excessive depth in document: %d use XML_PARSE_HUGE option\n",
xmlParserMaxDepth);
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
return;
}
@@ -11345,7 +11342,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
ctxt->sax->setDocumentLocator(ctxt->userData,
&xmlDefaultSAXLocator);
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
#ifdef DEBUG_PUSH
xmlGenericError(xmlGenericErrorContext,
"PP: entering EOF\n");
@@ -11378,7 +11375,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
* The XML REC instructs us to stop parsing right
* here
*/
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
return(0);
}
ctxt->standalone = ctxt->input->standalone;
@@ -11434,7 +11431,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
cur = ctxt->input->cur[0];
if (cur != '<') {
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
ctxt->sax->endDocument(ctxt->userData);
goto done;
@@ -11466,7 +11463,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
goto done;
if (name == NULL) {
spacePop(ctxt);
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
ctxt->sax->endDocument(ctxt->userData);
goto done;
@@ -11633,7 +11630,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
"detected an error in element content\n");
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
break;
}
break;
@@ -11954,7 +11951,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
goto done;
} else {
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
#ifdef DEBUG_PUSH
xmlGenericError(xmlGenericErrorContext,
"PP: entering EOF\n");
@@ -12318,7 +12315,7 @@ xmldecl_done:
res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
if (res < 0) {
ctxt->errNo = XML_PARSER_EOF;
- ctxt->disableSAX = 1;
+ xmlHaltParser(ctxt);
return (XML_PARSER_EOF);
}
xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
@@ -12372,7 +12369,7 @@ xmldecl_done:
((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
}
if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
return(ctxt->errNo);
--
2.5.0

35
SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch Normal file
View File

@ -0,0 +1,35 @@
From f0dbfaebd1a4a647ed1902ca16839ecfcb89c422 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:17:35 +0800
Subject: [PATCH] Stop parsing on entities boundaries errors
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=744980

There are times, like on unterminated entities that it's preferable to
stop parsing, even if that means less error reporting. Entities are
feeding the parser on further processing, and if they are ill defined
then it's possible to get the parser to bug. Also do the same on
Conditional Sections if the input is broken, as the structure of
the document can't be guessed.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/parser.c b/parser.c
index f70d2b5..d790f8e 100644
--- a/parser.c
+++ b/parser.c
@@ -5649,6 +5649,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
if (RAW != '>') {
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
"xmlParseEntityDecl: entity %s not terminated\n", name);
+ xmlStopParser(ctxt);
} else {
if (input != ctxt->input) {
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
--
2.5.0

24
SOURCES/libxml2-multilib.patch Normal file
View File

@ -0,0 +1,24 @@
*** XML/xml2-config.in.orig 2006-06-06 16:35:56.000000000 +0200
--- XML/xml2-config.in 2006-06-06 16:36:24.000000000 +0200
***************
*** 3,9 ****
prefix=@prefix@
exec_prefix=@exec_prefix@
includedir=@includedir@
! libdir=@libdir@
usage()
{
--- 3,14 ----
prefix=@prefix@
exec_prefix=@exec_prefix@
includedir=@includedir@
! if [ "`ldd /bin/sh | grep lib64`" = "" ]
! then
! libdir=${exec_prefix}/lib
! else
! libdir=${exec_prefix}/lib64
! fi
usage()
{

44
SOURCES/libxml2-xmlStopParser-reset-errNo.patch Normal file
View File

@ -0,0 +1,44 @@
From 5b3397ee81277ed70af58a247a0d731de9c7a6c7 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 9 Nov 2015 18:16:00 +0800
Subject: [PATCH] xmlStopParser reset errNo
To: libvir-list@redhat.com

I had used it in contexts where that information ought to be preserved

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/parser.c b/parser.c
index 134ea7f..a58dda3 100644
--- a/parser.c
+++ b/parser.c
@@ -6762,6 +6762,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
xmlStopParser(ctxt);
+ ctxt->errNo = XML_ERR_CONDSEC_INVALID;
return;
} else {
if (ctxt->input->id != id) {
@@ -6824,6 +6825,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
xmlStopParser(ctxt);
+ ctxt->errNo = XML_ERR_CONDSEC_INVALID;
return;
} else {
if (ctxt->input->id != id) {
@@ -6881,6 +6883,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
} else {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
xmlStopParser(ctxt);
+ ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
return;
}
--
2.5.0

493
SPECS/libxml2.spec Normal file
View File

@ -0,0 +1,493 @@
# for -O3 on ppc64 c.f. 1051068
%global _performance_build 1

Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.1
Release: 6%{?dist}%{?extra_release}.3
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python python-devel zlib-devel pkgconfig xz-devel
URL: http://xmlsoft.org/
Patch0: libxml2-multilib.patch
Patch1: libxml2-2.9.0-do-not-check-crc.patch

Patch100: libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch
Patch101: CVE-2014-3660-rhel7.patch
Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch
Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
Patch105: libxml2-Stop-parsing-on-entities-boundaries-errors.patch
Patch106: libxml2-Cleanup-conditional-section-error-handling.patch
Patch107: libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
Patch108: libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
Patch109: libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
Patch110: libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
Patch111: libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
Patch112: libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
Patch113: libxml2-xmlStopParser-reset-errNo.patch
Patch114: libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
Patch115: libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
Patch116: libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
Patch117: libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
Patch118: libxml2-Do-not-print-error-context-when-there-is-none.patch
Patch119: libxml2-Detect-incoherency-on-GROW.patch
Patch120: libxml2-Fix-some-loop-issues-embedding-NEXT.patch
Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch
Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
patch125: libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch
patch126: libxml2-Avoid-building-recursive-entities.patch
patch127: libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
patch128: libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch
patch129: libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch
patch130: libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch
patch131: libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch
patch132: libxml2-Fix-inappropriate-fetch-of-entities-content.patch
patch133: libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch
patch134: libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch
patch135: libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch
patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch


%description
This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DtDs, either
at parse time or later once the document has been modified. The output
can be a simple SAX stream or and in-memory DOM like representations.
In this case one can use the built-in XPath and XPointer implementation
to select sub nodes or ranges. A flexible Input/Output mechanism is
available, with existing HTTP and FTP modules and combined to an
URI library.

%package devel
Summary: Libraries, includes, etc. to develop XML and HTML applications
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}
Requires: zlib-devel
Requires: xz-devel
Requires: pkgconfig

%description devel
Libraries, include files, etc you can use to develop XML applications.
This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DtDs, either
at parse time or later once the document has been modified. The output
can be a simple SAX stream or and in-memory DOM like representations.
In this case one can use the built-in XPath and XPointer implementation
to select sub nodes or ranges. A flexible Input/Output mechanism is
available, with existing HTTP and FTP modules and combined to an
URI library.

%package static
Summary: Static library for libxml2
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}

%description static
Static library for libxml2 provided for specific uses or shaving a few
microseconds when parsing, do not link to them for generic purpose packages.

%package python
Summary: Python bindings for the libxml2 library
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}

%description python
The libxml2-python package contains a module that permits applications
written in the Python programming language to use the interface
supplied by the libxml2 library to manipulate XML files.

This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DTDs, either
at parse time or later once the document has been modified.

%prep
%setup -q
%patch0 -p1
# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
%patch1 -p1 -b .do-not-check-crc

%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1
%patch115 -p1
%patch116 -p1
%patch117 -p1
%patch118 -p1
%patch119 -p1
%patch120 -p1
%patch121 -p1
%patch122 -p1
%patch123 -p1
%patch124 -p1
%patch125 -p1
%patch126 -p1
%patch127 -p1
%patch128 -p1
%patch129 -p1
%patch130 -p1
%patch131 -p1
%patch132 -p1
%patch133 -p1
%patch134 -p1
%patch135 -p1
%patch136 -p1
%patch137 -p1
%patch138 -p1
%patch139 -p1

%build
%configure
make %{_smp_mflags}

%install
rm -fr %{buildroot}

make install DESTDIR=%{buildroot}

# multiarch crazyness on timestamp differences or Makefile/binaries for examples
touch -m --reference=$RPM_BUILD_ROOT/%{_includedir}/libxml2/libxml/parser.h $RPM_BUILD_ROOT/%{_bindir}/xml2-config

rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/*
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/*
(cd doc/examples ; make clean ; rm -rf .deps Makefile)
gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz

%check
make runtests

%clean
rm -fr %{buildroot}

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%files
%defattr(-, root, root)

%doc AUTHORS NEWS README Copyright TODO
%doc %{_mandir}/man1/xmllint.1*
%doc %{_mandir}/man1/xmlcatalog.1*
%doc %{_mandir}/man3/libxml.3*

%{_libdir}/lib*.so.*
%{_bindir}/xmllint
%{_bindir}/xmlcatalog

%files devel
%defattr(-, root, root)

%doc %{_mandir}/man1/xml2-config.1*
%doc AUTHORS NEWS README Copyright
%doc doc/*.html doc/html doc/*.gif doc/*.png
%doc doc/tutorial doc/libxml2-api.xml.gz
%doc doc/examples
%doc %dir %{_datadir}/gtk-doc/html/libxml2
%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp
%doc %{_datadir}/gtk-doc/html/libxml2/*.html
%doc %{_datadir}/gtk-doc/html/libxml2/*.png
%doc %{_datadir}/gtk-doc/html/libxml2/*.css

%{_libdir}/lib*.so
%{_libdir}/*.sh
%{_includedir}/*
%{_bindir}/xml2-config
%{_datadir}/aclocal/libxml.m4
%{_libdir}/pkgconfig/libxml-2.0.pc

%files static
%defattr(-, root, root)

%{_libdir}/*a

%files python
%defattr(-, root, root)

%{_libdir}/python*/site-packages/libxml2.py*
%{_libdir}/python*/site-packages/drv_libxml2.py*
%{_libdir}/python*/site-packages/libxml2mod*
%doc python/TODO
%doc python/libxml2class.txt
%doc python/tests/*.py
%doc doc/*.py
%doc doc/python.html

%changelog
* Mon Jun 6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711> (CVE-2016-1840)
- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838)
- Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> (CVE-2016-1839)
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398> (CVE-2016-1836)
- Fix inappropriate fetch of entities content (CVE-2016-4449)
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
- Avoid building recursive entities (CVE-2016-3627)
- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability (CVE-2016-4448)

* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2
- Fix a series of CVEs (rhbz#1286496)
- CVE-2015-7941 Stop parsing on entities boundaries errors
- CVE-2015-7941 Cleanup conditional section error handling
- CVE-2015-8317 Fail parsing early on if encoding conversion failed
- CVE-2015-7942 Another variation of overflow in Conditional sections
- CVE-2015-7942 Fix an error in previous Conditional section patch
- Fix parsing short unclosed comment uninitialized access
- CVE-2015-7498 Avoid processing entities after encoding conversion failures
- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
- CVE-2015-5312 Another entity expansion issue
- CVE-2015-7499 Add xmlHaltParser() to stop the parser
- CVE-2015-7499 Detect incoherency on GROW
- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
- CVE-2015-8242 Buffer overead with HTML parser in push mode
- CVE-2015-1819 Enforce the reader to run in constant memory

* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6
- Fix missing entities after CVE-2014-3660 fix
- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)
- Fix regressions introduced by CVE-2014-0191 patch

* Sat Oct 11 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.1
- CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.9.1-5
- Mass rebuild 2014-01-24

* Wed Jan 15 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-4
- rebuild to activate -O3 on ppc64 rhbz#1051068

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.9.1-3
- Mass rebuild 2013-12-27

* Fri Nov 15 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-2
- Fix a regression in xmlGetDocCompressMode() rhbz#963716

* Fri Apr 19 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-1
- upstream release of 2.9.1
- a couple more API entry point
- compatibility with python3
- a lot of bug fixes

* Mon Feb 11 2013 Daniel Veillard <veillard@redhat.com> - 2.9.0-4
- fix --nocheck build which I broke in october rhbz#909767

* Mon Nov 19 2012 Jaroslav Reznik <jreznik@redhat.com> - 2.9.0-3
- workaround for crc/len check failure, rhbz#877567

* Thu Oct 11 2012 Daniel Veillard <veillard@redhat.com> - 2.9.0-2
- remaining cleanups from merge bug rhbz#226079
- do not put the docs in the main package, only in -devel rhbz#864731

* Tue Sep 11 2012 Daniel Veillard <veillard@redhat.com> - 2.9.0-1
- upstream release of 2.9.0
- A few new API entry points
- More resilient push parser mode
- A lot of portability improvement
- Faster XPath evaluation
- a lot of bug fixes and smaller improvement

* Fri Aug 10 2012 Daniel Veillard <veillard@redhat.com> - 2.9.0-0rc1
- upstream release candidate 1 of 2.9.0
- introduce a small API change, but ABI compatible, see
https://mail.gnome.org/archives/xml/2012-August/msg00005.html
patches for php, gcc/libjava and evolution-data-connector are upstream
Grab me in cases of problems veillard@redhat.com
- many bug fixes including security aspects and small improvements

* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Wed May 23 2012 Daniel Veillard <veillard@redhat.com> - 2.8.0-1
- upstream release of 2.8.0
- add lzma compression support
- many bug fixes and small improvements

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.8-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Fri Mar 4 2011 Daniel Veillard <veillard@redhat.com> - 2.7.8-6
- fix a double free in XPath CVE-2010-4494 bug 665965

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.8-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Fri Nov 5 2010 Daniel Veillard <veillard@redhat.com> - 2.7.8-4
- reactivate shared libs versionning script

* Thu Nov 4 2010 Daniel Veillard <veillard@redhat.com> - 2.7.8-1
- Upstream release of 2.7.8
- various bug fixes, including potential crashes
- new non-destructive formatting option
- date parsing updated to RFC 5646

* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.7.7-2
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild

* Mon Mar 15 2010 Daniel Veillard <veillard@redhat.com> - 2.7.7-1
- Upstream release of 2.7.7
- fix serious trouble with zlib >= 1.2.4
- xmllint new option --xpath
- various HTML parser improvements
- includes a number of nug fixes

* Tue Oct 6 2009 Daniel Veillard <veillard@redhat.com> - 2.7.6-1
- Upstream release of 2.7.6
- restore thread support off by default in 2.7.5

* Thu Sep 24 2009 Daniel Veillard <veillard@redhat.com> - 2.7.5-1
- Upstream release of 2.7.5
- fix a couple of Relax-NG validation problems
- couple more fixes

* Tue Sep 15 2009 Daniel Veillard <veillard@redhat.com> - 2.7.4-2
- fix a problem with little data at startup affecting inkscape #523002

* Thu Sep 10 2009 Daniel Veillard <veillard@redhat.com> - 2.7.4-1
- upstream release 2.7.4
- symbol versioning of libxml2 shared libs
- very large number of bug fixes

* Mon Aug 10 2009 Daniel Veillard <veillard@redhat.com> - 2.7.3-4
- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416

* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Sun Jan 18 2009 Daniel Veillard <veillard@redhat.com> - 2.7.3-1
- new release 2.7.3
- limit default max size of text nodes
- special parser mode for PHP
- bug fixes and more compiler checks

* Wed Dec 3 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.7.2-7
- Pull back into Python 2.6

* Wed Dec 3 2008 Caolán McNamara <caolanm@redhat.com> - 2.7.2-6
- AutoProvides requires BuildRequires pkgconfig

* Wed Dec 3 2008 Caolán McNamara <caolanm@redhat.com> - 2.7.2-5
- rebuild to get provides(libxml-2.0) into HEAD rawhide

* Mon Dec 1 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.7.2-4
- Rebuild for pkgconfig logic

* Fri Nov 28 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.7.2-3
- Rebuild for Python 2.6

* Wed Nov 12 2008 Daniel Veillard <veillard@redhat.com> - 2.7.2-2.fc11
- two patches for size overflows problems CVE-2008-4225 and CVE-2008-4226

* Fri Oct 3 2008 Daniel Veillard <veillard@redhat.com> 2.7.2-1.fc10
- new release 2.7.2
- Fixes the known problems in 2.7.1
- increase the set of options when saving documents

* Thu Oct 2 2008 Daniel Veillard <veillard@redhat.com> 2.7.1-2.fc10
- fix a nasty bug in 2.7.x, http://bugzilla.gnome.org/show_bug.cgi?id=554660

* Mon Sep 1 2008 Daniel Veillard <veillard@redhat.com> 2.7.1-1.fc10
- fix python serialization which was broken in 2.7.0
- Resolve: rhbz#460774

* Sat Aug 30 2008 Daniel Veillard <veillard@redhat.com> 2.7.0-1.fc10
- upstream release of 2.7.0
- switch to XML 1.0 5th edition
- switch to RFC 3986 for URI parsing
- better entity handling
- option to remove hardcoded limitations in the parser
- more testing
- a new API to allocate entity nodes
- and lot of fixes and clanups

* Mon Aug 25 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-4.fc10
- fix for entities recursion problem
- Resolve: rhbz#459714

* Fri May 30 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-3.fc10
- cleanup based on Fedora packaging guidelines, should fix #226079
- separate a -static package

* Thu May 15 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-2.fc10
- try to fix multiarch problems like #440206

* Tue Apr 8 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-1.fc9
- upstream release 2.6.32 see http://xmlsoft.org/news.html
- many bug fixed upstream

* Wed Feb 20 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.6.31-2
- Autorebuild for GCC 4.3

* Fri Jan 11 2008 Daniel Veillard <veillard@redhat.com> 2.6.31-1.fc9
- upstream release 2.6.31 see http://xmlsoft.org/news.html
- many bug fixed upstream

* Thu Aug 23 2007 Daniel Veillard <veillard@redhat.com> 2.6.30-1
- upstream release 2.6.30 see http://xmlsoft.org/news.html
- many bug fixed upstream

* Tue Jun 12 2007 Daniel Veillard <veillard@redhat.com> 2.6.29-1
- upstream release 2.6.29 see http://xmlsoft.org/news.html
- many bug fixed upstream

* Wed May 16 2007 Matthias Clasen <mclasen@redhat.com> 2.6.28-2
- Bump revision to fix N-V-R problem

* Tue Apr 17 2007 Daniel Veillard <veillard@redhat.com> 2.6.28-1
- upstream release 2.6.28 see http://xmlsoft.org/news.html
- many bug fixed upstream

* Thu Dec 7 2006 Jeremy Katz <katzj@redhat.com> - 2.6.27-2
- rebuild against python 2.5

* Wed Oct 25 2006 Daniel Veillard <veillard@redhat.com> 2.6.27-1
- upstream release 2.6.27 see http://xmlsoft.org/news.html
- very large amount of bug fixes reported upstream

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.6.26-2.1.1
- rebuild

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.6.26-2.1
- rebuild

* Wed Jun 7 2006 Daniel Veillard <veillard@redhat.com> 2.6.26-2
- fix bug #192873
* Tue Jun 6 2006 Daniel Veillard <veillard@redhat.com> 2.6.26-1
- upstream release 2.6.26 see http://xmlsoft.org/news.html

* Tue Jun 6 2006 Daniel Veillard <veillard@redhat.com>
- upstream release 2.6.25 broken, do not ship !