mirror of
https://github.com/motioneye-project/motioneyeos.git
synced 2025-07-27 21:26:36 +00:00
libxml2: security bump to version 2.9.3
- Fixes: - CVE-2015-5312 - Another entity expansion issue - CVE-2015-7497 - Avoid an heap buffer overflow in xmlDictComputeFastQKey - CVE-2015-7500 - Fix memory access error due to incorrect entities boundaries - CVE-2015-8242 - Buffer overead with HTML parser in push mode - Incorporates upstreamed patches as well, which also fixed: - CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. - CVE-2015-7941 - out-of-bounds memory access. - CVE-2015-7942 - heap-buffer-overflow in xmlParseConditionalSections. - CVE-2015-8035 - DoS via crafted xz file. Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is contained in:
parent
b18e4b5849
commit
08e08586b5
@ -1,28 +0,0 @@
|
|||||||
From dd6125f4b58fe7bc270e51bc3fcf41cd228d22fc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Samuel Martin <s.martin49@gmail.com>
|
|
||||||
Date: Mon, 29 Dec 2014 20:40:18 +0100
|
|
||||||
Subject: [PATCH] libxml2-config.cmake.in: update include directories
|
|
||||||
|
|
||||||
Align the include directories on those from the pkg-config module.
|
|
||||||
|
|
||||||
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
|
|
||||||
---
|
|
||||||
libxml2-config.cmake.in | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libxml2-config.cmake.in b/libxml2-config.cmake.in
|
|
||||||
index ac29329..6b16fc2 100644
|
|
||||||
--- a/libxml2-config.cmake.in
|
|
||||||
+++ b/libxml2-config.cmake.in
|
|
||||||
@@ -21,7 +21,7 @@ set(LIBXML2_VERSION_MINOR @LIBXML_MINOR_VERSION@)
|
|
||||||
set(LIBXML2_VERSION_MICRO @LIBXML_MICRO_VERSION@)
|
|
||||||
set(LIBXML2_VERSION_STRING "@VERSION@")
|
|
||||||
set(LIBXML2_INSTALL_PREFIX ${_libxml2_rootdir})
|
|
||||||
-set(LIBXML2_INCLUDE_DIRS ${_libxml2_rootdir}/include)
|
|
||||||
+set(LIBXML2_INCLUDE_DIRS ${_libxml2_rootdir}/include ${_libxml2_rootdir}/include/libxml2)
|
|
||||||
set(LIBXML2_LIBRARY_DIR ${_libxml2_rootdir}/lib)
|
|
||||||
set(LIBXML2_LIBRARIES -L${LIBXML2_LIBRARY_DIR} -lxml2)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.2.1
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
|||||||
Fix musl compile
|
|
||||||
|
|
||||||
Downloaded from upstream commit
|
|
||||||
https://git.gnome.org/browse/libxml2/commit/?id=fff8a6b87e05200a0ad0af6f86c2e859c7de9172
|
|
||||||
|
|
||||||
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
|
|
||||||
---
|
|
||||||
From fff8a6b87e05200a0ad0af6f86c2e859c7de9172 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Heimpold <mhei@heimpold.de>
|
|
||||||
Date: Mon, 22 Dec 2014 11:12:12 +0800
|
|
||||||
Subject: threads: use forward declarations only for glibc
|
|
||||||
|
|
||||||
Fixes bug #704908
|
|
||||||
|
|
||||||
The declarations of pthread functions, used to generate weak references
|
|
||||||
to them, fail to suppress macros. Thus, if any pthread function has
|
|
||||||
been provided as a macro, compiling threads.c will fail.
|
|
||||||
This breaks on musl libc, which defines pthread_equal as a macro (in
|
|
||||||
addition to providing the function, as required).
|
|
||||||
|
|
||||||
Prevent the declarations for e.g. musl libc by refining the condition.
|
|
||||||
|
|
||||||
The idea for this solution was borrowed from the alpine linux guys, see
|
|
||||||
http://git.alpinelinux.org/cgit/aports/tree/main/libxml2/libxml2-pthread.patch
|
|
||||||
|
|
||||||
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
|
|
||||||
|
|
||||||
diff --git a/threads.c b/threads.c
|
|
||||||
index 8921204..78006a2 100644
|
|
||||||
--- a/threads.c
|
|
||||||
+++ b/threads.c
|
|
||||||
@@ -47,7 +47,7 @@
|
|
||||||
#ifdef HAVE_PTHREAD_H
|
|
||||||
|
|
||||||
static int libxml_is_threaded = -1;
|
|
||||||
-#ifdef __GNUC__
|
|
||||||
+#if defined(__GNUC__) && defined(__GLIBC__)
|
|
||||||
#ifdef linux
|
|
||||||
#if (__GNUC__ == 3 && __GNUC_MINOR__ >= 3) || (__GNUC__ > 3)
|
|
||||||
extern int pthread_once (pthread_once_t *__once_control,
|
|
||||||
@@ -89,7 +89,7 @@ extern int pthread_cond_signal ()
|
|
||||||
__attribute((weak));
|
|
||||||
#endif
|
|
||||||
#endif /* linux */
|
|
||||||
-#endif /* __GNUC__ */
|
|
||||||
+#endif /* defined(__GNUC__) && defined(__GLIBC__) */
|
|
||||||
#endif /* HAVE_PTHREAD_H */
|
|
||||||
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
cgit v0.10.2
|
|
||||||
|
|
@ -1,178 +0,0 @@
|
|||||||
From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Veillard <veillard@redhat.com>
|
|
||||||
Date: Tue, 14 Apr 2015 17:41:48 +0800
|
|
||||||
Subject: CVE-2015-1819 Enforce the reader to run in constant memory
|
|
||||||
|
|
||||||
One of the operation on the reader could resolve entities
|
|
||||||
leading to the classic expansion issue. Make sure the
|
|
||||||
buffer used for xmlreader operation is bounded.
|
|
||||||
Introduce a new allocation type for the buffers for this effect.
|
|
||||||
|
|
||||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
||||||
---
|
|
||||||
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
|
|
||||||
include/libxml/tree.h | 3 ++-
|
|
||||||
xmlreader.c | 20 +++++++++++++++++++-
|
|
||||||
3 files changed, 63 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/buf.c b/buf.c
|
|
||||||
index 6efc7b6..07922ff 100644
|
|
||||||
--- a/buf.c
|
|
||||||
+++ b/buf.c
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
#include <libxml/tree.h>
|
|
||||||
#include <libxml/globals.h>
|
|
||||||
#include <libxml/tree.h>
|
|
||||||
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
|
|
||||||
#include "buf.h"
|
|
||||||
|
|
||||||
#define WITH_BUFFER_COMPAT
|
|
||||||
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
|
|
||||||
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
|
|
||||||
(scheme == XML_BUFFER_ALLOC_EXACT) ||
|
|
||||||
(scheme == XML_BUFFER_ALLOC_HYBRID) ||
|
|
||||||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
|
|
||||||
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
|
|
||||||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
|
|
||||||
buf->alloc = scheme;
|
|
||||||
if (buf->buffer)
|
|
||||||
buf->buffer->alloc = scheme;
|
|
||||||
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
|
|
||||||
size = buf->use + len + 100;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
|
||||||
+ /*
|
|
||||||
+ * Used to provide parsing limits
|
|
||||||
+ */
|
|
||||||
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
|
|
||||||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
|
|
||||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
|
||||||
+ return(0);
|
|
||||||
+ }
|
|
||||||
+ if (size >= XML_MAX_TEXT_LENGTH)
|
|
||||||
+ size = XML_MAX_TEXT_LENGTH;
|
|
||||||
+ }
|
|
||||||
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
|
|
||||||
size_t start_buf = buf->content - buf->contentIO;
|
|
||||||
|
|
||||||
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
|
|
||||||
CHECK_COMPAT(buf)
|
|
||||||
|
|
||||||
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
|
|
||||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
|
||||||
+ /*
|
|
||||||
+ * Used to provide parsing limits
|
|
||||||
+ */
|
|
||||||
+ if (size >= XML_MAX_TEXT_LENGTH) {
|
|
||||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
|
||||||
+ return(0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Don't resize if we don't have to */
|
|
||||||
if (size < buf->size)
|
|
||||||
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
|
|
||||||
|
|
||||||
needSize = buf->use + len + 2;
|
|
||||||
if (needSize > buf->size){
|
|
||||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
|
||||||
+ /*
|
|
||||||
+ * Used to provide parsing limits
|
|
||||||
+ */
|
|
||||||
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
|
|
||||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
|
||||||
+ return(-1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
if (!xmlBufResize(buf, needSize)){
|
|
||||||
xmlBufMemoryError(buf, "growing buffer");
|
|
||||||
return XML_ERR_NO_MEMORY;
|
|
||||||
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
|
|
||||||
}
|
|
||||||
needSize = buf->use + len + 2;
|
|
||||||
if (needSize > buf->size){
|
|
||||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
|
||||||
+ /*
|
|
||||||
+ * Used to provide parsing limits
|
|
||||||
+ */
|
|
||||||
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
|
|
||||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
|
||||||
+ return(-1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
if (!xmlBufResize(buf, needSize)){
|
|
||||||
xmlBufMemoryError(buf, "growing buffer");
|
|
||||||
return XML_ERR_NO_MEMORY;
|
|
||||||
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
|
|
||||||
index 2f90717..4a9b3bc 100644
|
|
||||||
--- a/include/libxml/tree.h
|
|
||||||
+++ b/include/libxml/tree.h
|
|
||||||
@@ -76,7 +76,8 @@ typedef enum {
|
|
||||||
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
|
|
||||||
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
|
|
||||||
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
|
|
||||||
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
|
|
||||||
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
|
|
||||||
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
|
|
||||||
} xmlBufferAllocationScheme;
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/xmlreader.c b/xmlreader.c
|
|
||||||
index f19e123..471e7e2 100644
|
|
||||||
--- a/xmlreader.c
|
|
||||||
+++ b/xmlreader.c
|
|
||||||
@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
|
|
||||||
"xmlNewTextReader : malloc failed\n");
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
+ /* no operation on a reader should require a huge buffer */
|
|
||||||
+ xmlBufSetAllocationScheme(ret->buffer,
|
|
||||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
|
||||||
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
|
|
||||||
if (ret->sax == NULL) {
|
|
||||||
xmlBufFree(ret->buffer);
|
|
||||||
@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
|
|
||||||
return(((xmlNsPtr) node)->href);
|
|
||||||
case XML_ATTRIBUTE_NODE:{
|
|
||||||
xmlAttrPtr attr = (xmlAttrPtr) node;
|
|
||||||
+ const xmlChar *ret;
|
|
||||||
|
|
||||||
if ((attr->children != NULL) &&
|
|
||||||
(attr->children->type == XML_TEXT_NODE) &&
|
|
||||||
@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
|
|
||||||
"xmlTextReaderSetup : malloc failed\n");
|
|
||||||
return (NULL);
|
|
||||||
}
|
|
||||||
+ xmlBufSetAllocationScheme(reader->buffer,
|
|
||||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
|
||||||
} else
|
|
||||||
xmlBufEmpty(reader->buffer);
|
|
||||||
xmlBufGetNodeContent(reader->buffer, node);
|
|
||||||
- return(xmlBufContent(reader->buffer));
|
|
||||||
+ ret = xmlBufContent(reader->buffer);
|
|
||||||
+ if (ret == NULL) {
|
|
||||||
+ /* error on the buffer best to reallocate */
|
|
||||||
+ xmlBufFree(reader->buffer);
|
|
||||||
+ reader->buffer = xmlBufCreateSize(100);
|
|
||||||
+ xmlBufSetAllocationScheme(reader->buffer,
|
|
||||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
|
||||||
+ ret = BAD_CAST "";
|
|
||||||
+ }
|
|
||||||
+ return(ret);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
|
|
||||||
"xmlTextReaderSetup : malloc failed\n");
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
+ /* no operation on a reader should require a huge buffer */
|
|
||||||
+ xmlBufSetAllocationScheme(reader->buffer,
|
|
||||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
|
||||||
if (reader->sax == NULL)
|
|
||||||
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
|
|
||||||
if (reader->sax == NULL) {
|
|
||||||
--
|
|
||||||
cgit v0.11.2
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Veillard <veillard@redhat.com>
|
|
||||||
Date: Mon, 23 Feb 2015 11:17:35 +0800
|
|
||||||
Subject: Stop parsing on entities boundaries errors
|
|
||||||
|
|
||||||
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
|
|
||||||
|
|
||||||
There are times, like on unterminated entities that it's preferable to
|
|
||||||
stop parsing, even if that means less error reporting. Entities are
|
|
||||||
feeding the parser on further processing, and if they are ill defined
|
|
||||||
then it's possible to get the parser to bug. Also do the same on
|
|
||||||
Conditional Sections if the input is broken, as the structure of
|
|
||||||
the document can't be guessed.
|
|
||||||
|
|
||||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
||||||
---
|
|
||||||
parser.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/parser.c b/parser.c
|
|
||||||
index a8d1b67..bbe97eb 100644
|
|
||||||
--- a/parser.c
|
|
||||||
+++ b/parser.c
|
|
||||||
@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
|
|
||||||
if (RAW != '>') {
|
|
||||||
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
|
|
||||||
"xmlParseEntityDecl: entity %s not terminated\n", name);
|
|
||||||
+ xmlStopParser(ctxt);
|
|
||||||
} else {
|
|
||||||
if (input != ctxt->input) {
|
|
||||||
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
|
|
||||||
--
|
|
||||||
cgit v0.11.2
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Veillard <veillard@redhat.com>
|
|
||||||
Date: Mon, 23 Feb 2015 11:29:20 +0800
|
|
||||||
Subject: Cleanup conditional section error handling
|
|
||||||
|
|
||||||
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
|
|
||||||
|
|
||||||
The error handling of Conditional Section also need to be
|
|
||||||
straightened as the structure of the document can't be
|
|
||||||
guessed on a failure there and it's better to stop parsing
|
|
||||||
as further errors are likely to be irrelevant.
|
|
||||||
|
|
||||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
||||||
---
|
|
||||||
parser.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/parser.c b/parser.c
|
|
||||||
index bbe97eb..fe603ac 100644
|
|
||||||
--- a/parser.c
|
|
||||||
+++ b/parser.c
|
|
||||||
@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
|
||||||
SKIP_BLANKS;
|
|
||||||
if (RAW != '[') {
|
|
||||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
|
|
||||||
+ xmlStopParser(ctxt);
|
|
||||||
+ return;
|
|
||||||
} else {
|
|
||||||
if (ctxt->input->id != id) {
|
|
||||||
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
|
|
||||||
@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
|
||||||
SKIP_BLANKS;
|
|
||||||
if (RAW != '[') {
|
|
||||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
|
|
||||||
+ xmlStopParser(ctxt);
|
|
||||||
+ return;
|
|
||||||
} else {
|
|
||||||
if (ctxt->input->id != id) {
|
|
||||||
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
|
|
||||||
@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
|
||||||
|
|
||||||
} else {
|
|
||||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
|
|
||||||
+ xmlStopParser(ctxt);
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (RAW == 0)
|
|
||||||
--
|
|
||||||
cgit v0.11.2
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Veillard <veillard@redhat.com>
|
|
||||||
Date: Fri, 23 Oct 2015 19:02:28 +0800
|
|
||||||
Subject: Another variation of overflow in Conditional sections
|
|
||||||
|
|
||||||
Which happen after the previous fix to
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=756456
|
|
||||||
|
|
||||||
But stopping the parser and exiting we didn't pop the intermediary entities
|
|
||||||
and doing the SKIP there applies on an input which may be too small
|
|
||||||
|
|
||||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
||||||
---
|
|
||||||
parser.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/parser.c b/parser.c
|
|
||||||
index a65e4cc..b9217ff 100644
|
|
||||||
--- a/parser.c
|
|
||||||
+++ b/parser.c
|
|
||||||
@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
|
||||||
"All markup of the conditional section is not in the same entity\n",
|
|
||||||
NULL, NULL);
|
|
||||||
}
|
|
||||||
- SKIP(3);
|
|
||||||
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
|
|
||||||
+ ((ctxt->input->cur + 3) < ctxt->input->end))
|
|
||||||
+ SKIP(3);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
cgit v0.11.2
|
|
||||||
|
|
@ -1,30 +0,0 @@
|
|||||||
From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Veillard <veillard@redhat.com>
|
|
||||||
Date: Tue, 27 Oct 2015 10:53:44 +0800
|
|
||||||
Subject: Fix an error in previous Conditional section patch
|
|
||||||
|
|
||||||
an off by one mistake in the change, led to error on correct
|
|
||||||
document where the end of the included entity was exactly
|
|
||||||
the end of the conditional section, leading to regtest failure
|
|
||||||
|
|
||||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
||||||
---
|
|
||||||
parser.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/parser.c b/parser.c
|
|
||||||
index b9217ff..d67b300 100644
|
|
||||||
--- a/parser.c
|
|
||||||
+++ b/parser.c
|
|
||||||
@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
|
||||||
NULL, NULL);
|
|
||||||
}
|
|
||||||
if ((ctxt-> instate != XML_PARSER_EOF) &&
|
|
||||||
- ((ctxt->input->cur + 3) < ctxt->input->end))
|
|
||||||
+ ((ctxt->input->cur + 3) <= ctxt->input->end))
|
|
||||||
SKIP(3);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
cgit v0.11.2
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Veillard <veillard@redhat.com>
|
|
||||||
Date: Tue, 3 Nov 2015 15:31:25 +0800
|
|
||||||
Subject: CVE-2015-8035 Fix XZ compression support loop
|
|
||||||
|
|
||||||
For https://bugzilla.gnome.org/show_bug.cgi?id=757466
|
|
||||||
DoS when parsing specially crafted XML document if XZ support
|
|
||||||
is compiled in (which wasn't the case for 2.9.2 and master since
|
|
||||||
Nov 2013, fixed in next commit !)
|
|
||||||
|
|
||||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
||||||
---
|
|
||||||
xzlib.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/xzlib.c b/xzlib.c
|
|
||||||
index 0dcb9f4..1fab546 100644
|
|
||||||
--- a/xzlib.c
|
|
||||||
+++ b/xzlib.c
|
|
||||||
@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
|
|
||||||
xz_error(state, LZMA_DATA_ERROR, "compressed data error");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ if (ret == LZMA_PROG_ERROR) {
|
|
||||||
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
} while (strm->avail_out && ret != LZMA_STREAM_END);
|
|
||||||
|
|
||||||
/* update available output and crc check value */
|
|
||||||
--
|
|
||||||
cgit v0.11.2
|
|
||||||
|
|
@ -1,2 +1,2 @@
|
|||||||
# Locally calculated after checking pgp signature
|
# Locally calculated after checking pgp signature
|
||||||
sha256 5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc libxml2-2.9.2.tar.gz
|
sha256 4de9e31f46b44d34871c22f54bfc54398ef124d6f7cafb1f4a5958fbcd3ba12d libxml2-2.9.3.tar.gz
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
LIBXML2_VERSION = 2.9.2
|
LIBXML2_VERSION = 2.9.3
|
||||||
LIBXML2_SITE = ftp://xmlsoft.org/libxml2
|
LIBXML2_SITE = ftp://xmlsoft.org/libxml2
|
||||||
LIBXML2_INSTALL_STAGING = YES
|
LIBXML2_INSTALL_STAGING = YES
|
||||||
LIBXML2_AUTORECONF = YES
|
LIBXML2_AUTORECONF = YES
|
||||||
|
Loading…
x
Reference in New Issue
Block a user