diff options
author | Max Rees <maxcrees@me.com> | 2020-03-03 14:33:49 +0000 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2020-03-09 21:27:48 -0500 |
commit | 1ca9f51b0901a84b56258b19a78acf4c01f93eb5 (patch) | |
tree | 41c58a426fab16eb544dbd1a017d152c502a800b | |
parent | 680d3d2f67370934c1aff033819eef438bcb6f94 (diff) | |
download | packages-1ca9f51b0901a84b56258b19a78acf4c01f93eb5.tar.gz packages-1ca9f51b0901a84b56258b19a78acf4c01f93eb5.tar.bz2 packages-1ca9f51b0901a84b56258b19a78acf4c01f93eb5.tar.xz packages-1ca9f51b0901a84b56258b19a78acf4c01f93eb5.zip |
system/libxml2: patch CVE-2019-20388 and CVE-2020-7595 (#234)
-rw-r--r-- | system/libxml2/APKBUILD | 11 | ||||
-rw-r--r-- | system/libxml2/CVE-2019-20388.patch | 33 | ||||
-rw-r--r-- | system/libxml2/CVE-2020-7595.patch | 32 |
3 files changed, 74 insertions, 2 deletions
diff --git a/system/libxml2/APKBUILD b/system/libxml2/APKBUILD index 1d1664047..73b6eb2a0 100644 --- a/system/libxml2/APKBUILD +++ b/system/libxml2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libxml2 pkgver=2.9.10 -pkgrel=0 +pkgrel=1 pkgdesc="XML parsing library" url="http://www.xmlsoft.org/" arch="all" @@ -16,6 +16,8 @@ subpackages="$pkgname-doc $pkgname-dev py-libxml2:py" provides="$pkgname-utils=$pkgver-r$pkgrel" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz python-segfault-fix.patch + CVE-2019-20388.patch + CVE-2020-7595.patch " # secfixes: @@ -25,6 +27,9 @@ source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz # - CVE-2016-9318 # 2.9.4-r4: # - CVE-2017-5969 +# 2.9.10-r1: +# - CVE-2019-20388 +# - CVE-2020-7595 prepare() { default_prepare @@ -62,4 +67,6 @@ py() { } sha512sums="0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed libxml2-2.9.10.tar.gz -384b3d2031cd8f77528190bbb7652faa9ccb22bc604bcf4927e59046d38830dac38010828fe1568b6514976f725981a6d3ac1aa595d31477a36db2afe491452c python-segfault-fix.patch" +384b3d2031cd8f77528190bbb7652faa9ccb22bc604bcf4927e59046d38830dac38010828fe1568b6514976f725981a6d3ac1aa595d31477a36db2afe491452c python-segfault-fix.patch +48ea30bd8035f3b60825ce24185fbec1e7423e683f64626405fd96daaaa14011e7f7c180a7a87d7ff8f73983b0e221974cbce619d04b932c1db2110a13be014e CVE-2019-20388.patch +90db832e60c700e971669f57a54fdb297660c42602089b4e77e013a7051c880f380f0c98c059d9f54de99855b2d9be78fcf0639443f3765a925b52fc093fb4d9 CVE-2020-7595.patch" diff --git a/system/libxml2/CVE-2019-20388.patch b/system/libxml2/CVE-2019-20388.patch new file mode 100644 index 000000000..49ff6fbe0 --- /dev/null +++ b/system/libxml2/CVE-2019-20388.patch @@ -0,0 +1,33 @@ +From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie <xiezhipeng1@huawei.com> +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com> +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c8449..39d92182 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.24.1 + diff --git a/system/libxml2/CVE-2020-7595.patch b/system/libxml2/CVE-2020-7595.patch new file mode 100644 index 000000000..3dd677497 --- /dev/null +++ b/system/libxml2/CVE-2020-7595.patch @@ -0,0 +1,32 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie <xiezhipeng1@huawei.com> +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com> +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.24.1 + |