[PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.

Done. Submitted by Alex Vong.
Details
2 participants
  • Alex Vong
  • Marius Bakke
Owner
unassigned
Severity
important
Alex Vong wrote on 30 Aug 2017 15:31
(address . guix-patches@gnu.org)
87inh5uqpd.fsf@gmail.com
Severity: important
Tags: patch security
Hi,
This patch fixes CVEs of libxml2. The changes to 'runtest.c' in 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they introduce test failure. The changes only enable new tests so it should be fine to remove them.
From 69182d050016889ee11d0c2459dcae1212f7579e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 30 Aug 2017 21:21:21 +0800
Subject: [PATCH] gnu: libxml2: Fix CVE-2017-{0663,7375,7376,9047,9048,9049,9050}.
* gnu/packages/patches/libxml2-CVE-2017-0663.patch,
gnu/packages/patches/libxml2-CVE-2017-7375.patch,
gnu/packages/patches/libxml2-CVE-2017-7376.patch,
gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch,
gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[source]: Use them.
---
 gnu/local.mk | 5 +
 gnu/packages/patches/libxml2-CVE-2017-0663.patch | 53 ++++
 gnu/packages/patches/libxml2-CVE-2017-7375.patch | 45 +++
 gnu/packages/patches/libxml2-CVE-2017-7376.patch | 41 +++
 .../libxml2-CVE-2017-9047+CVE-2017-9048.patch | 130 +++++++++
 .../libxml2-CVE-2017-9049+CVE-2017-9050.patch | 319 +++++++++++++++++++++
 gnu/packages/xml.scm | 10 +-
 7 files changed, 601 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-0663.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7375.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7376.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
Toggle diff (657 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 10d4ab114..9baaa1687 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -804,6 +804,11 @@ dist_patch_DATA = \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \+ %D%/packages/patches/libxml2-CVE-2017-0663.patch \+ %D%/packages/patches/libxml2-CVE-2017-7375.patch \+ %D%/packages/patches/libxml2-CVE-2017-7376.patch \+ %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch\+ %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch\ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/libxt-guix-search-paths.patch \diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patchnew file mode 100644index 000000000..b0277a2d2--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch@@ -0,0 +1,53 @@+Fix CVE-2017-0663:++https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663+https://security-tracker.debian.org/tracker/CVE-2017-0663++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66++From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001+From: Nick Wellnhofer <wellnhofer@aevum.de>+Date: Tue, 6 Jun 2017 12:56:28 +0200+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace++Comment out code that casts xmlNsPtr to xmlAttrPtr. 
ID types on+namespace declarations make no practical sense anyway.++Fixes bug 780228.++Found with libFuzzer and ASan.+---+ valid.c | 7 ++++++++ 1 file changed, 7 insertions(+)++diff --git a/valid.c b/valid.c+index 8075d3a0..c51ea290 100644+--- a/valid.c++++ b/valid.c+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {+ }+ }+ ++ /*++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions++ * xmlAddID and xmlAddRef for namespace declarations, but it makes++ * no practical sense to use ID types anyway.++ */++#if 0+ /* Validity Constraint: ID uniqueness */+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)+ ret = 0;+ }++#endif+ + /* Validity Constraint: Notation Attributes */+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patchnew file mode 100644index 000000000..32af1ff6b--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch@@ -0,0 +1,45 @@+Fix CVE-2017-7375:++https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375+https://security-tracker.debian.org/tracker/CVE-2017-7375++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e++From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001+From: Neel Mehta <nmehta@google.com>+Date: Fri, 7 Apr 2017 17:43:02 +0200+Subject: [PATCH] Prevent unwanted external entity reference++For https://bugzilla.gnome.org/show_bug.cgi?id=780691++* parser.c: add a specific check to avoid PE reference+---+ parser.c | 9 ++++++++++ 1 file changed, 9 insertions(+)++diff --git a/parser.c 
b/parser.c+index 609a2703..c2c812de 100644+--- a/parser.c++++ b/parser.c+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)+ if (xmlPushInput(ctxt, input) < 0)+ return;+ } else {++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&++ (ctxt->replaceEntities == 0) &&++ (ctxt->validate == 0))++ return;+++ /*+ * TODO !!!+ * handle the extra spaces added before and after+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patchnew file mode 100644index 000000000..5b9e45bd8--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch@@ -0,0 +1,41 @@+Fix CVE-2017-7376:++https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376+https://security-tracker.debian.org/tracker/CVE-2017-7376++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e++From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001+From: Daniel Veillard <veillard@redhat.com>+Date: Fri, 7 Apr 2017 17:13:28 +0200+Subject: [PATCH] Increase buffer space for port in HTTP redirect support++For https://bugzilla.gnome.org/show_bug.cgi?id=780690++nanohttp.c: the code wrongly assumed a short int port value.+---+ nanohttp.c | 4 ++--+ 1 file changed, 2 insertions(+), 2 deletions(-)++diff --git a/nanohttp.c b/nanohttp.c+index e109ad75..373425de 100644+--- a/nanohttp.c++++ b/nanohttp.c+@@ -1423,9 +1423,9 @@ retry:+ if (ctxt->port != 80) {+ /* reserve space for ':xxxxx', incl. 
potential proxy */+ if (proxy)+- blen += 12;++ blen += 17;+ else+- blen += 6;++ blen += 11;+ }+ bp = (char*)xmlMallocAtomic(blen);+ if ( bp == NULL ) {+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patchnew file mode 100644index 000000000..0a0e6d34c--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch@@ -0,0 +1,130 @@+Fix CVE-2017-{9047,9048}:++https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)+https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048+http://www.openwall.com/lists/oss-security/2017/05/15/1+https://security-tracker.debian.org/tracker/CVE-2017-9047+https://security-tracker.debian.org/tracker/CVE-2017-9048++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74++From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001+From: Nick Wellnhofer <wellnhofer@aevum.de>+Date: Sat, 3 Jun 2017 02:01:29 +0200+Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent+MIME-Version: 1.0+Content-Type: text/plain; charset=UTF-8+Content-Transfer-Encoding: 8bit++xmlSnprintfElementContent failed to correctly check the available+buffer space in two locations.++Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).++Thanks to Marcel Böhme and Thuan Pham for the report.+---+ result/valid/781333.xml | 5 ++++++ result/valid/781333.xml.err | 3 ++++ result/valid/781333.xml.err.rdr | 6 +++++++ test/valid/781333.xml | 4 +++++ valid.c | 20 +++++++++++---------+ 5 files changed, 29 insertions(+), 9 deletions(-)+ create mode 100644 result/valid/781333.xml+ create mode 100644 result/valid/781333.xml.err+ create mode 100644 result/valid/781333.xml.err.rdr+ create mode 100644 
test/valid/781333.xml++diff --git a/result/valid/781333.xml b/result/valid/781333.xml+new file mode 100644+index 00000000..45dc451d+--- /dev/null++++ b/result/valid/781333.xml+@@ -0,0 +1,5 @@++<?xml version="1.0"?>++<!DOCTYPE a [++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>++]>++<a/>+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err+new file mode 100644+index 00000000..b401b49a+--- /dev/null++++ b/result/valid/781333.xml.err+@@ -0,0 +1,3 @@++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/>++ ^+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr+new file mode 100644+index 00000000..5ff56992+--- /dev/null++++ b/result/valid/781333.xml.err.rdr+@@ -0,0 +1,6 @@++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/>++ ^++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child++++^+diff --git a/test/valid/781333.xml b/test/valid/781333.xml+new file mode 100644+index 00000000..b29e5a68+--- /dev/null++++ b/test/valid/781333.xml+@@ -0,0 +1,4 @@++<!DOCTYPE a [++ <!ELEMENT a 
(ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
p:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
ll)>++]>++<a/>+diff --git a/valid.c b/valid.c+index 19f84b82..9b2df56a 100644+--- a/valid.c++++ b/valid.c+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int+ case XML_ELEMENT_CONTENT_PCDATA:+ strcat(buf, "#PCDATA");+ break;+- case XML_ELEMENT_CONTENT_ELEMENT:++ case XML_ELEMENT_CONTENT_ELEMENT: {++ int qnameLen = xmlStrlen(content->name);++++ if (content->prefix != NULL)++ qnameLen += xmlStrlen(content->prefix) + 1;++ if (size - len < qnameLen + 10) {++ strcat(buf, " ...");++ return;++ }+ if (content->prefix != NULL) {+- if (size - len < xmlStrlen(content->prefix) + 10) {+- strcat(buf, " ...");+- return;+- }+ strcat(buf, (char *) content->prefix);+ strcat(buf, ":");+ }+- if (size - len < xmlStrlen(content->name) + 10) {+- strcat(buf, " ...");+- return;+- }+ if (content->name != NULL)+ strcat(buf, (char *) content->name);+ break;++ }+ case XML_ELEMENT_CONTENT_SEQ:+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int+ xmlSnprintfElementContent(buf, size, content->c2, 0);+ break;+ }++ if (size - strlen(buf) <= 2) return;+ if (englob)+ strcat(buf, ")");+ switch (content->ocur) {+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patchnew file mode 100644index 000000000..890e9c228--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch@@ -0,0 +1,319 @@+Fix CVE-2017-{9049,9050}:++https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)+https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet 
public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050+http://www.openwall.com/lists/oss-security/2017/05/15/1+https://security-tracker.debian.org/tracker/CVE-2017-9049+https://security-tracker.debian.org/tracker/CVE-2017-9050++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3++Changes to 'runtest.c' are removed since they introduce test failure+when applying to libxml2 2.9.4 release tarball.++From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001+From: Nick Wellnhofer <wellnhofer@aevum.de>+Date: Mon, 5 Jun 2017 15:37:17 +0200+Subject: [PATCH] Fix handling of parameter-entity references+MIME-Version: 1.0+Content-Type: text/plain; charset=UTF-8+Content-Transfer-Encoding: 8bit++There were two bugs where parameter-entity references could lead to an+unexpected change of the input buffer in xmlParseNameComplex and+xmlDictLookup being called with an invalid pointer.++Percent sign in DTD Names+=========================++The NEXTL macro used to call xmlParserHandlePEReference. When parsing+"complex" names inside the DTD, this could result in entity expansion+which created a new input buffer. The fix is to simply remove the call+to xmlParserHandlePEReference from the NEXTL macro. 
This is safe because+no users of the macro require expansion of parameter entities.++- xmlParseNameComplex+- xmlParseNCNameComplex+- xmlParseNmtoken++The percent sign is not allowed in names, which are grammatical tokens.++- xmlParseEntityValue++Parameter-entity references in entity values are expanded but this+happens in a separate step in this function.++- xmlParseSystemLiteral++Parameter-entity references are ignored in the system literal.++- xmlParseAttValueComplex+- xmlParseCharDataComplex+- xmlParseCommentComplex+- xmlParsePI+- xmlParseCDSect++Parameter-entity references are ignored outside the DTD.++- xmlLoadEntityContent++This function is only called from xmlStringLenDecodeEntities and+entities are replaced in a separate step immediately after the function+call.++This bug could also be triggered with an internal subset and double+entity expansion.++This fixes bug 766956 initially reported by Wei Lei and independently by+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone+involved.++xmlParseNameComplex with XML_PARSE_OLD10+========================================++When parsing Names inside an expanded parameter entity with the+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the+GROW macro if the input buffer was exhausted. At the end of the+parameter entity's replacement text, this function would then call+xmlPopInput which invalidated the input buffer.++There should be no need to invoke GROW in this situation because the+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,+at least for UTF-8, in xmlCurrentChar. 
This also matches the code path+executed when XML_PARSE_OLD10 is not set.++This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).+Thanks to Marcel Böhme and Thuan Pham for the report.++Additional hardening+====================++A separate check was added in xmlParseNameComplex to validate the+buffer size.+---+ Makefile.am | 18 +++++++++++++++++++ parser.c | 18 ++++++++++--------+ result/errors10/781205.xml | 0+ result/errors10/781205.xml.err | 21 ++++++++++++++++++++++ result/errors10/781361.xml | 0+ result/errors10/781361.xml.err | 13 ++++++++++++++ result/valid/766956.xml | 0+ result/valid/766956.xml.err | 9 ++++++++++ result/valid/766956.xml.err.rdr | 10 +++++++++++ runtest.c | 3 ++++ test/errors10/781205.xml | 3 ++++ test/errors10/781361.xml | 3 ++++ test/valid/766956.xml | 2 +++ test/valid/dtds/766956.dtd | 2 +++ 14 files changed, 94 insertions(+), 8 deletions(-)+ create mode 100644 result/errors10/781205.xml+ create mode 100644 result/errors10/781205.xml.err+ create mode 100644 result/errors10/781361.xml+ create mode 100644 result/errors10/781361.xml.err+ create mode 100644 result/valid/766956.xml+ create mode 100644 result/valid/766956.xml.err+ create mode 100644 result/valid/766956.xml.err.rdr+ create mode 100644 test/errors10/781205.xml+ create mode 100644 test/errors10/781361.xml+ create mode 100644 test/valid/766956.xml+ create mode 100644 test/valid/dtds/766956.dtd++diff --git a/Makefile.am b/Makefile.am+index 6fc8ffa9..10e716a5 100644+--- a/Makefile.am++++ b/Makefile.am+@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \+ rm result.$$name error.$$name ; \+ fi ; fi ; done)++ @echo "## Error cases regression tests (old 1.0)"++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \++ name=`basename $$i`; \++ if [ ! -d $$i ] ; then \++ if [ ! 
-f $(srcdir)/result/errors10/$$name ] ; then \++ echo New test file $$name ; \++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \++ 2> $(srcdir)/result/errors10/$$name.err \++ > $(srcdir)/result/errors10/$$name ; \++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \++ else \++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \++ diff $(srcdir)/result/errors10/$$name result.$$name ; \++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \++ rm result.$$name error.$$name ; \++ fi ; fi ; done)+ @echo "## Error cases stream regression tests"+ -@(for i in $(srcdir)/test/errors/*.xml ; do \+ name=`basename $$i`; \+diff --git a/parser.c b/parser.c+index df2efa55..a175ac4e 100644+--- a/parser.c++++ b/parser.c+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {+ ctxt->input->line++; ctxt->input->col = 1; \+ } else ctxt->input->col++; \+ ctxt->input->cur += l; \+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \+ } while (0)+ + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {+ len += l;+ NEXTL(l);+ c = CUR_CHAR(l);+- if (c == 0) {+- count = 0;+- GROW;+- if (ctxt->instate == XML_PARSER_EOF)+- return(NULL);+- c = CUR_CHAR(l);+- }+ }+ }+ if ((len > XML_MAX_NAME_LENGTH) &&+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");+ return(NULL);+ }++ if (ctxt->input->cur - ctxt->input->base < len) {++ /*++ * There were a couple of bugs where PERefs lead to to a change++ * of the buffer. 
Check the buffer size to avoid passing an invalid++ * pointer to xmlDictLookup.++ */++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,++ "unexpected change of input buffer");++ return (NULL);++ }+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml+new file mode 100644+index 00000000..e69de29b+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err+new file mode 100644+index 00000000..da15c3f7+--- /dev/null++++ b/result/errors10/781205.xml.err+@@ -0,0 +1,21 @@++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration++++ %a; ++ ^++Entity: line 1: ++<:0000++^++Entity: line 1: parser error : DOCTYPE improperly terminated++ %a; ++ ^++Entity: line 1: ++<:0000++^++namespace error : Failed to parse QName ':0000'++ %a; ++ ^++<:0000++ ^++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1++++^+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml+new file mode 100644+index 00000000..e69de29b+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err+new file mode 100644+index 00000000..655f41a2+--- /dev/null++++ b/result/errors10/781361.xml.err+@@ -0,0 +1,13 @@++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected++++^++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration++++++^++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated++++^++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found++++^+diff --git a/result/valid/766956.xml b/result/valid/766956.xml+new file mode 100644+index 00000000..e69de29b+diff --git a/result/valid/766956.xml.err 
b/result/valid/766956.xml.err+new file mode 100644+index 00000000..34b1dae6+--- /dev/null++++ b/result/valid/766956.xml.err+@@ -0,0 +1,9 @@++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'++%ä%ent;++ ^++Entity: line 1: parser error : Content error in the external subset++ %ent; ++ ^++Entity: line 1: ++value++^+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr+new file mode 100644+index 00000000..77603462+--- /dev/null++++ b/result/valid/766956.xml.err.rdr+@@ -0,0 +1,10 @@++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'++%ä%ent;++ ^++Entity: line 1: parser error : Content error in the external subset++ %ent; ++ ^++Entity: line 1: ++value++^++./test/valid/766956.xml : failed to parse+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml+new file mode 100644+index 00000000..d9e9e839+--- /dev/null++++ b/test/errors10/781205.xml+@@ -0,0 +1,3 @@++<!DOCTYPE D [++ <!ENTITY % a "<:0000">++ %a;+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml+new file mode 100644+index 00000000..67476bcb+--- /dev/null++++ b/test/errors10/781361.xml+@@ -0,0 +1,3 @@++<!DOCTYPE doc [++ <!ENTITY % elem "<!ELEMENT e0000000000">++ %elem;+diff --git a/test/valid/766956.xml b/test/valid/766956.xml+new file mode 100644+index 00000000..19a95a0e+--- /dev/null++++ b/test/valid/766956.xml+@@ -0,0 +1,2 @@++<!DOCTYPE test SYSTEM "dtds/766956.dtd">++<test/>+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd+new file mode 100644+index 00000000..dddde68b+--- /dev/null++++ b/test/valid/dtds/766956.dtd+@@ -0,0 +1,2 @@++<!ENTITY % ent "value">++%ä%ent;+-- +2.14.1+diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex dd229ba73..30ecbe72d 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -114,8 +114,14 @@ hierarchical form with variable field lengths.") (method url-fetch) (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-" version ".tar.gz"))- (patches (search-patches 
"libxml2-CVE-2016-4658.patch"- "libxml2-CVE-2016-5131.patch"))+ (patches+ (search-patches "libxml2-CVE-2016-4658.patch"+ "libxml2-CVE-2016-5131.patch"+ "libxml2-CVE-2017-0663.patch"+ "libxml2-CVE-2017-7375.patch"+ "libxml2-CVE-2017-7376.patch"+ "libxml2-CVE-2017-9047+CVE-2017-9048.patch"+ "libxml2-CVE-2017-9049+CVE-2017-9050.patch")) (sha256 (base32 "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))-- 2.14.1
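Review bot: adding the five patches to the 'source' field of 'libxml2' itself (gnu/packages/xml.scm hunk) changes the derivation of a package that most of the tree depends on, so every dependent has to be rebuilt for a small security fix. The usual route for this in Guix is a graft: leave 'source' of 'libxml2' untouched, define a 'libxml2/fixed' variant whose 'source' adds the new 'search-patches' entries, and add a '(replacement libxml2/fixed)' field to 'libxml2'. The local.mk and patch-file parts of the series can stay exactly as they are.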
Cheers,
Alex
Marius Bakke wrote on 30 Aug 2017 20:57
87inh4lw7y.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:
> Severity: important
> Tags: patch security
>
> Hi,
>
> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
> introduce test failure. The changes only enable new tests so it should
> be fine to remove them.
Thanks for this! I think we have to graft this fix since changing 'libxml2' would rebuild 2/3 of the tree. Can you try that?
PS: Do you have a Savannah account? I'm sure Ludo or someone can add you given the steady rate of quality commits.
Alex Vong wrote on 31 Aug 2017 12:40
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 28294@debbugs.gnu.org)
87y3q0ow9h.fsf@gmail.com
Marius Bakke <mbakke@fastmail.com> writes:
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hi,
>>
>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
>> introduce test failure. The changes only enable new tests so it should
>> be fine to remove them.
>
> Thanks for this! I think we have to graft this fix since changing
> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>
> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
> you given the steady rate of quality commits.
Sure, here is the new patch:
From b20f6c0ef6ed8577cec87517579012a0ce7d9991 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 30 Aug 2017 21:21:21 +0800
Subject: [PATCH] gnu: libxml2: Fix CVE-2017-{0663,7375,7376,9047,9048,9049,9050}.
* gnu/packages/patches/libxml2-CVE-2017-0663.patch,
gnu/packages/patches/libxml2-CVE-2017-7375.patch,
gnu/packages/patches/libxml2-CVE-2017-7376.patch,
gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch,
gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[replacement]: New field.
(libxml2/fixed): New variable.
---
 gnu/local.mk | 5 +
 gnu/packages/patches/libxml2-CVE-2017-0663.patch | 53 ++++
 gnu/packages/patches/libxml2-CVE-2017-7375.patch | 45 +++
 gnu/packages/patches/libxml2-CVE-2017-7376.patch | 41 +++
 .../libxml2-CVE-2017-9047+CVE-2017-9048.patch | 130 +++++++++
 .../libxml2-CVE-2017-9049+CVE-2017-9050.patch | 319 +++++++++++++++++++++
 gnu/packages/xml.scm | 15 +
 7 files changed, 608 insertions(+)
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-0663.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7375.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7376.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
Toggle diff (676 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 10d4ab114..9baaa1687 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -804,6 +804,11 @@ dist_patch_DATA = \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \+ %D%/packages/patches/libxml2-CVE-2017-0663.patch \+ %D%/packages/patches/libxml2-CVE-2017-7375.patch \+ %D%/packages/patches/libxml2-CVE-2017-7376.patch \+ %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch\+ %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch\ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/libxt-guix-search-paths.patch \diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patchnew file mode 100644index 000000000..b0277a2d2--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch@@ -0,0 +1,53 @@+Fix CVE-2017-0663:++https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663+https://security-tracker.debian.org/tracker/CVE-2017-0663++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66++From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001+From: Nick Wellnhofer <wellnhofer@aevum.de>+Date: Tue, 6 Jun 2017 12:56:28 +0200+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace++Comment out code that casts xmlNsPtr to xmlAttrPtr. 
ID types on+namespace declarations make no practical sense anyway.++Fixes bug 780228.++Found with libFuzzer and ASan.+---+ valid.c | 7 ++++++++ 1 file changed, 7 insertions(+)++diff --git a/valid.c b/valid.c+index 8075d3a0..c51ea290 100644+--- a/valid.c++++ b/valid.c+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {+ }+ }+ ++ /*++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions++ * xmlAddID and xmlAddRef for namespace declarations, but it makes++ * no practical sense to use ID types anyway.++ */++#if 0+ /* Validity Constraint: ID uniqueness */+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)+ ret = 0;+ }++#endif+ + /* Validity Constraint: Notation Attributes */+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patchnew file mode 100644index 000000000..32af1ff6b--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch@@ -0,0 +1,45 @@+Fix CVE-2017-7375:++https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375+https://security-tracker.debian.org/tracker/CVE-2017-7375++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e++From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001+From: Neel Mehta <nmehta@google.com>+Date: Fri, 7 Apr 2017 17:43:02 +0200+Subject: [PATCH] Prevent unwanted external entity reference++For https://bugzilla.gnome.org/show_bug.cgi?id=780691++* parser.c: add a specific check to avoid PE reference+---+ parser.c | 9 ++++++++++ 1 file changed, 9 insertions(+)++diff --git a/parser.c 
b/parser.c+index 609a2703..c2c812de 100644+--- a/parser.c++++ b/parser.c+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)+ if (xmlPushInput(ctxt, input) < 0)+ return;+ } else {++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&++ (ctxt->replaceEntities == 0) &&++ (ctxt->validate == 0))++ return;+++ /*+ * TODO !!!+ * handle the extra spaces added before and after+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patchnew file mode 100644index 000000000..5b9e45bd8--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch@@ -0,0 +1,41 @@+Fix CVE-2017-7376:++https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376+https://security-tracker.debian.org/tracker/CVE-2017-7376++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e++From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001+From: Daniel Veillard <veillard@redhat.com>+Date: Fri, 7 Apr 2017 17:13:28 +0200+Subject: [PATCH] Increase buffer space for port in HTTP redirect support++For https://bugzilla.gnome.org/show_bug.cgi?id=780690++nanohttp.c: the code wrongly assumed a short int port value.+---+ nanohttp.c | 4 ++--+ 1 file changed, 2 insertions(+), 2 deletions(-)++diff --git a/nanohttp.c b/nanohttp.c+index e109ad75..373425de 100644+--- a/nanohttp.c++++ b/nanohttp.c+@@ -1423,9 +1423,9 @@ retry:+ if (ctxt->port != 80) {+ /* reserve space for ':xxxxx', incl. 
potential proxy */+ if (proxy)+- blen += 12;++ blen += 17;+ else+- blen += 6;++ blen += 11;+ }+ bp = (char*)xmlMallocAtomic(blen);+ if ( bp == NULL ) {+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patchnew file mode 100644index 000000000..0a0e6d34c--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch@@ -0,0 +1,130 @@+Fix CVE-2017-{9047,9048}:++https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)+https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048+http://www.openwall.com/lists/oss-security/2017/05/15/1+https://security-tracker.debian.org/tracker/CVE-2017-9047+https://security-tracker.debian.org/tracker/CVE-2017-9048++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74++From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001+From: Nick Wellnhofer <wellnhofer@aevum.de>+Date: Sat, 3 Jun 2017 02:01:29 +0200+Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent+MIME-Version: 1.0+Content-Type: text/plain; charset=UTF-8+Content-Transfer-Encoding: 8bit++xmlSnprintfElementContent failed to correctly check the available+buffer space in two locations.++Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).++Thanks to Marcel Böhme and Thuan Pham for the report.+---+ result/valid/781333.xml | 5 ++++++ result/valid/781333.xml.err | 3 ++++ result/valid/781333.xml.err.rdr | 6 +++++++ test/valid/781333.xml | 4 +++++ valid.c | 20 +++++++++++---------+ 5 files changed, 29 insertions(+), 9 deletions(-)+ create mode 100644 result/valid/781333.xml+ create mode 100644 result/valid/781333.xml.err+ create mode 100644 result/valid/781333.xml.err.rdr+ create mode 100644 
test/valid/781333.xml++diff --git a/result/valid/781333.xml b/result/valid/781333.xml+new file mode 100644+index 00000000..45dc451d+--- /dev/null++++ b/result/valid/781333.xml+@@ -0,0 +1,5 @@++<?xml version="1.0"?>++<!DOCTYPE a [++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>++]>++<a/>+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err+new file mode 100644+index 00000000..b401b49a+--- /dev/null++++ b/result/valid/781333.xml.err+@@ -0,0 +1,3 @@++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/>++ ^+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr+new file mode 100644+index 00000000..5ff56992+--- /dev/null++++ b/result/valid/781333.xml.err.rdr+@@ -0,0 +1,6 @@++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/>++ ^++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child++++^+diff --git a/test/valid/781333.xml b/test/valid/781333.xml+new file mode 100644+index 00000000..b29e5a68+--- /dev/null++++ b/test/valid/781333.xml+@@ -0,0 +1,4 @@++<!DOCTYPE a [++ <!ELEMENT a 
(ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
p:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
ll)>++]>++<a/>+diff --git a/valid.c b/valid.c+index 19f84b82..9b2df56a 100644+--- a/valid.c++++ b/valid.c+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int+ case XML_ELEMENT_CONTENT_PCDATA:+ strcat(buf, "#PCDATA");+ break;+- case XML_ELEMENT_CONTENT_ELEMENT:++ case XML_ELEMENT_CONTENT_ELEMENT: {++ int qnameLen = xmlStrlen(content->name);++++ if (content->prefix != NULL)++ qnameLen += xmlStrlen(content->prefix) + 1;++ if (size - len < qnameLen + 10) {++ strcat(buf, " ...");++ return;++ }+ if (content->prefix != NULL) {+- if (size - len < xmlStrlen(content->prefix) + 10) {+- strcat(buf, " ...");+- return;+- }+ strcat(buf, (char *) content->prefix);+ strcat(buf, ":");+ }+- if (size - len < xmlStrlen(content->name) + 10) {+- strcat(buf, " ...");+- return;+- }+ if (content->name != NULL)+ strcat(buf, (char *) content->name);+ break;++ }+ case XML_ELEMENT_CONTENT_SEQ:+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int+ xmlSnprintfElementContent(buf, size, content->c2, 0);+ break;+ }++ if (size - strlen(buf) <= 2) return;+ if (englob)+ strcat(buf, ")");+ switch (content->ocur) {+-- +2.14.1+diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patchnew file mode 100644index 000000000..890e9c228--- /dev/null+++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch@@ -0,0 +1,319 @@+Fix CVE-2017-{9049,9050}:++https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)+https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet 
public)+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050+http://www.openwall.com/lists/oss-security/2017/05/15/1+https://security-tracker.debian.org/tracker/CVE-2017-9049+https://security-tracker.debian.org/tracker/CVE-2017-9050++Patch copied from upstream source repository:++https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3++Changes to 'runtest.c' are removed since they introduce test failure+when applying to libxml2 2.9.4 release tarball.++From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001+From: Nick Wellnhofer <wellnhofer@aevum.de>+Date: Mon, 5 Jun 2017 15:37:17 +0200+Subject: [PATCH] Fix handling of parameter-entity references+MIME-Version: 1.0+Content-Type: text/plain; charset=UTF-8+Content-Transfer-Encoding: 8bit++There were two bugs where parameter-entity references could lead to an+unexpected change of the input buffer in xmlParseNameComplex and+xmlDictLookup being called with an invalid pointer.++Percent sign in DTD Names+=========================++The NEXTL macro used to call xmlParserHandlePEReference. When parsing+"complex" names inside the DTD, this could result in entity expansion+which created a new input buffer. The fix is to simply remove the call+to xmlParserHandlePEReference from the NEXTL macro. 
This is safe because+no users of the macro require expansion of parameter entities.++- xmlParseNameComplex+- xmlParseNCNameComplex+- xmlParseNmtoken++The percent sign is not allowed in names, which are grammatical tokens.++- xmlParseEntityValue++Parameter-entity references in entity values are expanded but this+happens in a separate step in this function.++- xmlParseSystemLiteral++Parameter-entity references are ignored in the system literal.++- xmlParseAttValueComplex+- xmlParseCharDataComplex+- xmlParseCommentComplex+- xmlParsePI+- xmlParseCDSect++Parameter-entity references are ignored outside the DTD.++- xmlLoadEntityContent++This function is only called from xmlStringLenDecodeEntities and+entities are replaced in a separate step immediately after the function+call.++This bug could also be triggered with an internal subset and double+entity expansion.++This fixes bug 766956 initially reported by Wei Lei and independently by+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone+involved.++xmlParseNameComplex with XML_PARSE_OLD10+========================================++When parsing Names inside an expanded parameter entity with the+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the+GROW macro if the input buffer was exhausted. At the end of the+parameter entity's replacement text, this function would then call+xmlPopInput which invalidated the input buffer.++There should be no need to invoke GROW in this situation because the+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,+at least for UTF-8, in xmlCurrentChar. 
This also matches the code path+executed when XML_PARSE_OLD10 is not set.++This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).+Thanks to Marcel Böhme and Thuan Pham for the report.++Additional hardening+====================++A separate check was added in xmlParseNameComplex to validate the+buffer size.+---+ Makefile.am | 18 +++++++++++++++++++ parser.c | 18 ++++++++++--------+ result/errors10/781205.xml | 0+ result/errors10/781205.xml.err | 21 ++++++++++++++++++++++ result/errors10/781361.xml | 0+ result/errors10/781361.xml.err | 13 ++++++++++++++ result/valid/766956.xml | 0+ result/valid/766956.xml.err | 9 ++++++++++ result/valid/766956.xml.err.rdr | 10 +++++++++++ runtest.c | 3 ++++ test/errors10/781205.xml | 3 ++++ test/errors10/781361.xml | 3 ++++ test/valid/766956.xml | 2 +++ test/valid/dtds/766956.dtd | 2 +++ 14 files changed, 94 insertions(+), 8 deletions(-)+ create mode 100644 result/errors10/781205.xml+ create mode 100644 result/errors10/781205.xml.err+ create mode 100644 result/errors10/781361.xml+ create mode 100644 result/errors10/781361.xml.err+ create mode 100644 result/valid/766956.xml+ create mode 100644 result/valid/766956.xml.err+ create mode 100644 result/valid/766956.xml.err.rdr+ create mode 100644 test/errors10/781205.xml+ create mode 100644 test/errors10/781361.xml+ create mode 100644 test/valid/766956.xml+ create mode 100644 test/valid/dtds/766956.dtd++diff --git a/Makefile.am b/Makefile.am+index 6fc8ffa9..10e716a5 100644+--- a/Makefile.am++++ b/Makefile.am+@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \+ rm result.$$name error.$$name ; \+ fi ; fi ; done)++ @echo "## Error cases regression tests (old 1.0)"++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \++ name=`basename $$i`; \++ if [ ! -d $$i ] ; then \++ if [ ! 
-f $(srcdir)/result/errors10/$$name ] ; then \++ echo New test file $$name ; \++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \++ 2> $(srcdir)/result/errors10/$$name.err \++ > $(srcdir)/result/errors10/$$name ; \++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \++ else \++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \++ diff $(srcdir)/result/errors10/$$name result.$$name ; \++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \++ rm result.$$name error.$$name ; \++ fi ; fi ; done)+ @echo "## Error cases stream regression tests"+ -@(for i in $(srcdir)/test/errors/*.xml ; do \+ name=`basename $$i`; \+diff --git a/parser.c b/parser.c+index df2efa55..a175ac4e 100644+--- a/parser.c++++ b/parser.c+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {+ ctxt->input->line++; ctxt->input->col = 1; \+ } else ctxt->input->col++; \+ ctxt->input->cur += l; \+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \+ } while (0)+ + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {+ len += l;+ NEXTL(l);+ c = CUR_CHAR(l);+- if (c == 0) {+- count = 0;+- GROW;+- if (ctxt->instate == XML_PARSER_EOF)+- return(NULL);+- c = CUR_CHAR(l);+- }+ }+ }+ if ((len > XML_MAX_NAME_LENGTH) &&+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");+ return(NULL);+ }++ if (ctxt->input->cur - ctxt->input->base < len) {++ /*++ * There were a couple of bugs where PERefs lead to to a change++ * of the buffer. 
Check the buffer size to avoid passing an invalid++ * pointer to xmlDictLookup.++ */++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,++ "unexpected change of input buffer");++ return (NULL);++ }+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml+new file mode 100644+index 00000000..e69de29b+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err+new file mode 100644+index 00000000..da15c3f7+--- /dev/null++++ b/result/errors10/781205.xml.err+@@ -0,0 +1,21 @@++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration++++ %a; ++ ^++Entity: line 1: ++<:0000++^++Entity: line 1: parser error : DOCTYPE improperly terminated++ %a; ++ ^++Entity: line 1: ++<:0000++^++namespace error : Failed to parse QName ':0000'++ %a; ++ ^++<:0000++ ^++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1++++^+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml+new file mode 100644+index 00000000..e69de29b+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err+new file mode 100644+index 00000000..655f41a2+--- /dev/null++++ b/result/errors10/781361.xml.err+@@ -0,0 +1,13 @@++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected++++^++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration++++++^++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated++++^++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found++++^+diff --git a/result/valid/766956.xml b/result/valid/766956.xml+new file mode 100644+index 00000000..e69de29b+diff --git a/result/valid/766956.xml.err 
b/result/valid/766956.xml.err+new file mode 100644+index 00000000..34b1dae6+--- /dev/null++++ b/result/valid/766956.xml.err+@@ -0,0 +1,9 @@++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'++%ä%ent;++ ^++Entity: line 1: parser error : Content error in the external subset++ %ent; ++ ^++Entity: line 1: ++value++^+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr+new file mode 100644+index 00000000..77603462+--- /dev/null++++ b/result/valid/766956.xml.err.rdr+@@ -0,0 +1,10 @@++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'++%ä%ent;++ ^++Entity: line 1: parser error : Content error in the external subset++ %ent; ++ ^++Entity: line 1: ++value++^++./test/valid/766956.xml : failed to parse+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml+new file mode 100644+index 00000000..d9e9e839+--- /dev/null++++ b/test/errors10/781205.xml+@@ -0,0 +1,3 @@++<!DOCTYPE D [++ <!ENTITY % a "<:0000">++ %a;+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml+new file mode 100644+index 00000000..67476bcb+--- /dev/null++++ b/test/errors10/781361.xml+@@ -0,0 +1,3 @@++<!DOCTYPE doc [++ <!ENTITY % elem "<!ELEMENT e0000000000">++ %elem;+diff --git a/test/valid/766956.xml b/test/valid/766956.xml+new file mode 100644+index 00000000..19a95a0e+--- /dev/null++++ b/test/valid/766956.xml+@@ -0,0 +1,2 @@++<!DOCTYPE test SYSTEM "dtds/766956.dtd">++<test/>+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd+new file mode 100644+index 00000000..dddde68b+--- /dev/null++++ b/test/valid/dtds/766956.dtd+@@ -0,0 +1,2 @@++<!ENTITY % ent "value">++%ä%ent;+-- +2.14.1+diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex dd229ba73..b4aa89e88 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -16,6 +16,7 @@ ;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com> ;;; Copyright © 2017 Gregor Giesen 
<giesen@zaehlwerk.net>+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -110,6 +111,7 @@ hierarchical form with variable field lengths.") (package (name "libxml2") (version "2.9.4")+ (replacement libxml2/fixed) (source (origin (method url-fetch) (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"@@ -138,6 +140,19 @@ hierarchical form with variable field lengths.") project (but it is usable outside of the Gnome platform).") (license license:x11))) +(define libxml2/fixed+ (package+ (inherit libxml2)+ (source+ (origin+ (inherit (package-source libxml2))+ (patches+ (search-patches "libxml2-CVE-2017-0663.patch"+ "libxml2-CVE-2017-7375.patch"+ "libxml2-CVE-2017-7376.patch"+ "libxml2-CVE-2017-9047+CVE-2017-9048.patch"+ "libxml2-CVE-2017-9049+CVE-2017-9050.patch"))))))+ (define-public python-libxml2 (package (inherit libxml2) (name "python-libxml2")-- 2.14.1
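Review bot: The diffstat at the top of libxml2-CVE-2017-9049+CVE-2017-9050.patch still lists "runtest.c | 3 +++" and "14 files changed, 94 insertions(+)", but no runtest.c hunk follows it, since the cover letter says those changes were dropped because they introduce test failures. The file header states "Patch copied from upstream source repository", so the next person updating libxml2 will take it as a verbatim copy; add a sentence to that preamble saying the runtest.c part was removed locally and why, so the deviation from upstream commit is recorded next to the patch itself.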
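Review bot: In the gnu/packages/xml.scm hunk, libxml2/fixed overrides only the source field of libxml2, which is the right shape for a graft (same name and version, patched sources only), and the graft approach matches the request in the thread to avoid rebuilding 2/3 of the tree. One thing worth checking before pushing: python-libxml2, defined directly below with (inherit libxml2), builds from the same unpatched source; confirm that its built bindings link against the grafted libxml2 output rather than carrying their own copy of the parser code, otherwise that package needs the same replacement.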
Previously, I had a Savannah account, but then I deleted it, since I didn't use it. Now I realize I cannot create a new account with the same username... I am asking for help from the Savannah admin.
Marius Bakke wrote on 31 Aug 2017 21:52
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 28294-done@debbugs.gnu.org)
87k21jjyzy.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Alex Vong <alexvong1995@gmail.com> writes:
>>
>>> Severity: important
>>> Tags: patch security
>>>
>>> Hi,
>>>
>>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
>>> introduce test failure. The changes only enable new tests so it should
>>> be fine to remove them.
>>
>> Thanks for this! I think we have to graft this fix since changing
>> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>>
>> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
>> you given the steady rate of quality commits.
>
> Sure, here is the new patch:
Pushed, thanks! I added tabs before the line breaks in gnu/local.mk, but otherwise untouched.

Side note: I think we should start adding patches as origins instead of copying them wholesale, to try and keep the git repository slim.