rpms/libxml/F-10 libxml-1.8.17-CAN-2004-0110.patch, NONE, 1.1 libxml-1.8.17-ficora-245608.patch, NONE, 1.1 libxml.spec, 1.11, 1.12

Paul Howarth pghmcfc at fedoraproject.org
Wed Aug 12 12:52:53 UTC 2009


Author: pghmcfc

Update of /cvs/pkgs/rpms/libxml/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22633/F-10

Modified Files:
	libxml.spec 
Added Files:
	libxml-1.8.17-CAN-2004-0110.patch 
	libxml-1.8.17-ficora-245608.patch 
Log Message:
Add security patches from EL-3:

- add patch for CAN-2004-0110 and CAN-2004-0989 (#139090)
  (arbitrary code execution via a long URL)

- add patch for CVE-2009-2414 and CVE-2009-2416 (#515195, #515205)
  (CVE-2009-2414: stack consumption DoS vulnerabilities)
  (CVE-2009-2416: use-after-free DoS vulnerabilities)



libxml-1.8.17-CAN-2004-0110.patch:
 nanoftp.c.orig  |   30 ++++-!!!!!!!!!!!!!!!!!!!!!!!!!
 nanohttp.c.orig |   17 -!!!!!!!!!!!!!!!!
 2 files changed, 4 insertions(+), 2 deletions(-), 41 modifications(!)

--- NEW FILE libxml-1.8.17-CAN-2004-0110.patch ---
*** libxml-1.8.17/nanoftp.c.orig	2004-11-17 16:05:18.000000000 +0100
--- libxml-1.8.17/nanoftp.c	2004-11-17 16:22:03.000000000 +0100
*************** xmlNanoFTPScanURL(void *ctx, const char 
*** 221,227 ****
      }
      if (URL == NULL) return;
      buf[index] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    ctxt->protocol = xmlMemStrdup(buf);
--- 221,227 ----
      }
      if (URL == NULL) return;
      buf[index] = 0;
!     while ((*cur != 0) && (index < 4090)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    ctxt->protocol = xmlMemStrdup(buf);
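Review bot: The bound `4090` is a bare literal in this loop condition and in every other loop this patch touches in nanoftp.c and nanohttp.c, and the declaration of `buf` is outside the hunks, so nothing ties the limit to the buffer's real size. If `buf` is a local array, I would derive the limit from it once, e.g. `const int limit = (int)sizeof(buf) - 1;`, and test `(index < limit)`; otherwise use one named constant shared by both files. A short comment such as `/* stop before buf is full; the over-long URL is rejected below */` would also explain why the loop can now exit with `*cur != 0`. xmlNanoFTPScanURL starts and ends outside this hunk.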
*************** xmlNanoFTPScanURL(void *ctx, const char 
*** 231,240 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0) return;
  
      buf[index] = 0;
!     while (1) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    ctxt->hostname = xmlMemStrdup(buf);
--- 231,240 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090)) return;
  
      buf[index] = 0;
!     while (index < 4090) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    ctxt->hostname = xmlMemStrdup(buf);
*************** xmlNanoFTPScanURL(void *ctx, const char 
*** 258,269 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0) 
          ctxt->path = xmlMemStrdup("/");
      else {
          index = 0;
          buf[index] = 0;
! 	while (*cur != 0)
  	    buf[index++] = *cur++;
  	buf[index] = 0;
  	ctxt->path = xmlMemStrdup(buf);
--- 258,269 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090))
          ctxt->path = xmlMemStrdup("/");
      else {
          index = 0;
          buf[index] = 0;
! 	while ((*cur != 0) && (index < 4090))
  	    buf[index++] = *cur++;
  	buf[index] = 0;
  	ctxt->path = xmlMemStrdup(buf);
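Review bot: An over-long URL is handled silently here: when the preceding host loop ends on the `index < 4090` bound, `ctxt->path` is set to "/" as though the URL had no path, and the path loop cuts the path at 4090 bytes and stores the truncated string. The function only uses bare `return;` (visible in the earlier hunks), so a caller cannot tell a truncated or half-parsed URL from a valid one and may act on a different resource than the one requested. I would at least state this in a comment, `/* over-long URL: path is truncated, not rejected */`, and preferably leave `ctxt->path` unset on overflow so later code fails closed; whether later code checks for NULL is not visible here. The same pattern is in the matching xmlNanoFTPUpdateURL and xmlNanoHTTPScanURL hunks.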
*************** xmlNanoFTPUpdateURL(void *ctx, const cha
*** 301,307 ****
      if (ctxt->hostname == NULL)
  	return(-1);
      buf[index] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    if (strcmp(ctxt->protocol, buf))
--- 301,307 ----
      if (ctxt->hostname == NULL)
  	return(-1);
      buf[index] = 0;
!     while ((*cur != 0) && (index < 4090)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    if (strcmp(ctxt->protocol, buf))
*************** xmlNanoFTPUpdateURL(void *ctx, const cha
*** 312,322 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0)
  	return(-1);
  
      buf[index] = 0;
!     while (1) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    if (strcmp(ctxt->hostname, buf))
--- 312,322 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090))
  	return(-1);
  
      buf[index] = 0;
!     while (index < 4090) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    if (strcmp(ctxt->hostname, buf))
*************** xmlNanoFTPUpdateURL(void *ctx, const cha
*** 348,359 ****
  	ctxt->path = NULL;
      }
  
!     if (*cur == 0) 
          ctxt->path = xmlMemStrdup("/");
      else {
          index = 0;
          buf[index] = 0;
! 	while (*cur != 0)
  	    buf[index++] = *cur++;
  	buf[index] = 0;
  	ctxt->path = xmlMemStrdup(buf);
--- 348,359 ----
  	ctxt->path = NULL;
      }
  
!     if ((*cur == 0) || (index >= 4090))
          ctxt->path = xmlMemStrdup("/");
      else {
          index = 0;
          buf[index] = 0;
! 	while ((*cur != 0) && (index < 4090))
  	    buf[index++] = *cur++;
  	buf[index] = 0;
  	ctxt->path = xmlMemStrdup(buf);
*************** xmlNanoFTPScanProxy(const char *URL) {
*** 393,399 ****
  #endif
      if (URL == NULL) return;
      buf[index] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    index = 0;
--- 393,399 ----
  #endif
      if (URL == NULL) return;
      buf[index] = 0;
!     while ((*cur != 0) && (index < 4090)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    index = 0;
*************** xmlNanoFTPScanProxy(const char *URL) {
*** 402,411 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0) return;
  
      buf[index] = 0;
!     while (1) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    proxy = xmlMemStrdup(buf);
--- 402,411 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090)) return;
  
      buf[index] = 0;
!     while (index < 4090) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    proxy = xmlMemStrdup(buf);
*************** xmlNanoFTPConnect(void *ctx) {
*** 827,832 ****
--- 827,836 ----
  	hp = gethostbyname(ctxt->hostname);
      if (hp == NULL)
          return(-1);
+     if (hp->h_length >
+         sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+         return(-1);
+     }
  
      /*
       * Prepare the socket
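Review bot: The added guard compares `hp->h_length`, a signed `int` in `struct hostent`, with a `size_t` from `sizeof`, so it rejects negative lengths only through the implicit conversion to unsigned; an explicit `hp->h_length < 0 ||` would make that intent visible and silence sign-compare warnings. The check also has no comment naming the copy it protects, which is outside the hunk; something like `/* resolver-supplied length must fit sin_addr before it is copied into ftpAddr */` would help. It may also be worth confirming `hp->h_addrtype` is the expected family at this point, since only the length is validated in the visible lines.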
*** libxml-1.8.17/nanohttp.c.orig	2004-11-17 16:05:31.000000000 +0100
--- libxml-1.8.17/nanohttp.c	2004-11-17 16:26:18.000000000 +0100
*************** xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
*** 177,183 ****
      }
      if (URL == NULL) return;
      buf[index] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    ctxt->protocol = xmlMemStrdup(buf);
--- 177,183 ----
      }
      if (URL == NULL) return;
      buf[index] = 0;
!     while ((*cur != 0) || (index < 4090)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    ctxt->protocol = xmlMemStrdup(buf);
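Review bot: The new loop condition in xmlNanoHTTPScanURL uses `||` where every other loop in this patch uses `&&`, so the bound does not hold here. With `(*cur != 0) || (index < 4090)` the loop keeps writing to `buf` past index 4090 while the URL has more characters, and keeps reading past the URL's terminating NUL while `index` is still below 4090. The line should read `while ((*cur != 0) && (index < 4090)) {`, matching the nanoftp.c hunks and the xmlNanoHTTPScanProxy hunk. The loop body continues outside the hunk.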
*************** xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
*** 187,196 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0) return;
  
      buf[index] = 0;
!     while (1) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    ctxt->hostname = xmlMemStrdup(buf);
--- 187,196 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090)) return;
  
      buf[index] = 0;
!     while (index < 4090) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    ctxt->hostname = xmlMemStrdup(buf);
*************** xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
*** 214,225 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0) 
          ctxt->path = xmlMemStrdup("/");
      else {
          index = 0;
          buf[index] = 0;
! 	while (*cur != 0)
  	    buf[index++] = *cur++;
  	buf[index] = 0;
  	ctxt->path = xmlMemStrdup(buf);
--- 214,225 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090))
          ctxt->path = xmlMemStrdup("/");
      else {
          index = 0;
          buf[index] = 0;
! 	while ((*cur != 0) && (index < 4090))
  	    buf[index++] = *cur++;
  	buf[index] = 0;
  	ctxt->path = xmlMemStrdup(buf);
*************** xmlNanoHTTPScanProxy(const char *URL) {
*** 258,264 ****
  #endif
      if (URL == NULL) return;
      buf[index] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    index = 0;
--- 258,264 ----
  #endif
      if (URL == NULL) return;
      buf[index] = 0;
!     while ((*cur != 0) && (index < 4090)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
  	    buf[index] = 0;
  	    index = 0;
*************** xmlNanoHTTPScanProxy(const char *URL) {
*** 267,276 ****
  	}
  	buf[index++] = *cur++;
      }
!     if (*cur == 0) return;
  
      buf[index] = 0;
!     while (1) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    proxy = xmlMemStrdup(buf);
--- 267,276 ----
  	}
  	buf[index++] = *cur++;
      }
!     if ((*cur == 0) || (index >= 4090)) return;
  
      buf[index] = 0;
!     while (index < 4090) {
          if (cur[0] == ':') {
  	    buf[index] = 0;
  	    proxy = xmlMemStrdup(buf);

libxml-1.8.17-ficora-245608.patch:
 parser.c |   38 ++++++++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 8 deletions(-)

--- NEW FILE libxml-1.8.17-ficora-245608.patch ---
--- parser.c.orig	2001-09-14 16:09:41.000000000 +0200
+++ parser.c	2009-08-03 17:02:24.000000000 +0200
@@ -5164,11 +5164,15 @@ xmlParseNotationType(xmlParserCtxtPtr ct
 		                 "Name expected in NOTATION declaration\n");
 	    ctxt->wellFormed = 0;
 	    ctxt->disableSAX = 1;
-	    return(ret);
+            xmlFreeEnumeration(ret);
+	    return(NULL);
 	}
 	cur = xmlCreateEnumeration(name);
 	xmlFree(name);
-	if (cur == NULL) return(ret);
+	if (cur == NULL) {
+            xmlFreeEnumeration(ret);
+            return(NULL);
+        }
 	if (last == NULL) ret = last = cur;
 	else {
 	    last->next = cur;
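Review bot: The new `xmlFreeEnumeration(ret);` calls can run with `ret` still NULL, because `ret` is only assigned by `ret = last = cur` after the first item was created, so a failure on the first name reaches the call with an empty list. That is safe only if xmlFreeEnumeration accepts NULL, which is not visible in this patch; if it does not, guard the call with `if (ret != NULL)`. A comment such as `/* release the whole partial list; callers get NULL, never a list with freed nodes */` would record why the old `return(ret)` was dropped. The same applies to the other error returns in xmlParseNotationType and to the two xmlParseEnumerationType hunks; the added lines are also space-indented while their neighbours use tabs.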
@@ -5183,9 +5187,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
 	                     "')' required to finish NOTATION declaration\n");
 	ctxt->wellFormed = 0;
 	ctxt->disableSAX = 1;
-	if ((last != NULL) && (last != ret))
-	    xmlFreeEnumeration(last);
-	return(ret);
+        xmlFreeEnumeration(ret);
+        return(NULL);
     }
     NEXT;
     return(ret);
@@ -5232,11 +5235,15 @@ xmlParseEnumerationType(xmlParserCtxtPtr
 		                 "NmToken expected in ATTLIST enumeration\n");
 	    ctxt->wellFormed = 0;
 	    ctxt->disableSAX = 1;
-	    return(ret);
+            xmlFreeEnumeration(ret);
+            return(NULL);
 	}
 	cur = xmlCreateEnumeration(name);
 	xmlFree(name);
-	if (cur == NULL) return(ret);
+	if (cur == NULL) {
+            xmlFreeEnumeration(ret);
+            return(NULL);
+        }
 	if (last == NULL) ret = last = cur;
 	else {
 	    last->next = cur;
@@ -5251,7 +5258,8 @@ xmlParseEnumerationType(xmlParserCtxtPtr
 	                     "')' required to finish ATTLIST enumeration\n");
 	ctxt->wellFormed = 0;
 	ctxt->disableSAX = 1;
-	return(ret);
+        xmlFreeEnumeration(ret);
+        return(NULL);
     }
     NEXT;
     return(ret);
@@ -5715,13 +5723,25 @@ xmlParseElementChildrenContentDecl
     xmlChar *elem;
     xmlChar type = 0;
 
+    if (ctxt->depth > 128) {
+        ctxt->errNo = XML_ERR_ELEMCONTENT_NOT_FINISHED;
+        if ((ctxt->sax != NULL) && (ctxt->sax->error != NULL))
+            ctxt->sax->error(ctxt->userData, 
+                "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+                             ctxt->depth);
+        ctxt->wellFormed = 0;
+        ctxt->disableSAX = 1;
+	return(NULL);
+    }
     SKIP_BLANKS;
     GROW;
     if (RAW == '(') {
         /* Recurse on first child */
 	NEXT;
 	SKIP_BLANKS;
+        ctxt->depth++;
         cur = ret = xmlParseElementChildrenContentDecl(ctxt);
+        ctxt->depth--;
 	SKIP_BLANKS;
 	GROW;
     } else {
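Review bot: The depth guard makes the recursive call return NULL for input that previously produced a subtree, so both call sites (`cur = ret = ...` here and `last = ...` in the next hunk) need code after them that tolerates NULL and frees any partial tree; that code is outside the hunks and should be checked. The limit `128` is an unnamed literal, and a named constant with a comment (`/* cap content-model nesting to bound stack use */`) would make it findable and tunable. The guard also reuses `ctxt->depth` and `XML_ERR_ELEMCONTENT_NOT_FINISHED`; if `ctxt->depth` is also counted elsewhere in the parser, the two limits interact, so it is worth confirming that this field is not already non-zero when a content declaration is parsed.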
@@ -5865,7 +5885,9 @@ xmlParseElementChildrenContentDecl
 	    /* Recurse on second child */
 	    NEXT;
 	    SKIP_BLANKS;
+            ctxt->depth++;
 	    last = xmlParseElementChildrenContentDecl(ctxt);
+            ctxt->depth--;
 	    SKIP_BLANKS;
 	} else {
 	    elem = xmlParseNameComplex(ctxt);


Index: libxml.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libxml/F-10/libxml.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -p -r1.11 -r1.12
--- libxml.spec	21 Apr 2009 12:22:51 -0000	1.11
+++ libxml.spec	12 Aug 2009 12:52:53 -0000	1.12
@@ -2,15 +2,17 @@ Name:		libxml
 Summary:	Old XML library for Gnome-1 application compatibility
 Epoch:		1
 Version:	1.8.17
-Release:	22%{?dist}
+Release:	24%{?dist}
 License:	LGPLv2+ or W3C
 Group:		Development/Libraries
 URL:		http://veillard.com/XML/
 Source:		ftp://xmlsoft.org/libxml/old/libxml-%{version}.tar.gz
-Patch0:		libxml-1.8.17-open-mode.patch
-Patch1:		libxml-1.8.17-multiarch.patch
-Patch2:		libxml-1.8.17-declarations.patch
-Patch3:		libxml-1.8.17-ppc64-config.patch
+Patch0:		libxml-1.8.17-CAN-2004-0110.patch
+Patch1:		libxml-1.8.17-ficora-245608.patch
+Patch10:	libxml-1.8.17-open-mode.patch
+Patch11:	libxml-1.8.17-multiarch.patch
+Patch12:	libxml-1.8.17-declarations.patch
+Patch13:	libxml-1.8.17-ppc64-config.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
@@ -26,10 +28,27 @@ Libraries, includes, etc. to build old l
 
 %prep
 %setup -q
+
+# fix CAN-2004-0110 & CAN-2004-0989 (arbitrary code execution via a long URL)
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1 -b .decl
-%patch3 -p1
+
+# fix CVE-2009-2414 (stack consumption DoS vulnerabilities)
+# fix CVE-2009-2416 (use-after-free DoS vulnerabilities)
+%patch1 -p0
+
+# open() with O_CREAT must have 3 arguments
+%patch10 -p1
+
+# make xml-config script arch-independent for multiarch compatibility
+%patch11 -p1
+
+# silence warnings about implicit function declarations
+%patch12 -p1 -b .decl
+
+# fix ppc64 builds
+%patch13 -p1
+
+# recode ChangeLog as UTF-8
 /usr/bin/iconv -f iso-8859-1 -t utf-8 < ChangeLog > ChangeLog.utf-8
 %{__mv} -f ChangeLog.utf-8 ChangeLog
 
@@ -71,10 +90,18 @@ fi
 %exclude %{_libdir}/libxml.la
 
 %changelog
+* Wed Aug 12 2009 Paul Howarth <paul at city-fan.org> 1:1.8.17-24
+- renumber existing patches to free up low-numbered patches for EL-3 patches
+- add patch for CAN-2004-0110 and CAN-2004-0989 (#139090)
+- add patch for CVE-2009-2414 and CVE-2009-2416 (#515195, #515205)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> 1:1.8.17-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
 * Mon Apr 20 2009 Paul Howarth <paul at city-fan.org> 1:1.8.17-22
 - rebuild for %%{_isa} provides/requires
 
-* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:1.8.17-21
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> 1:1.8.17-21
 - rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
 
 * Wed May 21 2008 Paul Howarth <paul at city-fan.org> 1:1.8.17-20



