rpms/libxml/F-10 libxml-1.8.17-CAN-2004-0110.patch, NONE, 1.1 libxml-1.8.17-ficora-245608.patch, NONE, 1.1 libxml.spec, 1.11, 1.12
Paul Howarth
pghmcfc at fedoraproject.org
Wed Aug 12 12:52:53 UTC 2009
- Previous message (by thread): rpms/trac-customfieldadmin-plugin/devel trac-customfieldadmin-plugin.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/libxml/F-11 libxml-1.8.17-CAN-2004-0110.patch, NONE, 1.1 libxml-1.8.17-ficora-245608.patch, NONE, 1.1 libxml.spec, 1.12, 1.13
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: pghmcfc
Update of /cvs/pkgs/rpms/libxml/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22633/F-10
Modified Files:
libxml.spec
Added Files:
libxml-1.8.17-CAN-2004-0110.patch
libxml-1.8.17-ficora-245608.patch
Log Message:
Add security patches from EL-3:
- add patch for CAN-2004-0110 and CAN-2004-0989 (#139090)
(arbitrary code execution via a long URL)
- add patch for CVE-2009-2414 and CVE-2009-2416 (#515195, #515205)
(CVE-2009-2414: stack consumption DoS vulnerabilities)
(CVE-2009-2416: use-after-free DoS vulnerabilities)
libxml-1.8.17-CAN-2004-0110.patch:
nanoftp.c.orig | 30 ++++-!!!!!!!!!!!!!!!!!!!!!!!!!
nanohttp.c.orig | 17 -!!!!!!!!!!!!!!!!
2 files changed, 4 insertions(+), 2 deletions(-), 41 modifications(!)
--- NEW FILE libxml-1.8.17-CAN-2004-0110.patch ---
*** libxml-1.8.17/nanoftp.c.orig 2004-11-17 16:05:18.000000000 +0100
--- libxml-1.8.17/nanoftp.c 2004-11-17 16:22:03.000000000 +0100
*************** xmlNanoFTPScanURL(void *ctx, const char
*** 221,227 ****
}
if (URL == NULL) return;
buf[index] = 0;
! while (*cur != 0) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
ctxt->protocol = xmlMemStrdup(buf);
--- 221,227 ----
}
if (URL == NULL) return;
buf[index] = 0;
! while ((*cur != 0) && (index < 4090)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
ctxt->protocol = xmlMemStrdup(buf);
*************** xmlNanoFTPScanURL(void *ctx, const char
*** 231,240 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0) return;
buf[index] = 0;
! while (1) {
if (cur[0] == ':') {
buf[index] = 0;
ctxt->hostname = xmlMemStrdup(buf);
--- 231,240 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090)) return;
buf[index] = 0;
! while (index < 4090) {
if (cur[0] == ':') {
buf[index] = 0;
ctxt->hostname = xmlMemStrdup(buf);
*************** xmlNanoFTPScanURL(void *ctx, const char
*** 258,269 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0)
ctxt->path = xmlMemStrdup("/");
else {
index = 0;
buf[index] = 0;
! while (*cur != 0)
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
--- 258,269 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090))
ctxt->path = xmlMemStrdup("/");
else {
index = 0;
buf[index] = 0;
! while ((*cur != 0) && (index < 4090))
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
*************** xmlNanoFTPUpdateURL(void *ctx, const cha
*** 301,307 ****
if (ctxt->hostname == NULL)
return(-1);
buf[index] = 0;
! while (*cur != 0) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
if (strcmp(ctxt->protocol, buf))
--- 301,307 ----
if (ctxt->hostname == NULL)
return(-1);
buf[index] = 0;
! while ((*cur != 0) && (index < 4090)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
if (strcmp(ctxt->protocol, buf))
*************** xmlNanoFTPUpdateURL(void *ctx, const cha
*** 312,322 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0)
return(-1);
buf[index] = 0;
! while (1) {
if (cur[0] == ':') {
buf[index] = 0;
if (strcmp(ctxt->hostname, buf))
--- 312,322 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090))
return(-1);
buf[index] = 0;
! while (index < 4090) {
if (cur[0] == ':') {
buf[index] = 0;
if (strcmp(ctxt->hostname, buf))
*************** xmlNanoFTPUpdateURL(void *ctx, const cha
*** 348,359 ****
ctxt->path = NULL;
}
! if (*cur == 0)
ctxt->path = xmlMemStrdup("/");
else {
index = 0;
buf[index] = 0;
! while (*cur != 0)
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
--- 348,359 ----
ctxt->path = NULL;
}
! if ((*cur == 0) || (index >= 4090))
ctxt->path = xmlMemStrdup("/");
else {
index = 0;
buf[index] = 0;
! while ((*cur != 0) && (index < 4090))
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
*************** xmlNanoFTPScanProxy(const char *URL) {
*** 393,399 ****
#endif
if (URL == NULL) return;
buf[index] = 0;
! while (*cur != 0) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
index = 0;
--- 393,399 ----
#endif
if (URL == NULL) return;
buf[index] = 0;
! while ((*cur != 0) && (index < 4090)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
index = 0;
*************** xmlNanoFTPScanProxy(const char *URL) {
*** 402,411 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0) return;
buf[index] = 0;
! while (1) {
if (cur[0] == ':') {
buf[index] = 0;
proxy = xmlMemStrdup(buf);
--- 402,411 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090)) return;
buf[index] = 0;
! while (index < 4090) {
if (cur[0] == ':') {
buf[index] = 0;
proxy = xmlMemStrdup(buf);
*************** xmlNanoFTPConnect(void *ctx) {
*** 827,832 ****
--- 827,836 ----
hp = gethostbyname(ctxt->hostname);
if (hp == NULL)
return(-1);
+ if (hp->h_length >
+ sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+ return(-1);
+ }
/*
* Prepare the socket
*** libxml-1.8.17/nanohttp.c.orig 2004-11-17 16:05:31.000000000 +0100
--- libxml-1.8.17/nanohttp.c 2004-11-17 16:26:18.000000000 +0100
*************** xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
*** 177,183 ****
}
if (URL == NULL) return;
buf[index] = 0;
! while (*cur != 0) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
ctxt->protocol = xmlMemStrdup(buf);
--- 177,183 ----
}
if (URL == NULL) return;
buf[index] = 0;
! while ((*cur != 0) || (index < 4090)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
ctxt->protocol = xmlMemStrdup(buf);
*************** xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
*** 187,196 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0) return;
buf[index] = 0;
! while (1) {
if (cur[0] == ':') {
buf[index] = 0;
ctxt->hostname = xmlMemStrdup(buf);
--- 187,196 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090)) return;
buf[index] = 0;
! while (index < 4090) {
if (cur[0] == ':') {
buf[index] = 0;
ctxt->hostname = xmlMemStrdup(buf);
*************** xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
*** 214,225 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0)
ctxt->path = xmlMemStrdup("/");
else {
index = 0;
buf[index] = 0;
! while (*cur != 0)
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
--- 214,225 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090))
ctxt->path = xmlMemStrdup("/");
else {
index = 0;
buf[index] = 0;
! while ((*cur != 0) && (index < 4090))
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
*************** xmlNanoHTTPScanProxy(const char *URL) {
*** 258,264 ****
#endif
if (URL == NULL) return;
buf[index] = 0;
! while (*cur != 0) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
index = 0;
--- 258,264 ----
#endif
if (URL == NULL) return;
buf[index] = 0;
! while ((*cur != 0) && (index < 4090)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
index = 0;
*************** xmlNanoHTTPScanProxy(const char *URL) {
*** 267,276 ****
}
buf[index++] = *cur++;
}
! if (*cur == 0) return;
buf[index] = 0;
! while (1) {
if (cur[0] == ':') {
buf[index] = 0;
proxy = xmlMemStrdup(buf);
--- 267,276 ----
}
buf[index++] = *cur++;
}
! if ((*cur == 0) || (index >= 4090)) return;
buf[index] = 0;
! while (index < 4090) {
if (cur[0] == ':') {
buf[index] = 0;
proxy = xmlMemStrdup(buf);
libxml-1.8.17-ficora-245608.patch:
parser.c | 38 ++++++++++++++++++++++++++++++--------
1 file changed, 30 insertions(+), 8 deletions(-)
--- NEW FILE libxml-1.8.17-ficora-245608.patch ---
--- parser.c.orig 2001-09-14 16:09:41.000000000 +0200
+++ parser.c 2009-08-03 17:02:24.000000000 +0200
@@ -5164,11 +5164,15 @@ xmlParseNotationType(xmlParserCtxtPtr ct
"Name expected in NOTATION declaration\n");
ctxt->wellFormed = 0;
ctxt->disableSAX = 1;
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
cur = xmlCreateEnumeration(name);
xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -5183,9 +5187,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
"')' required to finish NOTATION declaration\n");
ctxt->wellFormed = 0;
ctxt->disableSAX = 1;
- if ((last != NULL) && (last != ret))
- xmlFreeEnumeration(last);
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
NEXT;
return(ret);
@@ -5232,11 +5235,15 @@ xmlParseEnumerationType(xmlParserCtxtPtr
"NmToken expected in ATTLIST enumeration\n");
ctxt->wellFormed = 0;
ctxt->disableSAX = 1;
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
cur = xmlCreateEnumeration(name);
xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -5251,7 +5258,8 @@ xmlParseEnumerationType(xmlParserCtxtPtr
"')' required to finish ATTLIST enumeration\n");
ctxt->wellFormed = 0;
ctxt->disableSAX = 1;
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
NEXT;
return(ret);
@@ -5715,13 +5723,25 @@ xmlParseElementChildrenContentDecl
xmlChar *elem;
xmlChar type = 0;
+ if (ctxt->depth > 128) {
+ ctxt->errNo = XML_ERR_ELEMCONTENT_NOT_FINISHED;
+ if ((ctxt->sax != NULL) && (ctxt->sax->error != NULL))
+ ctxt->sax->error(ctxt->userData,
+ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+ ctxt->depth);
+ ctxt->wellFormed = 0;
+ ctxt->disableSAX = 1;
+ return(NULL);
+ }
SKIP_BLANKS;
GROW;
if (RAW == '(') {
/* Recurse on first child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
cur = ret = xmlParseElementChildrenContentDecl(ctxt);
+ ctxt->depth--;
SKIP_BLANKS;
GROW;
} else {
@@ -5865,7 +5885,9 @@ xmlParseElementChildrenContentDecl
/* Recurse on second child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
last = xmlParseElementChildrenContentDecl(ctxt);
+ ctxt->depth--;
SKIP_BLANKS;
} else {
elem = xmlParseNameComplex(ctxt);
Index: libxml.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libxml/F-10/libxml.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -p -r1.11 -r1.12
--- libxml.spec 21 Apr 2009 12:22:51 -0000 1.11
+++ libxml.spec 12 Aug 2009 12:52:53 -0000 1.12
@@ -2,15 +2,17 @@ Name: libxml
Summary: Old XML library for Gnome-1 application compatibility
Epoch: 1
Version: 1.8.17
-Release: 22%{?dist}
+Release: 24%{?dist}
License: LGPLv2+ or W3C
Group: Development/Libraries
URL: http://veillard.com/XML/
Source: ftp://xmlsoft.org/libxml/old/libxml-%{version}.tar.gz
-Patch0: libxml-1.8.17-open-mode.patch
-Patch1: libxml-1.8.17-multiarch.patch
-Patch2: libxml-1.8.17-declarations.patch
-Patch3: libxml-1.8.17-ppc64-config.patch
+Patch0: libxml-1.8.17-CAN-2004-0110.patch
+Patch1: libxml-1.8.17-ficora-245608.patch
+Patch10: libxml-1.8.17-open-mode.patch
+Patch11: libxml-1.8.17-multiarch.patch
+Patch12: libxml-1.8.17-declarations.patch
+Patch13: libxml-1.8.17-ppc64-config.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
@@ -26,10 +28,27 @@ Libraries, includes, etc. to build old l
%prep
%setup -q
+
+# fix CAN-2004-0110 & CAN-2004-0989 (arbitrary code execution via a long URL)
%patch0 -p1
-%patch1 -p1
-%patch2 -p1 -b .decl
-%patch3 -p1
+
+# fix CVE-2009-2414 (stack consumption DoS vulnerabilities)
+# fix CVE-2009-2416 (use-after-free DoS vulnerabilities)
+%patch1 -p0
+
+# open() with O_CREAT must have 3 arguments
+%patch10 -p1
+
+# make xml-config script arch-independent for multiarch compatibility
+%patch11 -p1
+
+# silence warnings about implicit function declarations
+%patch12 -p1 -b .decl
+
+# fix ppc64 builds
+%patch13 -p1
+
+# recode ChangeLog as UTF-8
/usr/bin/iconv -f iso-8859-1 -t utf-8 < ChangeLog > ChangeLog.utf-8
%{__mv} -f ChangeLog.utf-8 ChangeLog
@@ -71,10 +90,18 @@ fi
%exclude %{_libdir}/libxml.la
%changelog
+* Wed Aug 12 2009 Paul Howarth <paul at city-fan.org> 1:1.8.17-24
+- renumber existing patches to free up low-numbered patches for EL-3 patches
+- add patch for CAN-2004-0110 and CAN-2004-0989 (#139090)
+- add patch for CVE-2009-2414 and CVE-2009-2416 (#515195, #515205)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> 1:1.8.17-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
* Mon Apr 20 2009 Paul Howarth <paul at city-fan.org> 1:1.8.17-22
- rebuild for %%{_isa} provides/requires
-* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:1.8.17-21
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> 1:1.8.17-21
- rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Wed May 21 2008 Paul Howarth <paul at city-fan.org> 1:1.8.17-20
- Previous message (by thread): rpms/trac-customfieldadmin-plugin/devel trac-customfieldadmin-plugin.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/libxml/F-11 libxml-1.8.17-CAN-2004-0110.patch, NONE, 1.1 libxml-1.8.17-ficora-245608.patch, NONE, 1.1 libxml.spec, 1.12, 1.13
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list