Accepting request 503950 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix: * libxml2-CVE-2017-0663.patch [bsc#1044337, CVE-2017-0663] * Fix Heap buffer overflow in xmlAddID OBS-URL: https://build.opensuse.org/request/show/503950 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxml2?expand=0&rev=115
2017-06-16 10:34:52 +00:00
parent 58ef9a1d66
commit cf7f5fa7e1
3 changed files with 50 additions and 0 deletions
--- a/libxml2-CVE-2017-0663.patch
+++ b/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,40 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+Index: libxml2-2.9.4/valid.c
+===================================================================
+--- libxml2-2.9.4.orig/valid.c
+++ libxml2-2.9.4/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix,
+ 	}
+     }
+ 
+    /*
+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
+     * no practical sense to use ID types anyway.
+     */
+#if 0
+     /* Validity Constraint: ID uniqueness */
+     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix,
+         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ 	    ret = 0;
+     }
+#endif
+ 
+     /* Validity Constraint: Notation Attributes */
+     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
--- a/libxml2.changes
+++ b/libxml2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jun 15 13:12:25 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Security fix:
+  * libxml2-CVE-2017-0663.patch [bsc#1044337, CVE-2017-0663]
+    * Fix Heap buffer overflow in xmlAddID
+
 -------------------------------------------------------------------
 Wed Jun 14 14:15:38 UTC 2017 - pmonrealgonzalez@suse.com

--- a/libxml2.spec
+++ b/libxml2.spec
@@ -41,6 +41,8 @@ Patch4:         libxml2-CVE-2017-9048.patch
 Patch5:         libxml2-CVE-2017-9049.patch
 # PATCH-FIX-UPSTREAM bnc#1024989 pmonrealgonzalez@suse.com -- CVE-2017-5969 NULL pointer derefence parsing xml file
 Patch6:         libxml2-CVE-2017-5969.patch
+# PATCH-FIX-UPSTREAM bnc#1044337 pmonrealgonzalez@suse.com -- CVE-2017-0663: libxml2: Heap buffer overflow in xmlAddID
+Patch7:         libxml2-CVE-2017-0663.patch

 BuildRequires:  fdupes
 BuildRequires:  pkg-config
@@ -143,6 +145,7 @@ progress.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1

 %build
 %configure --disable-static \