From cf7f5fa7e1b5adecf19164adda15cba396d9fa278c302f719e3e8d911eb8dc79 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Fri, 16 Jun 2017 10:34:52 +0000
Subject: [PATCH] Accepting request 503950 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Security fix:
 * libxml2-CVE-2017-0663.patch [bsc#1044337, CVE-2017-0663]
 * Fix Heap buffer overflow in xmlAddID
OBS-URL: https://build.opensuse.org/request/show/503950
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxml2?expand=0&rev=115
---
 libxml2-CVE-2017-0663.patch | 40 +++++++++++++++++++++++++++++++++++++
 libxml2.changes | 7 +++++++
 libxml2.spec | 3 +++
 3 files changed, 50 insertions(+)
 create mode 100644 libxml2-CVE-2017-0663.patch
diff --git a/libxml2-CVE-2017-0663.patch b/libxml2-CVE-2017-0663.patch
new file mode 100644
index 0000000..ce600cb
--- /dev/null
+++ b/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,40 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+Index: libxml2-2.9.4/valid.c
+===================================================================
+--- libxml2-2.9.4.orig/valid.c
++++ libxml2-2.9.4/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix,
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix,
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
diff --git a/libxml2.changes b/libxml2.changes
index 9bf66db..98fb49e 100644
--- a/libxml2.changes
+++ b/libxml2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jun 15 13:12:25 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Security fix:
+ * libxml2-CVE-2017-0663.patch [bsc#1044337, CVE-2017-0663]
+ * Fix Heap buffer overflow in xmlAddID
+
 -------------------------------------------------------------------
 Wed Jun 14 14:15:38 UTC 2017 - pmonrealgonzalez@suse.com
diff --git a/libxml2.spec b/libxml2.spec
index 499c579..3ff80d6 100644
--- a/libxml2.spec
+++ b/libxml2.spec
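Review bot: The comment added above `#if 0` in the valid.c change carried by libxml2-CVE-2017-0663.patch explains why the `(xmlAttrPtr) ns` cast is wrong but does not state the consequence, namely that the ID uniqueness check and the `xmlAddRef` registration are no longer evaluated for namespace declarations. Because `xmlAddID` and `xmlAddRef` were being handed an `xmlNsPtr`, removing the calls is a sound containment, but the comment should record the behaviour change, for example with an extra line `* ID/IDREF constraints are intentionally not checked for namespace declarations.`. The region between the two inner hunks is not shown, so the extent of the disabled block is inferred from where `#if 0` and `#endif` sit. The packaged patch also carries no regression input for bug 780228, so a test document with an ID-typed namespace declaration, run under ASan, would keep the fix covered.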
@@ -41,6 +41,8 @@ Patch4: libxml2-CVE-2017-9048.patch
 Patch5: libxml2-CVE-2017-9049.patch
 # PATCH-FIX-UPSTREAM bnc#1024989 pmonrealgonzalez@suse.com -- CVE-2017-5969 NULL pointer derefence parsing xml file
 Patch6: libxml2-CVE-2017-5969.patch
+# PATCH-FIX-UPSTREAM bnc#1044337 pmonrealgonzalez@suse.com -- CVE-2017-0663: libxml2: Heap buffer overflow in xmlAddID
+Patch7: libxml2-CVE-2017-0663.patch
 BuildRequires: fdupes
 BuildRequires: pkg-config
@@ -143,6 +145,7 @@ progress.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %build
 %configure --disable-static \
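Review bot: The `PATCH-FIX-UPSTREAM` comment added for Patch7 describes the issue as a heap buffer overflow in xmlAddID, while the patch it introduces is titled "Fix type confusion in xmlValidateOneNamespace" and appears to come from upstream commit 92b9e8c8b3787068565a1820ba575d042f9eec66, so the two are hard to correlate in a later audit. I would have the tag line carry both descriptions and the commit, e.g. `# PATCH-FIX-UPSTREAM bnc#1044337 pmonrealgonzalez@suse.com -- CVE-2017-0663: type confusion in xmlValidateOneNamespace (heap overflow in xmlAddID), upstream 92b9e8c8`. The `%patch7 -p1` line in the second hunk is consistent with the `libxml2-2.9.4/valid.c` path prefix used inside the patch and needs no change.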