Diffstat (limited to 'dev-libs/libxml2')
11 files changed, 0 insertions, 948 deletions
diff --git a/dev-libs/libxml2/Manifest b/dev-libs/libxml2/Manifest
index e6476b15524f..6f58df842327 100644
--- a/dev-libs/libxml2/Manifest
+++ b/dev-libs/libxml2/Manifest
@@ -4,18 +4,8 @@ AUX libxml2-2.9.2-disable-tests.patch 2121 BLAKE2B 37525dfe53c7d62a6a3ae92445795 AUX libxml2-2.9.2-python-ABIFLAG.patch 728 BLAKE2B d81b042b5000717d5aa88ac4cebf78749f5a4ef661c227537171c5695d97a16ca75c790c8b540e3481a54dc2d935112b46e0a23509c887e16e3f2886c08f1d69 SHA512 2f801329ad4e13dc70450d41f7659a510fe429b3aa9b66859fed25c4e3d95381d6f253f3a60a54002a16999296d3bd2adaca5e4cca92186492bfc7de3ac84426 AUX libxml2-2.9.4-CVE-2016-4658.patch 7318 BLAKE2B c1a011fbe68d2825b1fb3d9b029596e99fc8e4fe9176aa2a01cd6a4944da5d9893f9091905827f4bed66169dff57d4bb158492ea6c419dd1f29f068655f0b1d5 SHA512 7dc42ad219397a6be0b4e50c61d1aa4b44e06b4c0af5f1a63996fa257e6831c624729428ea66ef02118a81ca8360b07f923ad436870364de1081f8a3505d94fc AUX libxml2-2.9.4-CVE-2016-5131.patch 5038 BLAKE2B 25d2f612d9e103f39d749fad03d8399a6a222f2c8b55f186d4543d4b51fe74bea580886633be898d2e366fa776ebb007eca9c5c1d3fad5ee0387fd18e984c2bb SHA512 c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33 -AUX libxml2-2.9.4-CVE-2016-9318.patch 7669 BLAKE2B ccd8334efb5c482e000d5599a3a06fda09946077287cc235ab4adf349eccdac11fef8fb6ff29bad9f985612b9f045172950a70898572f29f58bc43629a44646e SHA512 cf5aa17b5b7b71b87cb95de2a7fd4f4cfb660f1915cb8b9d025c829fb46f0ade4ea9062dfe98c0439b0a57656ec437b13c6e769ad3efcbcd454de46584b0657e -AUX libxml2-2.9.4-CVE-2017-0663.patch 1348 BLAKE2B 6999dc87edecc247d7b3a53f1524a9a96315269144d99d2325f04f3d65b5ef9f01a1c9e20d2f63780015278b137d69302adacd9235b4133c7077823c44dfeda5 SHA512 297e4753286fab09350c50f7aaa842a97ea4f2ccc514ec58a357ba9ec90c8cfb1bd57c419aae1bbf293789d9d0b11b85f511c960064834b7b118732268af97c7 -AUX libxml2-2.9.4-CVE-2017-5969.patch 2562 BLAKE2B ce427979042f7005acface6f89a4cc043876a4edf238f5e82b4adb6f2977afe7ce5a1b47857871edf6d37e95f04760ec52d5a46f92e3a9b54e1a2dfbe72f121f SHA512 55370e931d9735c91d6e4fed6ddb3dfff6a51e730ecc19baea9fbc3021593c40730e2f63bcd997eca6be2ff4ab23e5b459eff218b25ab50fcc84f61bb66d6f8a 
-AUX libxml2-2.9.4-CVE-2017-7375.patch 1039 BLAKE2B baa0d526b2ca751e8939d70217db68ec922b7fc7507b56d3b8785bd8967383e71f5a28706dcfd33998b49ed675feafb715d16e2f878abfd13f30159a1de42b35 SHA512 12a4960ae1bda874594025e42ecdbd127d42dd69c96dc675d82e66e001eefd855aa61954c639848f58829de7ee42b11736f09327e1fc8b29a9af61197e8fd64a -AUX libxml2-2.9.4-CVE-2017-7376.patch 815 BLAKE2B 34c8a66b3e4df1b5c9fe96d5320c19dc85fdfb2ce358ba11159494a5bc585728d0fc880549fdd0e7bcda7937fd3cc20dcbef5a79d813e96fbc5010d6a9f8a8a9 SHA512 bcaecc025258ea34f2bf0c58139983a58a031a473b1d4b221c86977e2dc92251698aaa2cb75137afe312403bc77acb78723f279d80dd0b2957df10db68774101 -AUX libxml2-2.9.4-CVE-2017-9047-9048.patch 15683 BLAKE2B e7c125d2f0e1761b977badfe010e8fe696963daec34cd58a10282926fe23b36b8f0bcbc135790a7f256b6ff2a8f1ac9ccc98984d2cc2c78f555505524307dab3 SHA512 fbea60fc9dbbcd52f9052fedfd74de44c6dd14faec02de9b28c8af8f6234ca58eb640330c6db78481c45d50559b70c34911711a8853e34e2ec09f34de84632bc -AUX libxml2-2.9.4-CVE-2017-9049-9050.patch 10716 BLAKE2B 6809f176743aa0afa64bdde5b76cd4adc0abb8e6c371e76fd7a6081b8dd6626c3556cecc4e1b34e58fdb25965d89f45cf31a03c6f77b6083224c59f67e184170 SHA512 b287881f68f8d7eaaad48a069afa0ac92b42ff07dd3b7e383d1b4811bc1544d81e87c308a67a7fb9eaf3e38e97eb4c0b0f4a5c64f0d80cffe4d2618af4c176bc -AUX libxml2-2.9.4-fix-root-node-cmp.patch 940 BLAKE2B 64cda3dc5ccd86135ac66a66ac5d88751ce9b6c354ba9d6e35cf20b40a93562c49ac6a47a7ca248002020ef69e9ec5940c121c5bd97a0742642eb6da9c712507 SHA512 70419883fc1f521eafae4a203504cd2ddbc81028b78018684930aa0cbade5ac4ebcba17429ea417a1ed79f4f22b84c5854761c3326a04bb2bda03820e8679576 -AUX libxml2-2.9.4-heap-buffer-overflow.patch 893 BLAKE2B 721ca34b42980e25d03ebdeee947f3266f1c35a3fb7a256895107f127314287901cd33dc3254b4a82de9874ae0e1ad5a8e6dce6c61209b68e4e4ddc2da8e78cf SHA512 76e13a70d1d69c3bced3bc4d74215767a57c76fd69d57fe44af660eb3b095de212f0f9a050cd63576cb9a7845abefa9aa19ae1f7bef553d6e138bd5644f39c3d AUX libxml2-2.9.4-nullptrderef.patch 1577 BLAKE2B 
49200d8569d65c44d8cc644d445591803d0199c1e1c3c4f8c18b8f0660aafd14e7d94fe6743413b6c041b26aea9be4e77b5c4e451bf51ca77295d050b0287a66 SHA512 4882c75fd13807a842b57771242a3dc10ac9db36f10b7f2b3e96f7e4d1a59127779f73a5062305d80719053d94f6044a0ffd51447fb77fca393738fd1635bfc0 AUX libxml2-2.9.4-nullptrderef2.patch 1785 BLAKE2B 0a4ef54d7a61c5cbbc3fc308e06e41347a9c840411acf13b5471a2aaa74a6801c6f01ff455230076154cd51c47f42102368bade10ab9625075673803a9c78411 SHA512 406379a787c1bd45f1b3c128c94182250e4200d5a577ae15dab574ce590857124bda896fd677bce1950658a1ff7b4ea6fc95b52a9ea31daf47ab5c66e03460d5 -AUX libxml2-2.9.4-osd-validation.patch 2318 BLAKE2B 65f4dd532286a7a2d0ee620d297f4ea9210910fc21985c7c9ed68ccf339bce5a4715f3282a0bba2681567669a4b23fe4a8278df42a9c198a793d5379b6dd5260 SHA512 cbe2c2a2faef1013a185a9c5ed750c4e98c81b7749fcc208748f84acd1c4035e5e01c95b7895f40d01dc7928f0ce3ef70eb0d1e2a096d389b0683a2050d8ceb3 DIST libxml2-2.9.4.tar.gz 5374830 BLAKE2B eb0df2310a7a92084475ccd9bf538cc1c85861b2a8c766e91267b671c18eae3113016abd7bb198b6a239230cb2b9b908b9618fec11d36db10fd5cf6eac03ad3f SHA512 f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 DIST libxml2-2.9.6.tar.gz 5469624 BLAKE2B cb8fc74044876b2ddf9742a4a84d685ce6cd1e41a991ee79fd70a9175c54d2a9a3d3a2c3229a4ce177fcd4e30b0cee08c7cf3a36fef68b179db0ce521fbbf3b0 SHA512 5ef80f895374bd5dd3bcd5f00c715795f026bf45d998f8f762c0cdb739b8755e01de40cf853d98a3826eacef95c4adebe4777db11020e8d98d0bda921f55a0ed DIST libxml2-2.9.7.tar.gz 5467389 BLAKE2B e15082fb87fb41a7aab6f39120b1d1bbd0325af8009bb3b74c69a98bf7347a39f59055762df157dcf223a79ac84f17535cb40af0a9a461ee3d2c1d55f4832e1b SHA512 da06cb7c5032ef4b7c8e902fabb9d2c74634c42c161be07a7c66a00d53a68029f89b0d4de32a6b9d4ff338c2d1d9c4e53aefb9cf50cb1c2d6c6b06b442ef42d5 
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch
deleted file mode 100644
index 5d1adb014a0e..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-From 292be65a52ab9e0eb3a53b4e0be5a57bc6de59d3 Mon Sep 17 00:00:00 2001
-From: Doran Moppert <dmoppert@redhat.com>
-Date: Fri, 7 Apr 2017 16:45:56 +0200
-Subject: [PATCH 6/7] Add an XML_PARSE_NOXXE flag to block all entities loading
- even local
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=772726
-
-* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
-* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
-* include/libxml/xmlerror.h: new error raised
-* xmllint.c: adds --noxxe flag to activate the option
----
- elfgcchack.h | 10 ++++++++++
- include/libxml/parser.h | 3 ++-
- include/libxml/xmlIO.h | 8 ++++++++
- include/libxml/xmlerror.h | 1 +
- parser.c | 4 ++++
- xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
- xmllint.c | 5 +++++
- 7 files changed, 65 insertions(+), 6 deletions(-)
-
-diff --git a/elfgcchack.h b/elfgcchack.h
-index 8c52884a..1b81dcde 100644
---- a/elfgcchack.h
-+++ b/elfgcchack.h
-@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
- #endif
- #endif
-
-+#ifdef bottom_xmlIO
-+#undef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
-+#else
-+#ifndef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
-+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
-+#endif
-+#endif
-+
- #ifdef bottom_tree
- #undef xmlNodeAddContent
- extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
-diff --git a/include/libxml/parser.h b/include/libxml/parser.h
-index 47fbec03..63ca1b97 100644
---- a/include/libxml/parser.h
-+++ b/include/libxml/parser.h
-@@ -1111,7 +1111,8 @@ typedef enum {
- XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
- XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
- XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
-- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
-+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
-+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
- } xmlParserOption;
-
- XMLPUBFUN void XMLCALL
-diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
-index 3e41744d..8d3fdef5 100644
---- a/include/libxml/xmlIO.h
-+++ b/include/libxml/xmlIO.h
-@@ -299,6 +299,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
- const char *ID,
- xmlParserCtxtPtr ctxt);
-
-+/*
-+ * A predefined entity loader external entity expansion
-+ */
-+XMLPUBFUN xmlParserInputPtr XMLCALL
-+ xmlNoXxeExternalEntityLoader (const char *URL,
-+ const char *ID,
-+ xmlParserCtxtPtr ctxt);
-+
- /*
- * xmlNormalizeWindowsPath is obsolete, don't use it.
- * Check xmlCanonicPath in uri.h for a better alternative.
-diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
-index 037c16d5..3036062d 100644
---- a/include/libxml/xmlerror.h
-+++ b/include/libxml/xmlerror.h
-@@ -470,6 +470,7 @@ typedef enum {
- XML_IO_EADDRINUSE, /* 1554 */
- XML_IO_EALREADY, /* 1555 */
- XML_IO_EAFNOSUPPORT, /* 1556 */
-+ XML_IO_ILLEGAL_XXE, /* 1557 */
- XML_XINCLUDE_RECURSION=1600,
- XML_XINCLUDE_PARSE_VALUE, /* 1601 */
- XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
-diff --git a/parser.c b/parser.c
-index b832406a..8e11c127 100644
---- a/parser.c
-+++ b/parser.c
-@@ -15352,6 +15352,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
- ctxt->options |= XML_PARSE_NONET;
- options -= XML_PARSE_NONET;
- }
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options |= XML_PARSE_NOXXE;
-+ options -= XML_PARSE_NOXXE;
-+ }
- if (options & XML_PARSE_COMPACT) {
- ctxt->options |= XML_PARSE_COMPACT;
- options -= XML_PARSE_COMPACT;
-diff --git a/xmlIO.c b/xmlIO.c
-index 6e61f45a..34881461 100644
---- a/xmlIO.c
-+++ b/xmlIO.c
-@@ -212,6 +212,7 @@ static const char *IOerr[] = {
- "adddress in use", /* EADDRINUSE */
- "already in use", /* EALREADY */
- "unknown address familly", /* EAFNOSUPPORT */
-+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
- };
-
- #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
-@@ -4057,13 +4058,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
- xmlGenericError(xmlGenericErrorContext,
- "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
- #endif
-- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
-+ if (ctxt != NULL) {
- int options = ctxt->options;
-
-- ctxt->options -= XML_PARSE_NONET;
-- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-- ctxt->options = options;
-- return(ret);
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options -= XML_PARSE_NOXXE;
-+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
-+
-+ if (options & XML_PARSE_NONET) {
-+ ctxt->options -= XML_PARSE_NONET;
-+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
- }
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
-@@ -4164,6 +4174,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- xmlParserInputPtr input = NULL;
- xmlChar *resource = NULL;
-
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
- #endif
-@@ -4186,5 +4203,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- return(input);
- }
-
-+xmlParserInputPtr
-+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
-+ xmlParserCtxtPtr ctxt) {
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
-+ return(NULL);
-+}
-+
- #define bottom_xmlIO
- #include "elfgcchack.h"
-diff --git a/xmllint.c b/xmllint.c
-index f8eb7ec4..8f304cda 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
- printf("\t--path 'paths': provide a set of paths for resources\n");
- printf("\t--load-trace : print trace of all external entities loaded\n");
- printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
-+ printf("\t--noxxe : forbid any external entity loading\n");
- printf("\t--nocompact : do not generate compact text nodes\n");
- printf("\t--htmlout : output results as HTML\n");
- printf("\t--nowrap : do not put HTML doc wrapper\n");
-@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
- (!strcmp(argv[i], "--nonet"))) {
- options |= XML_PARSE_NONET;
- xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
-+ } else if ((!strcmp(argv[i], "-noxxe")) ||
-+ (!strcmp(argv[i], "--noxxe"))) {
-+ options |= XML_PARSE_NOXXE;
-+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
- } else if ((!strcmp(argv[i], "-nocompact")) ||
- (!strcmp(argv[i], "--nocompact"))) {
- options &= ~XML_PARSE_COMPACT;
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch
deleted file mode 100644
index 517e178a533e..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d815758b6a8c9dee8155268e49b5ef3b80135a14 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: [PATCH 1/3] Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
----
- valid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a0..c51ea290 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- }
- }
-
-+ /*
-+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+ * no practical sense to use ID types anyway.
-+ */
-+#if 0
- /* Validity Constraint: ID uniqueness */
- if (attrDecl->atype == XML_ATTRIBUTE_ID) {
- if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- ret = 0;
- }
-+#endif
-
- /* Validity Constraint: Notation Attributes */
- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch
deleted file mode 100644
index 4d1362f2f934..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Wed, 7 Jun 2017 16:47:36 +0200
-Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent
-
-Can only be triggered in recovery mode.
-
-Fixes bug 758422 (CVE-2017-5969).
----
- valid.c | 24 ++++++++++++++----------
- 1 file changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/valid.c b/valid.c
-index 19f84b82..0a8e58ab 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
- xmlBufferWriteCHAR(buf, content->name);
- break;
- case XML_ELEMENT_CONTENT_SEQ:
-- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+ if ((content->c1 != NULL) &&
-+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- xmlDumpElementContent(buf, content->c1, 1);
- else
- xmlDumpElementContent(buf, content->c1, 0);
- xmlBufferWriteChar(buf, " , ");
-- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+ if ((content->c2 != NULL) &&
-+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- xmlDumpElementContent(buf, content->c2, 1);
- else
- xmlDumpElementContent(buf, content->c2, 0);
- break;
- case XML_ELEMENT_CONTENT_OR:
-- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+ if ((content->c1 != NULL) &&
-+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- xmlDumpElementContent(buf, content->c1, 1);
- else
- xmlDumpElementContent(buf, content->c1, 0);
- xmlBufferWriteChar(buf, " | ");
-- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+ if ((content->c2 != NULL) &&
-+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- xmlDumpElementContent(buf, content->c2, 1);
- else
- xmlDumpElementContent(buf, content->c2, 0);
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch
deleted file mode 100644
index db9d597ad73e..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 9ea49a06b9421b6a3a9c243fb1ec23b19bd6b049 Mon Sep 17 00:00:00 2001
-From: Neel Mehta <nmehta@google.com>
-Date: Fri, 7 Apr 2017 17:43:02 +0200
-Subject: [PATCH 7/7] Prevent unwanted external entity reference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780691
-
-* parser.c: add a specific check to avoid PE reference
----
- parser.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 8e11c127..e8e962bb 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8125,6 +8125,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- if (xmlPushInput(ctxt, input) < 0)
- return;
- } else {
-+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+ (ctxt->replaceEntities == 0) &&
-+ (ctxt->validate == 0))
-+ return;
-+
- /*
- * TODO !!!
- * handle the extra spaces added before and after
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch
deleted file mode 100644
index 14ec773608b6..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 43cd3b6222bda2332e963eb1c9ead78f29912b0a Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Fri, 7 Apr 2017 17:13:28 +0200
-Subject: [PATCH 2/3] Increase buffer space for port in HTTP redirect support
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780690
-
-nanohttp.c: the code wrongly assumed a short int port value.
----
- nanohttp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nanohttp.c b/nanohttp.c
-index 26e4290e..9c17530e 100644
---- a/nanohttp.c
-+++ b/nanohttp.c
-@@ -1423,9 +1423,9 @@ retry:
- if (ctxt->port != 80) {
- /* reserve space for ':xxxxx', incl. potential proxy */
- if (proxy)
-- blen += 12;
-+ blen += 17;
- else
-- blen += 6;
-+ blen += 11;
- }
- bp = (char*)xmlMallocAtomic(blen);
- if ( bp == NULL ) {
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch
deleted file mode 100644
index f7c48cd877d7..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 839b89e678b5265a0e6b0477410e64fac669d578 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 3 Jun 2017 02:01:29 +0200
-Subject: [PATCH 4/7] Fix buffer size checks in xmlSnprintfElementContent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-xmlSnprintfElementContent failed to correctly check the available
-buffer space in two locations.
-
-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
-
-Thanks to Marcel Böhme and Thuan Pham for the report.
----
- result/valid/781333.xml | 5 +++++
- result/valid/781333.xml.err | 3 +++
- result/valid/781333.xml.err.rdr | 6 ++++++
- test/valid/781333.xml | 4 ++++
- valid.c | 20 +++++++++++---------
- 5 files changed, 29 insertions(+), 9 deletions(-)
- create mode 100644 result/valid/781333.xml
- create mode 100644 result/valid/781333.xml.err
- create mode 100644 result/valid/781333.xml.err.rdr
- create mode 100644 test/valid/781333.xml
-
-diff --git a/result/valid/781333.xml b/result/valid/781333.xml
-new file mode 100644
-index 00000000..45dc451d
---- /dev/null
-+++ b/result/valid/781333.xml
-@@ -0,0 +1,5 @@
-+<?xml version="1.0"?>
-+<!DOCTYPE a [
-+<!ELEMENT a
(ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
p:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
ll)> -+]> -+<a/> -diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err -new file mode 100644 -index 00000000..b401b49a ---- /dev/null -+++ b/result/valid/781333.xml.err -@@ -0,0 +1,3 @@ -+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got -+<a/> -+ ^ -diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr -new file mode 100644 -index 00000000..5ff56992 ---- /dev/null -+++ b/result/valid/781333.xml.err.rdr -@@ -0,0 +1,6 @@ -+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got -+<a/> -+ ^ -+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child -+ -+^ -diff --git a/test/valid/781333.xml b/test/valid/781333.xml -new file mode 100644 -index 00000000..b29e5a68 ---- /dev/null -+++ b/test/valid/781333.xml -@@ -0,0 +1,4 @@ -+<!DOCTYPE a [ -+ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> -+]> -+<a/> -diff --git a/valid.c b/valid.c -index 0a8e58ab..8075d3a0 100644 ---- a/valid.c -+++ b/valid.c -@@ -1266,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int - case XML_ELEMENT_CONTENT_PCDATA: - strcat(buf, "#PCDATA"); - break; -- case XML_ELEMENT_CONTENT_ELEMENT: -+ case XML_ELEMENT_CONTENT_ELEMENT: { -+ int qnameLen = xmlStrlen(content->name); -+ -+ if (content->prefix != NULL) -+ qnameLen += xmlStrlen(content->prefix) + 1; -+ if (size - len < qnameLen + 10) { -+ strcat(buf, " ..."); -+ return; -+ } - if (content->prefix != NULL) { -- if (size - len < xmlStrlen(content->prefix) + 10) { -- strcat(buf, " ..."); -- return; -- } - strcat(buf, (char *) content->prefix); - strcat(buf, ":"); - } -- if (size - len < xmlStrlen(content->name) + 10) { -- strcat(buf, " ..."); -- return; -- } - if (content->name != NULL) - strcat(buf, (char *) content->name); - break; -+ } - case XML_ELEMENT_CONTENT_SEQ: - if ((content->c1->type == 
XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-@@ -1323,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- xmlSnprintfElementContent(buf, size, content->c2, 0);
- break;
- }
-+ if (size - strlen(buf) <= 2) return;
- if (englob)
- strcat(buf, ")");
- switch (content->ocur) {
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch
deleted file mode 100644
index abf43ef9815d..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch
+++ /dev/null
@@ -1,316 +0,0 @@
-From 9c95d1b7f3951efe09df66ec41d7b19d6283084d Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 5 Jun 2017 15:37:17 +0200
-Subject: [PATCH 3/7] Fix handling of parameter-entity references
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
----
- Makefile.am | 18 ++++++++++++++++++
- parser.c | 18 ++++++++++--------
- result/errors10/781205.xml | 0
- result/errors10/781205.xml.err | 21 +++++++++++++++++++++
- result/errors10/781361.xml | 0
- result/errors10/781361.xml.err | 13 +++++++++++++
- result/valid/766956.xml | 0
- result/valid/766956.xml.err | 9 +++++++++
- result/valid/766956.xml.err.rdr | 10 ++++++++++
- runtest.c | 3 +++
- test/errors10/781205.xml | 3 +++
- test/errors10/781361.xml | 3 +++
- test/valid/766956.xml | 2 ++
- test/valid/dtds/766956.dtd | 2 ++
- 14 files changed, 94 insertions(+), 8 deletions(-)
- create mode 100644 result/errors10/781205.xml
- create mode 100644 result/errors10/781205.xml.err
- create mode 100644 result/errors10/781361.xml
- create mode 100644 result/errors10/781361.xml.err
- create mode 100644 result/valid/766956.xml
- create mode 100644 result/valid/766956.xml.err
- create mode 100644 result/valid/766956.xml.err.rdr
- create mode 100644 test/errors10/781205.xml
- create mode 100644 test/errors10/781361.xml
- create mode 100644 test/valid/766956.xml
- create mode 100644 test/valid/dtds/766956.dtd
-
-diff --git a/Makefile.am b/Makefile.am
-index 3b52bae7..bf20124e 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
- if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
- rm result.$$name error.$$name ; \
- fi ; fi ; done)
-+ @echo "## Error cases regression tests (old 1.0)"
-+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
-+ name=`basename $$i`; \
-+ if [ ! -d $$i ] ; then \
-+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
-+ echo New test file $$name ; \
-+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
-+ 2> $(srcdir)/result/errors10/$$name.err \
-+ > $(srcdir)/result/errors10/$$name ; \
-+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
-+ else \
-+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
-+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
-+ diff $(srcdir)/result/errors10/$$name result.$$name ; \
-+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
-+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
-+ rm result.$$name error.$$name ; \
-+ fi ; fi ; done)
- @echo "## Error cases stream regression tests"
- -@(for i in $(srcdir)/test/errors/*.xml ; do \
- name=`basename $$i`; \
-diff --git a/parser.c b/parser.c
-index 53a6b7f0..b832406a 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- ctxt->input->line++; ctxt->input->col = 1; \
- } else ctxt->input->col++; \
- ctxt->input->cur += l; \
-- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
- } while (0)
-
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- len += l;
- NEXTL(l);
- c = CUR_CHAR(l);
-- if (c == 0) {
-- count = 0;
-- GROW;
-- if (ctxt->instate == XML_PARSER_EOF)
-- return(NULL);
-- c = CUR_CHAR(l);
-- }
- }
- }
- if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
- return(NULL);
- }
-+ if (ctxt->input->cur - ctxt->input->base < len) {
-+ /*
-+ * There were a couple of bugs where PERefs lead to to a change
-+ * of the buffer. Check the buffer size to avoid passing an invalid
-+ * pointer to xmlDictLookup.
-+ */
-+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+ "unexpected change of input buffer");
-+ return (NULL);
-+ }
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 00000000..da15c3f7
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a;
-+ ^
-+Entity: line 1:
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a;
-+ ^
-+Entity: line 1:
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a;
-+ ^
-+<:0000
-+ ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 00000000..655f41a2
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 00000000..34b1dae6
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+ ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent;
-+ ^
-+Entity: line 1:
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 00000000..77603462
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+ ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent;
-+ ^
-+Entity: line 1:
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/runtest.c b/runtest.c
-index 7d030bdc..cd233da9 100644
---- a/runtest.c
-+++ b/runtest.c
-@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
- { "Error cases regression tests",
- errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
- 0 },
-+ { "Error cases regression tests (old 1.0)",
-+ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
-+ XML_PARSE_OLD10 },
- #ifdef LIBXML_READER_ENABLED
- { "Error cases stream regression tests",
- streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 00000000..d9e9e839
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+ <!ENTITY % a "<:0000">
-+ %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 00000000..67476bcb
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+ <!ENTITY % elem "<!ELEMENT e0000000000">
-+ %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 00000000..19a95a0e
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 00000000..dddde68b
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch b/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch
deleted file mode 100644
index 224d60ff052f..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a1fb9a4f511d89f0738b62cabd6d92bfd9eb94a9 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:19:58 +0200
-Subject: [PATCH 3/3] Fix comparison with root node in xmlXPathCmpNodes
-
-This change has already been made in xmlXPathCmpNodesExt but not in
-xmlXPathCmpNodes.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 67afbca5..5a01b1b3 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
- * compute depth to root
- */
- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
-- if (cur == node1)
-+ if (cur->parent == node1)
- return(1);
- depth2++;
- }
- root = cur;
- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
-- if (cur == node2)
-+ if (cur->parent == node2)
- return(-1);
- depth1++;
- }
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch
deleted file mode 100644
index 770a1832b190..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001
-From: David Kilzer <ddkilzer@apple.com>
-Date: Tue, 4 Jul 2017 18:38:03 +0200
-Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in
- xmlFAParsePosCharGroup
-
-Credit to OSS-Fuzz.
-
-Add a check to xmlFAParseCharRange() for the end of the buffer
-to prevent reading past the end of it.
-
-This fixes Bug 784017.
----
- xmlregexp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xmlregexp.c b/xmlregexp.c
-index ca3b4f46..6676c2a8 100644
---- a/xmlregexp.c
-+++ b/xmlregexp.c
-@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
- return;
- }
- len = 1;
-- } else if ((cur != 0x5B) && (cur != 0x5D)) {
-+ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) {
- end = CUR_SCHAR(ctxt->cur, len);
- } else {
- ERROR("Expecting the end of a char range");
---
-2.14.1
-
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch
deleted file mode 100644
index 9d1a03346f67..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 8bc6baccc7da291c2338b8d95953ea487b0b3ca1 Mon Sep 17 00:00:00 2001
-From: Alex Henrie <alexhenrie24@gmail.com>
-Date: Thu, 26 May 2016 17:38:35 -0600
-Subject: [PATCH 2/7] Fix attribute decoding during XML schema validation
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=766834
-
-vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
-so this function can't call xmlStringLenDecodeEntities to decode the
-entities.
----
- xmlschemas.c | 30 +++++++++++++++++++++++++-----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/xmlschemas.c b/xmlschemas.c
-index e1b3a4f0..59535e5c 100644
---- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
- * attributes yet.
- */
- if (nb_attributes != 0) {
-+ int valueLen, k, l;
- xmlChar *value;
-
- for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
-@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
- * libxml2 differs from normal SAX here in that it escapes all ampersands
- * as & instead of delivering the raw converted string. Changing the
- * behavior at this point would break applications that use this API, so
-- * we are forced to work around it. There is no danger of accidentally
-- * decoding some entity other than & in this step because without
-- * unescaped ampersands there can be no other entities in the string.
-+ * we are forced to work around it.
- */
-- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],
-- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
-+ valueLen = attributes[j+4] - attributes[j+3];
-+ value = xmlMallocAtomic(valueLen + 1);
-+ if (value == NULL) {
-+ xmlSchemaVErrMemory(vctxt,
-+ "allocating string for decoded attribute",
-+ NULL);
-+ goto internal_error;
-+ }
-+ for (k = 0, l = 0; k < valueLen; l++) {
-+ if (k < valueLen - 4 &&
-+ attributes[j+3][k+0] == '&' &&
-+ attributes[j+3][k+1] == '#' &&
-+ attributes[j+3][k+2] == '3' &&
-+ attributes[j+3][k+3] == '8' &&
-+ attributes[j+3][k+4] == ';') {
-+ value[l] = '&';
-+ k += 5;
-+ } else {
-+ value[l] = attributes[j+3][k];
-+ k++;
-+ }
-+ }
-+ value[l] = '\0';
- /*
- * TODO: Set the node line.
- */
---
-2.14.1
-
|