Bug#460292: libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence

Sun, 13 Jan 2008 06:31:21 -0800 

Hi,
attached is a patch for an NMU.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch

Please ping me in case you have no time to do an upload in 
reasonable time.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u libxml2-2.6.30.dfsg/debian/changelog libxml2-2.6.30.dfsg/debian/changelog
--- libxml2-2.6.30.dfsg/debian/changelog
+++ libxml2-2.6.30.dfsg/debian/changelog
@@ -1,3 +1,13 @@
+libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by security team.
+  * This update addresses the following security issue:
+    - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
+      attackers to cause a denial of service (infinite loop) via XML
+      containing invalid UTF-8 sequences (Closes: #460292).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sun, 13 Jan 2008 15:15:04 +0100
+
 libxml2 (2.6.30.dfsg-3) unstable; urgency=low
 
   * debian/libxml2.symbols: Add a symbols file to benefit from the new
only in patch2:
unchanged:
--- libxml2-2.6.30.dfsg.orig/parserInternals.c
+++ libxml2-2.6.30.dfsg/parserInternals.c
@@ -638,14 +638,13 @@
 
 	c = *cur;
 	if (c & 0x80) {
-	    if (c == 0xC0)
+	    if (((c & 0x40) == 0) || (c == 0xC0))
 		goto encoding_error;
 	    if (cur[1] == 0)
 		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 	    if ((cur[1] & 0xc0) != 0x80)
 		goto encoding_error;
 	    if ((c & 0xe0) == 0xe0) {
-
 		if (cur[2] == 0)
 		    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 		if ((cur[2] & 0xc0) != 0x80)
@@ -662,18 +661,24 @@
 		    val |= (cur[1] & 0x3f) << 12;
 		    val |= (cur[2] & 0x3f) << 6;
 		    val |= cur[3] & 0x3f;
+		    if (val < 0x10000)
+			goto encoding_error;
 		} else {
 		  /* 3-byte code */
 		    *len = 3;
 		    val = (cur[0] & 0xf) << 12;
 		    val |= (cur[1] & 0x3f) << 6;
 		    val |= cur[2] & 0x3f;
+		    if (val < 0x800)
+			goto encoding_error;
 		}
 	    } else {
 	      /* 2-byte code */
 		*len = 2;
 		val = (cur[0] & 0x1f) << 6;
 		val |= cur[1] & 0x3f;
+		if (val < 0x80)
+		    goto encoding_error;
 	    }
 	    if (!IS_CHAR(val)) {
 	        xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
@@ -683,6 +688,13 @@
 	} else {
 	    /* 1-byte code */
 	    *len = 1;
+	    if (*ctxt->input->cur == 0)
+		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+	    if ((*ctxt->input->cur == 0) &&
+	        (ctxt->input->end > ctxt->input->cur)) {
+	        xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+				  "Char 0x%X out of allowed range\n", val);
+	    }
 	    if (*ctxt->input->cur == 0xD) {
 		if (ctxt->input->cur[1] == 0xA) {
 		    ctxt->nbChars++;

Attachment: pgp1Hm2qToAqo.pgp
Description: PGP signature

Reply via email to