Hi, On Fri, Sep 19, 2008 at 09:24:30PM +0200, Mike Hommey wrote: > On Mon, Sep 15, 2008 at 08:55:10AM -0700, Kees Cook wrote: > > As far as I know, this patch matches the upstream changes for the > > problem. Please see: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=460396 > > Actually there are differences between upstream and ubuntu changes: > (a is ubuntu, b is upstream) > > diff -u a/parser.c b/parser.c > --- a/parser.c > +++ b/parser.c > @@ -2390,7 +2390,6 @@ > */ > #define growBuffer(buffer) { \ > xmlChar *tmp; \ > - buffer##_size += XML_PARSER_BUFFER_SIZE ; > \ > buffer##_size *= 2; > \ > tmp = (xmlChar *) > \ > xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ > @@ -3451,7 +3450,7 @@ > * Just output the reference > */ > buf[len++] = '&'; > - while (len > buf_size - i - 10) { > + if (len > buf_size - i - 10) { > growBuffer(buf); > } > for (;i > 0;i--)
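Review bot: In the -2390 hunk the Ubuntu growBuffer keeps both `buffer##_size += XML_PARSER_BUFFER_SIZE ;` and `buffer##_size *= 2;`, so every call grows the buffer to twice (old size + XML_PARSER_BUFFER_SIZE) instead of upstream's plain doubling. That is harmless for the overflow fix, since the Ubuntu buffer is never smaller than upstream's would be, but it is an unintended divergence and worth collapsing to the single `*= 2` so later changes to this macro apply cleanly. Worth confirming in the lines below the visible context that the xmlRealloc result in `tmp` is checked for NULL before `buffer` is overwritten.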
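Review bot: In the -3451 hunk, `while (len > buf_size - i - 10)` is the more defensive of the two forms: it keeps calling growBuffer until there is room, whereas upstream's `if` relies on a single doubling being enough for the bytes appended afterwards. Keeping the loop is fine as long as growBuffer strictly increases buf_size on every call (the `*= 2` guarantees that for any non-zero size), so it terminates. The one thing to check is that `buf_size` and `i` are signed here; if either is unsigned, `buf_size - i - 10` wraps to a huge value whenever `i + 10 > buf_size` and the check would never fire.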
The above changes are for CVE-2008-3529. BTW, would it be possible to add a patch system to libxml2? It's much easier to split up the patches over time, and is nice for anyone doing post-release updates. :) > @@ -6476,8 +6475,6 @@ > } else if (list != NULL) { > xmlFreeNodeList(list); > list = NULL; > - } else if (ent->owner != 1) { > - ctxt->nbentities += ent->owner; > } > } > ent->checked = 1; > @@ -6668,6 +6665,8 @@ > ctxt->nodelen = 0; > return; > } > + } else if (ent->owner != 1) { > + ctxt->nbentities += ent->owner; > } > } else { > val = ent->content; Was this just interdiff output? There were some changes to this area of code that needed some by-hand backporting, so the versions used to compare might not end up looking clean. Or, I could have messed up the backport, but I put them through a bunch of xml regression tests and things seemed to be behaving. -Kees -- Kees Cook Ubuntu Security Team
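Review bot: Taken together, the -6476 and -6668 hunks show the `else if (ent->owner != 1) { ctxt->nbentities += ent->owner; }` accounting relocated rather than dropped: Ubuntu attaches it after the `list != NULL` branch, just before `ent->checked = 1;`, while upstream attaches it after the `ctxt->nodelen = 0; return;` branch, just before the `} else { val = ent->content;` path. Whether the two placements add to `ctxt->nbentities` for the same set of entity references depends on control flow outside the visible context, so the by-hand backport should be checked by parsing a document with nested entity references on both builds and comparing the resulting `nbentities` value; if the Ubuntu placement runs in fewer cases, whatever limit reads that counter trips later than it does upstream. Since this is an interdiff of two backports, the simplest way to remove the doubt is to move the block to upstream's position line for line.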