Hi, In libxml2 were some more CVEs. The patches attached fix these:
CVE-2017-9663:
>From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnho...@aevum.de>
Date: Tue, 6 Jun 2017 12:56:28 +0200
Subject: Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on namespace declarations make no practical sense anyway. Fixes bug 780228. Found with libFuzzer and ASan.
---
 valid.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/valid.c b/valid.c
index 8075d3a..c51ea29 100644
--- a/valid.c
+++ b/valid.c
@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
 }
 }
+ /*
+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
+ * no practical sense to use ID types anyway.
+ */
+#if 0
 /* Validity Constraint: ID uniqueness */
 if (attrDecl->atype == XML_ATTRIBUTE_ID) {
 if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
 if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
 ret = 0;
 }
+#endif
 /* Validity Constraint: Notation Attributes */
 if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
--
cgit v0.12
--------------------------------------------------------------------------------
CVE-2017-7375:
>From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
From: Neel Mehta <nme...@google.com>
Date: Fri, 7 Apr 2017 17:43:02 +0200
Subject: Prevent unwanted external entity reference
For https://bugzilla.gnome.org/show_bug.cgi?id=780691
* parser.c: add a specific check to avoid PE reference
---
 parser.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/parser.c b/parser.c
index 609a270..c2c812d 100644
--- parser.c
+++ parser.c
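Review bot: Wrapping the block in `#if 0` keeps the type-confusing `(xmlAttrPtr) ns` casts in the tree as dead code instead of removing them, and neither the new comment nor the function records the behavioural consequence: an ID- or IDREF-typed namespace declaration is now neither registered via xmlAddID nor checked via xmlAddRef, so the `ret = 0` failure visible in the second hunk can no longer be reported for it. I would delete the disabled block outright and say so in the comment, e.g. `* ID/IDREF/IDREFS-typed namespace declarations are therefore ignored here: the value is neither registered nor checked, and no validity error is raised for duplicates.` The second valid.c hunk (`#endif`) is the other half of the same change. xmlValidateOneNamespace begins before the first hunk and continues after the second.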
@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
 if (xmlPushInput(ctxt, input) < 0)
 return;
 } else {
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+ (ctxt->replaceEntities == 0) &&
+ (ctxt->validate == 0))
+ return;
+
 /*
 * TODO !!!
 * handle the extra spaces added before and after
--
cgit v0.12
--------------------------------------------------------------------------------
CVE-2017-7376:
>From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veill...@redhat.com>
Date: Fri, 7 Apr 2017 17:13:28 +0200
Subject: Increase buffer space for port in HTTP redirect support
For https://bugzilla.gnome.org/show_bug.cgi?id=780690
nanohttp.c: the code wrongly assumed a short int port value.
---
 nanohttp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nanohttp.c b/nanohttp.c
index e109ad7..373425d 100644
--- nanohttp.c
+++ nanohttp.c
@@ -1423,9 +1423,9 @@ retry:
 if (ctxt->port != 80) {
 /* reserve space for ':xxxxx', incl. potential proxy */
 if (proxy)
- blen += 12;
+ blen += 17;
 else
- blen += 6;
+ blen += 11;
 }
 bp = (char*)xmlMallocAtomic(blen);
 if ( bp == NULL ) {
--
cgit v0.12
--------------------------------------------------------------------------------
Greetings, Matthias
--
genua GmbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genublog.de, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Bernhard Schneck, Marc Tesch. Amtsgericht Muenchen HRB 98238 genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
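Review bot: The new early return in xmlParsePEReference carries no comment saying why an external parameter entity is being dropped, and the seven-clause condition repeats the `(ctxt->options & X) == 0` test four times. I would fold the option tests into one mask and state the intent above it: `/* Do not fetch an external PE unless the caller opted into entity substitution, DTD loading or validation (bug 780691). */` followed by `((ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID | XML_PARSE_DTDLOAD | XML_PARSE_DTDATTR)) == 0) &&`. The trailing `replaceEntities` and `validate` checks look redundant with those option bits but may be settable independently through the older context API, so if they are kept the comment should say so. Returning silently also means the reference is consumed with no warning, which is a deliberate choice worth one sentence in the comment. The body of xmlParsePEReference starts before the hunk and continues after it.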
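Review bot: Both branches grow by the same 5 bytes (12 to 17, 6 to 11), yet the old 12 = 2 x 6 suggests the port is reserved twice when proxying, so if a full-width int port can appear in both places the proxy reservation should presumably be 22, not 17; that is worth confirming against the formatting code below the hunk. The `':xxxxx'` comment is also stale now that the value is sized for an int. I would replace the three lines with a single documented expression, `/* ':' plus up to 10 digits for an int port, once per occurrence */` and `blen += proxy ? 2 * 11 : 11;`, and, because the port originates from a redirect Location header, reject or clamp values outside 0..65535 where that URL is parsed so the width question goes away. The enclosing function extends beyond the hunk in both directions.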