Bug#460666: patch for NMU

Mon, 14 Jan 2008 05:30:22 -0800 

Hi Mike,
attached is the ported version of the patch.
Not much to port apart from raising an error because 
xmlErrEncodingInt does not exist in libxml1.

Attached is the patch that I will upload now.
It will be also available on:
http://people.debian.org/~nion/nmu-diff/libxml-1.8.17-14_1.8.17-14.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u libxml-1.8.17/debian/changelog libxml-1.8.17/debian/changelog
--- libxml-1.8.17/debian/changelog
+++ libxml-1.8.17/debian/changelog
@@ -1,3 +1,13 @@
+libxml (1:1.8.17-14.1) unstable; urgency=high
+
+  * Non-maintainer upload by security team.
+  * This update addresses the following security issue:
+    - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
+      attackers to cause a denial of service (infinite loop) via XML
+      containing invalid UTF-8 sequences (Closes: #460666).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Mon, 14 Jan 2008 13:34:19 +0100
+
 libxml (1:1.8.17-14) unstable; urgency=low
 
   * debian/control: Bumped Standards-Version to 3.7.2.1. No changes needed.
only in patch2:
unchanged:
--- libxml-1.8.17.orig/parser.c
+++ libxml-1.8.17/parser.c
@@ -881,6 +881,8 @@
 
 	c = *cur;
 	if (c & 0x80) {
+	    if (((c & 0x40) == 0) || (c == 0xC0))
+	        goto encoding_error;
 	    if (cur[1] == 0)
 		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 	    if ((cur[1] & 0xc0) != 0x80)
@@ -903,18 +905,25 @@
 		    val |= (cur[1] & 0x3f) << 12;
 		    val |= (cur[2] & 0x3f) << 6;
 		    val |= cur[3] & 0x3f;
+		    if (val < 0x10000)
+		        goto encoding_error;
 		} else {
 		  /* 3-byte code */
 		    *len = 3;
 		    val = (cur[0] & 0xf) << 12;
 		    val |= (cur[1] & 0x3f) << 6;
 		    val |= cur[2] & 0x3f;
+		    if (val < 0x800)
+		        goto encoding_error;
+
 		}
 	    } else {
 	      /* 2-byte code */
 		*len = 2;
 		val = (cur[0] & 0x1f) << 6;
 		val |= cur[1] & 0x3f;
+		if (val < 0x80)
+			goto encoding_error;
 	    }
 	    if (!IS_CHAR(val)) {
 		if ((ctxt->sax != NULL) &&
@@ -927,6 +936,13 @@
 	} else {
 	    /* 1-byte code */
 	    *len = 1;
+	    if (*ctxt->input->cur == 0)
+		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+	    if ((*ctxt->input->cur == 0) &&
+	        (ctxt->input->end > ctxt->input->cur)) {
+	        ctxt->sax->error(ctxt->userData, "Char 0x%X out of allowed range\n", val);
+            goto encoding_error;
+	    }
 	    if (*ctxt->input->cur == 0xD) {
 		if (ctxt->input->cur[1] == 0xA) {
 		    ctxt->nbChars++;

Attachment: pgpFnxTCjJ3oO.pgp
Description: PGP signature

Reply via email to