Hello community,
here is the log from the commit of package libxml2 for openSUSE:Factory checked
in at 2013-03-22 11:56:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
and /work/SRC/openSUSE:Factory/.libxml2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2", Maintainer is "vci...@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2012-12-19
11:14:13.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes 2013-03-22
11:56:16.000000000 +0100
@@ -1,0 +2,6 @@
+Thu Mar 7 13:28:59 UTC 2013 - vci...@suse.com
+
+- fix for CVE-2013-0338 (bnc#805233)
+
libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
+
+-------------------------------------------------------------------
New:
----
libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.Oz8PoD/_old 2013-03-22 11:56:18.000000000 +0100
+++ /var/tmp/diff_new_pack.Oz8PoD/_new 2013-03-22 11:56:18.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libxml2
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -31,6 +31,7 @@
Patch0: fix-perl.diff
# PATCH-FIX-UPSTREAM CVE-2012-5134 (bnc#793334)
Patch1: libxml2-2.9.0-CVE-2012-5134.patch
+Patch4:
libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: pkg-config
BuildRequires: readline-devel
@@ -126,6 +127,7 @@
%setup -q
%patch0
%patch1 -p1
+%patch4 -p1
%build
%configure --disable-static \
++++++ python-libxml2.spec ++++++
--- /var/tmp/diff_new_pack.Oz8PoD/_old 2013-03-22 11:56:18.000000000 +0100
+++ /var/tmp/diff_new_pack.Oz8PoD/_new 2013-03-22 11:56:18.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-libxml2
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
++++++
libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
++++++
>From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veill...@redhat.com>
Date: Tue, 19 Feb 2013 10:21:49 +0800
Subject: [PATCH] Detect excessive entities expansion upon replacement
If entities expansion in the XML parser is asked for,
it is possble to craft relatively small input document leading
to excessive on-the-fly content generation.
This patch accounts for those replacement and stop parsing
after a given threshold. it can be bypassed as usual with the
HUGE parser option.
---
include/libxml/parser.h | 1 +
parser.c | 44 ++++++++++++++++++++++++++++++++++++++------
parserInternals.c | 2 ++
3 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/include/libxml/parser.h b/include/libxml/parser.h
index e1346e4..3f5730d 100644
--- a/include/libxml/parser.h
+++ b/include/libxml/parser.h
@@ -310,6 +310,7 @@ struct _xmlParserCtxt {
xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */
int input_id; /* we need to label inputs */
+ unsigned long sizeentcopy; /* volume of entity copy */
};
/**
diff --git a/parser.c b/parser.c
index 91f8c90..ddf3b5b 100644
--- a/parser.c
+++ b/parser.c
@@ -122,7 +122,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const
xmlChar *ID,
*/
static int
xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- xmlEntityPtr ent)
+ xmlEntityPtr ent, size_t replacement)
{
size_t consumed = 0;
@@ -130,7 +130,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
- if (size != 0) {
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+
+ /*
+ * If the volume of entity copy reaches 10 times the
+ * amount of parsed data and over the large text threshold
+ * then that's very likely to be an abuse.
+ */
+ if (ctxt->input != NULL) {
+ consumed = ctxt->input->consumed +
+ (ctxt->input->cur - ctxt->input->base);
+ }
+ consumed += ctxt->sizeentities;
+
+ if (replacement < XML_PARSER_NON_LINEAR * consumed)
+ return(0);
+ } else if (size != 0) {
/*
* Do the check based on the replacement size of the entity
*/
@@ -176,7 +193,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
*/
return (0);
}
-
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
return (1);
}
@@ -2743,7 +2759,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const
xmlChar *str, int len,
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
@@ -2785,7 +2801,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const
xmlChar *str, int len,
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
@@ -7203,7 +7219,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
xmlFreeNodeList(list);
return;
}
- if (xmlParserEntityCheck(ctxt, 0, ent)) {
+ if (xmlParserEntityCheck(ctxt, 0, ent, 0)) {
xmlFreeNodeList(list);
return;
}
@@ -7361,6 +7377,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
xmlNodePtr nw = NULL, cur, firstChild = NULL;
/*
+ * We are copying here, make sure there is no abuse
+ */
+ ctxt->sizeentcopy += ent->length;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
+ /*
* when operating on a reader, the entities definitions
* are always owning the entities subtree.
if (ctxt->parseMode == XML_PARSE_READER)
@@ -7400,6 +7423,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
} else if ((list == NULL) || (ctxt->inputNr > 0)) {
xmlNodePtr nw = NULL, cur, next, last,
firstChild = NULL;
+
+ /*
+ * We are copying here, make sure there is no abuse
+ */
+ ctxt->sizeentcopy += ent->length;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
/*
* Copy the entity child list and make it the new
* entity child list. The goal is to make sure any
@@ -14767,6 +14798,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
ctxt->catalogs = NULL;
ctxt->nbentities = 0;
ctxt->sizeentities = 0;
+ ctxt->sizeentcopy = 0;
xmlInitNodeInfoSeq(&ctxt->node_seq);
if (ctxt->attsDefault != NULL) {
diff --git a/parserInternals.c b/parserInternals.c
index 02032d5..f8a7041 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -1719,6 +1719,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
ctxt->charset = XML_CHAR_ENCODING_UTF8;
ctxt->catalogs = NULL;
ctxt->nbentities = 0;
+ ctxt->sizeentities = 0;
+ ctxt->sizeentcopy = 0;
ctxt->input_id = 1;
xmlInitNodeInfoSeq(&ctxt->node_seq);
return(0);
--
1.7.10.4
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
