head 1.6; access; symbols pkgsrc-2013Q2:1.6.0.10 pkgsrc-2013Q2-base:1.6 pkgsrc-2012Q4:1.6.0.8 pkgsrc-2012Q4-base:1.6 pkgsrc-2011Q4:1.6.0.6 pkgsrc-2011Q4-base:1.6 pkgsrc-2011Q2:1.6.0.4 pkgsrc-2011Q2-base:1.6 pkgsrc-2009Q4:1.6.0.2 pkgsrc-2009Q4-base:1.6 pkgsrc-2009Q3:1.5.0.4 pkgsrc-2009Q3-base:1.5 pkgsrc-2009Q2:1.5.0.2 pkgsrc-2008Q4:1.3.0.2 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.1.0.2; locks; strict; comment @# @; 1.6 date 2009.10.21.14.55.32; author drochner; state dead; branches; next 1.5; 1.5 date 2009.08.26.10.20.57; author tron; state Exp; branches 1.5.2.1; next 1.4; 1.4 date 2009.02.21.13.58.49; author wiz; state dead; branches; next 1.3; 1.3 date 2008.11.24.13.59.16; author tron; state Exp; branches; next 1.2; 1.2 date 2008.10.16.13.31.57; author drochner; state dead; branches; next 1.1; 1.1 date 2008.10.09.15.01.27; author tron; state Exp; branches 1.1.2.1; next ; 1.5.2.1 date 2009.08.26.10.20.57; author spz; state dead; branches; next 1.5.2.2; 1.5.2.2 date 2009.08.28.07.43.14; author spz; state Exp; branches; next ; 1.1.2.1 date 2008.10.09.15.01.27; author rtr; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2008.10.12.12.09.10; author rtr; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2008.11.26.11.12.10; author rtr; state Exp; branches; next ; desc @@ 1.6 log @update to 2.7.6 changes: -bugfixes -portability and documentation improvements -cleanup pkgsrc note: added some tweaks to EBCDIC support, both to fix non- portable assumptions in the code and to work around NetBSD deficiencies; now it needs only a little fix to CP273 (newline conversion) to make the selftest succeed on NetBSD @ text @$NetBSD: patch-af,v 1.5 2009/08/26 10:20:57 tron Exp $ Fix for CVE-2009-2414 and CVE-2009-2416 taken from here: http://download.fedora.redhat.com/pub/fedora/linux/updates/11/SRPMS/libxml2-2.7.3-3.fc11.src.rpm --- parser.c.orig 2009-01-17 13:45:35.000000000 +0000 +++ parser.c 2009-08-26 11:06:38.000000000 +0100 @@@@ -5306,7 +5306,8 @@@@ if (name == NULL) { 
xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, "Name expected in NOTATION declaration\n"); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } tmp = ret; while (tmp != NULL) { @@@@ -5322,7 +5323,10 @@@@ } if (tmp == NULL) { cur = xmlCreateEnumeration(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@@@ -5333,9 +5337,8 @@@@ } while (RAW == '|'); if (RAW != ')') { xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); - if ((last != NULL) && (last != ret)) - xmlFreeEnumeration(last); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; return(ret); @@@@ -5390,7 +5393,10 @@@@ cur = xmlCreateEnumeration(name); if (!xmlDictOwns(ctxt->dict, name)) xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@@@ -5758,9 +5764,10 @@@@ } /** - * xmlParseElementChildrenContentDecl: + * xmlParseElementChildrenContentDeclPriv: * @@ctxt: an XML parser context * @@inputchk: the input used for the current entity, needed for boundary checks + * @@depth: the level of recursion * * parse the declaration for a Mixed Element content * The leading '(' and spaces have been skipped in xmlParseElementContentDecl @@@@ -5788,12 +5795,20 @@@@ * Returns the tree of xmlElementContentPtr describing the element * hierarchy. 
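Review bot: The error paths changed in the hunks at 5306, 5322, 5333 and 5390 now free the partially built list and return NULL, but no visible comment records that ownership rule for callers. A short comment at each site, such as `/* error: the partial list is released here; the caller gets NULL and must not free anything */`, would make the contract explicit. The hunk at 5390 changes only the allocation-failure return; whether that function's other early returns still hand back `ret` cannot be seen from here, so they should be checked to avoid mixing both conventions in one function. Both functions start and end outside these hunks. The same patch text is repeated in the 1.5.2.2 revision further down, where the same remarks apply.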
*/ -xmlElementContentPtr -xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { +static xmlElementContentPtr +xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + int depth) { xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL; const xmlChar *elem; xmlChar type = 0; + if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || + (depth > 2048)) { + xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, +"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n", + depth); + return(NULL); + } SKIP_BLANKS; GROW; if (RAW == '(') { @@@@ -5802,7 +5817,8 @@@@ /* Recurse on first child */ NEXT; SKIP_BLANKS; - cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); SKIP_BLANKS; GROW; } else { @@@@ -5934,7 +5950,8 @@@@ /* Recurse on second child */ NEXT; SKIP_BLANKS; - last = xmlParseElementChildrenContentDecl(ctxt, inputid); + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); SKIP_BLANKS; } else { elem = xmlParseName(ctxt); @@@@ -6045,6 +6062,44 @@@@ } /** + * + * xmlParseElementChildrenContentDecl: + * @@ctxt: an XML parser context + * @@inputchk: the input used for the current entity, needed for boundary checks + * @@depth: the level of recursion + * + * parse the declaration for a Mixed Element content + * The leading '(' and spaces have been skipped in xmlParseElementContentDecl + * + * [47] children ::= (choice | seq) ('?' | '*' | '+')? + * + * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')? + * + * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')' + * + * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')' + * + * [ VC: Proper Group/PE Nesting ] applies to [49] and [50] + * TODO Parameter-entity replacement text must be properly nested + * with parenthesized groups. 
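Review bot: The limits `128` and `2048` in the guard added at the top of xmlParseElementChildrenContentDeclPriv (hunk at 5788) are bare literals, with no comment saying what they bound or why there are two. A comment above the `if`, such as `/* cap nesting of '(' groups so deeply nested content cannot exhaust the stack; XML_PARSE_HUGE raises the cap but never removes it */`, or two named constants, would protect the limits from being loosened by accident. The guard also makes NULL a possible result of both recursive calls (hunks at 5802 and 5934). How a NULL `cur` or `last` is handled lies outside these hunks, and it should be confirmed that those paths free `ret` and stop rather than continue. The identical hunks recur in the 1.5.2.2 revision text.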
That is to say, if either of the + * opening or closing parentheses in a choice, seq, or Mixed + * construct is contained in the replacement text for a parameter + * entity, both must be contained in the same replacement text. For + * interoperability, if a parameter-entity reference appears in a + * choice, seq, or Mixed construct, its replacement text should not + * be empty, and neither the first nor last non-blank character of + * the replacement text should be a connector (| or ,). + * + * Returns the tree of xmlElementContentPtr describing the element + * hierarchy. + */ +xmlElementContentPtr +xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) { + /* stub left for API/ABI compat */ + return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1)); +} + +/** * xmlParseElementContentDecl: * @@ctxt: an XML parser context * @@name: the name of the element being defined. @@@@ -6080,7 +6135,7 @@@@ tree = xmlParseElementMixedContentDecl(ctxt, inputid); res = XML_ELEMENT_TYPE_MIXED; } else { - tree = xmlParseElementChildrenContentDecl(ctxt, inputid); + tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1); res = XML_ELEMENT_TYPE_ELEMENT; } SKIP_BLANKS; @ 1.5 log @Add patch to fix the security vulnerabilites reported in CVE-2009-2414 and CVE-2009-2416. The patch was taken from the latest Fedora 11 "libxml2" source RPM. 
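Review bot: The doc comment added for the public stub xmlParseElementChildrenContentDecl (hunk at 6045) documents a depth parameter that its signature `(xmlParserCtxtPtr ctxt, int inputchk)` does not have. The line `* @@depth: the level of recursion` (as escaped in this file) should be dropped from this copy and kept only on the Priv function. The empty `*` line before the function name should also go, so the block opens with the name as the neighbouring comments do. The summary still reads "Mixed Element content" although the grammar quoted under it is for children content; `parse the declaration for an element children content model` would match. The stub comment could also state that it starts the recursion at depth 1 and exists only for API/ABI compatibility.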
@ text @d1 1 a1 1 $NetBSD$ @ 1.5.2.1 log @file patch-af was added on branch pkgsrc-2009Q2 on 2009-08-28 07:43:14 +0000 @ text @d1 162 @ 1.5.2.2 log @Pullup ticket 2873 - requested by tron security update Revisions pulled up: - pkgsrc/textproc/libxml2/Makefile 1.101 - pkgsrc/textproc/libxml2/distinfo 1.72 Files added: pkgsrc/textproc/libxml2/patches/patch-af 1.5 Module Name: pkgsrc Committed By: tron Date: Wed Aug 26 10:20:57 UTC 2009 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-af Log Message: Add patch to fix the security vulnerabilites reported in CVE-2009-2414 and CVE-2009-2416. The patch was taken from the latest Fedora 11 "libxml2" source RPM. To generate a diff of this commit: cvs rdiff -u -r1.100 -r1.101 pkgsrc/textproc/libxml2/Makefile cvs rdiff -u -r1.71 -r1.72 pkgsrc/textproc/libxml2/distinfo cvs rdiff -u -r0 -r1.5 pkgsrc/textproc/libxml2/patches/patch-af @ text @a0 162 $NetBSD: patch-af,v 1.5 2009/08/26 10:20:57 tron Exp $ Fix for CVE-2009-2414 and CVE-2009-2416 taken from here: http://download.fedora.redhat.com/pub/fedora/linux/updates/11/SRPMS/libxml2-2.7.3-3.fc11.src.rpm --- parser.c.orig 2009-01-17 13:45:35.000000000 +0000 +++ parser.c 2009-08-26 11:06:38.000000000 +0100 @@@@ -5306,7 +5306,8 @@@@ if (name == NULL) { xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, "Name expected in NOTATION declaration\n"); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } tmp = ret; while (tmp != NULL) { @@@@ -5322,7 +5323,10 @@@@ } if (tmp == NULL) { cur = xmlCreateEnumeration(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@@@ -5333,9 +5337,8 @@@@ } while (RAW == '|'); if (RAW != ')') { xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); - if ((last != NULL) && (last != ret)) - xmlFreeEnumeration(last); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; 
return(ret); @@@@ -5390,7 +5393,10 @@@@ cur = xmlCreateEnumeration(name); if (!xmlDictOwns(ctxt->dict, name)) xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@@@ -5758,9 +5764,10 @@@@ } /** - * xmlParseElementChildrenContentDecl: + * xmlParseElementChildrenContentDeclPriv: * @@ctxt: an XML parser context * @@inputchk: the input used for the current entity, needed for boundary checks + * @@depth: the level of recursion * * parse the declaration for a Mixed Element content * The leading '(' and spaces have been skipped in xmlParseElementContentDecl @@@@ -5788,12 +5795,20 @@@@ * Returns the tree of xmlElementContentPtr describing the element * hierarchy. */ -xmlElementContentPtr -xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { +static xmlElementContentPtr +xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + int depth) { xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL; const xmlChar *elem; xmlChar type = 0; + if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || + (depth > 2048)) { + xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, +"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n", + depth); + return(NULL); + } SKIP_BLANKS; GROW; if (RAW == '(') { @@@@ -5802,7 +5817,8 @@@@ /* Recurse on first child */ NEXT; SKIP_BLANKS; - cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); SKIP_BLANKS; GROW; } else { @@@@ -5934,7 +5950,8 @@@@ /* Recurse on second child */ NEXT; SKIP_BLANKS; - last = xmlParseElementChildrenContentDecl(ctxt, inputid); + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); SKIP_BLANKS; } else { elem = xmlParseName(ctxt); @@@@ -6045,6 +6062,44 @@@@ } /** + * + * 
xmlParseElementChildrenContentDecl: + * @@ctxt: an XML parser context + * @@inputchk: the input used for the current entity, needed for boundary checks + * @@depth: the level of recursion + * + * parse the declaration for a Mixed Element content + * The leading '(' and spaces have been skipped in xmlParseElementContentDecl + * + * [47] children ::= (choice | seq) ('?' | '*' | '+')? + * + * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')? + * + * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')' + * + * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')' + * + * [ VC: Proper Group/PE Nesting ] applies to [49] and [50] + * TODO Parameter-entity replacement text must be properly nested + * with parenthesized groups. That is to say, if either of the + * opening or closing parentheses in a choice, seq, or Mixed + * construct is contained in the replacement text for a parameter + * entity, both must be contained in the same replacement text. For + * interoperability, if a parameter-entity reference appears in a + * choice, seq, or Mixed construct, its replacement text should not + * be empty, and neither the first nor last non-blank character of + * the replacement text should be a connector (| or ,). + * + * Returns the tree of xmlElementContentPtr describing the element + * hierarchy. + */ +xmlElementContentPtr +xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) { + /* stub left for API/ABI compat */ + return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1)); +} + +/** * xmlParseElementContentDecl: * @@ctxt: an XML parser context * @@name: the name of the element being defined. 
@@@@ -6080,7 +6135,7 @@@@ tree = xmlParseElementMixedContentDecl(ctxt, inputid); res = XML_ELEMENT_TYPE_MIXED; } else { - tree = xmlParseElementChildrenContentDecl(ctxt, inputid); + tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1); res = XML_ELEMENT_TYPE_ELEMENT; } SKIP_BLANKS; @ 1.4 log @Update to 2.7.3: 2.7.3: Jan 18 2009 * Build fix: fix build when HTML support is not included. * Bug fixes: avoid memory overflow in gigantic text nodes, indentation problem on the writed (Rob Richards), xmlAddChildList pointer problem (Rob Richards and Kevin Milburn), xmlAddChild problem with attribute (Rob Richards and Kris Breuker), avoid a memory leak in an edge case (Daniel Zimmermann), deallocate some pthread data (Alex Ott). * Improvements: configure option to avoid rebuilding docs (Adrian Bunk), limit text nodes to 10MB max by default, add element traversal APIs, add a parser option to enable pre 2.7 SAX behavior (Rob Richards), add gcc malloc checking (Marcus Meissner), add gcc printf like functions parameters checking (Marcus Meissner). @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.3 2008/11/24 13:59:16 tron Exp $ d3 53 a55 13 --- SAX2.c.orig 2008-08-25 10:02:32.000000000 +0100 +++ SAX2.c 2008-11-24 13:25:21.000000000 +0000 @@@@ -11,6 +11,7 @@@@ #include "libxml.h" #include #include +#include #include #include #include @@@@ -26,6 +27,11 @@@@ #include #include d57 21 a77 7 +/* Define SIZE_T_MAX unless defined through . 
*/ +#ifndef SIZE_T_MAX +# define SIZE_T_MAX ((size_t)-1) +#endif /* !SIZE_T_MAX */ + /* #define DEBUG_SAX2 */ /* #define DEBUG_SAX2_TREE */ d79 32 a110 13 @@@@ -2455,9 +2461,14 @@@@ (xmlDictOwns(ctxt->dict, lastChild->content))) { lastChild->content = xmlStrdup(lastChild->content); } + if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || + (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); + return; + } if (ctxt->nodelen + len >= ctxt->nodemem) { xmlChar *newbuf; - int size; + size_t size; d112 51 a162 2 size = ctxt->nodemem + len; size *= 2; @ 1.3 log @Add fixes for security vulnerabilities reported in CVE-2008-4225 and CVE-2008-4226 from "libxml2" SVN repository. Bump package revision. @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @update to 2.7.2 changes: -Portability fix: fix solaris compilation problem, fix compilation if XPath is not configured in -Bug fixes: nasty entity bug introduced in 2.7.0, restore old behaviour when saving an HTML doc with an xml dump function, HTML UTF-8 parsing bug, fix reader custom error handlers -Improvement: xmlSave options for more flexibility to save as XML/HTML/XHTML, handle leading BOM in HTML documents cvs: ---------------------------------------------------------------------- @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.1 2008/10/09 15:01:27 tron Exp $ d3 35 a37 16 Patch for CVE-2008-4409 taken from here: http://bugzilla.gnome.org/show_bug.cgi?id=554660 http://bugzilla.gnome.org/attachment.cgi?id=119824 --- parser.c.orig 2008-09-01 07:22:40.000000000 +0100 +++ parser.c 2008-10-09 15:22:55.000000000 +0100 @@@@ -7225,8 +7225,10 @@@@ * Predefined entites override any extra definition */ ent = xmlGetPredefinedEntity(name); - if (ent != NULL) + if (ent != NULL) { + *str = ptr; return(ent); + } d39 2 a40 2 /* * Increate the number of entity references parsed @ 1.1 log @Add a fix for CVE-2008-4409 (also known as CVE-2008-4422) from the GNOME bugzilla. 
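Review bot: In the SAX2.c hunk at 2455, changing `size` to `size_t` does not widen the arithmetic: `size = ctxt->nodemem + len;` and the test `ctxt->nodelen + len >= ctxt->nodemem` are still evaluated in the operands' own type before any conversion. The casts in the added guard and the removed `int size` suggest those operands are `int`, though their declarations are outside the hunk. If so, the comparisons against `SIZE_T_MAX` cannot fire for non-negative values where `size_t` is 64 bits wide, and the `int` sum can still overflow. Writing `size = (size_t)ctxt->nodemem + (size_t)len;` and also bounding the sum against `INT_MAX` would close that gap. The same hunk is repeated in the 1.1.2.3 revision text.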
Bump package revision. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-af was added on branch pkgsrc-2008Q3 on 2008-10-12 12:09:10 +0000 @ text @d1 21 @ 1.1.2.2 log @pullup ticket #2553 - requested by tron libxml2: security fix revisions pulled up: pkgsrc/textproc/libxml2/Makefile 1.95 pkgsrc/textproc/libxml2/distinfo 1.67 pkgsrc/textproc/libxml2/patches/patch-af 1.1 Module Name: pkgsrc Committed By: tron Date: Thu Oct 9 15:01:27 UTC 2008 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-af Log Message: Add a fix for CVE-2008-4409 (also known as CVE-2008-4422) from the GNOME bugzilla. Bump package revision. @ text @a0 21 $NetBSD: patch-af,v 1.1 2008/10/09 15:01:27 tron Exp $ Patch for CVE-2008-4409 taken from here: http://bugzilla.gnome.org/show_bug.cgi?id=554660 http://bugzilla.gnome.org/attachment.cgi?id=119824 --- parser.c.orig 2008-09-01 07:22:40.000000000 +0100 +++ parser.c 2008-10-09 15:22:55.000000000 +0100 @@@@ -7225,8 +7225,10 @@@@ * Predefined entites override any extra definition */ ent = xmlGetPredefinedEntity(name); - if (ent != NULL) + if (ent != NULL) { + *str = ptr; return(ent); + } /* * Increate the number of entity references parsed @ 1.1.2.3 log @pullup ticket #2596 - requested by tron libxml2: update and patch package for security fixes revisions pulled up: pkgsrc/textproc/libxml2/Makefile 1.97,1.98,1.99 pkgsrc/textproc/libxml2/distinfo 1.69,1.70 pkgsrc/textproc/libxml2/patches/patch-af r0,1.3 pkgsrc/textproc/libxml2/patches/patch-ag r0,1.5 pkgsrc/textproc/libxml2/patches/patch-ah 1.3 Module Name: pkgsrc Committed By: drochner Date: Thu Oct 16 13:31:57 UTC 2008 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Removed Files: pkgsrc/textproc/libxml2/patches: patch-af patch-ag Log Message: update to 2.7.2 changes: -Portability fix: fix solaris compilation problem, fix compilation if XPath is not configured in -Bug fixes: nasty entity bug introduced in 2.7.0, restore old 
behaviour when saving an HTML doc with an xml dump function, HTML UTF-8 parsing bug, fix reader custom error handlers -Improvement: xmlSave options for more flexibility to save as XML/HTML/XHTML, handle leading BOM in HTML documents ------------------------------------------------------------------------ Module Name: pkgsrc Committed By: drochner Date: Fri Oct 17 16:06:04 UTC 2008 Modified Files: pkgsrc/textproc/libxml2: Makefile Log Message: restore the without-threads config arg which I accidentally commented out in the last update, bump PKGREVISION fixes PR pkg/39755 by David A. Holland ------------------------------------------------------------------------ Module Name: pkgsrc Committed By: tron Date: Mon Nov 24 13:59:16 UTC 2008 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-af patch-ag patch-ah Log Message: Add fixes for security vulnerabilities reported in CVE-2008-4225 and CVE-2008-4226 from "libxml2" SVN repository. Bump package revision. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.1.2.2 2008/10/12 12:09:10 rtr Exp $ d3 16 a18 35 --- SAX2.c.orig 2008-08-25 10:02:32.000000000 +0100 +++ SAX2.c 2008-11-24 13:25:21.000000000 +0000 @@@@ -11,6 +11,7 @@@@ #include "libxml.h" #include #include +#include #include #include #include @@@@ -26,6 +27,11 @@@@ #include #include +/* Define SIZE_T_MAX unless defined through . 
*/ +#ifndef SIZE_T_MAX +# define SIZE_T_MAX ((size_t)-1) +#endif /* !SIZE_T_MAX */ + /* #define DEBUG_SAX2 */ /* #define DEBUG_SAX2_TREE */ @@@@ -2455,9 +2461,14 @@@@ (xmlDictOwns(ctxt->dict, lastChild->content))) { lastChild->content = xmlStrdup(lastChild->content); } + if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || + (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); + return; + } if (ctxt->nodelen + len >= ctxt->nodemem) { xmlChar *newbuf; - int size; + size_t size; d20 2 a21 2 size = ctxt->nodemem + len; size *= 2; @