head 1.2; access; symbols pkgsrc-2016Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2016.06.22.15.39.09; author drochner; state dead; branches; next 1.1; commitid tM7iRE08pmw3Atbz; 1.1 date 2016.05.17.19.15.01; author drochner; state Exp; branches 1.1.2.1; next ; commitid WLDPkHM3kKUJTR6z; 1.1.2.1 date 2016.05.17.19.15.01; author bsiegert; state dead; branches; next 1.1.2.2; commitid aEoftv3KBty5On7z; 1.1.2.2 date 2016.05.21.19.13.45; author bsiegert; state Exp; branches; next ; commitid aEoftv3KBty5On7z; desc @@ 1.2 log @update to 2.2.0 changes: -security patches which we already had in pkgsrc are integrated -Use more entropy for hash initialization than the original fix to CVE-2012-0876 -Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 @ text @$NetBSD: patch-CVE-2016-0718-1,v 1.1 2016/05/17 19:15:01 drochner Exp $ also fixes issues with the fix for CVE-2015-1283 (part of expat-2.1.1): possible undefined compiler behaviour on signed integer overflows (upstream commit f0bec73b018caa07d3e75ec8dd967f3785d71bde) --- lib/xmlparse.c.orig 2016-03-12 03:21:09.000000000 +0000 +++ lib/xmlparse.c @@@@ -1693,7 +1693,8 @@@@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - int neededSize = len + (int)(bufferEnd - bufferPtr); + /* Do not invoke signed arithmetic overflow: */ + int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); if (neededSize < 0) { errorCode = XML_ERROR_NO_MEMORY; return NULL; @@@@ -1725,7 +1726,8 @@@@ XML_GetBuffer(XML_Parser parser, int len if (bufferSize == 0) bufferSize = INIT_BUFFER_SIZE; do { - bufferSize *= 2; + /* Do not invoke signed arithmetic overflow: */ + bufferSize = (int) (2U * (unsigned) bufferSize); } while (bufferSize < neededSize && bufferSize > 0); if (bufferSize <= 0) { errorCode = XML_ERROR_NO_MEMORY; @@@@ -2426,11 +2428,11 @@@@ doContent(XML_Parser parser, for (;;) { int bufSize; int convLen; - XmlConvert(enc, + const 
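Review bot: In the XML_GetBuffer hunk at -1693, casting the unsigned sum back to `int` when it exceeds INT_MAX is implementation-defined (C11 6.3.1.3p3), so the `neededSize < 0` test only catches the overflow on implementations that wrap — the same class of assumption the patch sets out to remove. Rejecting the value while it is still unsigned makes the check portable, at the cost of needing INT_MAX from `<limits.h>`, which I cannot see being included in this patch. The unsigned addition itself cannot wrap as long as both operands are bounded by INT_MAX, which seems to hold because the buffer is sized by an `int`, but that invariant is not visible in the hunk. XML_GetBuffer's body continues outside the hunk.
```c
  if (len > bufferLim - bufferEnd) {
    /* Add in unsigned so the sum cannot overflow, and reject before
       narrowing so the check does not depend on how (int) treats values
       above INT_MAX (implementation-defined, C11 6.3.1.3). */
    unsigned needed = (unsigned)len + (unsigned)(bufferEnd - bufferPtr);
    int neededSize;
    if (needed > (unsigned)INT_MAX) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    }
    neededSize = (int)needed;
    /* … unchanged: rest of the XML_GetBuffer grow path … */
```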
enum XML_Convert_Result convert_res = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); convLen = (int)(toPtr - (XML_Char *)tag->buf); - if (fromPtr == rawNameEnd) { + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) { tag->name.strLen = convLen; break; } @@@@ -2651,11 +2653,11 @@@@ doContent(XML_Parser parser, if (MUST_CONVERT(enc, s)) { for (;;) { ICHAR *dataPtr = (ICHAR *)dataBuf; - XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); + const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); *eventEndPP = s; charDataHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); - if (s == next) + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) break; *eventPP = s; } @@@@ -3261,11 +3263,11 @@@@ doCdataSection(XML_Parser parser, if (MUST_CONVERT(enc, s)) { for (;;) { ICHAR *dataPtr = (ICHAR *)dataBuf; - XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); + const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); *eventEndPP = next; charDataHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); - if (s == next) + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) break; *eventPP = s; } @@@@ -5342,6 +5344,7 @@@@ reportDefault(XML_Parser parser, const E const char *s, const char *end) { if (MUST_CONVERT(enc, s)) { + enum XML_Convert_Result convert_res; const char **eventPP; const char **eventEndPP; if (enc == encoding) { @@@@ -5354,11 +5357,11 @@@@ reportDefault(XML_Parser parser, const E } do { ICHAR *dataPtr = (ICHAR *)dataBuf; - XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); + convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); *eventEndPP = s; defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); *eventPP = s; - } while (s != end); + } while 
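Review bot: In the doContent hunk at -2426, XML_CONVERT_INPUT_INCOMPLETE is treated exactly like XML_CONVERT_COMPLETED, so a multibyte sequence cut off at `rawNameEnd` ends the loop with the partial bytes silently dropped from the tag name instead of being reported. That is presumably safe because `rawNameEnd` comes from the tokenizer, which I take to have validated the name's encoding already, but nothing in the hunk records that assumption; I would add above the `if`: `/* NOTE: a tokenizer-validated name should never yield INPUT_INCOMPLETE; if it does, the partial tail is dropped rather than reported */`. The enum itself is not defined in this patch (likely a sibling patch or xmltok.h), so which values count as terminal is taken on trust here. doContent's body extends well beyond the hunk.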
((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE)); } else defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s)); @@@@ -6163,8 +6166,8 @@@@ poolAppend(STRING_POOL *pool, const ENCO if (!pool->ptr && !poolGrow(pool)) return NULL; for (;;) { - XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); - if (ptr == end) + const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) break; if (!poolGrow(pool)) return NULL; @@@@ -6248,8 +6251,13 @@@@ poolGrow(STRING_POOL *pool) } } if (pool->blocks && pool->start == pool->blocks->s) { - int blockSize = (int)(pool->end - pool->start)*2; - BLOCK *temp = (BLOCK *) + BLOCK *temp; + int blockSize = (int)((unsigned)(pool->end - pool->start)*2U); + + if (blockSize < 0) + return XML_FALSE; + + temp = (BLOCK *) pool->mem->realloc_fcn(pool->blocks, (offsetof(BLOCK, s) + blockSize * sizeof(XML_Char))); @@@@ -6264,6 +6272,10 @@@@ poolGrow(STRING_POOL *pool) else { BLOCK *tem; int blockSize = (int)(pool->end - pool->start); + + if (blockSize < 0) + return XML_FALSE; + if (blockSize < INIT_BLOCK_SIZE) blockSize = INIT_BLOCK_SIZE; else @ 1.1 log @add patches from upstream to fix possible crashes and memory corruption on malformed input (CVE-2016-0718) Description: The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution. 
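Review bot: In the poolGrow hunk at -6248 the new `blockSize < 0` check only covers the `int` doubling; the allocation size `offsetof(BLOCK, s) + blockSize * sizeof(XML_Char)` is then computed in size_t and can still wrap on a 32-bit build when XML_Char is wider than one byte (blockSize near INT_MAX times 2 or 4), giving a short realloc that later appends write past. Reaching it needs a string pool block of roughly 1 GiB, so practical exposure is low, but the guard is cheap: `if (blockSize < 0 || (size_t)blockSize > ((size_t)-1 - offsetof(BLOCK, s)) / sizeof(XML_Char)) return XML_FALSE;` (using `(size_t)-1` rather than SIZE_MAX avoids depending on `<stdint.h>`, which I cannot see included here). The `(int)` narrowing of the unsigned product is also implementation-defined above INT_MAX, so the `< 0` test itself assumes wrap-around semantics. The realloc result check and the rest of poolGrow are outside the hunk.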
bump PKGREV also add an improvement to the fix for CVE-2015-1283 which was part of the 2.1.1 release -- don't rely on defined behaviour on overflows of signed integer operations, from upstream git: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/ pkgsrc change: add a hint how to run the pkg's selftest (not enabled permanently because this would add a dependency on C++) @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2016-0718-1 was added on branch pkgsrc-2016Q1 on 2016-05-21 19:13:45 +0000 @ text @d1 130 @ 1.1.2.2 log @Pullup ticket #5026 - requested by drochner textproc/expat: security fix Revisions pulled up: - textproc/expat/Makefile 1.32 - textproc/expat/distinfo 1.25 - textproc/expat/patches/patch-CVE-2016-0718-1 1.1 - textproc/expat/patches/patch-CVE-2016-0718-2 1.1 - textproc/expat/patches/patch-CVE-2016-0718-3 1.1 - textproc/expat/patches/patch-CVE-2016-0718-4 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Tue May 17 19:15:01 UTC 2016 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Added Files: pkgsrc/textproc/expat/patches: patch-CVE-2016-0718-1 patch-CVE-2016-0718-2 patch-CVE-2016-0718-3 patch-CVE-2016-0718-4 Log Message: add patches from upstream to fix possible crashes and memory corruption on malformed input (CVE-2016-0718) Description: The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution. 
bump PKGREV also add an improvement to the fix for CVE-2015-1283 which was part of the 2.1.1 release -- don't rely on defined behaviour on overflows of signed integer operations, from upstream git: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/ pkgsrc change: add a hint how to run the pkg's selftest (not enabled permanently because this would add a dependency on C++) @ text @a0 130 $NetBSD$ also fixes issues with the fix for CVE-2015-1283 (part of expat-2.1.1): possible undefined compiler behaviour on signed integer overflows (upstream commit f0bec73b018caa07d3e75ec8dd967f3785d71bde) --- lib/xmlparse.c.orig 2016-03-12 03:21:09.000000000 +0000 +++ lib/xmlparse.c @@@@ -1693,7 +1693,8 @@@@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - int neededSize = len + (int)(bufferEnd - bufferPtr); + /* Do not invoke signed arithmetic overflow: */ + int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); if (neededSize < 0) { errorCode = XML_ERROR_NO_MEMORY; return NULL; @@@@ -1725,7 +1726,8 @@@@ XML_GetBuffer(XML_Parser parser, int len if (bufferSize == 0) bufferSize = INIT_BUFFER_SIZE; do { - bufferSize *= 2; + /* Do not invoke signed arithmetic overflow: */ + bufferSize = (int) (2U * (unsigned) bufferSize); } while (bufferSize < neededSize && bufferSize > 0); if (bufferSize <= 0) { errorCode = XML_ERROR_NO_MEMORY; @@@@ -2426,11 +2428,11 @@@@ doContent(XML_Parser parser, for (;;) { int bufSize; int convLen; - XmlConvert(enc, + const enum XML_Convert_Result convert_res = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); convLen = (int)(toPtr - (XML_Char *)tag->buf); - if (fromPtr == rawNameEnd) { + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) { tag->name.strLen = convLen; break; } @@@@ -2651,11 +2653,11 @@@@ doContent(XML_Parser parser, if (MUST_CONVERT(enc, s)) { for (;;) { ICHAR *dataPtr = (ICHAR 
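Review bot: In the XML_GetBuffer hunk at -1725 the doubling no longer overflows a signed int, but the `(int)` narrowing of a product above INT_MAX is implementation-defined (C11 6.3.1.3p3), so the `bufferSize > 0` loop guard and the `bufferSize <= 0` error exit still rely on wrap-around to detect the overflow. Testing before the doubling removes that dependency: `if (bufferSize > INT_MAX / 2) { errorCode = XML_ERROR_NO_MEMORY; return NULL; }` as the first statement of the `do` body, after which a plain `bufferSize *= 2;` is safe and the `&& bufferSize > 0` term is no longer needed. INT_MAX requires `<limits.h>`; whether xmlparse.c already includes it is not visible in this patch. XML_GetBuffer continues outside the hunk.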
*)dataBuf; - XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); + const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); *eventEndPP = s; charDataHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); - if (s == next) + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) break; *eventPP = s; } @@@@ -3261,11 +3263,11 @@@@ doCdataSection(XML_Parser parser, if (MUST_CONVERT(enc, s)) { for (;;) { ICHAR *dataPtr = (ICHAR *)dataBuf; - XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); + const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); *eventEndPP = next; charDataHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); - if (s == next) + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) break; *eventPP = s; } @@@@ -5342,6 +5344,7 @@@@ reportDefault(XML_Parser parser, const E const char *s, const char *end) { if (MUST_CONVERT(enc, s)) { + enum XML_Convert_Result convert_res; const char **eventPP; const char **eventEndPP; if (enc == encoding) { @@@@ -5354,11 +5357,11 @@@@ reportDefault(XML_Parser parser, const E } do { ICHAR *dataPtr = (ICHAR *)dataBuf; - XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); + convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); *eventEndPP = s; defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); *eventPP = s; - } while (s != end); + } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE)); } else defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s)); @@@@ -6163,8 +6166,8 @@@@ poolAppend(STRING_POOL *pool, const ENCO if (!pool->ptr && !poolGrow(pool)) return NULL; for (;;) { - XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); - if (ptr == end) + const enum XML_Convert_Result convert_res = 
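Review bot: In the doContent hunk at -2651 the loop used to stop on pointer progress (`s == next`) and now stops on the result code, so termination rests on XmlConvert consuming at least one input character every time it reports neither COMPLETED nor INPUT_INCOMPLETE; if `dataBuf` could ever be too small for a single converted character, this would loop forever invoking charDataHandler with zero-length data. The size of `dataBuf` is not visible in this patch, so I cannot rule that out from here; a comment above the `for (;;)` would pin the invariant: `/* Terminates because XmlConvert consumes at least one character whenever dataBuf has room for one; dataBuf must hold >= 1 XML_Char */`. Note also that a partial trailing sequence (INPUT_INCOMPLETE) is silently dropped here rather than surfaced as a partial-character error, presumably unreachable for a tokenizer-bounded span. doContent's body continues outside the hunk.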
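Review bot: In the reportDefault hunk at -5354 the "conversion finished" test — COMPLETED or INPUT_INCOMPLETE — is written out as a two-way comparison, the fifth copy of the same expression in this patch, and here it is negated for the do/while, which is easy to get wrong if another XML_CONVERT_* value is ever added (any unlisted value silently means "retry"). A small helper keeps the classification in one place: `static int convertDone(enum XML_Convert_Result r) { return r == XML_CONVERT_COMPLETED || r == XML_CONVERT_INPUT_INCOMPLETE; }` with the loop ending in `} while (!convertDone(convert_res));`. The `convert_res` declared at -5342 is left uninitialised, which is only correct because the do-body assigns it before the condition is evaluated; a one-line comment on the declaration would make that intent explicit. reportDefault's setup code between the two hunks is not shown.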
XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) break; if (!poolGrow(pool)) return NULL; @@@@ -6248,8 +6251,13 @@@@ poolGrow(STRING_POOL *pool) } } if (pool->blocks && pool->start == pool->blocks->s) { - int blockSize = (int)(pool->end - pool->start)*2; - BLOCK *temp = (BLOCK *) + BLOCK *temp; + int blockSize = (int)((unsigned)(pool->end - pool->start)*2U); + + if (blockSize < 0) + return XML_FALSE; + + temp = (BLOCK *) pool->mem->realloc_fcn(pool->blocks, (offsetof(BLOCK, s) + blockSize * sizeof(XML_Char))); @@@@ -6264,6 +6272,10 @@@@ poolGrow(STRING_POOL *pool) else { BLOCK *tem; int blockSize = (int)(pool->end - pool->start); + + if (blockSize < 0) + return XML_FALSE; + if (blockSize < INIT_BLOCK_SIZE) blockSize = INIT_BLOCK_SIZE; else @
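Review bot: In the poolGrow hunk at -6264 the new `blockSize < 0` check catches a pointer difference that narrowed to a negative int, but on an LP64 host a difference of 2^31 or more can equally narrow to a small positive value and slip through; comparing the ptrdiff_t before narrowing is what actually enforces the bound: `ptrdiff_t span = pool->end - pool->start; if (span < 0 || span > INT_MAX) return XML_FALSE; blockSize = (int)span;` (with `blockSize` declared separately to stay C89-clean, and INT_MAX from `<limits.h>`). Whether a pool block can grow that large is not decidable from this hunk; if blocks are always int-sized the truncation cannot occur and a comment stating that would suffice. The `else` branch that follows, where the doubling and presumably its overflow check live, is outside the hunk.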