head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2013Q1:1.1.0.4 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2013.05.26.09.22.14; author adam; state dead; branches; next 1.1; commitid ibcHMEBYnQfAA7Rw; 1.1 date 2013.03.08.23.59.31; author tez; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2013.03.08.23.59.31; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2013.03.17.11.22.03; author tron; state Exp; branches; next ; desc @@ 1.2 log @Changes 2.9.1: Features: Support for Python3, Add xmlXPathSetContextNode and xmlXPathNodeEval Documentation: Add documentation for xmllint --xpath Fix the URL of the SAX documentation from James Fix spelling of "length" Portability: Fix python bindings with versions older than 2.7 rebuild docs:Makefile.am elfgcchack.h after rebuild in doc elfgcchack for buf module Fix a uneeded and wrong extra link parameter Few cleanup patches for Windows Fix rpmbuild --nocheck Fix for win32/configure.js and WITH_THREAD_ALLOC Fix Broken multi-arch support in xml2-config Fix a portability issue for GCC < 3.4.0 Windows build fixes Fix a thread portability problem Downgrade autoconf requirement to 2.63 Bug Fixes: Fix a linking error for python bindings Fix a couple of return without value Improve the hashing functions Improve handling of xmlStopParser() Remove risk of lockup in dictionary initialization Activate detection of encoding in external subset Fix an output buffer flushing conversion bug Fix an old bug in xmlSchemaValidateOneElement Fix configure cannot remove messages fix schema validation in combination with xsi:nil xmlCtxtReadFile doesn't work with literal IPv6 URLs Fix a few problems with setEntityLoader Detect excessive entities expansion upon replacement Fix the flushing out of raw buffers on encoding conversions Fix some buffer conversion issues When calling xmlNodeDump make sure we grow the buffer quickly Fix an error in the progressive DTD parsing code 
xmllint should not load DTD by default when using the reader Try IBM-037 when looking for EBCDIC handlers Fix potential out of bound access Fix large parse of file from memory Fix a bug in the nsclean option of the parser Fix a regression in 2.9.0 breaking validation while streaming Remove potential calls to exit() Improvements: Regenerated API, and testapi, rebuild documentation Fix tree iterators broken by 2to3 script update all tests for Python3 and Python2 A few more fixes for python 3 affecting libxml2.py Fix compilation on Python3 Converting apibuild.py to python3 First pass at starting porting to python3 updated configure.in for python3 Add support for xpathRegisterVariable in Python Added a regression tests from bug 694228 data Cache presence of '<' in entities content Avoid extra processing on entities Python binding for xmlRegisterInputCallback Python bindings: DOM casts everything to xmlNode Define LIBXML_THREAD_ALLOC_ENABLED via xmlversion.h Adding streaming validation to runtest checks Add a --pushsmall option to xmllint Cleanups: Switched comment in file to UTF-8 encoding Extend gitignore Silent the new python test on input Cleanup of a duplicate test Cleanup on duplicate test expressions Fix compiler warning after 153cf15905cf4ec080612ada6703757d10caba1e Spec cleanups and a fix for multiarch support Silence a clang warning Cleanup the Copyright to be pure MIT Licence wording rand_seed should be static in dict.c Fix typos in parser comments @ text @$NetBSD: patch-CVE-2013-0338-CVE-2013-0339,v 1.1 2013/03/08 23:59:31 tez Exp $ Fix for CVE-2013-0338 & CVE-2013-0339 From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 
From: Daniel Veillard Date: Tue, 19 Feb 2013 02:21:49 +0000 Subject: Detect excessive entities expansion upon replacement If entities expansion in the XML parser is asked for, it is possble to craft relatively small input document leading to excessive on-the-fly content generation. This patch accounts for those replacement and stop parsing after a given threshold. it can be bypassed as usual with the HUGE parser option. --- include/libxml/parser.h +++ include/libxml/parser.h @@@@ -310,6 +310,7 @@@@ struct _xmlParserCtxt { xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */ int input_id; /* we need to label inputs */ + unsigned long sizeentcopy; /* volume of entity copy */ }; /** --- parser.c +++ parser.c @@@@ -122,7 +122,7 @@@@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, */ static int xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - xmlEntityPtr ent) + xmlEntityPtr ent, size_t replacement) { size_t consumed = 0; @@@@ -130,7 +130,24 @@@@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); - if (size != 0) { + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); + + /* + * If the volume of entity copy reaches 10 times the + * amount of parsed data and over the large text threshold + * then that's very likely to be an abuse. 
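Review bot: The new `sizeentcopy` field appended to `struct _xmlParserCtxt` is declared `unsigned long`, but it is passed to `xmlParserEntityCheck` as `size_t replacement` and accumulated from `ent->length` in the xmlParseReference hunks, so three integer types meet in one counter; declaring it `size_t` (or noting in the field comment why `unsigned long` was chosen) would keep the later comparison against `XML_PARSER_NON_LINEAR * consumed` free of implicit conversions. Because `_xmlParserCtxt` lives in a public header, appending the field also changes the struct size for any consumer that allocates the context itself rather than through the library; if that matters for the package's dependants it deserves a line in the patch header. The same patch text is repeated below as the 1.1.2.2 revision text, and these notes apply to that copy as well.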
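Review bot: The comment block ending just above the changed signature of `xmlParserEntityCheck` (only its closing `*/` is in the hunk) is not updated for the new `replacement` parameter, whose meaning — 0 selects the existing size/entity based checks, otherwise it is the cumulated volume of copied entity content — can only be recovered from the callers. A parameter line such as ` * @replacement: cumulated size of entity content copied so far, or 0 to fall back to the size/ent based checks` would make the contract visible at the definition. The function body continues in the following hunks.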
+ */ + if (ctxt->input != NULL) { + consumed = ctxt->input->consumed + + (ctxt->input->cur - ctxt->input->base); + } + consumed += ctxt->sizeentities; + + if (replacement < XML_PARSER_NON_LINEAR * consumed) + return(0); + } else if (size != 0) { /* * Do the check based on the replacement size of the entity */ @@@@ -176,7 +193,6 @@@@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, */ return (0); } - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return (1); } @@@@ -2743,7 +2759,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@@@ -2785,7 +2801,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@@@ -7203,7 +7219,7 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) { xmlFreeNodeList(list); return; } - if (xmlParserEntityCheck(ctxt, 0, ent)) { + if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { xmlFreeNodeList(list); return; } @@@@ -7361,6 +7377,13 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) { xmlNodePtr nw = NULL, cur, firstChild = NULL; /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + + /* * when operating on a reader, the entities definitions * are always owning the entities subtree. 
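Review bot: `XML_PARSER_NON_LINEAR * consumed` in the new `replacement != 0` branch is an unchecked multiplication on a `size_t`; on a 32-bit build a large `consumed` (input offset plus `ctxt->sizeentities`) can wrap and make the product small, so a legitimate document would be rejected as abusive. Guarding the multiply, e.g. `if (consumed > (size_t)-1 / XML_PARSER_NON_LINEAR || replacement < XML_PARSER_NON_LINEAR * consumed) return(0);`, keeps the intended ten-times ratio and errs toward accepting when the product cannot be represented. Note also that the `replacement` branch bypasses the `size`/`ent` based checks for that call; this looks intended since the xmlParseReference callers pass `size` as 0, but a one-line comment saying so would prevent a later reader from "fixing" it. The function continues past the hunk.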
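Review bot: Removing `xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL)` before the final `return (1)` makes every abort decided by `xmlParserEntityCheck` silent unless the caller reports it, and the new xmlParseReference callers in the later hunks just `return;`, so a document whose expansion is cut off may come back with a truncated tree and no error recorded on the context. It also disables the latch visible at the top of the function, `if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1);`, which only fires if that error was actually raised, so subsequent references will re-run the full check instead of failing fast. If the goal is to distinguish the copy-volume case from a real entity loop, raising a dedicated error at this point is preferable to dropping the report altogether; otherwise keeping `xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);` before `return (1);` preserves the existing contract.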
if (ctxt->parseMode == XML_PARSE_READER) @@@@ -7400,6 +7423,14 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) { } else if ((list == NULL) || (ctxt->inputNr > 0)) { xmlNodePtr nw = NULL, cur, next, last, firstChild = NULL; + + /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + /* * Copy the entity child list and make it the new * entity child list. The goal is to make sure any @@@@ -14767,6 +14798,7 @@@@ xmlCtxtReset(xmlParserCtxtPtr ctxt) ctxt->catalogs = NULL; ctxt->nbentities = 0; ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; xmlInitNodeInfoSeq(&ctxt->node_seq); if (ctxt->attsDefault != NULL) { --- parserInternals.c +++ parserInternals.c @@@@ -1719,6 +1719,8 @@@@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt) ctxt->charset = XML_CHAR_ENCODING_UTF8; ctxt->catalogs = NULL; ctxt->nbentities = 0; + ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; ctxt->input_id = 1; xmlInitNodeInfoSeq(&ctxt->node_seq); return(0); @ 1.1 log @Fix for CVE-2013-0338 & CVE-2013-0339 from https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2013-0338-CVE-2013-0339 was added on branch pkgsrc-2012Q4 on 2013-03-17 11:22:03 +0000 @ text @d1 151 @ 1.1.2.2 log @Pullup ticket #4101 - requested by tez textproc/libxml2: security patch Revisions pulled up: - textproc/libxml2/Makefile 1.123 - textproc/libxml2/distinfo 1.98 - textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339 1.1 --- Module Name: pkgsrc Committed By: tez Date: Fri Mar 8 23:59:31 UTC 2013 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/ patches: patch-CVE-2013-0338-CVE-2013-0339 Log Message: Fix for CVE-2013-0338 & CVE-2013-0339 from https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab bump PKGREVISION @ text @a0 151 
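Review bot: In the two new blocks in `xmlParseReference` (this hunk and the one at `@@ -7400`), the bare `return;` after a failed `xmlParserEntityCheck` leaves whatever is held at that point (`list`, the freshly declared node pointers) to the surrounding code, whereas the earlier hunk at `@@ -7203` in the same function frees `list` before returning; it is worth confirming that `list` is already owned by the entity on these paths and not leaked. A comment such as `/* list is owned by ent at this point; nothing to free on abort */` next to each `return;` would record that. `ctxt->sizeentcopy += ent->length` also adds an entity length into an unsigned counter before the check, so if `ent->length` can be unset or negative for any entity kind reaching this path the counter would wrap; presumably it is always populated here, but that should be confirmed. The enclosing function starts and ends outside the hunk.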
$NetBSD$ Fix for CVE-2013-0338 & CVE-2013-0339 From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 
From: Daniel Veillard Date: Tue, 19 Feb 2013 02:21:49 +0000 Subject: Detect excessive entities expansion upon replacement If entities expansion in the XML parser is asked for, it is possble to craft relatively small input document leading to excessive on-the-fly content generation. This patch accounts for those replacement and stop parsing after a given threshold. it can be bypassed as usual with the HUGE parser option. --- include/libxml/parser.h +++ include/libxml/parser.h @@@@ -310,6 +310,7 @@@@ struct _xmlParserCtxt { xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */ int input_id; /* we need to label inputs */ + unsigned long sizeentcopy; /* volume of entity copy */ }; /** --- parser.c +++ parser.c @@@@ -122,7 +122,7 @@@@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, */ static int xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - xmlEntityPtr ent) + xmlEntityPtr ent, size_t replacement) { size_t consumed = 0; @@@@ -130,7 +130,24 @@@@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); - if (size != 0) { + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); + + /* + * If the volume of entity copy reaches 10 times the + * amount of parsed data and over the large text threshold + * then that's very likely to be an abuse. 
+ */ + if (ctxt->input != NULL) { + consumed = ctxt->input->consumed + + (ctxt->input->cur - ctxt->input->base); + } + consumed += ctxt->sizeentities; + + if (replacement < XML_PARSER_NON_LINEAR * consumed) + return(0); + } else if (size != 0) { /* * Do the check based on the replacement size of the entity */ @@@@ -176,7 +193,6 @@@@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, */ return (0); } - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return (1); } @@@@ -2743,7 +2759,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@@@ -2785,7 +2801,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@@@ -7203,7 +7219,7 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) { xmlFreeNodeList(list); return; } - if (xmlParserEntityCheck(ctxt, 0, ent)) { + if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { xmlFreeNodeList(list); return; } @@@@ -7361,6 +7377,13 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) { xmlNodePtr nw = NULL, cur, firstChild = NULL; /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + + /* * when operating on a reader, the entities definitions * are always owning the entities subtree. 
if (ctxt->parseMode == XML_PARSE_READER) @@@@ -7400,6 +7423,14 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) { } else if ((list == NULL) || (ctxt->inputNr > 0)) { xmlNodePtr nw = NULL, cur, next, last, firstChild = NULL; + + /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + /* * Copy the entity child list and make it the new * entity child list. The goal is to make sure any @@@@ -14767,6 +14798,7 @@@@ xmlCtxtReset(xmlParserCtxtPtr ctxt) ctxt->catalogs = NULL; ctxt->nbentities = 0; ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; xmlInitNodeInfoSeq(&ctxt->node_seq); if (ctxt->attsDefault != NULL) { --- parserInternals.c +++ parserInternals.c @@@@ -1719,6 +1719,8 @@@@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt) ctxt->charset = XML_CHAR_ENCODING_UTF8; ctxt->catalogs = NULL; ctxt->nbentities = 0; + ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; ctxt->input_id = 1; xmlInitNodeInfoSeq(&ctxt->node_seq); return(0); @