Date: Thu, 20 Aug 2009 08:20:49 +0900 (JST) From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> To: FreeBSD-gnats-submit@FreeBSD.org Cc: turutani@scphys.kyoto-u.ac.jp Subject: ports/137980: fix for textprox/libxml2 Message-ID: <200908192320.n7JNKnZO081982@h120.65.226.10.32118.vlan.kuins.net> Resent-Message-ID: <200908192330.n7JNU5Q8062525@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 137980 >Category: ports >Synopsis: fix for textprox/libxml2 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Aug 19 23:30:04 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Tsurutani Naoki >Release: FreeBSD 7.2-STABLE i386 >Organization: >Environment: System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.2-STABLE FreeBSD 7.2-STABLE #19: Sun Jun 21 20:36:09 JST 2009 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386 >Description: CVE-2009-2414, CVE-2009-2416 are issued. some fixes are required to textproc/libxml2. >How-To-Repeat: >Fix: here is a patch, taken from Debian: --- parser.c.orig +++ parser.c @@ -5306,7 +5306,8 @@ if (name == NULL) { xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, "Name expected in NOTATION declaration\n"); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } tmp = ret; while (tmp != NULL) { @@ -5322,7 +5323,10 @@ } if (tmp == NULL) { cur = xmlCreateEnumeration(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5334,8 +5338,8 @@ if (RAW != ')') { xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); if ((last != NULL) && (last != ret)) - xmlFreeEnumeration(last); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; return(ret); @@ -5390,7 +5394,10 @@ cur = xmlCreateEnumeration(name); if (!xmlDictOwns(ctxt->dict, name)) xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL){ + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5794,6 +5801,11 @@ const xmlChar *elem; xmlChar type = 0; + if (ctxt->depth > 128) { + xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, "xmlParseElementChildrenContentDecl : depth %d too deep\n", ctxt->depth); + return(NULL); + } + SKIP_BLANKS; GROW; if (RAW == '(') { @@ -5802,7 +5814,9 @@ /* Recurse on first child */ NEXT; SKIP_BLANKS; + ctxt->depth++; cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); + ctxt->depth--; SKIP_BLANKS; GROW; } else { @@ -5934,7 +5948,9 @@ /* Recurse on second child */ NEXT; SKIP_BLANKS; + ctxt->depth++; last = xmlParseElementChildrenContentDecl(ctxt, inputid); + ctxt->depth--; SKIP_BLANKS; } else { elem = xmlParseName(ctxt); >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908192320.n7JNKnZO081982>