From owner-svn-src-releng@freebsd.org Tue Aug 18 19:30:38 2015 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4D4959BCBCF; Tue, 18 Aug 2015 19:30:38 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3CC0D1E79; Tue, 18 Aug 2015 19:30:38 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7IJUcLW089596; Tue, 18 Aug 2015 19:30:38 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7IJUagT089590; Tue, 18 Aug 2015 19:30:36 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201508181930.t7IJUagT089590@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 18 Aug 2015 19:30:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r286902 - in releng: 10.1 10.1/contrib/expat/lib 10.1/sys/conf 9.3 9.3/contrib/expat/lib 9.3/sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Aug 2015 19:30:38 -0000 Author: delphij Date: Tue Aug 18 19:30:35 2015 New Revision: 286902 URL: https://svnweb.freebsd.org/changeset/base/286902 Log: Fix multiple integer overflows in expat. Security: CVE-2015-1283 Security: FreeBSD-SA-15:20.expat Approved by: so Modified: releng/10.1/UPDATING releng/10.1/contrib/expat/lib/xmlparse.c releng/10.1/sys/conf/newvers.sh releng/9.3/UPDATING releng/9.3/contrib/expat/lib/xmlparse.c releng/9.3/sys/conf/newvers.sh Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/UPDATING Tue Aug 18 19:30:35 2015 (r286902) @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150818: p1 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p17 FreeBSD-SA-15:18.bsdpatch FreeBSD-SA-15:19.routed Modified: releng/10.1/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/10.1/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:35 2015 (r286902) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/sys/conf/newvers.sh Tue Aug 18 19:30:35 2015 (r286902) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p17" +BRANCH="RELEASE-p18" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/UPDATING Tue Aug 18 19:30:35 2015 (r286902) @@ -11,6 +11,11 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20150818: p23 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p22 FreeBSD-SA-15:19.routed Fix routed remote denial of service vulnerability. Modified: releng/9.3/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/9.3/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:35 2015 (r286902) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/sys/conf/newvers.sh Tue Aug 18 19:30:35 2015 (r286902) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p22" +BRANCH="RELEASE-p23" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi