Fix for CVE-2008-4225 - possible infinite loop. Fix for CVE-2008-4226 - possible integer overflow leading to memory corruption and potential arbitrary code execution with huge XML files. Bug 245960

(Portage version: 2.2_rc14/cvs/Linux 2.6.27-gentoo-r2 x86_64)
author: Mart Raudsepp <leio@gentoo.org> 2008-11-18 01:23:39 +0000
committer: Mart Raudsepp <leio@gentoo.org> 2008-11-18 01:23:39 +0000
commit: b69841e7b837370a453af4ea39e545466b360b14 (patch)
tree: 59542e1496c1797921f292688c6f4a5d6aa32440 /dev-libs/libxml2
parent: Version bump (diff)
download: gentoo-2-b69841e7b837370a453af4ea39e545466b360b14.tar.gz
gentoo-2-b69841e7b837370a453af4ea39e545466b360b14.tar.bz2
gentoo-2-b69841e7b837370a453af4ea39e545466b360b14.zip
3 files changed, 233 insertions, 1 deletions
diff --git a/dev-libs/libxml2/ChangeLog b/dev-libs/libxml2/ChangeLog
index 1e444d989ee4..d32eba94ce75 100644
--- a/dev-libs/libxml2/ChangeLog
+++ b/dev-libs/libxml2/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for dev-libs/libxml2
 # Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/libxml2/ChangeLog,v 1.235 2008/11/13 18:55:33 ranger Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/libxml2/ChangeLog,v 1.236 2008/11/18 01:23:38 leio Exp $
+
+*libxml2-2.7.2-r1 (18 Nov 2008)
+
+  18 Nov 2008; Mart Raudsepp <leio@gentoo.org>
+  +files/libxml2-2.7.2-CVE-2008-422x.patch, +libxml2-2.7.2-r1.ebuild:
+  Fix for CVE-2008-4225 - possible infinite loop. Fix for CVE-2008-4226 -
+  possible integer overflow leading to memory corruption and potential
+  arbitrary code execution with huge XML files. Bug 245960
 
   13 Nov 2008; Brent Baude <ranger@gentoo.org> libxml2-2.6.32.ebuild:
   Marking libxml2-2.6.32 ppc64 stable for bug 236971
diff --git a/dev-libs/libxml2/files/libxml2-2.7.2-CVE-2008-422x.patch b/dev-libs/libxml2/files/libxml2-2.7.2-CVE-2008-422x.patch
new file mode 100644
index 000000000000..cbfbc9ea87e3
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.7.2-CVE-2008-422x.patch
@@ -0,0 +1,100 @@
+Mon Nov 17 16:56:18 CET 2008 Daniel Veillard <daniel@...> (upstream revision 3803)
+
+	* SAX2.c parser.c: fix for CVE-2008-4226, a memory overflow
+	  when building gigantic text nodes, and a bit of cleanup
+	  to better handled out of memory problem in that code.
+	* tree.c: fix for CVE-2008-4225, lack of testing leads to
+	  a busy loop test assuming one have enough core memory.
+
+Index: SAX2.c
+===================================================================
+--- SAX2.c	(revision 3802)
++++ SAX2.c	(revision 3803)
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+ 
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX     ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+ 
+@@ -2455,9 +2461,14 @@
+ 	               (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ 		lastChild->content = xmlStrdup(lastChild->content);
+ 	    }
++	    if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || 
++	        (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++	            xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
++	            return;
++	    }
+ 	    if (ctxt->nodelen + len >= ctxt->nodemem) {
+ 		xmlChar *newbuf;
+-		int size;
++		size_t size;
+ 
+ 		size = ctxt->nodemem + len;
+ 		size *= 2;
+Index: tree.c
+===================================================================
+--- tree.c	(revision 3802)
++++ tree.c	(revision 3803)
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+ 
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6996,7 +6996,13 @@
+ 	case XML_BUFFER_ALLOC_DOUBLEIT:
+ 	    /*take care of empty case*/
+ 	    newSize = (buf->size ? buf->size*2 : size + 10);
+-	    while (size > newSize) newSize *= 2;
++	    while (size > newSize) {
++	        if (newSize > UINT_MAX / 2) {
++	            xmlTreeErrMemory("growing buffer");
++	            return 0;
++	        }
++	        newSize *= 2;
++	    }
+ 	    break;
+ 	case XML_BUFFER_ALLOC_EXACT:
+ 	    newSize = size+10;
+Index: parser.c
+===================================================================
+--- parser.c	(revision 3802)
++++ parser.c	(revision 3803)
+@@ -4142,6 +4142,9 @@
+                     line = ctxt->input->line;
+                     col = ctxt->input->col;
+ 		}
++                /* something really bad happened in the SAX callback */
++                if (ctxt->instate != XML_PARSER_CONTENT)
++                    return;
+ 	    }
+ 	    ctxt->input->cur = in;
+ 	    if (*in == 0xD) {
+@@ -4222,6 +4225,9 @@
+ 		}
+ 	    }
+ 	    nbchar = 0;
++            /* something really bad happened in the SAX callback */
++            if (ctxt->instate != XML_PARSER_CONTENT)
++                return;
+ 	}
+ 	count++;
+ 	if (count > 50) {
diff --git a/dev-libs/libxml2/libxml2-2.7.2-r1.ebuild b/dev-libs/libxml2/libxml2-2.7.2-r1.ebuild
new file mode 100644
index 000000000000..95f0ae3d538f
--- /dev/null
+++ b/dev-libs/libxml2/libxml2-2.7.2-r1.ebuild
@@ -0,0 +1,124 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/libxml2/libxml2-2.7.2-r1.ebuild,v 1.1 2008/11/18 01:23:38 leio Exp $
+
+inherit libtool flag-o-matic eutils
+
+DESCRIPTION="Version 2 of the library to manipulate XML files"
+HOMEPAGE="http://www.xmlsoft.org/"
+
+LICENSE="MIT"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="bootstrap build debug doc examples ipv6 python readline test"
+
+XSTS_HOME="http://www.w3.org/XML/2004/xml-schema-test-suite"
+XSTS_NAME_1="xmlschema2002-01-16"
+XSTS_NAME_2="xmlschema2004-01-14"
+XSTS_TARBALL_1="xsts-2002-01-16.tar.gz"
+XSTS_TARBALL_2="xsts-2004-01-14.tar.gz"
+
+SRC_URI="ftp://xmlsoft.org/${PN}/${P}.tar.gz
+	test? (
+		${XSTS_HOME}/${XSTS_NAME_1}/${XSTS_TARBALL_1}
+		${XSTS_HOME}/${XSTS_NAME_2}/${XSTS_TARBALL_2} )"
+
+RDEPEND="sys-libs/zlib
+	python?   ( dev-lang/python )
+	readline? ( sys-libs/readline )"
+
+DEPEND="${RDEPEND}
+	hppa? ( >=sys-devel/binutils-2.15.92.0.2 )"
+
+src_unpack() {
+	unpack ${P}.tar.gz
+	cd "${S}"
+
+	# Fix for CVE-2008-4225 and CVE-2008-4226, bug 245960
+	epatch "${FILESDIR}/${P}-CVE-2008-422x.patch"
+
+	if use test; then
+		cp "${DISTDIR}/${XSTS_TARBALL_1}" \
+			"${DISTDIR}/${XSTS_TARBALL_2}" \
+			"${S}"/xstc/ \
+			|| die "Failed to install test tarballs"
+	fi
+
+	epunt_cxx
+}
+
+src_compile() {
+	# USE zlib support breaks gnome2
+	# (libgnomeprint for instance fails to compile with
+	# fresh install, and existing) - <azarah@gentoo.org> (22 Dec 2002).
+
+	# The meaning of the 'debug' USE flag does not apply to the --with-debug
+	# switch (enabling the libxml2 debug module). See bug #100898.
+
+	# --with-mem-debug causes unusual segmentation faults (bug #105120).
+
+	local myconf="--with-zlib \
+		$(use_with debug run-debug)  \
+		$(use_with python)           \
+		$(use_with readline)         \
+		$(use_with readline history) \
+		$(use_enable ipv6)"
+
+	# Please do not remove, as else we get references to PORTAGE_TMPDIR
+	# in /usr/lib/python?.?/site-packages/libxml2mod.la among things.
+	elibtoolize
+
+	# filter seemingly problematic CFLAGS (#26320)
+	filter-flags -fprefetch-loop-arrays -funroll-loops
+
+	econf $myconf || die "Configuration failed"
+
+	# Patching the Makefiles to respect get_libdir
+	# Fixes BUG #86766, please keep this.
+	# Danny van Dyk <kugelfang@gentoo.org> 2005/03/26
+	for x in $(find "${S}" -name "Makefile") ; do
+		sed \
+			-e "s|^\(PYTHON_SITE_PACKAGES\ =\ \/usr\/\).*\(\/python.*\)|\1$(get_libdir)\2|g" \
+			-i ${x} \
+			|| die "sed failed"
+	done
+
+	emake || die "Compilation failed"
+}
+
+src_install() {
+	emake DESTDIR="${D}" install || die "Installation failed"
+
+	dodoc AUTHORS ChangeLog Copyright NEWS README* TODO*
+
+	if ! use doc; then
+		rm -rf "${D}"/usr/share/gtk-doc
+		rm -rf "${D}"/usr/share/doc/${P}/html
+	fi
+
+	if ! use examples; then
+		rm -rf "${D}/usr/share/doc/${P}/examples"
+		rm -rf "${D}/usr/share/doc/${PN}-python-${PV}/examples"
+	fi
+}
+
+pkg_postinst() {
+	# We don't want to do the xmlcatalog during stage1, as xmlcatalog will not
+	# be in / and stage1 builds to ROOT=/tmp/stage1root. This fixes bug #208887.
+	if [[ "${ROOT}" != "/" ]]
+	then
+		elog "Skipping XML catalog creation for stage building (bug #208887)."
+	else
+		# need an XML catalog, so no-one writes to a non-existent one
+		CATALOG="${ROOT}etc/xml/catalog"
+
+		# we dont want to clobber an existing catalog though,
+		# only ensure that one is there
+		# <obz@gentoo.org>
+		if [ ! -e ${CATALOG} ]; then
+			[ -d "${ROOT}etc/xml" ] || mkdir -p "${ROOT}etc/xml"
+			/usr/bin/xmlcatalog --create > ${CATALOG}
+			einfo "Created XML catalog in ${CATALOG}"
+		fi
+	fi
+}
author	Mart Raudsepp <leio@gentoo.org>	2008-11-18 01:23:39 +0000
committer	Mart Raudsepp <leio@gentoo.org>	2008-11-18 01:23:39 +0000
commit	b69841e7b837370a453af4ea39e545466b360b14 (patch)
tree	59542e1496c1797921f292688c6f4a5d6aa32440 /dev-libs/libxml2
parent	Version bump (diff)
download	gentoo-2-b69841e7b837370a453af4ea39e545466b360b14.tar.gz gentoo-2-b69841e7b837370a453af4ea39e545466b360b14.tar.bz2 gentoo-2-b69841e7b837370a453af4ea39e545466b360b14.zip