libxml2: security bump to version 2.9.3

From dd6125f4b58fe7bc270e51bc3fcf41cd228d22fc Mon Sep 17 00:00:00 2001

From: Samuel Martin <s.martin49@gmail.com>

Date: Mon, 29 Dec 2014 20:40:18 +0100

Subject: [PATCH] libxml2-config.cmake.in: update include directories

Align the include directories on those from the pkg-config module.

Signed-off-by: Samuel Martin <s.martin49@gmail.com>

---

 libxml2-config.cmake.in | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libxml2-config.cmake.in b/libxml2-config.cmake.in

index ac29329..6b16fc2 100644

--- a/libxml2-config.cmake.in

+++ b/libxml2-config.cmake.in

@@ -21,7 +21,7 @@ set(LIBXML2_VERSION_MINOR  @LIBXML_MINOR_VERSION@)

 set(LIBXML2_VERSION_MICRO  @LIBXML_MICRO_VERSION@)

 set(LIBXML2_VERSION_STRING "@VERSION@")

 set(LIBXML2_INSTALL_PREFIX ${_libxml2_rootdir})

-set(LIBXML2_INCLUDE_DIRS   ${_libxml2_rootdir}/include)

+set(LIBXML2_INCLUDE_DIRS   ${_libxml2_rootdir}/include ${_libxml2_rootdir}/include/libxml2)

 set(LIBXML2_LIBRARY_DIR    ${_libxml2_rootdir}/lib)

 set(LIBXML2_LIBRARIES      -L${LIBXML2_LIBRARY_DIR} -lxml2)

-- 

2.2.1

Fix musl compile

Downloaded from upstream commit

https://git.gnome.org/browse/libxml2/commit/?id=fff8a6b87e05200a0ad0af6f86c2e859c7de9172

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

---

From fff8a6b87e05200a0ad0af6f86c2e859c7de9172 Mon Sep 17 00:00:00 2001

From: Michael Heimpold <mhei@heimpold.de>

Date: Mon, 22 Dec 2014 11:12:12 +0800

Subject: threads: use forward declarations only for glibc

Fixes bug #704908

The declarations of pthread functions, used to generate weak references

to them, fail to suppress macros. Thus, if any pthread function has

been provided as a macro, compiling threads.c will fail.

This breaks on musl libc, which defines pthread_equal as a macro (in

addition to providing the function, as required).

Prevent the declarations for e.g. musl libc by refining the condition.

The idea for this solution was borrowed from the alpine linux guys, see

http://git.alpinelinux.org/cgit/aports/tree/main/libxml2/libxml2-pthread.patch

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

diff --git a/threads.c b/threads.c

index 8921204..78006a2 100644

--- a/threads.c

+++ b/threads.c

@@ -47,7 +47,7 @@

 #ifdef HAVE_PTHREAD_H

 static int libxml_is_threaded = -1;

-#ifdef __GNUC__

+#if defined(__GNUC__) && defined(__GLIBC__)

 #ifdef linux

 #if (__GNUC__ == 3 && __GNUC_MINOR__ >= 3) || (__GNUC__ > 3)

 extern int pthread_once (pthread_once_t *__once_control,

@@ -89,7 +89,7 @@ extern int pthread_cond_signal ()

 	   __attribute((weak));

 #endif

 #endif /* linux */

-#endif /* __GNUC__ */

+#endif /* defined(__GNUC__) && defined(__GLIBC__) */

 #endif /* HAVE_PTHREAD_H */

 /*

-- 

cgit v0.10.2

From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001

From: Daniel Veillard <veillard@redhat.com>

Date: Tue, 14 Apr 2015 17:41:48 +0800

Subject: CVE-2015-1819 Enforce the reader to run in constant memory

One of the operation on the reader could resolve entities

leading to the classic expansion issue. Make sure the

buffer used for xmlreader operation is bounded.

Introduce a new allocation type for the buffers for this effect.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

---

 buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-

 include/libxml/tree.h |  3 ++-

 xmlreader.c           | 20 +++++++++++++++++++-

 3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/buf.c b/buf.c

index 6efc7b6..07922ff 100644

--- a/buf.c

+++ b/buf.c

@@ -27,6 +27,7 @@

 #include <libxml/tree.h>

 #include <libxml/globals.h>

 #include <libxml/tree.h>

+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */

 #include "buf.h"

 #define WITH_BUFFER_COMPAT

@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,

     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||

         (scheme == XML_BUFFER_ALLOC_EXACT) ||

         (scheme == XML_BUFFER_ALLOC_HYBRID) ||

-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {

+        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||

+	(scheme == XML_BUFFER_ALLOC_BOUNDED)) {

 	buf->alloc = scheme;

         if (buf->buffer)

             buf->buffer->alloc = scheme;

@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {

     size = buf->use + len + 100;

 #endif

+    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+        /*

+	 * Used to provide parsing limits

+	 */

+        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||

+	    (buf->size >= XML_MAX_TEXT_LENGTH)) {

+	    xmlBufMemoryError(buf, "buffer error: text too long\n");

+	    return(0);

+	}

+	if (size >= XML_MAX_TEXT_LENGTH)

+	    size = XML_MAX_TEXT_LENGTH;

+    }

     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {

         size_t start_buf = buf->content - buf->contentIO;

@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)

     CHECK_COMPAT(buf)

     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);

+    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+        /*

+	 * Used to provide parsing limits

+	 */

+        if (size >= XML_MAX_TEXT_LENGTH) {

+	    xmlBufMemoryError(buf, "buffer error: text too long\n");

+	    return(0);

+	}

+    }

     /* Don't resize if we don't have to */

     if (size < buf->size)

@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {

     needSize = buf->use + len + 2;

     if (needSize > buf->size){

+	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+	    /*

+	     * Used to provide parsing limits

+	     */

+	    if (needSize >= XML_MAX_TEXT_LENGTH) {

+		xmlBufMemoryError(buf, "buffer error: text too long\n");

+		return(-1);

+	    }

+	}

         if (!xmlBufResize(buf, needSize)){

 	    xmlBufMemoryError(buf, "growing buffer");

             return XML_ERR_NO_MEMORY;

@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {

     }

     needSize = buf->use + len + 2;

     if (needSize > buf->size){

+	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+	    /*

+	     * Used to provide parsing limits

+	     */

+	    if (needSize >= XML_MAX_TEXT_LENGTH) {

+		xmlBufMemoryError(buf, "buffer error: text too long\n");

+		return(-1);

+	    }

+	}

         if (!xmlBufResize(buf, needSize)){

 	    xmlBufMemoryError(buf, "growing buffer");

             return XML_ERR_NO_MEMORY;

diff --git a/include/libxml/tree.h b/include/libxml/tree.h

index 2f90717..4a9b3bc 100644

--- a/include/libxml/tree.h

+++ b/include/libxml/tree.h

@@ -76,7 +76,8 @@ typedef enum {

     XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */

     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */

     XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */

-    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */

+    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */

+    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */

 } xmlBufferAllocationScheme;

 /**

diff --git a/xmlreader.c b/xmlreader.c

index f19e123..471e7e2 100644

--- a/xmlreader.c

+++ b/xmlreader.c

@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {

 		"xmlNewTextReader : malloc failed\n");

 	return(NULL);

     }

+    /* no operation on a reader should require a huge buffer */

+    xmlBufSetAllocationScheme(ret->buffer,

+			      XML_BUFFER_ALLOC_BOUNDED);

     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));

     if (ret->sax == NULL) {

 	xmlBufFree(ret->buffer);

@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {

 	    return(((xmlNsPtr) node)->href);

         case XML_ATTRIBUTE_NODE:{

 	    xmlAttrPtr attr = (xmlAttrPtr) node;

+	    const xmlChar *ret;

 	    if ((attr->children != NULL) &&

 	        (attr->children->type == XML_TEXT_NODE) &&

@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {

                                         "xmlTextReaderSetup : malloc failed\n");

                         return (NULL);

                     }

+		    xmlBufSetAllocationScheme(reader->buffer,

+		                              XML_BUFFER_ALLOC_BOUNDED);

                 } else

                     xmlBufEmpty(reader->buffer);

 	        xmlBufGetNodeContent(reader->buffer, node);

-		return(xmlBufContent(reader->buffer));

+		ret = xmlBufContent(reader->buffer);

+		if (ret == NULL) {

+		    /* error on the buffer best to reallocate */

+		    xmlBufFree(reader->buffer);

+		    reader->buffer = xmlBufCreateSize(100);

+		    xmlBufSetAllocationScheme(reader->buffer,

+		                              XML_BUFFER_ALLOC_BOUNDED);

+		    ret = BAD_CAST "";

+		}

+		return(ret);

 	    }

 	    break;

 	}

@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,

                         "xmlTextReaderSetup : malloc failed\n");

         return (-1);

     }

+    /* no operation on a reader should require a huge buffer */

+    xmlBufSetAllocationScheme(reader->buffer,

+			      XML_BUFFER_ALLOC_BOUNDED);

     if (reader->sax == NULL)

 	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));

     if (reader->sax == NULL) {

-- 

cgit v0.11.2

From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001

From: Daniel Veillard <veillard@redhat.com>

Date: Mon, 23 Feb 2015 11:17:35 +0800

Subject: Stop parsing on entities boundaries errors

For https://bugzilla.gnome.org/show_bug.cgi?id=744980

There are times, like on unterminated entities that it's preferable to

stop parsing, even if that means less error reporting. Entities are

feeding the parser on further processing, and if they are ill defined

then it's possible to get the parser to bug. Also do the same on

Conditional Sections if the input is broken, as the structure of

the document can't be guessed.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

---

 parser.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/parser.c b/parser.c

index a8d1b67..bbe97eb 100644

--- a/parser.c

+++ b/parser.c

@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {

 	if (RAW != '>') {

 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,

 	            "xmlParseEntityDecl: entity %s not terminated\n", name);

+	    xmlStopParser(ctxt);

 	} else {

 	    if (input != ctxt->input) {

 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,

-- 

cgit v0.11.2

From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001

From: Daniel Veillard <veillard@redhat.com>

Date: Mon, 23 Feb 2015 11:29:20 +0800

Subject: Cleanup conditional section error handling

For https://bugzilla.gnome.org/show_bug.cgi?id=744980

The error handling of Conditional Section also need to be

straightened as the structure of the document can't be

guessed on a failure there and it's better to stop parsing

as further errors are likely to be irrelevant.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

---

 parser.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/parser.c b/parser.c

index bbe97eb..fe603ac 100644

--- a/parser.c

+++ b/parser.c

@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {

 	SKIP_BLANKS;

 	if (RAW != '[') {

 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);

+	    xmlStopParser(ctxt);

+	    return;

 	} else {

 	    if (ctxt->input->id != id) {

 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,

@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {

 	SKIP_BLANKS;

 	if (RAW != '[') {

 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);

+	    xmlStopParser(ctxt);

+	    return;

 	} else {

 	    if (ctxt->input->id != id) {

 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,

@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {

     } else {

 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);

+	xmlStopParser(ctxt);

+	return;

     }

     if (RAW == 0)

-- 

cgit v0.11.2