From c9f16c34d6906021849b9488b718b4922e6c726b Mon Sep 17 00:00:00 2001 From: Michael Mair-Keimberger Date: Fri, 2 Feb 2018 16:42:14 +0100 Subject: dev-libs/libxml2: remove unused patches Closes: https://github.com/gentoo/gentoo/pull/7025 --- .../files/libxml2-2.9.4-CVE-2016-9318.patch | 202 ------------- .../files/libxml2-2.9.4-CVE-2017-0663.patch | 43 --- .../files/libxml2-2.9.4-CVE-2017-5969.patch | 63 ---- .../files/libxml2-2.9.4-CVE-2017-7375.patch | 35 --- .../files/libxml2-2.9.4-CVE-2017-7376.patch | 31 -- .../files/libxml2-2.9.4-CVE-2017-9047-9048.patch | 116 -------- .../files/libxml2-2.9.4-CVE-2017-9049-9050.patch | 316 --------------------- .../files/libxml2-2.9.4-fix-root-node-cmp.patch | 34 --- .../files/libxml2-2.9.4-heap-buffer-overflow.patch | 32 --- .../files/libxml2-2.9.4-osd-validation.patch | 66 ----- 10 files changed, 938 deletions(-) delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch deleted file mode 100644 index 5d1adb014a0..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch +++ /dev/null @@ -1,202 +0,0 @@ -From 292be65a52ab9e0eb3a53b4e0be5a57bc6de59d3 Mon Sep 17 00:00:00 2001 -From: Doran Moppert -Date: Fri, 7 Apr 2017 16:45:56 +0200 -Subject: [PATCH 6/7] Add an XML_PARSE_NOXXE flag to block all entities loading - even local - -For https://bugzilla.gnome.org/show_bug.cgi?id=772726 - -* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE -* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine -* include/libxml/xmlerror.h: new error raised -* xmllint.c: adds --noxxe flag to activate the option ---- - elfgcchack.h | 10 ++++++++++ - include/libxml/parser.h | 3 ++- - include/libxml/xmlIO.h | 8 ++++++++ - include/libxml/xmlerror.h | 1 + - parser.c | 4 ++++ - xmlIO.c | 40 +++++++++++++++++++++++++++++++++++----- - xmllint.c | 5 +++++ - 7 files changed, 65 insertions(+), 6 deletions(-) - -diff --git a/elfgcchack.h b/elfgcchack.h -index 8c52884a..1b81dcde 100644 ---- a/elfgcchack.h -+++ b/elfgcchack.h -@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int - #endif - #endif - -+#ifdef bottom_xmlIO -+#undef xmlNoXxeExternalEntityLoader -+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias"))); -+#else -+#ifndef xmlNoXxeExternalEntityLoader -+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden"))); -+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias -+#endif -+#endif -+ - #ifdef bottom_tree - #undef xmlNodeAddContent - extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias"))); -diff --git a/include/libxml/parser.h b/include/libxml/parser.h -index 47fbec03..63ca1b97 100644 ---- a/include/libxml/parser.h -+++ b/include/libxml/parser.h -@@ -1111,7 +1111,8 @@ typedef enum { - XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */ - XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */ - XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */ -- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */ -+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */ -+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */ - } xmlParserOption; - - XMLPUBFUN void XMLCALL -diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h -index 3e41744d..8d3fdef5 100644 ---- a/include/libxml/xmlIO.h -+++ b/include/libxml/xmlIO.h -@@ -299,6 +299,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL - const char *ID, - xmlParserCtxtPtr ctxt); - -+/* -+ * A predefined entity loader external entity expansion -+ */ -+XMLPUBFUN xmlParserInputPtr XMLCALL -+ xmlNoXxeExternalEntityLoader (const char *URL, -+ const char *ID, -+ xmlParserCtxtPtr ctxt); -+ - /* - * xmlNormalizeWindowsPath is obsolete, don't use it. - * Check xmlCanonicPath in uri.h for a better alternative. -diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h -index 037c16d5..3036062d 100644 ---- a/include/libxml/xmlerror.h -+++ b/include/libxml/xmlerror.h -@@ -470,6 +470,7 @@ typedef enum { - XML_IO_EADDRINUSE, /* 1554 */ - XML_IO_EALREADY, /* 1555 */ - XML_IO_EAFNOSUPPORT, /* 1556 */ -+ XML_IO_ILLEGAL_XXE, /* 1557 */ - XML_XINCLUDE_RECURSION=1600, - XML_XINCLUDE_PARSE_VALUE, /* 1601 */ - XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */ -diff --git a/parser.c b/parser.c -index b832406a..8e11c127 100644 ---- a/parser.c -+++ b/parser.c -@@ -15352,6 +15352,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi - ctxt->options |= XML_PARSE_NONET; - options -= XML_PARSE_NONET; - } -+ if (options & XML_PARSE_NOXXE) { -+ ctxt->options |= XML_PARSE_NOXXE; -+ options -= XML_PARSE_NOXXE; -+ } - if (options & XML_PARSE_COMPACT) { - ctxt->options |= XML_PARSE_COMPACT; - options -= XML_PARSE_COMPACT; -diff --git a/xmlIO.c b/xmlIO.c -index 6e61f45a..34881461 100644 ---- a/xmlIO.c -+++ b/xmlIO.c -@@ -212,6 +212,7 @@ static const char *IOerr[] = { - "adddress in use", /* EADDRINUSE */ - "already in use", /* EALREADY */ - "unknown address familly", /* EAFNOSUPPORT */ -+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */ - }; - - #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__) -@@ -4057,13 +4058,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID, - xmlGenericError(xmlGenericErrorContext, - "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL); - #endif -- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) { -+ if (ctxt != NULL) { - int options = ctxt->options; - -- ctxt->options -= XML_PARSE_NONET; -- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); -- ctxt->options = options; -- return(ret); -+ if (options & XML_PARSE_NOXXE) { -+ ctxt->options -= XML_PARSE_NOXXE; -+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt); -+ ctxt->options = options; -+ return(ret); -+ } -+ -+ if (options & XML_PARSE_NONET) { -+ ctxt->options -= XML_PARSE_NONET; -+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); -+ ctxt->options = options; -+ return(ret); -+ } - } - #ifdef LIBXML_CATALOG_ENABLED - resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); -@@ -4164,6 +4174,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, - xmlParserInputPtr input = NULL; - xmlChar *resource = NULL; - -+ if (ctxt == NULL) { -+ return(NULL); -+ } -+ if (ctxt->input_id == 1) { -+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); -+ } -+ - #ifdef LIBXML_CATALOG_ENABLED - resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); - #endif -@@ -4186,5 +4203,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, - return(input); - } - -+xmlParserInputPtr -+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID, -+ xmlParserCtxtPtr ctxt) { -+ if (ctxt == NULL) { -+ return(NULL); -+ } -+ if (ctxt->input_id == 1) { -+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); -+ } -+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL); -+ return(NULL); -+} -+ - #define bottom_xmlIO - #include "elfgcchack.h" -diff --git a/xmllint.c b/xmllint.c -index f8eb7ec4..8f304cda 100644 ---- a/xmllint.c -+++ b/xmllint.c -@@ -3019,6 +3019,7 @@ static void usage(const char *name) { - printf("\t--path 'paths': provide a set of paths for resources\n"); - printf("\t--load-trace : print trace of all external entities loaded\n"); - printf("\t--nonet : refuse to fetch DTDs or entities over network\n"); -+ printf("\t--noxxe : forbid any external entity loading\n"); - printf("\t--nocompact : do not generate compact text nodes\n"); - printf("\t--htmlout : output results as HTML\n"); - printf("\t--nowrap : do not put HTML doc wrapper\n"); -@@ -3461,6 +3462,10 @@ main(int argc, char **argv) { - (!strcmp(argv[i], "--nonet"))) { - options |= XML_PARSE_NONET; - xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader); -+ } else if ((!strcmp(argv[i], "-noxxe")) || -+ (!strcmp(argv[i], "--noxxe"))) { -+ options |= XML_PARSE_NOXXE; -+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader); - } else if ((!strcmp(argv[i], "-nocompact")) || - (!strcmp(argv[i], "--nocompact"))) { - options &= ~XML_PARSE_COMPACT; --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch deleted file mode 100644 index 517e178a533..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch +++ /dev/null @@ -1,43 +0,0 @@ -From d815758b6a8c9dee8155268e49b5ef3b80135a14 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 6 Jun 2017 12:56:28 +0200 -Subject: [PATCH 1/3] Fix type confusion in xmlValidateOneNamespace - -Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on -namespace declarations make no practical sense anyway. - -Fixes bug 780228. - -Found with libFuzzer and ASan. ---- - valid.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/valid.c b/valid.c -index 8075d3a0..c51ea290 100644 ---- a/valid.c -+++ b/valid.c -@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { - } - } - -+ /* -+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions -+ * xmlAddID and xmlAddRef for namespace declarations, but it makes -+ * no practical sense to use ID types anyway. -+ */ -+#if 0 - /* Validity Constraint: ID uniqueness */ - if (attrDecl->atype == XML_ATTRIBUTE_ID) { - if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) -@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { - if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) - ret = 0; - } -+#endif - - /* Validity Constraint: Notation Attributes */ - if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) { --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch deleted file mode 100644 index 4d1362f2f93..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Wed, 7 Jun 2017 16:47:36 +0200 -Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent - -Can only be triggered in recovery mode. - -Fixes bug 758422 (CVE-2017-5969). ---- - valid.c | 24 ++++++++++++++---------- - 1 file changed, 14 insertions(+), 10 deletions(-) - -diff --git a/valid.c b/valid.c -index 19f84b82..0a8e58ab 100644 ---- a/valid.c -+++ b/valid.c -@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) - xmlBufferWriteCHAR(buf, content->name); - break; - case XML_ELEMENT_CONTENT_SEQ: -- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) -+ if ((content->c1 != NULL) && -+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) - xmlDumpElementContent(buf, content->c1, 1); - else - xmlDumpElementContent(buf, content->c1, 0); - xmlBufferWriteChar(buf, " , "); -- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || -- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && -- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) -+ if ((content->c2 != NULL) && -+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) || -+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && -+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) - xmlDumpElementContent(buf, content->c2, 1); - else - xmlDumpElementContent(buf, content->c2, 0); - break; - case XML_ELEMENT_CONTENT_OR: -- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) -+ if ((content->c1 != NULL) && -+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || -+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) - xmlDumpElementContent(buf, content->c1, 1); - else - xmlDumpElementContent(buf, content->c1, 0); - xmlBufferWriteChar(buf, " | "); -- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || -- ((content->c2->type == XML_ELEMENT_CONTENT_OR) && -- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) -+ if ((content->c2 != NULL) && -+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || -+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) && -+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) - xmlDumpElementContent(buf, content->c2, 1); - else - xmlDumpElementContent(buf, content->c2, 0); --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch deleted file mode 100644 index db9d597ad73..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 9ea49a06b9421b6a3a9c243fb1ec23b19bd6b049 Mon Sep 17 00:00:00 2001 -From: Neel Mehta -Date: Fri, 7 Apr 2017 17:43:02 +0200 -Subject: [PATCH 7/7] Prevent unwanted external entity reference - -For https://bugzilla.gnome.org/show_bug.cgi?id=780691 - -* parser.c: add a specific check to avoid PE reference ---- - parser.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/parser.c b/parser.c -index 8e11c127..e8e962bb 100644 ---- a/parser.c -+++ b/parser.c -@@ -8125,6 +8125,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) - if (xmlPushInput(ctxt, input) < 0) - return; - } else { -+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && -+ ((ctxt->options & XML_PARSE_NOENT) == 0) && -+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && -+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && -+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && -+ (ctxt->replaceEntities == 0) && -+ (ctxt->validate == 0)) -+ return; -+ - /* - * TODO !!! - * handle the extra spaces added before and after --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch deleted file mode 100644 index 14ec773608b..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 43cd3b6222bda2332e963eb1c9ead78f29912b0a Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Fri, 7 Apr 2017 17:13:28 +0200 -Subject: [PATCH 2/3] Increase buffer space for port in HTTP redirect support - -For https://bugzilla.gnome.org/show_bug.cgi?id=780690 - -nanohttp.c: the code wrongly assumed a short int port value. ---- - nanohttp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/nanohttp.c b/nanohttp.c -index 26e4290e..9c17530e 100644 ---- a/nanohttp.c -+++ b/nanohttp.c -@@ -1423,9 +1423,9 @@ retry: - if (ctxt->port != 80) { - /* reserve space for ':xxxxx', incl. potential proxy */ - if (proxy) -- blen += 12; -+ blen += 17; - else -- blen += 6; -+ blen += 11; - } - bp = (char*)xmlMallocAtomic(blen); - if ( bp == NULL ) { --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch deleted file mode 100644 index f7c48cd877d..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 839b89e678b5265a0e6b0477410e64fac669d578 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 3 Jun 2017 02:01:29 +0200 -Subject: [PATCH 4/7] Fix buffer size checks in xmlSnprintfElementContent -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -xmlSnprintfElementContent failed to correctly check the available -buffer space in two locations. - -Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). - -Thanks to Marcel Böhme and Thuan Pham for the report. ---- - result/valid/781333.xml | 5 +++++ - result/valid/781333.xml.err | 3 +++ - result/valid/781333.xml.err.rdr | 6 ++++++ - test/valid/781333.xml | 4 ++++ - valid.c | 20 +++++++++++--------- - 5 files changed, 29 insertions(+), 9 deletions(-) - create mode 100644 result/valid/781333.xml - create mode 100644 result/valid/781333.xml.err - create mode 100644 result/valid/781333.xml.err.rdr - create mode 100644 test/valid/781333.xml - -diff --git a/result/valid/781333.xml b/result/valid/781333.xml -new file mode 100644 -index 00000000..45dc451d ---- /dev/null -+++ b/result/valid/781333.xml -@@ -0,0 +1,5 @@ -+ -+ -+]> -+ -diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err -new file mode 100644 -index 00000000..b401b49a ---- /dev/null -+++ b/result/valid/781333.xml.err -@@ -0,0 +1,3 @@ -+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got -+ -+ ^ -diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr -new file mode 100644 -index 00000000..5ff56992 ---- /dev/null -+++ b/result/valid/781333.xml.err.rdr -@@ -0,0 +1,6 @@ -+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got -+ -+ ^ -+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child -+ -+^ -diff --git a/test/valid/781333.xml b/test/valid/781333.xml -new file mode 100644 -index 00000000..b29e5a68 ---- /dev/null -+++ b/test/valid/781333.xml -@@ -0,0 +1,4 @@ -+ -+]> -+ -diff --git a/valid.c b/valid.c -index 0a8e58ab..8075d3a0 100644 ---- a/valid.c -+++ b/valid.c -@@ -1266,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int - case XML_ELEMENT_CONTENT_PCDATA: - strcat(buf, "#PCDATA"); - break; -- case XML_ELEMENT_CONTENT_ELEMENT: -+ case XML_ELEMENT_CONTENT_ELEMENT: { -+ int qnameLen = xmlStrlen(content->name); -+ -+ if (content->prefix != NULL) -+ qnameLen += xmlStrlen(content->prefix) + 1; -+ if (size - len < qnameLen + 10) { -+ strcat(buf, " ..."); -+ return; -+ } - if (content->prefix != NULL) { -- if (size - len < xmlStrlen(content->prefix) + 10) { -- strcat(buf, " ..."); -- return; -- } - strcat(buf, (char *) content->prefix); - strcat(buf, ":"); - } -- if (size - len < xmlStrlen(content->name) + 10) { -- strcat(buf, " ..."); -- return; -- } - if (content->name != NULL) - strcat(buf, (char *) content->name); - break; -+ } - case XML_ELEMENT_CONTENT_SEQ: - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) -@@ -1323,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int - xmlSnprintfElementContent(buf, size, content->c2, 0); - break; - } -+ if (size - strlen(buf) <= 2) return; - if (englob) - strcat(buf, ")"); - switch (content->ocur) { --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch deleted file mode 100644 index abf43ef9815..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch +++ /dev/null @@ -1,316 +0,0 @@ -From 9c95d1b7f3951efe09df66ec41d7b19d6283084d Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 5 Jun 2017 15:37:17 +0200 -Subject: [PATCH 3/7] Fix handling of parameter-entity references -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There were two bugs where parameter-entity references could lead to an -unexpected change of the input buffer in xmlParseNameComplex and -xmlDictLookup being called with an invalid pointer. - -Percent sign in DTD Names -========================= - -The NEXTL macro used to call xmlParserHandlePEReference. When parsing -"complex" names inside the DTD, this could result in entity expansion -which created a new input buffer. The fix is to simply remove the call -to xmlParserHandlePEReference from the NEXTL macro. This is safe because -no users of the macro require expansion of parameter entities. - -- xmlParseNameComplex -- xmlParseNCNameComplex -- xmlParseNmtoken - -The percent sign is not allowed in names, which are grammatical tokens. - -- xmlParseEntityValue - -Parameter-entity references in entity values are expanded but this -happens in a separate step in this function. - -- xmlParseSystemLiteral - -Parameter-entity references are ignored in the system literal. - -- xmlParseAttValueComplex -- xmlParseCharDataComplex -- xmlParseCommentComplex -- xmlParsePI -- xmlParseCDSect - -Parameter-entity references are ignored outside the DTD. - -- xmlLoadEntityContent - -This function is only called from xmlStringLenDecodeEntities and -entities are replaced in a separate step immediately after the function -call. - -This bug could also be triggered with an internal subset and double -entity expansion. - -This fixes bug 766956 initially reported by Wei Lei and independently by -Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone -involved. - -xmlParseNameComplex with XML_PARSE_OLD10 -======================================== - -When parsing Names inside an expanded parameter entity with the -XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the -GROW macro if the input buffer was exhausted. At the end of the -parameter entity's replacement text, this function would then call -xmlPopInput which invalidated the input buffer. - -There should be no need to invoke GROW in this situation because the -buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, -at least for UTF-8, in xmlCurrentChar. This also matches the code path -executed when XML_PARSE_OLD10 is not set. - -This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). -Thanks to Marcel Böhme and Thuan Pham for the report. - -Additional hardening -==================== - -A separate check was added in xmlParseNameComplex to validate the -buffer size. ---- - Makefile.am | 18 ++++++++++++++++++ - parser.c | 18 ++++++++++-------- - result/errors10/781205.xml | 0 - result/errors10/781205.xml.err | 21 +++++++++++++++++++++ - result/errors10/781361.xml | 0 - result/errors10/781361.xml.err | 13 +++++++++++++ - result/valid/766956.xml | 0 - result/valid/766956.xml.err | 9 +++++++++ - result/valid/766956.xml.err.rdr | 10 ++++++++++ - runtest.c | 3 +++ - test/errors10/781205.xml | 3 +++ - test/errors10/781361.xml | 3 +++ - test/valid/766956.xml | 2 ++ - test/valid/dtds/766956.dtd | 2 ++ - 14 files changed, 94 insertions(+), 8 deletions(-) - create mode 100644 result/errors10/781205.xml - create mode 100644 result/errors10/781205.xml.err - create mode 100644 result/errors10/781361.xml - create mode 100644 result/errors10/781361.xml.err - create mode 100644 result/valid/766956.xml - create mode 100644 result/valid/766956.xml.err - create mode 100644 result/valid/766956.xml.err.rdr - create mode 100644 test/errors10/781205.xml - create mode 100644 test/errors10/781361.xml - create mode 100644 test/valid/766956.xml - create mode 100644 test/valid/dtds/766956.dtd - -diff --git a/Makefile.am b/Makefile.am -index 3b52bae7..bf20124e 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT) - if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \ - rm result.$$name error.$$name ; \ - fi ; fi ; done) -+ @echo "## Error cases regression tests (old 1.0)" -+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ -+ name=`basename $$i`; \ -+ if [ ! -d $$i ] ; then \ -+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ -+ echo New test file $$name ; \ -+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ -+ 2> $(srcdir)/result/errors10/$$name.err \ -+ > $(srcdir)/result/errors10/$$name ; \ -+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ -+ else \ -+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ -+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ -+ diff $(srcdir)/result/errors10/$$name result.$$name ; \ -+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ -+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ -+ rm result.$$name error.$$name ; \ -+ fi ; fi ; done) - @echo "## Error cases stream regression tests" - -@(for i in $(srcdir)/test/errors/*.xml ; do \ - name=`basename $$i`; \ -diff --git a/parser.c b/parser.c -index 53a6b7f0..b832406a 100644 ---- a/parser.c -+++ b/parser.c -@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { - ctxt->input->line++; ctxt->input->col = 1; \ - } else ctxt->input->col++; \ - ctxt->input->cur += l; \ -- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ - } while (0) - - #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) -@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - len += l; - NEXTL(l); - c = CUR_CHAR(l); -- if (c == 0) { -- count = 0; -- GROW; -- if (ctxt->instate == XML_PARSER_EOF) -- return(NULL); -- c = CUR_CHAR(l); -- } - } - } - if ((len > XML_MAX_NAME_LENGTH) && -@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); - return(NULL); - } -+ if (ctxt->input->cur - ctxt->input->base < len) { -+ /* -+ * There were a couple of bugs where PERefs lead to to a change -+ * of the buffer. Check the buffer size to avoid passing an invalid -+ * pointer to xmlDictLookup. -+ */ -+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, -+ "unexpected change of input buffer"); -+ return (NULL); -+ } - if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) - return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); - return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); -diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml -new file mode 100644 -index 00000000..e69de29b -diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err -new file mode 100644 -index 00000000..da15c3f7 ---- /dev/null -+++ b/result/errors10/781205.xml.err -@@ -0,0 +1,21 @@ -+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration -+ -+ %a; -+ ^ -+Entity: line 1: -+<:0000 -+^ -+Entity: line 1: parser error : DOCTYPE improperly terminated -+ %a; -+ ^ -+Entity: line 1: -+<:0000 -+^ -+namespace error : Failed to parse QName ':0000' -+ %a; -+ ^ -+<:0000 -+ ^ -+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 -+ -+^ -diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml -new file mode 100644 -index 00000000..e69de29b -diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err -new file mode 100644 -index 00000000..655f41a2 ---- /dev/null -+++ b/result/errors10/781361.xml.err -@@ -0,0 +1,13 @@ -+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected -+ -+^ -+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration -+ -+ -+^ -+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated -+ -+^ -+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found -+ -+^ -diff --git a/result/valid/766956.xml b/result/valid/766956.xml -new file mode 100644 -index 00000000..e69de29b -diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err -new file mode 100644 -index 00000000..34b1dae6 ---- /dev/null -+++ b/result/valid/766956.xml.err -@@ -0,0 +1,9 @@ -+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' -+%ä%ent; -+ ^ -+Entity: line 1: parser error : Content error in the external subset -+ %ent; -+ ^ -+Entity: line 1: -+value -+^ -diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr -new file mode 100644 -index 00000000..77603462 ---- /dev/null -+++ b/result/valid/766956.xml.err.rdr -@@ -0,0 +1,10 @@ -+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' -+%ä%ent; -+ ^ -+Entity: line 1: parser error : Content error in the external subset -+ %ent; -+ ^ -+Entity: line 1: -+value -+^ -+./test/valid/766956.xml : failed to parse -diff --git a/runtest.c b/runtest.c -index 7d030bdc..cd233da9 100644 ---- a/runtest.c -+++ b/runtest.c -@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = { - { "Error cases regression tests", - errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", - 0 }, -+ { "Error cases regression tests (old 1.0)", -+ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", -+ XML_PARSE_OLD10 }, - #ifdef LIBXML_READER_ENABLED - { "Error cases stream regression tests", - streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", -diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml -new file mode 100644 -index 00000000..d9e9e839 ---- /dev/null -+++ b/test/errors10/781205.xml -@@ -0,0 +1,3 @@ -+ -+ %a; -diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml -new file mode 100644 -index 00000000..67476bcb ---- /dev/null -+++ b/test/errors10/781361.xml -@@ -0,0 +1,3 @@ -+ -+ %elem; -diff --git a/test/valid/766956.xml b/test/valid/766956.xml -new file mode 100644 -index 00000000..19a95a0e ---- /dev/null -+++ b/test/valid/766956.xml -@@ -0,0 +1,2 @@ -+ -+ -diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd -new file mode 100644 -index 00000000..dddde68b ---- /dev/null -+++ b/test/valid/dtds/766956.dtd -@@ -0,0 +1,2 @@ -+ -+%ä%ent; --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch b/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch deleted file mode 100644 index 224d60ff052..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a1fb9a4f511d89f0738b62cabd6d92bfd9eb94a9 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 28 Jun 2016 14:19:58 +0200 -Subject: [PATCH 3/3] Fix comparison with root node in xmlXPathCmpNodes - -This change has already been made in xmlXPathCmpNodesExt but not in -xmlXPathCmpNodes. ---- - xpath.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 67afbca5..5a01b1b3 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) { - * compute depth to root - */ - for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { -- if (cur == node1) -+ if (cur->parent == node1) - return(1); - depth2++; - } - root = cur; - for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { -- if (cur == node2) -+ if (cur->parent == node2) - return(-1); - depth1++; - } --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch deleted file mode 100644 index 770a1832b19..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch +++ /dev/null @@ -1,32 +0,0 @@ -From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Tue, 4 Jul 2017 18:38:03 +0200 -Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in - xmlFAParsePosCharGroup - -Credit to OSS-Fuzz. - -Add a check to xmlFAParseCharRange() for the end of the buffer -to prevent reading past the end of it. - -This fixes Bug 784017. ---- - xmlregexp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index ca3b4f46..6676c2a8 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { - return; - } - len = 1; -- } else if ((cur != 0x5B) && (cur != 0x5D)) { -+ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) { - end = CUR_SCHAR(ctxt->cur, len); - } else { - ERROR("Expecting the end of a char range"); --- -2.14.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch deleted file mode 100644 index 9d1a03346f6..00000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 8bc6baccc7da291c2338b8d95953ea487b0b3ca1 Mon Sep 17 00:00:00 2001 -From: Alex Henrie -Date: Thu, 26 May 2016 17:38:35 -0600 -Subject: [PATCH 2/7] Fix attribute decoding during XML schema validation - -For https://bugzilla.gnome.org/show_bug.cgi?id=766834 - -vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs, -so this function can't call xmlStringLenDecodeEntities to decode the -entities. ---- - xmlschemas.c | 30 +++++++++++++++++++++++++----- - 1 file changed, 25 insertions(+), 5 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index e1b3a4f0..59535e5c 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, - * attributes yet. - */ - if (nb_attributes != 0) { -+ int valueLen, k, l; - xmlChar *value; - - for (j = 0, i = 0; i < nb_attributes; i++, j += 5) { -@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, - * libxml2 differs from normal SAX here in that it escapes all ampersands - * as & instead of delivering the raw converted string. Changing the - * behavior at this point would break applications that use this API, so -- * we are forced to work around it. There is no danger of accidentally -- * decoding some entity other than & in this step because without -- * unescaped ampersands there can be no other entities in the string. -+ * we are forced to work around it. - */ -- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3], -- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0); -+ valueLen = attributes[j+4] - attributes[j+3]; -+ value = xmlMallocAtomic(valueLen + 1); -+ if (value == NULL) { -+ xmlSchemaVErrMemory(vctxt, -+ "allocating string for decoded attribute", -+ NULL); -+ goto internal_error; -+ } -+ for (k = 0, l = 0; k < valueLen; l++) { -+ if (k < valueLen - 4 && -+ attributes[j+3][k+0] == '&' && -+ attributes[j+3][k+1] == '#' && -+ attributes[j+3][k+2] == '3' && -+ attributes[j+3][k+3] == '8' && -+ attributes[j+3][k+4] == ';') { -+ value[l] = '&'; -+ k += 5; -+ } else { -+ value[l] = attributes[j+3][k]; -+ k++; -+ } -+ } -+ value[l] = '\0'; - /* - * TODO: Set the node line. - */ --- -2.14.1 - -- cgit v1.2.1