From e87a6790bce08d476b5c03207965eb20b1442d10 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek
Date: Wed, 2 Dec 2009 13:56:11 +0000
Subject: [PATCH] - Patch security hole in embedded neon (CVE-2009-2473)
---
gnome-vfs-2.24.3-CVE-2009-2473.patch | 68 ++++++++++++++++++++++++++++
gnome-vfs2.spec | 10 +++-
2 files changed, 77 insertions(+), 1 deletion(-)
create mode 100644 gnome-vfs-2.24.3-CVE-2009-2473.patch
diff --git a/gnome-vfs-2.24.3-CVE-2009-2473.patch b/gnome-vfs-2.24.3-CVE-2009-2473.patch
new file mode 100644
index 0000000..b6ad664
--- /dev/null
+++ b/gnome-vfs-2.24.3-CVE-2009-2473.patch
@@ -0,0 +1,68 @@
+Index: gnome-vfs-2.24.2/imported/neon/ne_xml.c
+===================================================================
+--- gnome-vfs-2.24.2/imported/neon/ne_xml.c (revision 1687)
++++ gnome-vfs-2.24.2/imported/neon/ne_xml.c (revision 1688)
+@@ -405,6 +405,28 @@
+ destroy_element(elm);
+ }
+
++#if defined(HAVE_EXPAT) && XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ ne_xml_parser *parser = userData;
++
++ NE_DEBUG(NE_DBG_XMLPARSE, "XML: entity declaration [%s]. Failing.\n",
++ entityName);
++
++ XML_StopParser(parser->parser, XML_FALSE);
++}
++#elif defined(HAVE_EXPAT)
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ /* Find a namespace definition for 'prefix' in given element, where
+ * length of prefix is 'pfxlen'. Returns the URI or NULL. */
+ static const char *resolve_nspace(const struct element *elm,
+@@ -459,14 +481,34 @@
+ XML_SetCharacterDataHandler(p->parser, char_data);
+ XML_SetUserData(p->parser, (void *) p);
+ XML_SetXmlDeclHandler(p->parser, decl_handler);
++
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, installing a noop
++ * DefaultHandler means that internal entities will be expanded as
++ * the empty string, which is also sufficient to prevent the
++ * attack.
*/ ++#if XML_MAJOR_VERSION > 1 ++ XML_SetEntityDeclHandler(p->parser, entity_declaration); + #else ++ XML_SetDefaultHandler(p->parser, default_handler); ++#endif ++ ++#else /* HAVE_LIBXML */ + p->parser = xmlCreatePushParserCtxt(&sax_handler, + (void *)p, NULL, 0, NULL); + if (p->parser == NULL) { + abort(); + } ++#if LIBXML_VERSION < 20602 + p->parser->replaceEntities = 1; ++#else ++ /* Enable expansion of entities, and disable network access. */ ++ xmlCtxtUseOptions(p->parser, XML_PARSE_NOENT | XML_PARSE_NONET); + #endif ++ ++#endif /* HAVE_LIBXML || HAVE_EXPAT */ + return p; + } + diff --git a/gnome-vfs2.spec b/gnome-vfs2.spec index 4c38cef..b99da68 100644 --- a/gnome-vfs2.spec +++ b/gnome-vfs2.spec @@ -14,7 +14,7 @@ Summary: The GNOME virtual file-system libraries Name: gnome-vfs2 Version: 2.24.2 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ and GPLv2+ # the daemon and the library are LGPLv2+ # the modules are LGPLv2+ and GPLv2+ @@ -59,6 +59,10 @@ Patch3: gnome-vfs-2.9.90-modules-conf.patch # remove gnome-mime-data dependency Patch4: gnome-vfs-2.24.1-disable-gnome-mime-data.patch +# CVE-2009-2473 neon, gnome-vfs2 embedded neon: billion laughs DoS attack +# https://bugzilla.redhat.com/show_bug.cgi?id=518215 +Patch5: gnome-vfs-2.24.3-CVE-2009-2473.patch + # send to upstream Patch101: gnome-vfs-2.8.2-schema_about_for_upstream.patch @@ -126,6 +130,7 @@ shares (SMB) to applications using GNOME VFS. %patch3 -p1 -b .modules-conf %patch4 -p1 -b .mime-data +%patch5 -p1 -b .CVE-2009-2473 %patch6 -p1 -b .mailto-command @@ -261,6 +266,9 @@ fi %config %{_sysconfdir}/gnome-vfs-2.0/modules/smb-module.conf %changelog +* Wed Dec 2 2009 Tomas Bzatek - 2.24.2-3 +- Patch security hole in embedded neon (CVE-2009-2473) + * Wed Nov 04 2009 Bastien Nocera 2.24.2-2 - Set a default media player application in the schemas
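Review bot: In the libxml2 branch of the embedded `ne_xml.c` hunk (`@@ -459,14 +481,34 @@`), entity expansion stays switched on, via `p->parser->replaceEntities = 1` for `LIBXML_VERSION < 20602` and `XML_PARSE_NOENT` otherwise, so the "billion laughs" protection added here covers expat builds only. For libxml2 builds the defence rests on whatever expansion limits the linked library enforces, which is not visible in this patch and should be confirmed for the oldest supported version. The `LIBXML_VERSION < 20602` path also has no counterpart to `XML_PARSE_NONET`, so external entity loading over the network appears to remain possible there. I would at least record this beside the call, e.g. `/* Entity expansion stays enabled for libxml2; protection against exponential expansion depends on the library's own limits. */`. The enclosing function begins before the hunk's context, so how a parse stopped by `XML_StopParser` is reported to callers could not be checked from here.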