- Patch security hole in embedded neon (CVE-2009-2473)

Tomas Bzatek 15 years ago
parent 2c1caebb9c
commit e87a6790bc

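--- a/gnome-vfs-2.24.3-CVE-2009-2473.patch
+++ b/gnome-vfs-2.24.3-CVE-2009-2473.patch
@@ -0,0 +1,68 @@
+Index: gnome-vfs-2.24.2/imported/neon/ne_xml.c
+===================================================================
+--- gnome-vfs-2.24.2/imported/neon/ne_xml.c (revision 1687)
++++ gnome-vfs-2.24.2/imported/neon/ne_xml.c (revision 1688)
+@@ -405,6 +405,28 @@
+destroy_element(elm);
+}
++#if defined(HAVE_EXPAT) && XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ ne_xml_parser *parser = userData;
++
++ NE_DEBUG(NE_DBG_XMLPARSE, "XML: entity declaration [%s]. Failing.\n",
++ entityName);
++
++ XML_StopParser(parser->parser, XML_FALSE);
++}
++#elif defined(HAVE_EXPAT)
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+/* Find a namespace definition for 'prefix' in given element, where
+* length of prefix is 'pfxlen'. Returns the URI or NULL. */
+static const char *resolve_nspace(const struct element *elm,
+@@ -459,14 +481,34 @@
+XML_SetCharacterDataHandler(p->parser, char_data);
+XML_SetUserData(p->parser, (void *) p);
+XML_SetXmlDeclHandler(p->parser, decl_handler);
++
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, installing a noop
++ * DefaultHandler means that internal entities will be expanded as
++ * the empty string, which is also sufficient to prevent the
++ * attack. */
++#if XML_MAJOR_VERSION > 1
++ XML_SetEntityDeclHandler(p->parser, entity_declaration);
+#else
++ XML_SetDefaultHandler(p->parser, default_handler);
++#endif
++
++#else /* HAVE_LIBXML */
+p->parser = xmlCreatePushParserCtxt(&sax_handler,
+(void *)p, NULL, 0, NULL);
+if (p->parser == NULL) {
+abort();
+}
++#if LIBXML_VERSION < 20602
+p->parser->replaceEntities = 1;
++#else
++ /* Enable expansion of entities, and disable network access. */
++ xmlCtxtUseOptions(p->parser, XML_PARSE_NOENT | XML_PARSE_NONET);
+#endif
++
++#endif /* HAVE_LIBXML || HAVE_EXPAT */
+return p;
+}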
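Review bot: The libxml2 backend in the second inner hunk does not get the protection the expat backend gets: `xmlCtxtUseOptions(p->parser, XML_PARSE_NOENT | XML_PARSE_NONET)` explicitly turns entity substitution on, and the `LIBXML_VERSION < 20602` path keeps `replaceEntities = 1`, so on that build the billion-laughs fix implicitly relies on libxml2's own expansion limits, which this hunk neither checks for nor documents. `XML_PARSE_NONET` stops only network fetches; with `XML_PARSE_NOENT` set, a `SYSTEM` entity naming a local file is presumably still resolved and substituted into content parsed from an untrusted server. If the WebDAV responses handled here do not need user-defined entities, passing only `XML_PARSE_NONET` on that line (and reconsidering `replaceEntities = 1` on the old-libxml path) would make the two backends behave alike; otherwise the comment above it should say that the libxml path intentionally depends on libxml2's built-in entity expansion limit. Separately, the expat-2.x `entity_declaration` handler aborts through `XML_StopParser` without recording a reason, so whatever the caller (outside this hunk) reports is likely expat's generic aborted-parse error rather than a message naming the entity declaration.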

@ -14,7 +14,7 @@
Summary: The GNOME virtual file-system libraries
Name: gnome-vfs2
Version: 2.24.2
Release: 2%{?dist}
Release: 3%{?dist}
License: LGPLv2+ and GPLv2+
# the daemon and the library are LGPLv2+
# the modules are LGPLv2+ and GPLv2+
@ -59,6 +59,10 @@ Patch3: gnome-vfs-2.9.90-modules-conf.patch
# remove gnome-mime-data dependency
Patch4: gnome-vfs-2.24.1-disable-gnome-mime-data.patch
# CVE-2009-2473 neon, gnome-vfs2 embedded neon: billion laughs DoS attack
# https://bugzilla.redhat.com/show_bug.cgi?id=518215
Patch5: gnome-vfs-2.24.3-CVE-2009-2473.patch
# send to upstream
Patch101: gnome-vfs-2.8.2-schema_about_for_upstream.patch
@ -126,6 +130,7 @@ shares (SMB) to applications using GNOME VFS.
%patch3 -p1 -b .modules-conf
%patch4 -p1 -b .mime-data
%patch5 -p1 -b .CVE-2009-2473
%patch6 -p1 -b .mailto-command
@ -261,6 +266,9 @@ fi
%config %{_sysconfdir}/gnome-vfs-2.0/modules/smb-module.conf
%changelog
* Wed Dec 2 2009 Tomas Bzatek <tbzatek@redhat.com> - 2.24.2-3
- Patch security hole in embedded neon (CVE-2009-2473)
* Wed Nov 04 2009 Bastien Nocera <bnocera@redhat.com> 2.24.2-2
- Set a default media player application in the schemas
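Review bot: The patch registered as `Patch5: gnome-vfs-2.24.3-CVE-2009-2473.patch` carries a 2.24.3 version in its name while `Version: 2.24.2` is what this spec builds and the patch's own `Index:` line targets gnome-vfs-2.24.2, which will mislead anyone trying to match distro patches to upstream releases. Renaming the file to `gnome-vfs-2.24.2-CVE-2009-2473.patch`, or adding a comment next to `Patch5:` explaining where the 2.24.3 name comes from, would remove the ambiguity.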
