rpms
/
mingw-libxml2
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.

Browse Source 
(cherry picked from commit 36ce67f6dcbbc1ac6fca872b99dab9675813c10d)
epel9
Richard W.M. Jones 4 years ago
parent 4a4dfe850e
commit c1929c8a1a
3 changed files with 74 additions and 34 deletions
Show Stats Download Patch File Download Diff File

61
libxml2-2.9.10-CVE-2020-24977.patch
Unescape View File

@ -1,41 +1,36 @@
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de> From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Aug 2020 17:30:41 +0200 Date: Fri, 7 Aug 2020 21:54:27 +0200
Subject: [PATCH] Fix integer overflow when comparing schema dates Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
Found by OSS-Fuzz. Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
array access.
Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
the report.
Fixes #178.
--- ---
xmlschemastypes.c | 10 ++++++++++ xmllint.c | 6 ++++++
1 file changed, 10 insertions(+) 1 file changed, 6 insertions(+)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c diff --git a/xmllint.c b/xmllint.c
index 4249d700..d6b9f924 100644 index f6a8e463..c647486f 100644
--- a/xmlschemastypes.c --- a/xmllint.c
+++ b/xmlschemastypes.c +++ b/xmllint.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) @@ -528,6 +528,12 @@ static void
minday = 0; xmlHTMLEncodeSend(void) {
maxday = 0; char *result;
} else {
+ if (myear > LONG_MAX / 366)
+ return -2;
/* FIXME: This doesn't take leap year exceptions every 100/400 years
into account. */
maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
if ((x == NULL) || (y == NULL))
return -2;
+ if ((x->value.date.year > LONG_MAX / 366) ||
+ (x->value.date.year < LONG_MIN / 366) ||
+ (y->value.date.year > LONG_MAX / 366) ||
+ (y->value.date.year < LONG_MIN / 366)) {
+ /* Possible overflow when converting to days. */
+ return -2;
+ }
+
if (x->value.date.tz_flag) {
if (!y->value.date.tz_flag) { + /*
+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
+ * an out-of-bounds read.
+ */
+ memset(&buffer[sizeof(buffer)-4], 0, 4);
result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
if (result) {
xmlGenericError(xmlGenericErrorContext, "%s", result);
-- --
2.28.0.rc2 2.28.0.rc2

41
libxml2-2.9.10-fix-integer-overflow.patch
Unescape View File

@ -0,0 +1,41 @@
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Aug 2020 17:30:41 +0200
Subject: [PATCH] Fix integer overflow when comparing schema dates
Found by OSS-Fuzz.
---
xmlschemastypes.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 4249d700..d6b9f924 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
minday = 0;
maxday = 0;
} else {
+ if (myear > LONG_MAX / 366)
+ return -2;
/* FIXME: This doesn't take leap year exceptions every 100/400 years
into account. */
maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
if ((x == NULL) || (y == NULL))
return -2;
+ if ((x->value.date.year > LONG_MAX / 366) ||
+ (x->value.date.year < LONG_MIN / 366) ||
+ (y->value.date.year > LONG_MAX / 366) ||
+ (y->value.date.year < LONG_MIN / 366)) {
+ /* Possible overflow when converting to days. */
+ return -2;
+ }
+
if (x->value.date.tz_flag) {
if (!y->value.date.tz_flag) {
--
2.28.0.rc2

6
mingw-libxml2.spec
Unescape View File

@ -18,8 +18,9 @@ Patch2: mingw-libxml2-2.9.10-fix-relaxed-approach-to-nested-documents.pa
Patch3: mingw-libxml2-2.9.10-CVE-2019-20388.patch Patch3: mingw-libxml2-2.9.10-CVE-2019-20388.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1799788 # https://bugzilla.redhat.com/show_bug.cgi?id=1799788
Patch4: mingw-libxml2-2.9.10-CVE-2020-7595.patch Patch4: mingw-libxml2-2.9.10-CVE-2020-7595.patch
Patch6: libxml2-2.9.10-fix-integer-overflow.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1877788 # https://bugzilla.redhat.com/show_bug.cgi?id=1877788
Patch6: libxml2-2.9.10-CVE-2020-24977.patch Patch7: libxml2-2.9.10-CVE-2020-24977.patch
BuildArch: noarch BuildArch: noarch
@ -151,6 +152,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete
%changelog %changelog
* Wed Nov 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-8
- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.
* Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7 * Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7
- Add fix for CVE-2020-24977 (RHBZ#1877788, RHBZ#1877789). - Add fix for CVE-2020-24977 (RHBZ#1877788, RHBZ#1877789).

Write Preview
Loading…
Cancel
Save