From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Aug 19 23:30:05 2009
Message-Id: <200908192320.n7JNKnZO081982@h120.65.226.10.32118.vlan.kuins.net>
Date: Thu, 20 Aug 2009 08:20:49 +0900 (JST)
From: Tsurutani Naoki
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: ports/137980: fix for textproc/libxml2
List-Id: Ports bug reports

>Number: 137980
>Category: ports
>Synopsis: fix for textproc/libxml2
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 19 23:30:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 7.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.2-STABLE FreeBSD 7.2-STABLE #19: Sun Jun 21 20:36:09 JST 2009 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
CVE-2009-2414, CVE-2009-2416 are issued. Some fixes are required to textproc/libxml2.
>How-To-Repeat:
>Fix:
Here is a patch, taken from Debian:

--- parser.c.orig +++ parser.c @@ -5306,7 +5306,8 @@ if (name == NULL) { xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, "Name expected in NOTATION declaration\n"); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } tmp = ret; while (tmp != NULL) { 
@@ -5322,7 +5323,10 @@ } if (tmp == NULL) { cur = xmlCreateEnumeration(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5334,8 +5338,8 @@ if (RAW != ')') { xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); if ((last != NULL) && (last != ret)) - xmlFreeEnumeration(last); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; return(ret); @@ -5390,7 +5394,10 @@ cur = xmlCreateEnumeration(name); if (!xmlDictOwns(ctxt->dict, name)) xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL){ + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5794,6 +5801,11 @@ const xmlChar *elem; xmlChar type = 0; + if (ctxt->depth > 128) { + xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, "xmlParseElementChildrenContentDecl : depth %d too deep\n", ctxt->depth); + return(NULL); + } + SKIP_BLANKS; GROW; if (RAW == '(') { @@ -5802,7 +5814,9 @@ /* Recurse on first child */ NEXT; SKIP_BLANKS; + ctxt->depth++; cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); + ctxt->depth--; SKIP_BLANKS; GROW; } else { @@ -5934,7 +5948,9 @@ /* Recurse on second child */ NEXT; SKIP_BLANKS; + ctxt->depth++; last = xmlParseElementChildrenContentDecl(ctxt, inputid); + ctxt->depth--; SKIP_BLANKS; } else { elem = xmlParseName(ctxt); >Release-Note: >Audit-Trail: >Unformatted:
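
Review bot: in the hunk at @@ -5334,8 +5338,8 @@ the guard "if ((last != NULL) && (last != ret))" is kept and now controls xmlFreeEnumeration(ret), so when the list holds a single entry (last == ret) nothing is freed and return(NULL) drops the only pointer to it. The other error paths in this patch free ret unconditionally, including the first hunk where ret may still be NULL; do the same here by deleting the guard line so the RAW != ')' path reads xmlFatalErr(...); xmlFreeEnumeration(ret); return(NULL);.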
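
Review bot: style point in the hunk at @@ -5390,7 +5394,10 @@: the new line "if (cur == NULL){" has no space before the brace, while the identical check added at @@ -5322,7 +5323,10 @@ is written "if (cur == NULL) {". Use the same spacing in both places so the two enumeration error paths stay visibly parallel.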
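
Review bot: the depth limit added at @@ -5794,6 +5801,11 @@ is a bare literal, "if (ctxt->depth > 128)", with no comment on why 128 was chosen or what the check protects against. Give it a named constant and a one-line comment saying it bounds the recursion of xmlParseElementChildrenContentDecl on nested content declarations. Two smaller points in the same hunk: the failure is reported as XML_ERR_ELEMCONTENT_NOT_FINISHED, which will read to users as a syntax error rather than a nesting limit, and the xmlFatalErrMsgInt call sits on one very long line that should be wrapped. If ctxt->depth is also used to count some other kind of nesting elsewhere in the parser, the comment should say that the two share one budget.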