Diffstat (limited to 'libxml2/libxml2-2.6.31.patch')
-rw-r--r-- | libxml2/libxml2-2.6.31.patch | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/libxml2/libxml2-2.6.31.patch b/libxml2/libxml2-2.6.31.patch
index 53f35c1915ee..cba8f23e9663 100644
--- a/libxml2/libxml2-2.6.31.patch
+++ b/libxml2/libxml2-2.6.31.patch
@@ -282,3 +282,131 @@ #define LIBXML_DEBUG_RUNTIME #endif
+diff -r -cN misc/libxml2-2.6.31/changelog misc/build/libxml2-2.6.31/changelog
+*** misc/libxml2-2.6.31/changelog
+--- misc/build/libxml2-2.6.31/changelog
+***************
+*** 0 ****
+--- 1,10 ----
++ libxml2 (2.6.32.dfsg-5+lenny1) stable-security; urgency=high
++
++ * Non-maintainer upload by the Security Team.
++ * Fix multiple use-after-free flaws when parsing notation and
++ enumeration attribute types (CVE-2009-2416).
++ * Fix stack overflow when parsing root XML document element DTD
++ definition (CVE-2009-2414).
++
++ -- Nico Golde <nion@debian.org> Thu, 06 Aug 2009 13:04:00 +0000
++
+diff -r -cN misc/libxml2-2.6.31/parser.c misc/build/libxml2-2.6.31/parser.c
+*** misc/libxml2-2.6.31/parser.c
+--- misc/build/libxml2-2.6.31/parser.c
+***************
+*** 4752,4761 ****
+ if (name == NULL) {
+ xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+ "Name expected in NOTATION declaration\n");
+! return(ret);
+ }
+ cur = xmlCreateEnumeration(name);
+! if (cur == NULL) return(ret);
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+--- 4752,4766 ----
+ if (name == NULL) {
+ xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+ "Name expected in NOTATION declaration\n");
+! xmlFreeEnumeration(ret);
+! return(NULL);
+ }
+ cur = xmlCreateEnumeration(name);
+! if (cur == NULL) {
+! xmlFreeEnumeration(ret);
+! return(NULL);
+! }
+!
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+***************
+*** 4765,4773 ****
+ } while (RAW == '|');
+ if (RAW != ')') {
+ xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+! if ((last != NULL) && (last != ret))
+! xmlFreeEnumeration(last);
+! return(ret);
+ }
+ NEXT;
+ return(ret);
+--- 4770,4777 ----
+ } while (RAW == '|');
+ if (RAW != ')') {
+ xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+! xmlFreeEnumeration(ret);
+! return(NULL);
+ }
+ NEXT;
+ return(ret);
+***************
+*** 4808,4814 ****
+ }
+ cur = xmlCreateEnumeration(name);
+ xmlFree(name);
+! if (cur == NULL) return(ret);
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+--- 4812,4822 ----
+ }
+ cur = xmlCreateEnumeration(name);
+ xmlFree(name);
+! if (cur == NULL) {
+! xmlFreeEnumeration(ret);
+! return(NULL);
+! }
+!
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+***************
+*** 5206,5211 ****
+--- 5214,5226 ----
+ const xmlChar *elem;
+ xmlChar type = 0;
+
++ if (ctxt->depth > 128) {
++ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
++ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
++ ctxt->depth);
++ return(NULL);
++ }
++
+ SKIP_BLANKS;
+ GROW;
+ if (RAW == '(') {
+***************
+*** 5214,5220 ****
+--- 5229,5237 ----
+ /* Recurse on first child */
+ NEXT;
+ SKIP_BLANKS;
++ ctxt->depth++;
+ cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ ctxt->depth--;
+ SKIP_BLANKS;
+ GROW;
+ } else {
+***************
+*** 5344,5350 ****
+--- 5361,5369 ----
+ /* Recurse on second child */
+ NEXT;
+ SKIP_BLANKS;
++ ctxt->depth++;
+ last = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ ctxt->depth--;
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt); |
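Review bot: The recursion guard added at the top of xmlParseElementChildrenContentDecl (`if (ctxt->depth > 128)`) uses a bare literal and carries no comment saying what it bounds or why. I would name the limit and document it, for example a file-level constant (the name is only a suggestion) `#define XML_MAX_ELEM_CONTENT_DEPTH 128` and, above the check, `/* bound recursion on nested '(' groups in element content declarations (CVE-2009-2414) */`. The counter is the shared `ctxt->depth` field rather than a value local to this recursion; if other parser paths also adjust it (not visible in this hunk), the effective limit depends on the state at entry, which is worth stating in the same comment. In the 4808 block only the `cur == NULL` return is converted to free `ret` and return NULL; the enclosing function starts and ends outside the visible context, so any other error return there should be checked against the same ownership rule.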