openSUSE:Leap:42.3:Staging:A
libxml2
libxml2-CVE-2016-9318.patch
File libxml2-CVE-2016-9318.patch of Package libxml2
Index: libxml2-2.9.4/elfgcchack.h =================================================================== --- libxml2-2.9.4.orig/elfgcchack.h +++ libxml2-2.9.4/elfgcchack.h @@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityL #endif #endif +#ifdef bottom_xmlIO +#undef xmlNoXxeExternalEntityLoader +extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias"))); +#else +#ifndef xmlNoXxeExternalEntityLoader +extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden"))); +#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias +#endif +#endif + #ifdef bottom_tree #undef xmlNodeAddContent extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias"))); Index: libxml2-2.9.4/include/libxml/parser.h =================================================================== --- libxml2-2.9.4.orig/include/libxml/parser.h +++ libxml2-2.9.4/include/libxml/parser.h @@ -1111,7 +1111,8 @@ typedef enum { XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */ XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */ XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */ - XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */ + XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */ + XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity substitution */ } xmlParserOption; XMLPUBFUN void XMLCALL Index: libxml2-2.9.4/include/libxml/xmlIO.h =================================================================== --- libxml2-2.9.4.orig/include/libxml/xmlIO.h +++ libxml2-2.9.4/include/libxml/xmlIO.h 
@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL xmlParserCtxtPtr ctxt); /* + * A predefined entity loader external entity expansion + */ +XMLPUBFUN xmlParserInputPtr XMLCALL + xmlNoXxeExternalEntityLoader (const char *URL, + const char *ID, + xmlParserCtxtPtr ctxt); + +/* * xmlNormalizeWindowsPath is obsolete, don't use it. * Check xmlCanonicPath in uri.h for a better alternative. */ Index: libxml2-2.9.4/include/libxml/xmlerror.h =================================================================== --- libxml2-2.9.4.orig/include/libxml/xmlerror.h +++ libxml2-2.9.4/include/libxml/xmlerror.h @@ -470,6 +470,7 @@ typedef enum { XML_IO_EADDRINUSE, /* 1554 */ XML_IO_EALREADY, /* 1555 */ XML_IO_EAFNOSUPPORT, /* 1556 */ + XML_IO_ILLEGAL_XXE, /* 1557 */ XML_XINCLUDE_RECURSION=1600, XML_XINCLUDE_PARSE_VALUE, /* 1601 */ XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */ Index: libxml2-2.9.4/parser.c =================================================================== --- libxml2-2.9.4.orig/parser.c +++ libxml2-2.9.4/parser.c @@ -15358,6 +15358,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtP ctxt->options |= XML_PARSE_NONET; options -= XML_PARSE_NONET; } + if (options & XML_PARSE_NOXXE) { + ctxt->options |= XML_PARSE_NOXXE; + options -= XML_PARSE_NOXXE; + } if (options & XML_PARSE_COMPACT) { ctxt->options |= XML_PARSE_COMPACT; options -= XML_PARSE_COMPACT; Index: libxml2-2.9.4/xmlIO.c =================================================================== --- libxml2-2.9.4.orig/xmlIO.c +++ libxml2-2.9.4/xmlIO.c @@ -210,6 +210,7 @@ static const char *IOerr[] = { "adddress in use", /* EADDRINUSE */ "already in use", /* EALREADY */ "unknown address familly", /* EAFNOSUPPORT */ + "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */ }; #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__) 
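Review bot: The comment added above the xmlNoXxeExternalEntityLoader declaration in xmlIO.h, `A predefined entity loader external entity expansion`, has lost a word and does not say what the loader does. I would replace it with `A predefined entity loader that refuses to load external entities; only the first input of a parser context is passed on to the default loader`, which matches the definition this patch adds to xmlIO.c. The comment on XML_PARSE_NOXXE in parser.h, `Forbid any external entity substitution`, could carry the same detail, because the refusal applies to every load that reaches the loader after the first input, not only to entity references in content.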
@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const cha xmlGenericError(xmlGenericErrorContext, "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL); #endif - if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) { + if (ctxt != NULL) { int options = ctxt->options; - ctxt->options -= XML_PARSE_NONET; - ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); - ctxt->options = options; - return(ret); + if (options & XML_PARSE_NOXXE) { + ctxt->options -= XML_PARSE_NOXXE; + ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt); + ctxt->options = options; + return(ret); + } + + if (options & XML_PARSE_NONET) { + ctxt->options -= XML_PARSE_NONET; + ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); + ctxt->options = options; + return(ret); + } } #ifdef LIBXML_CATALOG_ENABLED resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); @@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char xmlParserInputPtr input = NULL; xmlChar *resource = NULL; + if (ctxt == NULL) { + return(NULL); + } + if (ctxt->input_id == 1) { + return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); + } + #ifdef LIBXML_CATALOG_ENABLED resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); #endif @@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char return(input); } +xmlParserInputPtr +xmlNoXxeExternalEntityLoader(const char *URL, const char *ID, + xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) { + return(NULL); + } + if (ctxt->input_id == 1) { + return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); + } + xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL); + return(NULL); +} + #define bottom_xmlIO #include "elfgcchack.h" Index: libxml2-2.9.4/xmllint.c =================================================================== --- libxml2-2.9.4.orig/xmllint.c +++ libxml2-2.9.4/xmllint.c 
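Review bot: In the xmlNoNetExternalEntityLoader hunk, the added `if (ctxt->input_id == 1) return xmlDefaultExternalEntityLoader(...)` lets the first load of a context skip the network check that this function exists to apply. The default loader's NONET branch clears XML_PARSE_NONET before calling back into this function, so on the second pass the shortcut reaches the unrestricted load path. If input_id is 1 for the top-level document, as the NOXXE loader assumes, a document named by a network URL would be fetched even with XML_PARSE_NONET set. The added `if (ctxt == NULL) return(NULL);` also changes the result for callers that pass no context. Neither check is needed for NOXXE, so I would remove both from this function and keep them only in xmlNoXxeExternalEntityLoader; the function body starts and ends outside the hunk.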
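Review bot: xmlNoXxeExternalEntityLoader is added at the end of xmlIO.c with no header comment, and its whole policy rests on the unexplained test `ctxt->input_id == 1`. I would add a doc comment saying that the first input of a context is handed to xmlDefaultExternalEntityLoader, that every later load is refused with XML_IO_ILLEGAL_XXE, and that a NULL ctxt is refused without raising an error. The comment should also state the assumption that `input_id == 1` identifies the document entity, and that is worth confirming for a context reused for a second document, where a counter that is not reset would make the loader refuse the document itself. URL is passed unchecked to xmlIOErr and appears to fill the `%s` in the new IOerr string, so a NULL URL should be guarded or documented as impossible.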
@@ -3019,6 +3019,7 @@ static void usage(const char *name) { printf("\t--path 'paths': provide a set of paths for resources\n"); printf("\t--load-trace : print trace of all external entities loaded\n"); printf("\t--nonet : refuse to fetch DTDs or entities over network\n"); + printf("\t--noxxe : forbid any external entity substitution\n"); printf("\t--nocompact : do not generate compact text nodes\n"); printf("\t--htmlout : output results as HTML\n"); printf("\t--nowrap : do not put HTML doc wrapper\n"); @@ -3461,6 +3462,10 @@ main(int argc, char **argv) { (!strcmp(argv[i], "--nonet"))) { options |= XML_PARSE_NONET; xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader); + } else if ((!strcmp(argv[i], "-noxxe")) || + (!strcmp(argv[i], "--noxxe"))) { + options |= XML_PARSE_NOXXE; + xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader); } else if ((!strcmp(argv[i], "-nocompact")) || (!strcmp(argv[i], "--nocompact"))) { options &= ~XML_PARSE_COMPACT;
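Review bot: Nothing in the patch as shown exercises the new `--noxxe` branch in main(): there is no regression input that declares an external entity and checks that xmllint reports XML_IO_ILLEGAL_XXE instead of loading it. Because this option is the fix for a CVE, I would add such a case, plus one that combines `--noxxe` with `--nonet` in both orders, since each switch calls xmlSetExternalEntityLoader and the later call replaces the earlier loader. The usage() line is the only user documentation added, so the xmllint manual page should get the same entry. main() starts and ends outside the hunk.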