libxml2 for LTS

Thorsten Alteholz Sun, 13 Jul 2014 13:31:32 -0700

Hi,

this is my debdiff for CVE-2014-0191 in libxml2.


I used the patch for wheezy as template.

  Thorsten


diff -u libxml2-2.7.8.dfsg/parser.c libxml2-2.7.8.dfsg/parser.c
--- libxml2-2.7.8.dfsg/parser.c
+++ libxml2-2.7.8.dfsg/parser.c
@@ -2554,6 +2554,23 @@
                    xmlChar start[4];
                    xmlCharEncoding enc;

+                    /*
+                     * Note: external parameter entities will not be loaded, it
+                     * is not required for a non-validating parser, unless the
+                     * option of validating, or substituting entities were
+                     * given. Doing so is far more secure as the parser will
+                     * only process data coming from the document entity by
+                     * default.
+                     */
+                     if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+                        (ctxt->replaceEntities == 0) &&
+                        (ctxt->validate == 0))
+                        return;
+
                    /*
                     * handle the extra spaces added before and after
                     * c.f. http://www.w3.org/TR/REC-xml#as-PE
@@ -12302,6 +12319,12 @@
        return(NULL);
     }

+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
     /*
      * Set-up the SAX context
      */
diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog
--- libxml2-2.7.8.dfsg/debian/changelog
+++ libxml2-2.7.8.dfsg/debian/changelog
@@ -1,3 +1,13 @@
+libxml2 (2.7.8.dfsg-2+squeeze9) squeeze-lts; urgency=high
+

+ * libxml2 could be made to consume resources if it processed+ a specially crafted file.

+    (CVE-2014-0191)

+ patch for parser.c copied from debian/patches/cve-2014-0191.patch+ for Wheezy+

+ -- Thorsten Alteholz <deb...@alteholz.de>  Sun, 13 Jul 2014 18:00:28 +0200
+
 libxml2 (2.7.8.dfsg-2+squeeze8) oldstable-security; urgency=high

   * Non-maintainer upload by the Security Team.


--
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/alpine.deb.2.02.1407132223420.17...@jupiter.server.alteholz.net

libxml2 for LTS

Reply via email to