[libxml] Add patch for CVE-2011-1944 (#709751)
Paul Howarth
pghmcfc at fedoraproject.org
Thu Jun 2 17:45:04 UTC 2011
commit 1fd8897726bcf1f913736e5b1a4024d7fefa35d9
Author: Paul Howarth <paul at city-fan.org>
Date: Thu Jun 2 18:43:07 2011 +0100
Add patch for CVE-2011-1944 (#709751)
Fix CVE-2011-1944 (heap-based buffer overflow by adding new
namespace node to an existing nodeset or merging nodesets)
libxml-1.8.17-CVE-2011-1944.patch | 35 +++++++++++++++++++++++++++++++++++
libxml.spec | 6 ++++++
2 files changed, 41 insertions(+), 0 deletions(-)
---
diff --git a/libxml-1.8.17-CVE-2011-1944.patch b/libxml-1.8.17-CVE-2011-1944.patch
new file mode 100644
index 0000000..4310381
--- /dev/null
+++ b/libxml-1.8.17-CVE-2011-1944.patch
@@ -0,0 +1,35 @@
+--- libxml-1.8.17/xpath.c.orig 2000-06-28 19:33:51.000000000 +0100
++++ libxml-1.8.17/xpath.c 2011-06-02 16:20:16.095097371 +0100
+@@ -179,13 +179,13 @@
+ #define PUSH_AND_POP(type, name) \
+ extern int name##Push(xmlXPathParserContextPtr ctxt, type value) { \
+ if (ctxt->name##Nr >= ctxt->name##Max) { \
+- ctxt->name##Max *= 2; \
+ ctxt->name##Tab = (void *) xmlRealloc(ctxt->name##Tab, \
+- ctxt->name##Max * sizeof(ctxt->name##Tab[0])); \
++ ctxt->name##Max * 2 * sizeof(ctxt->name##Tab[0])); \
+ if (ctxt->name##Tab == NULL) { \
+ fprintf(xmlXPathDebug, "realloc failed !\n"); \
+ return(0); \
+ } \
++ ctxt->name##Max *= 2; \
+ } \
+ ctxt->name##Tab[ctxt->name##Nr] = value; \
+ ctxt->name = value; \
+@@ -418,14 +418,14 @@
+ } else if (cur->nodeNr == cur->nodeMax) {
+ xmlNodePtr *temp;
+
+- cur->nodeMax *= 2;
+- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+ sizeof(xmlNodePtr));
+ if (temp == NULL) {
+ fprintf(xmlXPathDebug, "xmlXPathNodeSetAdd: out of memory\n");
+ return;
+ }
+ cur->nodeTab = temp;
++ cur->nodeMax *= 2;
+ }
+ cur->nodeTab[cur->nodeNr++] = val;
+ }
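Review bot: In the PUSH_AND_POP part of the patch the result of xmlRealloc() is still assigned straight to `ctxt->name##Tab`, so a failed allocation leaks the old table and leaves the context with a NULL table while `name##Nr` and `name##Max` still describe the old one; any later access through that table (the pop half of the macro is not visible here) would dereference NULL. The xmlXPathNodeSetAdd part already avoids this with `temp`, and the macro should follow it: `void *tmp = xmlRealloc(ctxt->name##Tab, ctxt->name##Max * 2 * sizeof(ctxt->name##Tab[0]));`, then the NULL check on `tmp`, then `ctxt->name##Tab = tmp;`. Separately, at both sites `Max * 2` is evaluated in the counter's own type (presumably int) before it is multiplied by sizeof, and nothing rejects a doubling that would overflow; an upper-bound check on `nodeMax` / `name##Max` before the realloc, returning the existing error path when it is exceeded, would close that. Both the macro and xmlXPathNodeSetAdd begin and end outside the lines shown, so other growth paths in xpath.c (the commit message also mentions merging nodesets) cannot be checked from this patch.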
diff --git a/libxml.spec b/libxml.spec
index aa2c92f..1ea3ed0 100644
--- a/libxml.spec
+++ b/libxml.spec
@@ -9,6 +9,7 @@ URL: http://veillard.com/XML/
Source: ftp://xmlsoft.org/libxml/old/libxml-%{version}.tar.gz
Patch0: libxml-1.8.17-CAN-2004-0110.patch
Patch1: libxml-1.8.17-ficora-245608.patch
+Patch2: libxml-1.8.17-CVE-2011-1944.patch
Patch10: libxml-1.8.17-open-mode.patch
Patch11: libxml-1.8.17-multiarch.patch
Patch12: libxml-1.8.17-declarations.patch
@@ -36,6 +37,10 @@ Libraries, includes, etc. to build old libxml-based applications.
# fix CVE-2009-2416 (use-after-free DoS vulnerabilities)
%patch1 -p0
+# fix CVE-2011-1944 (heap-based buffer overflow by adding new namespace node to
+# an existing nodeset or merging nodesets)
+%patch2 -p1
+
# open() with O_CREAT must have 3 arguments
%patch10 -p1
@@ -94,6 +99,7 @@ rm -rf %{buildroot}
%changelog
* Thu Jun 2 2011 Paul Howarth <paul at city-fan.org> 1:1.8.17-26
+- add patch for CVE-2011-1944 (#709751)
- add %%check section and run regression tests (note that diffs appearing in
the output do not cause the build to fail)
- nobody else likes macros for commands