[jabberd/el5] backported patch to fix the billion laughs issue from 2.2.14 (#700390, CVE-2011-1755)
Dominic Hopf
dmaphy at fedoraproject.org
Thu Jun 2 12:33:13 UTC 2011
commit e20f89bea27aae15b3f762e983718efc726a3f17
Author: Dominic Hopf <dmaphy at fedoraproject.org>
Date: Thu Jun 2 14:30:40 2011 +0200
backported patch to fix the billion laughs issue from 2.2.14 (#700390, CVE-2011-1755)
jabberd-fix-billion-laughs.patch | 120 ++++++++++++++++++++++++++++++++++++++
jabberd.spec | 11 +++-
2 files changed, 130 insertions(+), 1 deletions(-)
---
diff --git a/jabberd-fix-billion-laughs.patch b/jabberd-fix-billion-laughs.patch
new file mode 100644
index 0000000..8112224
--- /dev/null
+++ b/jabberd-fix-billion-laughs.patch
@@ -0,0 +1,120 @@
+--- sx/sx.h (revision 936)
++++ sx/sx.h (revision 937)
+@@ -191,6 +191,13 @@
+ JABBERD2_API void _sx_element_end(void *arg, const char *name);
+ JABBERD2_API void _sx_cdata(void *arg, const char *str, int len);
+ JABBERD2_API void _sx_namespace_start(void *arg, const char *prefix, const char *uri);
++#ifdef HAVE_XML_STOPPARSER
++JABBERD2_API void _sx_entity_declaration(void *arg, const char *entityName,
++ int is_parameter_entity, const char *value,
++ int value_length, const char *base,
++ const char *systemId, const char *publicId,
++ const char *notationName);
++#endif
+
+ /** processor for incoming wire data */
+ JABBERD2_API void _sx_process_read(sx_t s, sx_buf_t buf);
+--- sx/sx.c (revision 936)
++++ sx/sx.c (revision 937)
+@@ -36,6 +36,16 @@
+ s->expat = XML_ParserCreateNS(NULL, '|');
+ XML_SetReturnNSTriplet(s->expat, 1);
+ XML_SetUserData(s->expat, (void *) s);
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, simply prevent expenansion
++ * of such entities. */
++#ifdef HAVE_XML_STOPPARSER
++ XML_SetEntityDeclHandler(s->expat, (void *) _sx_entity_declaration);
++#else
++ XML_SetDefaultHandler(s->expat, NULL);
++#endif
+
+ s->wbufq = jqueue_new();
+ s->rnadq = jqueue_new();
+--- sx/callback.c (revision 936)
++++ sx/callback.c (revision 937)
+@@ -158,3 +158,17 @@
+ s->nad->scope = ns;
+ }
+
++#ifdef HAVE_XML_STOPPARSER
++/* Stop the parser if an entity declaration is hit. */
++void _sx_entity_declaration(void *arg, const char *entityName,
++ int is_parameter_entity, const char *value,
++ int value_length, const char *base,
++ const char *systemId, const char *publicId,
++ const char *notationName)
++{
++ sx_t s = (sx_t) arg;
++
++ XML_StopParser(s->expat, XML_FALSE);
++}
++#endif
++
+--- util/util.h (revision 936)
++++ util/util.h (revision 937)
+@@ -440,6 +440,11 @@
+ }
+ #endif
+
++#if XML_MAJOR_VERSION > 1
++/* XML_StopParser is present in expat 2.x */
++#define HAVE_XML_STOPPARSER
++#endif
++
+ #endif /* INCL_UTIL_H */
+
+
+--- util/nad.c (revision 936)
++++ util/nad.c (revision 937)
+@@ -1217,6 +1217,7 @@
+ struct build_data {
+ nad_t nad;
+ int depth;
++ XML_Parser p;
+ };
+
+ static void _nad_parse_element_start(void *arg, const char *name, const char **atts) {
+@@ -1319,6 +1320,20 @@
+ bd->nad->scope = ns;
+ }
+
++#ifdef HAVE_XML_STOPPARSER
++/* Stop the parser if an entity declaration is hit. */
++static void _nad_parse_entity_declaration(void *arg, const char *entityName,
++ int is_parameter_entity, const char *value,
++ int value_length, const char *base,
++ const char *systemId, const char *publicId,
++ const char *notationName)
++{
++ struct build_data *bd = (struct build_data *) arg;
++
++ XML_StopParser(bd->p, XML_FALSE);
++}
++#endif
++
+ nad_t nad_parse(const char *buf, int len) {
+ struct build_data bd;
+ XML_Parser p;
+@@ -1329,8 +1344,19 @@
+ p = XML_ParserCreateNS(NULL, '|');
+ if(p == NULL)
+ return NULL;
++ bd.p = p;
+
+ XML_SetReturnNSTriplet(p, 1);
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, simply prevent expenansion
++ * of such entities. */
++#ifdef HAVE_XML_STOPPARSER
++ XML_SetEntityDeclHandler(p, (void *) _nad_parse_entity_declaration);
++#else
++ XML_SetDefaultHandler(p, NULL);
++#endif
+
+ bd.nad = nad_new();
+ bd.depth = 0;
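Review bot: Both handler registrations cast the function pointer through `(void *)` — `XML_SetEntityDeclHandler(s->expat, (void *) _sx_entity_declaration);` in sx.c and the matching `_nad_parse_entity_declaration` line in nad.c — although the declared signatures already match `XML_EntityDeclHandler` exactly; converting a function pointer to `void *` is not conforming C and hides any future signature mismatch the compiler would otherwise report, so register them uncast as `XML_SetEntityDeclHandler(s->expat, _sx_entity_declaration);` and `XML_SetEntityDeclHandler(p, _nad_parse_entity_declaration);`. The handlers also leave eight parameters unused; a `(void)entityName;`-style sink, following whatever the file already does for unused parameters, would keep `-Wextra` builds quiet. Because `XML_StopParser(..., XML_FALSE)` makes the enclosing `XML_Parse` return `XML_STATUS_ERROR` with `XML_ERROR_ABORTED`, the patch depends on `_sx_process_read` and `nad_parse` treating that status as fatal (closing the stream, freeing the partially built nad); both call sites lie outside this hunk, so that cannot be confirmed here. The pre-2.x fallback `XML_SetDefaultHandler(p, NULL)` appears to clear only expat's internal-entity expansion for character data, so the fallback is narrower than the 2.x path — worth a sentence in the comment, which also misspells "expansion" as "expenansion" in both copies.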
diff --git a/jabberd.spec b/jabberd.spec
index 49ba14f..ca7562e 100644
--- a/jabberd.spec
+++ b/jabberd.spec
@@ -1,13 +1,17 @@
Summary: OpenSource server implementation of the Jabber protocols
Name: jabberd
Version: 2.2.11
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Daemons
Source0: http://ftp.xiaoka.com/jabberd2/releases/jabberd-%{version}.tar.bz2
Source1: jabberd.init
Source2: jabberd.sysconfig
Source3: jabberd.pam
+
+# Fixes RHBZ#700390, CVE-2011-1755, patch is backported from upstream 2.2.14
+Patch0: jabberd-fix-billion-laughs.patch
+
URL: http://codex.xiaoka.com/wiki/jabberd2:start
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: openssl-devel libidn-devel expat-devel
@@ -41,6 +45,8 @@ This package defaults to use pam and sqlite.
%prep
%setup -q
+%patch0 -p0
+
%build
export CFLAGS="%{optflags}"
%configure \
@@ -197,6 +203,9 @@ fi
%attr(700, jabber, jabber) %{_var}/lib/%{name}
%changelog
+* Thu Jun 02 2011 Dominic Hopf <dmaphy at fedoraproject.org> - 2.2.11-3
+- backported patch to fix the billion laughs issue from 2.2.14 (#700390, CVE-2011-1755)
+
* Tue Nov 09 2010 Dominic Hopf <dmaphy at fedoraproject.org> - 2.2.11-2
- re-add the server.pem ghost as %%config(noreplace) to prevent the
file from being deleted when updating to this package