[xerces-c/f21] Fix CVE-2015-0252
Kalev Lember
kalev at fedoraproject.org
Fri Mar 20 11:20:14 UTC 2015
commit 14282e0da099ce0758a2e0f84b932d1a142706f8
Author: Kalev Lember <kalevlember at gmail.com>
Date: Fri Mar 20 10:16:21 2015 +0100
Fix CVE-2015-0252
xerces-c-3.1.1-CVE-2015-0252.patch | 56 ++++++++++++++++++++++++++++++++++++++
xerces-c.spec | 8 +++++-
2 files changed, 63 insertions(+), 1 deletion(-)
---
diff --git a/xerces-c-3.1.1-CVE-2015-0252.patch b/xerces-c-3.1.1-CVE-2015-0252.patch
new file mode 100644
index 0000000..3a50126
--- /dev/null
+++ b/xerces-c-3.1.1-CVE-2015-0252.patch
@@ -0,0 +1,56 @@
+--- xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp 2015/03/02 18:07:34 1663380
++++ xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp 2015/03/19 20:56:46 1667870
+@@ -1459,6 +1459,17 @@
+
+ while (fRawBufIndex < fRawBytesAvail)
+ {
++ // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
++ if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
++ ThrowXMLwithMemMgr1
++ (
++ TranscodingException
++ , XMLExcepts::Reader_CouldNotDecodeFirstLine
++ , fSystemId
++ , fMemoryManager
++ );
++ }
++
+ // Get out the current 4 byte value and inc our raw buf index
+ UCS4Ch curVal = *asUCS++;
+ fRawBufIndex += sizeof(UCS4Ch);
+@@ -1618,6 +1629,17 @@
+
+ while (fRawBufIndex < fRawBytesAvail)
+ {
++ // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
++ if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
++ ThrowXMLwithMemMgr1
++ (
++ TranscodingException
++ , XMLExcepts::Reader_CouldNotDecodeFirstLine
++ , fSystemId
++ , fMemoryManager
++ );
++ }
++
+ // Get out the current 2 byte value
+ UTF16Ch curVal = *asUTF16++;
+ fRawBufIndex += sizeof(UTF16Ch);
+@@ -1707,6 +1729,17 @@
+ //
+ void XMLReader::refreshRawBuffer()
+ {
++ // Security fix: make sure we don't underflow on the subtraction.
++ if (fRawBufIndex > fRawBytesAvail) {
++ ThrowXMLwithMemMgr1
++ (
++ RuntimeException
++ , XMLExcepts::Str_StartIndexPastEnd
++ , fSystemId
++ , fMemoryManager
++ );
++ }
++
+ //
+ // If there are any bytes left, move them down to the start. There
+ // should only ever be (max bytes per char - 1) at the most.
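Review bot: The two new length checks in the decode loops are written as an addition, `fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail` and its `UTF16Ch` twin, which is only correct if the sum cannot wrap. Because the enclosing `while (fRawBufIndex < fRawBytesAvail)` already guarantees the difference is positive, the subtraction form `if (fRawBytesAvail - fRawBufIndex < sizeof(UCS4Ch)) {` states the same test without that assumption. The member types are not visible in the patch, so if both are unsigned sizes bounded by the raw buffer capacity this is hardening and not a reachable bug. The guard at the top of `refreshRawBuffer()` only detects an index that has already passed `fRawBytesAvail`, so it is a backstop for the subtraction there and not a substitute for the per-read checks; a comment such as `// Backstop only: callers must bounds-check before advancing fRawBufIndex.` would make that explicit. The bodies of both decode loops and of `refreshRawBuffer()` continue outside the embedded hunks.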
diff --git a/xerces-c.spec b/xerces-c.spec
index 0069f80..97d909f 100644
--- a/xerces-c.spec
+++ b/xerces-c.spec
@@ -1,11 +1,12 @@
Summary: Validating XML Parser
Name: xerces-c
Version: 3.1.1
-Release: 7%{?dist}
+Release: 8%{?dist}
License: ASL 2.0
Group: System Environment/Libraries
URL: http://xml.apache.org/xerces-c/
Source0: http://archive.apache.org/dist/xerces/c/3/sources/xerces-c-%{version}.tar.gz
+Patch0: xerces-c-3.1.1-CVE-2015-0252.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: dos2unix
@@ -47,6 +48,8 @@ manipulating, and validating XML documents.
%prep
%setup -q
+%patch0 -p4 -b .CVE-2015-0252
+
# Copy samples before build to avoid including built binaries in -doc package
mkdir -p _docs
cp -a samples/ _docs/
@@ -96,6 +99,9 @@ rm -rf $RPM_BUILD_ROOT
%doc README LICENSE NOTICE CREDITS doc _docs/*
%changelog
+* Fri Mar 20 2015 Kalev Lember <kalevlember at gmail.com> - 3.1.1-8
+- Fix CVE-2015-0252
+
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.1.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild