[mingw-xerces-c/f21] Fix CVE-2015-0252
Kalev Lember
kalev at fedoraproject.org
Fri Mar 20 11:46:45 UTC 2015
commit a5b35178f31560e8662e32cfe6c87c0aa6cd01a0
Author: Kalev Lember <kalevlember at gmail.com>
Date: Fri Mar 20 10:45:46 2015 +0100
Fix CVE-2015-0252
mingw-xerces-c.spec | 7 ++++-
xerces-c-3.1.1-CVE-2015-0252.patch | 56 ++++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 1 deletion(-)
---
diff --git a/mingw-xerces-c.spec b/mingw-xerces-c.spec
index a8423c2..9db547c 100644
--- a/mingw-xerces-c.spec
+++ b/mingw-xerces-c.spec
@@ -2,7 +2,7 @@
Name: mingw-xerces-c
Version: 3.1.1
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: MingGW Windows validating XML parser
Group: Development/Libraries
@@ -10,6 +10,7 @@ License: ASL 2.0
URL: http://xml.apache.org/xerces-c/
Source0: http://www.apache.org/dist/xerces/c/3/sources/xerces-c-%{version}.tar.gz
Patch0: xerces-c-3.0.1-fix-libtool-compatibility.patch
+Patch1: xerces-c-3.1.1-CVE-2015-0252.patch
BuildArch: noarch
@@ -63,6 +64,7 @@ faithful to the XML 1.0 recommendation and associated standards (DOM
%prep
%setup -q -n xerces-c-%{version}
%patch0 -p0 -b .libtool
+%patch1 -p4 -b .CVE-2015-0252
%build
@@ -98,6 +100,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete
%changelog
+* Fri Mar 20 2015 Kalev Lember <kalevlember at gmail.com> - 3.1.1-11
+- Fix CVE-2015-0252
+
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.1.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
diff --git a/xerces-c-3.1.1-CVE-2015-0252.patch b/xerces-c-3.1.1-CVE-2015-0252.patch
new file mode 100644
index 0000000..3a50126
--- /dev/null
+++ b/xerces-c-3.1.1-CVE-2015-0252.patch
@@ -0,0 +1,56 @@
+--- xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp 2015/03/02 18:07:34 1663380
++++ xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp 2015/03/19 20:56:46 1667870
+@@ -1459,6 +1459,17 @@
+
+ while (fRawBufIndex < fRawBytesAvail)
+ {
++ // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
++ if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
++ ThrowXMLwithMemMgr1
++ (
++ TranscodingException
++ , XMLExcepts::Reader_CouldNotDecodeFirstLine
++ , fSystemId
++ , fMemoryManager
++ );
++ }
++
+ // Get out the current 4 byte value and inc our raw buf index
+ UCS4Ch curVal = *asUCS++;
+ fRawBufIndex += sizeof(UCS4Ch);
+@@ -1618,6 +1629,17 @@
+
+ while (fRawBufIndex < fRawBytesAvail)
+ {
++ // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
++ if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
++ ThrowXMLwithMemMgr1
++ (
++ TranscodingException
++ , XMLExcepts::Reader_CouldNotDecodeFirstLine
++ , fSystemId
++ , fMemoryManager
++ );
++ }
++
+ // Get out the current 2 byte value
+ UTF16Ch curVal = *asUTF16++;
+ fRawBufIndex += sizeof(UTF16Ch);
+@@ -1707,6 +1729,17 @@
+ //
+ void XMLReader::refreshRawBuffer()
+ {
++ // Security fix: make sure we don't underflow on the subtraction.
++ if (fRawBufIndex > fRawBytesAvail) {
++ ThrowXMLwithMemMgr1
++ (
++ RuntimeException
++ , XMLExcepts::Str_StartIndexPastEnd
++ , fSystemId
++ , fMemoryManager
++ );
++ }
++
+ //
+ // If there are any bytes left, move them down to the start. There
+ // should only ever be (max bytes per char - 1) at the most.
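Review bot: The guard added at the top of `refreshRawBuffer()` throws `RuntimeException` with `XMLExcepts::Str_StartIndexPastEnd` and passes `fSystemId` as its argument, so a truncated document is reported as a string-index error, and the system id is lost if that message has no replacement parameter (the message catalog is not visible here, so this needs confirming). A comment there should name the invariant being enforced, for example `// fRawBufIndex > fRawBytesAvail means a decoder consumed a partial code unit; stop before the size subtraction below wraps`. The two loop guards in the earlier inner hunks would be clearer if their comments said why the loop condition is insufficient: `fRawBufIndex < fRawBytesAvail` guarantees only one remaining byte, while `*asUCS++` and `*asUTF16++` read `sizeof(UCS4Ch)` and `sizeof(UTF16Ch)` bytes. The same nine-line throw is duplicated in both loops, and the enclosing function(s) start and end outside these hunks, so whether a shared helper fits cannot be judged from here.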