Document and fix a off-by-one vulnability in libxml2.

Obtained from:	libxml upstream
Security:	b8ae4659-a0da-11e1-a294-bcaec565249c
This commit is contained in:
Koop Mast 2012-05-18 11:51:18 +00:00
parent 3e58589ebd
commit b7e1fac56a
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=296901
3 changed files with 79 additions and 3 deletions

View file

@ -52,6 +52,42 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="b8ae4659-a0da-11e1-a294-bcaec565249c">
<topic>libxml2 -- An off-by-one out-of-bounds write by XPointer</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.7.8_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html">
<p>An off-by-one out-of-bounds write flaw was found in the way libxml, a library
for providing XML and HTML support, evaluated certain XPointer parts (XPointer
is used by libxml to include only the part from the returned XML document, that
can be accessed using the XPath expression given with the XPointer). A remote
attacker could provide a specially-crafted XML file, which once opened in an
application, linked against libxml, would lead to that application crash, or,
potentially arbitrary code execution with the privileges of the user running
the application.</p>
<p>Note: The flaw to be exploited requires the particular application, linked
against libxml, to use the XPointer evaluation functionality.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3201</cvename>
<url>http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3102</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-05-18</entry>
</dates>
</vuln>
<vuln vid="f5f00804-a03b-11e1-a284-0023ae8e59f0">
<topic>inspircd -- buffer overflow</topic>
<affects>

View file

@ -13,10 +13,9 @@
PORTNAME= libxml2
PORTVERSION= 2.7.8
PORTREVISION?= 2
PORTREVISION?= 3
CATEGORIES?= textproc gnome
MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
ftp://gd.tuwien.ac.at/pub/libxml/ \
MASTER_SITES= ftp://gd.tuwien.ac.at/pub/libxml/ \
ftp://xmlsoft.org/libxml2/
DIST_SUBDIR= gnome2

View file

@ -0,0 +1,41 @@
From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001
From: Jüri Aedla <asd@ut.ee>
Date: Mon, 07 May 2012 07:06:56 +0000
Subject: Fix an off by one pointer access
getting out of the range of memory allocated for xpointer decoding
CVE-2011-3102
---
diff --git a/xpointer.c b/xpointer.c
index 37afa3a..0b463dd 100644
--- xpointer.c
+++ xpointer.c
@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
NEXT;
break;
}
- *cur++ = CUR;
} else if (CUR == '(') {
level++;
- *cur++ = CUR;
} else if (CUR == '^') {
- NEXT;
- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
- *cur++ = CUR;
- } else {
- *cur++ = '^';
- *cur++ = CUR;
- }
- } else {
- *cur++ = CUR;
+ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
+ NEXT;
+ }
}
+ *cur++ = CUR;
NEXT;
}
*cur = 0;
--
cgit v0.9.0.2