Document and fix a off-by-one vulnability in libxml2.
Obtained from: libxml upstream Security: b8ae4659-a0da-11e1-a294-bcaec565249c
This commit is contained in:
parent
3e58589ebd
commit
b7e1fac56a
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=296901
3 changed files with 79 additions and 3 deletions
|
@ -52,6 +52,42 @@ Note: Please add new entries to the beginning of this file.
|
|||
|
||||
-->
|
||||
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
|
||||
<vuln vid="b8ae4659-a0da-11e1-a294-bcaec565249c">
|
||||
<topic>libxml2 -- An off-by-one out-of-bounds write by XPointer</topic>
|
||||
<affects>
|
||||
<package>
|
||||
<name>libxml2</name>
|
||||
<range><lt>2.7.8_3</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>Google chrome team reports:</p>
|
||||
<blockquote cite="http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html">
|
||||
<p>An off-by-one out-of-bounds write flaw was found in the way libxml, a library
|
||||
for providing XML and HTML support, evaluated certain XPointer parts (XPointer
|
||||
is used by libxml to include only the part from the returned XML document, that
|
||||
can be accessed using the XPath expression given with the XPointer). A remote
|
||||
attacker could provide a specially-crafted XML file, which once opened in an
|
||||
application, linked against libxml, would lead to that application crash, or,
|
||||
potentially arbitrary code execution with the privileges of the user running
|
||||
the application.</p>
|
||||
<p>Note: The flaw to be exploited requires the particular application, linked
|
||||
against libxml, to use the XPointer evaluation functionality.</p>
|
||||
</blockquote>
|
||||
</body>
|
||||
</description>
|
||||
<references>
|
||||
<cvename>CVE-2011-3201</cvename>
|
||||
<url>http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html</url>
|
||||
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3102</url>
|
||||
</references>
|
||||
<dates>
|
||||
<discovery>2012-05-15</discovery>
|
||||
<entry>2012-05-18</entry>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
<vuln vid="f5f00804-a03b-11e1-a284-0023ae8e59f0">
|
||||
<topic>inspircd -- buffer overflow</topic>
|
||||
<affects>
|
||||
|
|
|
@ -13,10 +13,9 @@
|
|||
|
||||
PORTNAME= libxml2
|
||||
PORTVERSION= 2.7.8
|
||||
PORTREVISION?= 2
|
||||
PORTREVISION?= 3
|
||||
CATEGORIES?= textproc gnome
|
||||
MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
|
||||
ftp://gd.tuwien.ac.at/pub/libxml/ \
|
||||
MASTER_SITES= ftp://gd.tuwien.ac.at/pub/libxml/ \
|
||||
ftp://xmlsoft.org/libxml2/
|
||||
DIST_SUBDIR= gnome2
|
||||
|
||||
|
|
41
textproc/libxml2/files/patch-xpointer.c
Normal file
41
textproc/libxml2/files/patch-xpointer.c
Normal file
|
@ -0,0 +1,41 @@
|
|||
From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001
|
||||
From: Jüri Aedla <asd@ut.ee>
|
||||
Date: Mon, 07 May 2012 07:06:56 +0000
|
||||
Subject: Fix an off by one pointer access
|
||||
|
||||
getting out of the range of memory allocated for xpointer decoding
|
||||
CVE-2011-3102
|
||||
|
||||
---
|
||||
diff --git a/xpointer.c b/xpointer.c
|
||||
index 37afa3a..0b463dd 100644
|
||||
--- xpointer.c
|
||||
+++ xpointer.c
|
||||
@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
|
||||
NEXT;
|
||||
break;
|
||||
}
|
||||
- *cur++ = CUR;
|
||||
} else if (CUR == '(') {
|
||||
level++;
|
||||
- *cur++ = CUR;
|
||||
} else if (CUR == '^') {
|
||||
- NEXT;
|
||||
- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
|
||||
- *cur++ = CUR;
|
||||
- } else {
|
||||
- *cur++ = '^';
|
||||
- *cur++ = CUR;
|
||||
- }
|
||||
- } else {
|
||||
- *cur++ = CUR;
|
||||
+ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
|
||||
+ NEXT;
|
||||
+ }
|
||||
}
|
||||
+ *cur++ = CUR;
|
||||
NEXT;
|
||||
}
|
||||
*cur = 0;
|
||||
--
|
||||
cgit v0.9.0.2
|
Loading…
Reference in a new issue