Document and fix a off-by-one vulnability in libxml2.

Obtained from: libxml upstream Security: b8ae4659-a0da-11e1-a294-bcaec565249c
svn path=/head/; revision=296901
2012-05-18 11:51:18 +00:00 · 2012-05-18 11:51:18 +00:00 · b7e1fac56a · 2021-03-31 03:12:20 +00:00
commit b7e1fac56a
parent 3e58589ebd
3 changed files with 79 additions and 3 deletions
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -52,6 +52,42 @@ Note:  Please add new entries to the beginning of this file.

 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="b8ae4659-a0da-11e1-a294-bcaec565249c">
+    <topic>libxml2 -- An off-by-one out-of-bounds write by XPointer</topic>
+    <affects>
+      <package>
+	<name>libxml2</name>
+	<range><lt>2.7.8_3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Google chrome team reports:</p>
+	<blockquote cite="http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html">
+	  <p>An off-by-one out-of-bounds write flaw was found in the way libxml, a library
+	     for providing XML and HTML support, evaluated certain XPointer parts (XPointer
+	     is used by libxml to include only the part from the returned XML document, that
+	     can be accessed using the XPath expression given with the XPointer). A remote
+	     attacker could provide a specially-crafted XML file, which once opened in an
+	     application, linked against libxml, would lead to that application crash, or,
+	     potentially arbitrary code execution with the privileges of the user running
+	     the application.</p>
+	     <p>Note: The flaw to be exploited requires the particular application, linked
+	     against libxml, to use the XPointer evaluation functionality.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2011-3201</cvename>
+      <url>http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html</url>
+      <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3102</url>
+    </references>
+    <dates>
+      <discovery>2012-05-15</discovery>
+      <entry>2012-05-18</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="f5f00804-a03b-11e1-a284-0023ae8e59f0">
    <topic>inspircd -- buffer overflow</topic>
    <affects>
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@ -13,10 +13,9 @@

 PORTNAME=	libxml2
 PORTVERSION=	2.7.8
-PORTREVISION?=	2
+PORTREVISION?=	3
 CATEGORIES?=	textproc gnome
-MASTER_SITES=	ftp://fr.rpmfind.net/pub/libxml/ \
-		ftp://gd.tuwien.ac.at/pub/libxml/ \
+MASTER_SITES=	ftp://gd.tuwien.ac.at/pub/libxml/ \
 		ftp://xmlsoft.org/libxml2/
 DIST_SUBDIR=	gnome2

--- a/textproc/libxml2/files/patch-xpointer.c
+++ b/textproc/libxml2/files/patch-xpointer.c
@ -0,0 +1,41 @@
+From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001
+From: Jüri Aedla <asd@ut.ee>
+Date: Mon, 07 May 2012 07:06:56 +0000
+Subject: Fix an off by one pointer access
+
+getting out of the range of memory allocated for xpointer decoding
+CVE-2011-3102
+
+---
+diff --git a/xpointer.c b/xpointer.c
+index 37afa3a..0b463dd 100644
+--- xpointer.c
+++ xpointer.c
+@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
+ 		NEXT;
+ 		break;
+ 	    }
+-	    *cur++ = CUR;
+ 	} else if (CUR == '(') {
+ 	    level++;
+-	    *cur++ = CUR;
+ 	} else if (CUR == '^') {
+-	    NEXT;
+-	    if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
+-		*cur++ = CUR;
+-	    } else {
+-		*cur++ = '^';
+-		*cur++ = CUR;
+-	    }
+-	} else {
+-	    *cur++ = CUR;
+            if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
+                NEXT;
+            }
+ 	}
+        *cur++ = CUR;
+ 	NEXT;
+     }
+     *cur = 0;
+--
+cgit v0.9.0.2