[ooo-build-commit] Branch 'ooo/OOO310' - libxml2/libxml2-2.6.31.patch

Jan Holesovsky kendy at kemper.freedesktop.org
Tue Aug 18 18:51:31 PDT 2009


 libxml2/libxml2-2.6.31.patch |  128 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)

New commits:
commit 139d7bf5ba47d7e46d0126a00f6a59a2a5262b80
Author: Kurt Zenker <kz at openoffice.org>
Date:   Tue Aug 18 09:48:55 2009 +0000

    CWS-TOOLING: integrate CWS sb114
    2009-08-12 09:02:01 +0200 sb  r274880 : #i104149# missing PATCH flag
    2009-08-11 16:39:16 +0200 sb  r274864 : #i104149# merged in difference between <http://ftp.debian.org/debian/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5.diff.gz> and <http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny1.diff.gz> (which appears to also apply cleanly to the libxml2 2.6.31 source base checked into OOo)

diff --git a/libxml2/libxml2-2.6.31.patch b/libxml2/libxml2-2.6.31.patch
index 53f35c1..cba8f23 100644
--- a/libxml2/libxml2-2.6.31.patch
+++ b/libxml2/libxml2-2.6.31.patch
@@ -282,3 +282,131 @@
   #define LIBXML_DEBUG_RUNTIME
   #endif
   
+diff -r -cN misc/libxml2-2.6.31/changelog misc/build/libxml2-2.6.31/changelog
+*** misc/libxml2-2.6.31/changelog
+--- misc/build/libxml2-2.6.31/changelog
+***************
+*** 0 ****
+--- 1,10 ----
++ libxml2 (2.6.32.dfsg-5+lenny1) stable-security; urgency=high
++ 
++   * Non-maintainer upload by the Security Team.
++   * Fix multiple use-after-free flaws when parsing notation and
++     enumeration attribute types (CVE-2009-2416).
++   * Fix stack overflow when parsing root XML document element DTD
++     definition (CVE-2009-2414).
++ 
++  -- Nico Golde <nion at debian.org>  Thu, 06 Aug 2009 13:04:00 +0000
++ 
+diff -r -cN misc/libxml2-2.6.31/parser.c misc/build/libxml2-2.6.31/parser.c
+*** misc/libxml2-2.6.31/parser.c
+--- misc/build/libxml2-2.6.31/parser.c
+***************
+*** 4752,4761 ****
+  	if (name == NULL) {
+  	    xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+  			   "Name expected in NOTATION declaration\n");
+! 	    return(ret);
+  	}
+  	cur = xmlCreateEnumeration(name);
+! 	if (cur == NULL) return(ret);
+  	if (last == NULL) ret = last = cur;
+  	else {
+  	    last->next = cur;
+--- 4752,4766 ----
+  	if (name == NULL) {
+  	    xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+  			   "Name expected in NOTATION declaration\n");
+! 	    xmlFreeEnumeration(ret);
+! 	    return(NULL);
+  	}
+  	cur = xmlCreateEnumeration(name);
+!         if (cur == NULL) {
+!              xmlFreeEnumeration(ret);
+!              return(NULL);
+!          }
+! 
+  	if (last == NULL) ret = last = cur;
+  	else {
+  	    last->next = cur;
+***************
+*** 4765,4773 ****
+      } while (RAW == '|');
+      if (RAW != ')') {
+  	xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+! 	if ((last != NULL) && (last != ret))
+! 	    xmlFreeEnumeration(last);
+! 	return(ret);
+      }
+      NEXT;
+      return(ret);
+--- 4770,4777 ----
+      } while (RAW == '|');
+      if (RAW != ')') {
+  	xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+!         xmlFreeEnumeration(ret);
+!         return(NULL);
+      }
+      NEXT;
+      return(ret);
+***************
+*** 4808,4814 ****
+  	}
+  	cur = xmlCreateEnumeration(name);
+  	xmlFree(name);
+! 	if (cur == NULL) return(ret);
+  	if (last == NULL) ret = last = cur;
+  	else {
+  	    last->next = cur;
+--- 4812,4822 ----
+  	}
+  	cur = xmlCreateEnumeration(name);
+  	xmlFree(name);
+!         if (cur == NULL) {
+!              xmlFreeEnumeration(ret);
+!              return(NULL);
+!          }
+! 
+  	if (last == NULL) ret = last = cur;
+  	else {
+  	    last->next = cur;
+***************
+*** 5206,5211 ****
+--- 5214,5226 ----
+      const xmlChar *elem;
+      xmlChar type = 0;
+  
++     if (ctxt->depth > 128) {
++         xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
++                 "xmlParseElementChildrenContentDecl : depth %d too deep\n",
++                           ctxt->depth);
++        return(NULL);
++     }
++ 
+      SKIP_BLANKS;
+      GROW;
+      if (RAW == '(') {
+***************
+*** 5214,5220 ****
+--- 5229,5237 ----
+          /* Recurse on first child */
+  	NEXT;
+  	SKIP_BLANKS;
++ 	ctxt->depth++;
+          cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ 	ctxt->depth--;
+  	SKIP_BLANKS;
+  	GROW;
+      } else {
+***************
+*** 5344,5350 ****
+--- 5361,5369 ----
+  	    /* Recurse on second child */
+  	    NEXT;
+  	    SKIP_BLANKS;
++ 	    ctxt->depth++;
+  	    last = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ 	    ctxt->depth--;
+  	    SKIP_BLANKS;
+  	} else {
+  	    elem = xmlParseName(ctxt);


More information about the ooo-build-commit mailing list