[ooo-build-commit] Branch 'ooo/OOO310' - libxml2/libxml2-2.6.31.patch
Jan Holesovsky
kendy at kemper.freedesktop.org
Tue Aug 18 18:51:31 PDT 2009
libxml2/libxml2-2.6.31.patch | 128 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 128 insertions(+)
New commits:
commit 139d7bf5ba47d7e46d0126a00f6a59a2a5262b80
Author: Kurt Zenker <kz at openoffice.org>
Date: Tue Aug 18 09:48:55 2009 +0000
CWS-TOOLING: integrate CWS sb114
2009-08-12 09:02:01 +0200 sb r274880 : #i104149# missing PATCH flag
2009-08-11 16:39:16 +0200 sb r274864 : #i104149# merged in difference between <http://ftp.debian.org/debian/pool/main/libx/libxml2/libxml2_2.6.32.dfsg-5.diff.gz> and <http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny1.diff.gz> (which appears to also apply cleanly to the libxml2 2.6.31 source base checked into OOo)
diff --git a/libxml2/libxml2-2.6.31.patch b/libxml2/libxml2-2.6.31.patch
index 53f35c1..cba8f23 100644
--- a/libxml2/libxml2-2.6.31.patch
+++ b/libxml2/libxml2-2.6.31.patch
@@ -282,3 +282,131 @@
#define LIBXML_DEBUG_RUNTIME
#endif
+diff -r -cN misc/libxml2-2.6.31/changelog misc/build/libxml2-2.6.31/changelog
+*** misc/libxml2-2.6.31/changelog
+--- misc/build/libxml2-2.6.31/changelog
+***************
+*** 0 ****
+--- 1,10 ----
++ libxml2 (2.6.32.dfsg-5+lenny1) stable-security; urgency=high
++
++ * Non-maintainer upload by the Security Team.
++ * Fix multiple use-after-free flaws when parsing notation and
++ enumeration attribute types (CVE-2009-2416).
++ * Fix stack overflow when parsing root XML document element DTD
++ definition (CVE-2009-2414).
++
++ -- Nico Golde <nion at debian.org> Thu, 06 Aug 2009 13:04:00 +0000
++
+diff -r -cN misc/libxml2-2.6.31/parser.c misc/build/libxml2-2.6.31/parser.c
+*** misc/libxml2-2.6.31/parser.c
+--- misc/build/libxml2-2.6.31/parser.c
+***************
+*** 4752,4761 ****
+ if (name == NULL) {
+ xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+ "Name expected in NOTATION declaration\n");
+! return(ret);
+ }
+ cur = xmlCreateEnumeration(name);
+! if (cur == NULL) return(ret);
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+--- 4752,4766 ----
+ if (name == NULL) {
+ xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+ "Name expected in NOTATION declaration\n");
+! xmlFreeEnumeration(ret);
+! return(NULL);
+ }
+ cur = xmlCreateEnumeration(name);
+! if (cur == NULL) {
+! xmlFreeEnumeration(ret);
+! return(NULL);
+! }
+!
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+***************
+*** 4765,4773 ****
+ } while (RAW == '|');
+ if (RAW != ')') {
+ xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+! if ((last != NULL) && (last != ret))
+! xmlFreeEnumeration(last);
+! return(ret);
+ }
+ NEXT;
+ return(ret);
+--- 4770,4777 ----
+ } while (RAW == '|');
+ if (RAW != ')') {
+ xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+! xmlFreeEnumeration(ret);
+! return(NULL);
+ }
+ NEXT;
+ return(ret);
+***************
+*** 4808,4814 ****
+ }
+ cur = xmlCreateEnumeration(name);
+ xmlFree(name);
+! if (cur == NULL) return(ret);
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+--- 4812,4822 ----
+ }
+ cur = xmlCreateEnumeration(name);
+ xmlFree(name);
+! if (cur == NULL) {
+! xmlFreeEnumeration(ret);
+! return(NULL);
+! }
+!
+ if (last == NULL) ret = last = cur;
+ else {
+ last->next = cur;
+***************
+*** 5206,5211 ****
+--- 5214,5226 ----
+ const xmlChar *elem;
+ xmlChar type = 0;
+
++ if (ctxt->depth > 128) {
++ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
++ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
++ ctxt->depth);
++ return(NULL);
++ }
++
+ SKIP_BLANKS;
+ GROW;
+ if (RAW == '(') {
+***************
+*** 5214,5220 ****
+--- 5229,5237 ----
+ /* Recurse on first child */
+ NEXT;
+ SKIP_BLANKS;
++ ctxt->depth++;
+ cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ ctxt->depth--;
+ SKIP_BLANKS;
+ GROW;
+ } else {
+***************
+*** 5344,5350 ****
+--- 5361,5369 ----
+ /* Recurse on second child */
+ NEXT;
+ SKIP_BLANKS;
++ ctxt->depth++;
+ last = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ ctxt->depth--;
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
More information about the ooo-build-commit
mailing list