libexpat: add patches from expat 2.1.0-6+deb8u2.

c049cb63 · Kazuhiko Shiozaki · 615502f7 · c049cb63 · c049cb63 · c049cb63
Commit c049cb63 authored May 18, 2016 by Kazuhiko Shiozaki
4 changed files
--- a/component/libexpat/CVE-2015-1283-refix.patch
+++ b/component/libexpat/CVE-2015-1283-refix.patch
+From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
+From: Pascal Cuoq <cuoq@trust-in-soft.com>
+Date: Sun, 15 May 2016 09:05:46 +0200
+Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
+ does not really work: https://godbolt.org/g/Zl8gdF
+---
+ expat/lib/xmlparse.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 13e080d..cdb12ef 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -1695,7 +1695,8 @@ XML_GetBuffer(XML_Parser parser, int len
+   }
+   if (len > bufferLim - bufferEnd) {
+-    int neededSize = len + (int)(bufferEnd - bufferPtr);
+    /* Do not invoke signed arithmetic overflow: */
+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
+ /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+     if (neededSize < 0) {
+       errorCode = XML_ERROR_NO_MEMORY;
+@@ -1729,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len
+       if (bufferSize == 0)
+         bufferSize = INIT_BUFFER_SIZE;
+       do {
+-        bufferSize *= 2;
+        /* Do not invoke signed arithmetic overflow: */
+        bufferSize = (int) (2U * (unsigned) bufferSize);
+ /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+       } while (bufferSize < neededSize && bufferSize > 0);
+ /* END MOZILLA CHANGE */
+-- 
+2.8.2
--- a/component/libexpat/CVE-2015-1283.patch
+++ b/component/libexpat/CVE-2015-1283.patch
+Description: fix multiple integer overflows in the XML_GetBuffer function
+ Multiple integer overflows in the XML_GetBuffer function in Expat through
+ 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products,
+ allow remote attackers to cause a denial of service (heap-based buffer
+ overflow) or possibly have unspecified other impact via crafted XML data,
+ a related issue to CVE-2015-2716.
+Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
+Author: Eric Rahm <erahm@mozilla.com>
+Forwarded: not-needed
+Last-Update: 2015-07-24
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l
+   XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+   positionPtr = bufferPtr;
+   return result;
+ }
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
+/* END MOZILLA CHANGE */
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;
+     return NULL;
+   case XML_FINISHED:
+     errorCode = XML_ERROR_FINISHED;
+     return NULL;
+   default: ;
+   }
+   if (len > bufferLim - bufferEnd) {
+-    /* FIXME avoid integer overflow */
+     int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+     int keep = (int)(bufferPtr - buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
+     neededSize += keep;
+ #endif  /* defined XML_CONTEXT_BYTES */
+     if (neededSize  <= bufferLim - buffer) {
+@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len
+     }
+     else {
+       char *newBuf;
+       int bufferSize = (int)(bufferLim - bufferPtr);
+       if (bufferSize == 0)
+         bufferSize = INIT_BUFFER_SIZE;
+       do {
+         bufferSize *= 2;
+-      } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+      } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
+/* END MOZILLA CHANGE */
+       newBuf = (char *)MALLOC(bufferSize);
+       if (newBuf == 0) {
+         errorCode = XML_ERROR_NO_MEMORY;
+         return NULL;
+       }
+       bufferLim = newBuf + bufferSize;
+ #ifdef XML_CONTEXT_BYTES
+       if (bufferPtr) {
--- a/component/libexpat/CVE-2016-0718-v2-2-1.patch
+++ b/component/libexpat/CVE-2016-0718-v2-2-1.patch
--- a/component/libexpat/buildout.cfg
+++ b/component/libexpat/buildout.cfg
@@ -2,9 +2,19 @@
 parts =
  libexpat
+extends =
+  ../patch/buildout.cfg
 [libexpat]
 recipe = slapos.recipe.cmmi
 url = http://downloads.sourceforge.net/project/expat/expat/2.1.0/expat-2.1.0.tar.gz
 md5sum = dd7dab7a5fea97d2a6a43f511449b7cd
 configure-options =
  --disable-static
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/CVE-2015-1283.patch#44b31d7377035591f37ad94a31a8042b
+  ${:_profile_base_location_}/CVE-2015-1283-refix.patch#47382fe30c9a49724c626cef793ef382
+  ${:_profile_base_location_}/CVE-2016-0718-v2-2-1.patch#4ee57e7a052ada99f2e11fa21a229727
+environment =
+  PATH=${patch:location}/bin:%(PATH)s