Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 200447 Details for
Bug 280617
<dev-libs/libxml2-2.7.3-r2 Multiple DoS vulnerabilities (CVE-2009-{2414,2416})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch
libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch (text/plain), 2.89 KB, created by
Gilles Dartiguelongue (RETIRED)
on 2009-08-07 00:03:44 UTC
(
hide
)
Description:
libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch
Filename:
MIME Type:
Creator:
Gilles Dartiguelongue (RETIRED)
Created:
2009-08-07 00:03:44 UTC
Size:
2.89 KB
patch
obsolete
>From 587ed8f671eedd54c93dfe3b8bde18549c664255 Mon Sep 17 00:00:00 2001 >From: Gilles Dartiguelongue <eva@gentoo.org> >Date: Fri, 7 Aug 2009 01:48:21 +0200 >Subject: [PATCH] CVE Fixes > > * Multiple pointer use-after-free flaws CVE-2009-2416 > * Stack overflow when parsing recursive XML structures CVE-2009-2414 >--- > parser.c | 28 ++++++++++++++++++++++------ > 1 files changed, 22 insertions(+), 6 deletions(-) > >diff --git a/parser.c b/parser.c >index 9db664f..82e4958 100644 >--- a/parser.c >+++ b/parser.c >@@ -5306,7 +5306,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) { > if (name == NULL) { > xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, > "Name expected in NOTATION declaration\n"); >- return(ret); >+ xmlFreeEnumeration(ret); >+ return(NULL); > } > tmp = ret; > while (tmp != NULL) { >@@ -5322,7 +5323,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) { > } > if (tmp == NULL) { > cur = xmlCreateEnumeration(name); >- if (cur == NULL) return(ret); >+ if (cur == NULL) { >+ xmlFreeEnumeration(ret); >+ return(NULL); >+ } > if (last == NULL) ret = last = cur; > else { > last->next = cur; >@@ -5333,9 +5337,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) { > } while (RAW == '|'); > if (RAW != ')') { > xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); >- if ((last != NULL) && (last != ret)) >- xmlFreeEnumeration(last); >- return(ret); >+ xmlFreeEnumeration(ret); >+ return(NULL); > } > NEXT; > return(ret); >@@ -5390,7 +5393,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) { > cur = xmlCreateEnumeration(name); > if (!xmlDictOwns(ctxt->dict, name)) > xmlFree(name); >- if (cur == NULL) return(ret); >+ if (cur == NULL) { >+ xmlFreeEnumeration(ret); >+ return(NULL); >+ } > if (last == NULL) ret = last = cur; > else { > last->next = cur; >@@ -5794,6 +5800,12 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { > const xmlChar *elem; > xmlChar type = 0; > >+ if (ctxt->depth > 128) { >+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, >+ "xmlParseElementChildrenContentDecl : depth %d too deep\n", >+ ctxt->depth); >+ return(NULL); >+ } > SKIP_BLANKS; > GROW; > if (RAW == '(') { >@@ -5802,7 +5814,9 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { > /* Recurse on first child */ > NEXT; > SKIP_BLANKS; >+ ctxt->depth++; > cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); >+ ctxt->depth--; > SKIP_BLANKS; > GROW; > } else { >@@ -5934,7 +5948,9 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) { > /* Recurse on second child */ > NEXT; > SKIP_BLANKS; >+ ctxt->depth++; > last = xmlParseElementChildrenContentDecl(ctxt, inputid); >+ ctxt->depth--; > SKIP_BLANKS; > } else { > elem = xmlParseName(ctxt); >-- >1.6.3.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 280617
:
200443
| 200447 |
200448