Red Hat Bugzilla – Attachment 946225 Details for
Bug 1149084
CVE-2014-3660 libxml2: denial of service via recursive entity expansion
[patch]
Patch for RHEL-6
CVE-2014-3660-rhel6.patch (text/plain), 4.56 KB, created by
Daniel Veillard
on 2014-10-13 02:56:31 UTC
Description:
Patch for RHEL-6
Filename:
MIME Type:
Creator:
Daniel Veillard
Created:
2014-10-13 02:56:31 UTC
Size:
4.56 KB
>commit c469827a75abc9a55ef2451c21e8b6518594ad98
>Author: Daniel Veillard <veillard@redhat.com>
>Date: Thu Oct 2 16:17:09 2014 +0800
>
> Fix for CVE-2014-3660
>
> Issues related to the billion laugh entity expansion which happened to
> escape the initial set of fixes
>
>diff --git a/parser.c b/parser.c
>index 8860503..d311aa1 100644
>--- a/parser.c
>+++ b/parser.c
>@@ -124,6 +124,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
> return (0);
> if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
> return (1);
>+
>+ /*
>+ * This may look absurd but is needed to detect
>+ * entities problems
>+ */
>+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
>+ (ent->content != NULL) && (ent->checked == 0)) {
>+ unsigned long oldnbent = ctxt->nbentities;
>+ xmlChar *rep;
>+
>+ ent->checked = 1;
>+
>+ rep = xmlStringDecodeEntities(ctxt, ent->content,
>+ XML_SUBSTITUTE_REF, 0, 0, 0);
>+
>+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
>+ if (rep != NULL) {
>+ if (xmlStrchr(rep, '<'))
>+ ent->checked |= 1;
>+ xmlFree(rep);
>+ rep = NULL;
>+ }
>+ }
> if (replacement != 0) {
> if (replacement < XML_MAX_TEXT_LENGTH)
> return(0);
>@@ -183,9 +206,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
> return (0);
> } else {
> /*
>- * strange we got no data for checking just return
>+ * strange we got no data for checking
> */
>- return (0);
>+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
>+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
>+ (ctxt->nbentities <= 10000))
>+ return (0);
> }
> xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
> return (1);
>@@ -2427,6 +2453,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
> name, NULL);
> ctxt->valid = 0;
> }
>+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
> } else if (ctxt->input->free != deallocblankswrapper) {
> input = xmlNewBlanksWrapperInputStream(ctxt, entity);
> if (xmlPushInput(ctxt, input) < 0)
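Review bot: The block added to xmlParserEntityCheck never re-tests `ctxt->lastError.code` after the nested `xmlStringDecodeEntities` call, so a loop error raised during that expansion is not caught by the early `return (1)` that sits just above the block. Consider repeating the test once the block closes, `if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1);`, unless code outside this hunk already covers it. The "This may look absurd" comment could also state what the block does: `ent->checked = 1` marks the entity as in progress, presumably so the re-entrant call added in xmlStringLenDecodeEntities skips it, and the final value stores twice the entity count with bit 0 flagging a `<` in the replacement text. The function starts and ends outside the hunk.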
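Review bot: The threshold `10000` in the new condition of the @@ -183 hunk is an unnamed constant, with no explanation of why undeclared-entity errors get their own budget. A comment such as `/* undeclared entity seen: give up once more than 10000 entities have been counted */`, or a named macro next to the other parser limits, would make the limit auditable. This path also falls through to `xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL)`, so a flood of undeclared references is reported as an entity loop; the comment should say so, because the error code will otherwise mislead whoever triages the failure. Whether a parser option is meant to lift the limit cannot be seen here, as the function begins outside the hunk.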
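Review bot: The result of the added `xmlParserEntityCheck(ctxt, 0, NULL, 0);` in xmlParserHandlePEReference is discarded, and the same holds for the calls added in the xmlStringLenDecodeEntities, xmlParseReference (@@ -7115), xmlParseEntityRef, xmlParseStringEntityRef, xmlParsePEReference and xmlParseStringPEReference hunks. If the call is made only for its side effects on the context, say so with a short comment, e.g. `/* called for its side effect: may raise XML_ERR_ENTITY_LOOP on ctxt */`, or write `(void) xmlParserEntityCheck(ctxt, 0, NULL, 0);`. Where the caller keeps working on the entity afterwards, a reader cannot tell from the hunk whether continuing after a return of 1 is intended. The enclosing function extends beyond the hunk.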
>@@ -2597,6 +2624,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
> if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
> (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
> goto int_error;
>+ xmlParserEntityCheck(ctxt, 0, ent, 0);
> if (ent != NULL)
> ctxt->nbentities += ent->checked;
> if ((ent != NULL) &&
>@@ -2648,6 +2676,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
> ent = xmlParseStringPEReference(ctxt, &str);
> if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
> goto int_error;
>+ xmlParserEntityCheck(ctxt, 0, ent, 0);
> if (ent != NULL)
> ctxt->nbentities += ent->checked;
> if (ent != NULL) {
>@@ -7115,6 +7144,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> (ret != XML_WAR_UNDECLARED_ENTITY)) {
> xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
> "Entity '%s' failed to parse\n", ent->name);
>+ xmlParserEntityCheck(ctxt, 0, ent, 0);
> } else if (list != NULL) {
> xmlFreeNodeList(list);
> list = NULL;
>@@ -7221,7 +7251,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> /*
> * We are copying here, make sure there is no abuse
> */
>- ctxt->sizeentcopy += ent->length;
>+ ctxt->sizeentcopy += ent->length + 5;
> if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
> return;
>
>@@ -7269,7 +7299,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> /*
> * We are copying here, make sure there is no abuse
> */
>- ctxt->sizeentcopy += ent->length;
>+ ctxt->sizeentcopy += ent->length + 5;
> if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
> return;
>
>@@ -7455,6 +7485,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
> ctxt->sax->reference(ctxt->userData, name);
> }
> }
>+ xmlParserEntityCheck(ctxt, 0, ent, 0);
> ctxt->valid = 0;
> }
>
>@@ -7646,6 +7677,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
> "Entity '%s' not defined\n",
> name);
> }
>+ xmlParserEntityCheck(ctxt, 0, ent, 0);
> /* TODO ? check regressions ctxt->valid = 0; */
> }
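Review bot: `ctxt->nbentities += ent->checked;` on the context line right after the new call in the @@ -2597 hunk adds the raw field, while the xmlParserEntityCheck hunk now stores `(ctxt->nbentities - oldnbent + 1) * 2` there with bit 0 used as a flag; the @@ -2648 hunk has the same pattern. Unless code outside these hunks decodes the value, the counter grows by roughly twice the measured entity count plus the flag bit. That errs on the strict side for a denial-of-service limit, but it makes the thresholds harder to reason about; `ctxt->nbentities += ent->checked / 2;` would add the count that was actually measured. The new call also sits after the `goto int_error` test, so an error it raises is not routed there within this hunk.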
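Review bot: The `+ 5` added to `ent->length` in the @@ -7221 hunk is an unexplained constant, repeated verbatim in the @@ -7269 hunk. It presumably charges a fixed cost per copied reference so that empty or very short entities still advance `ctxt->sizeentcopy`, but the existing comment only says "make sure there is no abuse". A line such as `/* + 5: fixed per-reference charge so zero-length entities still count (confirm) */` above the addition would record the intent, and a single named constant would keep the two sites in step.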
>
>@@ -7805,6 +7837,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
> name, NULL);
> ctxt->valid = 0;
> }
>+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
> } else {
> /*
> * Internal checking in case the entity quest barfed
>@@ -8035,6 +8068,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
> name, NULL);
> ctxt->valid = 0;
> }
>+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
> } else {
> /*
> * Internal checking in case the entity quest barfed
Attachments on
bug 1149084
:
944444
|
946196
| 946225 |
946226