From 6e4f18cfdd1bf747e77f81b64497f1c05f57a057 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 8 Jun 2016 13:29:32 -0400 Subject: gnu: libxml2: Add fix for CVE-2016-1762. * gnu/packages/patches/libxml2-CVE-2016-1762.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (libxml2/fixed)[source]: Add patch. --- gnu/packages/xml.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index dc5c60dca8..40ff3e6b4b 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -116,7 +116,8 @@ project (but it is usable outside of the Gnome platform).") version ".tar.gz")) (sha256 (base32 - "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))))) + "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")) + (patches (search-patches "libxml2-CVE-2016-1762.patch"))))))) (define-public python-libxml2 (package (inherit libxml2) -- cgit v1.2.3 From 993b400acb24344d399857010177e7ecaab847b7 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 8 Jun 2016 18:17:13 -0400 Subject: Revert "gnu: libxml2: Add fix for CVE-2016-1762." This reverts commit 6e4f18cfdd1bf747e77f81b64497f1c05f57a057. --- gnu/local.mk | 1 - gnu/packages/patches/libxml2-CVE-2016-1762.patch | 31 ------------------------ gnu/packages/xml.scm | 3 +-- 3 files changed, 1 insertion(+), 34 deletions(-) delete mode 100644 gnu/packages/patches/libxml2-CVE-2016-1762.patch (limited to 'gnu/packages/xml.scm') diff --git a/gnu/local.mk b/gnu/local.mk index b07aa42f7d..8915c46cdd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -633,7 +633,6 @@ dist_patch_DATA = \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ - %D%/packages/patches/libxml2-CVE-2016-1762.patch \ %D%/packages/patches/libxslt-CVE-2015-7995.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/libpthread-glibc-preparation.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2016-1762.patch b/gnu/packages/patches/libxml2-CVE-2016-1762.patch deleted file mode 100644 index 15ec6a0aee..0000000000 --- a/gnu/packages/patches/libxml2-CVE-2016-1762.patch +++ /dev/null @@ -1,31 +0,0 @@ -Copied from Debian. - -From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Tue, 9 Feb 2016 12:55:29 +0100 -Subject: [PATCH] Heap-based buffer overread in xmlNextChar - -For https://bugzilla.gnome.org/show_bug.cgi?id=759671 - -when the end of the internal subset isn't properly detected -xmlParseInternalSubset should just return instead of trying -to process input further. - -[carnil: drop patches to testsuite files] ---- - -diff --git a/parser.c b/parser.c -index c5741e3..0677030 100644 ---- a/parser.c -+++ b/parser.c -@@ -8468,6 +8468,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) { - */ - if (RAW != '>') { - xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL); -+ return; - } - NEXT; - } --- -2.8.1 - diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 40ff3e6b4b..dc5c60dca8 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -116,8 +116,7 @@ project (but it is usable outside of the Gnome platform).") version ".tar.gz")) (sha256 (base32 - "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")) - (patches (search-patches "libxml2-CVE-2016-1762.patch"))))))) + "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))))) (define-public python-libxml2 (package (inherit libxml2) -- cgit v1.2.3 From 436dd0463668361476a448d88f6e8653981a7346 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 9 Jun 2016 13:02:11 -0400 Subject: gnu: expat: Fix CVE-2012-6702 and CVE-2016-5300. * gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (expat/fixed): Use it. --- gnu/local.mk | 1 + .../expat-CVE-2012-6702-and-CVE-2016-5300.patch | 142 +++++++++++++++++++++ gnu/packages/xml.scm | 3 +- 3 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch (limited to 'gnu/packages/xml.scm') diff --git a/gnu/local.mk b/gnu/local.mk index f31e5776d9..73aef0aa8e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -480,6 +480,7 @@ dist_patch_DATA = \ %D%/packages/patches/emacs-source-date-epoch.patch \ %D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ + %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch \ %D%/packages/patches/expat-CVE-2015-1283.patch \ %D%/packages/patches/expat-CVE-2015-1283-refix.patch \ %D%/packages/patches/expat-CVE-2016-0718.patch \ diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch new file mode 100644 index 0000000000..edc43f84f1 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch @@ -0,0 +1,142 @@ +Fix CVE-2012-6702 and CVE-2016-5300. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 + +Patch copied from: +https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/ + +From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 16 Mar 2016 15:30:12 +0100 +Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0) + +Squashed backport against vanilla Expat 2.1.1, addressing: +* CVE-2012-6702 -- unanticipated internal calls to srand +* CVE-2016-5300 -- use of too little entropy + +Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d +(released with Expat 2.1.0) Expat called srand by itself +from inside generate_hash_secret_salt for an instance +of XML_Parser if XML_SetHashSalt was either (a) not called +for that instance or if (b) salt 0 was passed to XML_SetHashSalt +prior to parsing. That call to srand passed (rather litle) +entropy extracted from the current time as a seed for srand. + +That call to srand (1) broke repeatability for code calling +srand with a non-random seed prior to parsing with Expat, +and (2) resulted in a rather small set of hashing salts in +Expat in total. + +For a short- to mid-term fix, the new approach avoids calling +srand altogether, extracts more entropy out of the clock and +other sources, too. + +For a long term fix, we may want to read sizeof(long) bytes +from a source like getrandom(..) on Linux, and from similar +sources on other supported architectures. + +https://bugzilla.redhat.com/show_bug.cgi?id=1197087 +--- + CMakeLists.txt | 3 +++ + lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++------- + 2 files changed, 44 insertions(+), 7 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 353627e..524d514 100755 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib) + if(MSVC) + add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996) + endif(MSVC) ++if(WIN32) ++ add_definitions(-DCOMPILED_FROM_DSP) ++endif(WIN32) + + set(expat_SRCS + lib/xmlparse.c +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index e308c79..c5f942f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6,7 +6,14 @@ + #include /* memset(), memcpy() */ + #include + #include /* UINT_MAX */ +-#include /* time() */ ++ ++#ifdef COMPILED_FROM_DSP ++#define getpid GetCurrentProcessId ++#else ++#include /* gettimeofday() */ ++#include /* getpid() */ ++#include /* getpid() */ ++#endif + + #define XML_BUILDING_EXPAT 1 + +@@ -432,7 +439,7 @@ static ELEMENT_TYPE * + getElementType(XML_Parser parser, const ENCODING *enc, + const char *ptr, const char *end); + +-static unsigned long generate_hash_secret_salt(void); ++static unsigned long generate_hash_secret_salt(XML_Parser parser); + static XML_Bool startParsing(XML_Parser parser); + + static XML_Parser +@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = { + }; + + static unsigned long +-generate_hash_secret_salt(void) ++gather_time_entropy(void) + { +- unsigned int seed = time(NULL) % UINT_MAX; +- srand(seed); +- return rand(); ++#ifdef COMPILED_FROM_DSP ++ FILETIME ft; ++ GetSystemTimeAsFileTime(&ft); /* never fails */ ++ return ft.dwHighDateTime ^ ft.dwLowDateTime; ++#else ++ struct timeval tv; ++ int gettimeofday_res; ++ ++ gettimeofday_res = gettimeofday(&tv, NULL); ++ assert (gettimeofday_res == 0); ++ ++ /* Microseconds time is <20 bits entropy */ ++ return tv.tv_usec; ++#endif ++} ++ ++static unsigned long ++generate_hash_secret_salt(XML_Parser parser) ++{ ++ /* Process ID is 0 bits entropy if attacker has local access ++ * XML_Parser address is few bits of entropy if attacker has local access */ ++ const unsigned long entropy = ++ gather_time_entropy() ^ getpid() ^ (unsigned long)parser; ++ ++ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ ++ if (sizeof(unsigned long) == 4) { ++ return entropy * 2147483647; ++ } else { ++ return entropy * 2305843009213693951; ++ } + } + + static XML_Bool /* only valid for root parser */ +@@ -703,7 +737,7 @@ startParsing(XML_Parser parser) + { + /* hash functions must be initialized before setContext() is called */ + if (hash_secret_salt == 0) +- hash_secret_salt = generate_hash_secret_salt(); ++ hash_secret_salt = generate_hash_secret_salt(parser); + if (ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it +-- +2.8.2 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index dc5c60dca8..d5967f7966 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -69,7 +69,8 @@ things the parser might find in the XML document (like start tags).") (inherit expat) (source (origin (inherit (package-source expat)) - (patches (search-patches "expat-CVE-2015-1283.patch" + (patches (search-patches "expat-CVE-2012-6702-and-CVE-2016-5300.patch" + "expat-CVE-2015-1283.patch" "expat-CVE-2015-1283-refix.patch" "expat-CVE-2016-0718.patch")))))) -- cgit v1.2.3 From e4aab734875a40f991b6ecba1247be6fc248f15f Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Mon, 6 Jun 2016 14:33:58 +0200 Subject: gnu: xmlsec: Enable gnutls support. * gnu/packages/xml.scm (xmlsec)[native-inputs]: Add pkg-config. --- gnu/packages/xml.scm | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index d5967f7966..e62bfa7e54 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2013, 2015 Andreas Enge ;;; Copyright © 2015 Eric Bavier ;;; Copyright © 2015 Sou Bunnbu -;;; Copyright © 2015 Ricardo Wurmus +;;; Copyright © 2015, 2016 Ricardo Wurmus ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2015 Efraim Flashner ;;; Copyright © 2015 Raimon Grau @@ -40,7 +40,8 @@ #:use-module (guix build-system gnu) #:use-module (guix build-system perl) #:use-module (guix build-system python) - #:use-module (gnu packages linux)) + #:use-module (gnu packages linux) + #:use-module (gnu packages pkg-config)) (define-public expat (package @@ -636,6 +637,8 @@ XSL-T processor. It also performs any necessary post-processing.") `(("gnutls" ,gnutls) ("libgcrypt" ,libgcrypt) ("libltdl" ,libltdl))) + (native-inputs + `(("pkg-config" ,pkg-config))) (home-page "http://www.libexpat.org/") (synopsis "XML Security Library") (description -- cgit v1.2.3