[libxml-libxml-perl] 01/02: CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Nov 14 17:06:56 UTC 2017
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch wheezy
in repository libxml-libxml-perl.
commit 4275f5bfdfa543ceb7e92a6382a7725600ef304b
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sun Oct 29 13:10:46 2017 +0100
CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
Closes: #866676
---
.../patches/CVE-2017-10672/0001-Update-dom.c.patch | 23 +++++
.../0002-bug-use-after-free-in-replaceChild.patch | 34 ++++++++
.../patches/CVE-2017-10672/0003-Update-ufa.t.patch | 34 ++++++++
.../patches/CVE-2017-10672/0004-Update-ufa.t.patch | 35 ++++++++
.../patches/CVE-2017-10672/0005-Update-ufa.t.patch | 28 +++++++
.../CVE-2017-10672/0006-Fix-replaceChild.patch | 97 ++++++++++++++++++++++
.../patches/CVE-2017-10672/0007-Update-ufa.t.patch | 26 ++++++
.../CVE-2017-10672/0008-fix-replaceChild.patch | 24 ++++++
debian/patches/series | 8 ++
9 files changed, 309 insertions(+)
diff --git a/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch b/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch
new file mode 100644
index 0000000..61966c8
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch
@@ -0,0 +1,23 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 16:35:36 +0700
+Subject: [1/8] Update dom.c
+Origin: https://git.kernel.org/linus/729cb0f96a4c7c4d5c885f3d699fe587edb30cab
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ dom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/dom.c
++++ b/dom.c
+@@ -792,7 +792,7 @@ domReplaceChild( xmlNodePtr self, xmlNod
+ return NULL;
+
+ if ( new == old )
+- return new;
++ return NULL;
+
+ if ( new == NULL ) {
+ /* level2 sais nothing about this case :( */
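Review bot: Returning NULL for `new == old` (L49) makes the self-replace no-op indistinguishable from the failure return at L45 for any other caller of domReplaceChild, and the line carries no comment saying why the node must not be handed back, so a later reader could "fix" it back to `return new;` and reintroduce the bug. The XS wrapper later in this series short-circuits `nNode == oNode` before ever calling in, so this branch only matters for other callers; that should be stated. Suggested comment above the return: `/* replacing a node with itself is a no-op; never hand the node back, a caller may re-parent the returned pointer (CVE-2017-10672) */`. domReplaceChild's body begins and ends outside this hunk.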
diff --git a/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch b/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
new file mode 100644
index 0000000..7a4ea5e
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
@@ -0,0 +1,34 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:02:59 +0700
+Subject: [2/8] bug use after free in replaceChild
+Origin: https://git.kernel.org/linus/7188660dba5f9c339005766062305d58fa0f757c
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+test case for use after free in replaceChild
+---
+ t/ufa.t | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+ create mode 100644 t/ufa.t
+
+diff --git a/t/ufa.t b/t/ufa.t
+new file mode 100644
+index 0000000..ef3ce9d
+--- /dev/null
++++ b/t/ufa.t
+@@ -0,0 +1,10 @@
++#test bug use after free in function replaceChild
++use XML::LibXML;
++BEGIN { $| = 1 }
++my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
++
++my $parser = XML::LibXML->new();
++my $info = $parser->load_xml(string=>$data) or die;
++my $root = $info->findnodes("mipu94")->[0];
++my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
++$root->replaceChild($ufanode,$ufanode);
+\ No newline at end of file
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch
new file mode 100644
index 0000000..7c3dd97
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch
@@ -0,0 +1,34 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:35:09 +0700
+Subject: [3/8] Update ufa.t
+Origin: https://git.kernel.org/linus/075f314d1b0e6624127d6cc1573c51c9d1c91bc2
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index ef3ce9d..0ebbbf2 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,4 +1,7 @@
+ #test bug use after free in function replaceChild
++use strict;
++use warnings;
++use Test::More;
+ use XML::LibXML;
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+@@ -7,4 +10,4 @@ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+-$root->replaceChild($ufanode,$ufanode);
+\ No newline at end of file
++ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch
new file mode 100644
index 0000000..6a55143
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch
@@ -0,0 +1,35 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:42:33 +0700
+Subject: [4/8] Update ufa.t
+Origin: https://git.kernel.org/linus/6c437bef155bf9146ac65be31052b72eda718b11
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index 0ebbbf2..fce4489 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,13 +1,12 @@
+ #test bug use after free in function replaceChild
+-use strict;
+-use warnings;
+ use Test::More;
+ use XML::LibXML;
++
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+-
+ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+ ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
++done_testing();
+--
+2.15.0.rc2
+
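Review bot: This revision of t/ufa.t removes `use strict;` and `use warnings;` (L157–L158) while adding `done_testing()`, and nothing in the hunk explains why the strictures had to go. A regression test for a memory-safety bug should at least keep warnings enabled so an unexpected undef return or stray global surfaces in the TAP output rather than passing silently. Keep them: `use strict;` and `use warnings;` immediately before `use Test::More;`.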
diff --git a/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch
new file mode 100644
index 0000000..77fe8e3
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch
@@ -0,0 +1,28 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:55:56 +0700
+Subject: [5/8] Update ufa.t
+Origin: https://git.kernel.org/linus/91a2b9008c059fb4df3fbee4a5cf7169eb160d7f
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index fce4489..753419e 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,7 +1,6 @@
+-#test bug use after free in function replaceChild
+ use Test::More;
+ use XML::LibXML;
+-
++#test bug use after free in function replaceChild
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+ my $parser = XML::LibXML->new();
+--
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch b/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch
new file mode 100644
index 0000000..67cd28b
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch
@@ -0,0 +1,97 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Mon, 23 Oct 2017 14:04:59 +0700
+Subject: [6/8] Fix replaceChild
+Origin: https://git.kernel.org/linus/a83e805fdd968e6065db1293bfe5f91cc1c5fea6
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+if newNode == oldNode or self == newNode then do nothing, just return nNode.
+---
+ LibXML.xs | 70 ++++++++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 38 insertions(+), 32 deletions(-)
+
+--- a/LibXML.xs
++++ b/LibXML.xs
+@@ -4690,41 +4690,47 @@ replaceChild( self, nNode, oNode )
+ xmlNodePtr ret = NULL;
+ ProxyNodePtr docfrag = NULL;
+ CODE:
+- if ( self->type == XML_DOCUMENT_NODE ) {
+- switch ( nNode->type ) {
+- case XML_ELEMENT_NODE:
+- warn("replaceChild with an element on a document node not supported yet!");
+- XSRETURN_UNDEF;
+- break;
+- case XML_DOCUMENT_FRAG_NODE:
+- warn("replaceChild with a document fragment node on a document node not supported yet!");
+- XSRETURN_UNDEF;
+- break;
+- case XML_TEXT_NODE:
+- case XML_CDATA_SECTION_NODE:
+- warn("replaceChild with a text node not supported on a document node!");
+- XSRETURN_UNDEF;
+- break;
+- default:
+- break;
+- }
+- }
+- ret = domReplaceChild( self, nNode, oNode );
+- if (ret == NULL) {
+- XSRETURN_UNDEF;
+- }
+- else {
+- docfrag = PmmNewFragment( self->doc );
+- /* create document fragment */
+- xmlAddChild( PmmNODE(docfrag), ret );
+- RETVAL = PmmNodeToSv(ret, docfrag);
++ // if newNode == oldNode or self == newNode then do nothing, just return nNode.
++ if(nNode == oNode || self == nNode ){
++ RETVAL = nNode;
++ }
++ else {
++ if ( self->type == XML_DOCUMENT_NODE ) {
++ switch ( nNode->type ) {
++ case XML_ELEMENT_NODE:
++ warn("replaceChild with an element on a document node not supported yet!");
++ XSRETURN_UNDEF;
++ break;
++ case XML_DOCUMENT_FRAG_NODE:
++ warn("replaceChild with a document fragment node on a document node not supported yet!");
++ XSRETURN_UNDEF;
++ break;
++ case XML_TEXT_NODE:
++ case XML_CDATA_SECTION_NODE:
++ warn("replaceChild with a text node not supported on a document node!");
++ XSRETURN_UNDEF;
++ break;
++ default:
++ break;
++ }
++ }
++ ret = domReplaceChild( self, nNode, oNode );
++ if (ret == NULL) {
++ XSRETURN_UNDEF;
++ }
++ else {
++ docfrag = PmmNewFragment( self->doc );
++ /* create document fragment */
++ xmlAddChild( PmmNODE(docfrag), ret );
++ RETVAL = PmmNodeToSv(ret, docfrag);
+
+- if ( nNode->_private != NULL ) {
+- PmmFixOwner( PmmPROXYNODE(nNode),
+- PmmOWNERPO(PmmPROXYNODE(self)) );
+- }
+- PmmFixOwner( SvPROXYNODE(RETVAL), docfrag );
+- }
++ if ( nNode->_private != NULL ) {
++ PmmFixOwner( PmmPROXYNODE(nNode),
++ PmmOWNERPO(PmmPROXYNODE(self)) );
++ }
++ PmmFixOwner( SvPROXYNODE(RETVAL), docfrag );
++ }
++ }
+ OUTPUT:
+ RETVAL
+
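Review bot: The new guard at L262 only catches pointer equality, and its `self == nNode` arm returns nNode as if the replacement succeeded, whereas the other unsupported cases in this function (L269–L279) warn and `XSRETURN_UNDEF`; replacing a child with its own parent is a caller error and reporting success hides it. Cases such as nNode being an ancestor of self, or oNode an ancestor of nNode, still reach domReplaceChild and the fragment re-parenting at L292, and whether domReplaceChild rejects them is not visible here, so they deserve either an explicit check or a test. Suggested change for the second arm: `if (self == nNode) { warn("replaceChild: new node is the parent itself"); XSRETURN_UNDEF; }`. Minor: the rest of this file uses `/* */` comments (L291), so L261 should too. Note the separate assignment `RETVAL = nNode;` at L263 is corrected by the last patch in this series.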
diff --git a/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch
new file mode 100644
index 0000000..f86daa2
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch
@@ -0,0 +1,26 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Mon, 23 Oct 2017 14:06:36 +0700
+Subject: [7/8] Update ufa.t
+Origin: https://git.kernel.org/linus/a9d12057647c1df50b42dca1bc35df657354f3f6
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index 753419e..26764f3 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -7,5 +7,5 @@ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+-ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
++ok($root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
+ done_testing();
+--
+2.15.0.rc2
+
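Review bot: After the flip at L338 the test only asserts that replaceChild returns something true; it does not check that the document is untouched afterwards, which is the property the fix is meant to guarantee (the old code re-parented the node into a fragment). Note `$ufanode` is a grandchild of `$root` via `pwn4fun`, so the self-replace of a non-child is what is exercised, and the `self == nNode` branch added in the XS fix is never hit. Suggest adding `is($ufanode->parentNode->nodeName, 'pwn4fun', 'node still attached to its original parent');` and `ok($root->replaceChild($root, $ufanode), 'replaceChild with self as new node does not crash');` before `done_testing()`, the second adjusted to whatever return that branch settles on.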
diff --git a/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch b/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch
new file mode 100644
index 0000000..aab0e49
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch
@@ -0,0 +1,24 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Mon, 23 Oct 2017 14:17:01 +0700
+Subject: [8/8] fix replaceChild
+Origin: https://git.kernel.org/linus/85dc8d5d4b905b323a46ef7e611d889b1c3375df
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ LibXML.xs | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/LibXML.xs
++++ b/LibXML.xs
+@@ -4692,7 +4692,8 @@ replaceChild( self, nNode, oNode )
+ CODE:
+ // if newNode == oldNode or self == newNode then do nothing, just return nNode.
+ if(nNode == oNode || self == nNode ){
+- RETVAL = nNode;
++ ret = nNode;
++ RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
+ }
+ else {
+ if ( self->type == XML_DOCUMENT_NODE ) {
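Review bot: `PmmOWNERPO(PmmPROXYNODE(ret))` at L369 assumes the node already has a proxy (`ret->_private` non-NULL); the same function guards `nNode->_private != NULL` before calling PmmPROXYNODE on the new node (L301 of the previous patch), which suggests a NULL `_private` is possible here, and whether PmmOWNERPO tolerates a NULL argument is not visible in this hunk. Mirror that guard so the early-return path cannot dereference a missing proxy: `RETVAL = PmmNodeToSv(ret, ret->_private ? PmmOWNERPO(PmmPROXYNODE(ret)) : NULL);`, assuming PmmNodeToSv accepts a NULL owner as the L290–L293 path implies it handles a freshly created one. replaceChild's body continues outside this hunk.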
diff --git a/debian/patches/series b/debian/patches/series
index fd61da0..04be32c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,10 @@
fix-spelling-errors.patch
CVE-2015-3451.patch
+CVE-2017-10672/0001-Update-dom.c.patch
+CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
+CVE-2017-10672/0003-Update-ufa.t.patch
+CVE-2017-10672/0004-Update-ufa.t.patch
+CVE-2017-10672/0005-Update-ufa.t.patch
+CVE-2017-10672/0006-Fix-replaceChild.patch
+CVE-2017-10672/0007-Update-ufa.t.patch
+CVE-2017-10672/0008-fix-replaceChild.patch