[libxml-libxml-perl] 01/03: CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call

Salvatore Bonaccorso carnil at debian.org
Sun Oct 29 12:41:58 UTC 2017



commit d67c556fe52a3c76c6105491cc4c546b408f44ed
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sun Oct 29 13:10:46 2017 +0100

    CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
    
    Closes: #866676
---
 .../patches/CVE-2017-10672/0001-Update-dom.c.patch | 28 ++++++
 .../0002-bug-use-after-free-in-replaceChild.patch  | 34 ++++++++
 .../patches/CVE-2017-10672/0003-Update-ufa.t.patch | 34 ++++++++
 .../patches/CVE-2017-10672/0004-Update-ufa.t.patch | 35 ++++++++
 .../patches/CVE-2017-10672/0005-Update-ufa.t.patch | 28 ++++++
 .../CVE-2017-10672/0006-Fix-replaceChild.patch     | 99 ++++++++++++++++++++++
 .../patches/CVE-2017-10672/0007-Update-ufa.t.patch | 26 ++++++
 .../CVE-2017-10672/0008-fix-replaceChild.patch     | 29 +++++++
 debian/patches/series                              |  8 ++
 9 files changed, 321 insertions(+)

diff --git a/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch b/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch
new file mode 100644
index 0000000..17e96c7
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0001-Update-dom.c.patch
@@ -0,0 +1,28 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 16:35:36 +0700
+Subject: [1/8] Update dom.c
+Origin: https://git.kernel.org/linus/729cb0f96a4c7c4d5c885f3d699fe587edb30cab
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ dom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dom.c b/dom.c
+index 87eb61d..10eb33d 100644
+--- a/dom.c
++++ b/dom.c
+@@ -798,7 +798,7 @@ domReplaceChild( xmlNodePtr self, xmlNodePtr new, xmlNodePtr old ) {
+         return NULL;
+ 
+     if ( new == old )
+-        return new;
++        return NULL;
+ 
+     if ( new == NULL ) {
+         /* level2 sais nothing about this case :( */
+-- 
+2.15.0.rc2
+
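Review bot: The changed line `+        return NULL;` carries no comment, and NULL is also what the guard just above it returns for an error (the context line `return NULL;`), so a reader of dom.c cannot tell that `new == old` is a deliberate no-op rather than a failure. The XS caller maps a NULL result to `XSRETURN_UNDEF`, and after patch 0006 it no longer calls domReplaceChild with `nNode == oNode` at all, so this branch presumably only matters for other C-level callers of domReplaceChild — worth confirming none of them relied on getting the node back. I would put above the return: `/* new == old: nothing to replace and nothing has been unlinked yet; return NULL so the caller does not treat the node as a removed child */`. domReplaceChild's body begins and ends outside the hunk.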
diff --git a/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch b/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
new file mode 100644
index 0000000..7a4ea5e
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
@@ -0,0 +1,34 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:02:59 +0700
+Subject: [2/8] bug use after free in replaceChild
+Origin: https://git.kernel.org/linus/7188660dba5f9c339005766062305d58fa0f757c
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+test case for use after free in replaceChild
+---
+ t/ufa.t | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+ create mode 100644 t/ufa.t
+
+diff --git a/t/ufa.t b/t/ufa.t
+new file mode 100644
+index 0000000..ef3ce9d
+--- /dev/null
++++ b/t/ufa.t
+@@ -0,0 +1,10 @@
++#test bug use after free in function replaceChild
++use XML::LibXML;
++BEGIN { $| = 1 }
++my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
++
++my $parser = XML::LibXML->new();
++my $info = $parser->load_xml(string=>$data) or die;
++my $root = $info->findnodes("mipu94")->[0];
++my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
++$root->replaceChild($ufanode,$ufanode);
+\ No newline at end of file
+-- 
+2.15.0.rc2
+
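Review bot: The header comment in the new t/ufa.t does not say what the test exercises: `$ufanode` is selected with `pwn4fun/ufanode`, a grandchild of `$root`, so the `oNode` argument is not a child of `self` and the call can only hit the same-node guard, never a real replacement. I would replace `#test bug use after free in function replaceChild` with a comment along the lines of `# CVE-2017-10672: replaceChild(new, old) with new == old must be a no-op; old is deliberately not a direct child of $root, so only the same-node guard is exercised`. `load_xml(string=>$data) or die;` also dies without any message; `or die "load_xml failed: $@"` would at least say which step failed once this becomes a Test::More script in the later patches.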
diff --git a/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch
new file mode 100644
index 0000000..7c3dd97
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0003-Update-ufa.t.patch
@@ -0,0 +1,34 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:35:09 +0700
+Subject: [3/8] Update ufa.t
+Origin: https://git.kernel.org/linus/075f314d1b0e6624127d6cc1573c51c9d1c91bc2
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index ef3ce9d..0ebbbf2 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,4 +1,7 @@
+ #test bug use after free in function replaceChild
++use strict;
++use warnings;
++use Test::More;
+ use XML::LibXML;
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+@@ -7,4 +10,4 @@ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+-$root->replaceChild($ufanode,$ufanode);
+\ No newline at end of file
++ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
+-- 
+2.15.0.rc2
+
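Review bot: Patches 0003, 0004, 0005 and 0007 edit t/ufa.t back and forth within one series — the `use strict; use warnings;` added here is dropped in 0004, the header comment is moved in 0005, and the `ok(!$root->replaceChild(...))` assertion introduced here is inverted in 0007 — so intermediate quilt states carry a test that contradicts the final fix. Unless the packaging must mirror upstream commit-by-commit, folding the t/ufa.t patches into a single patch (keeping the Origin lines for traceability) would leave one readable test patch and a shorter debian/patches/series.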
diff --git a/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch
new file mode 100644
index 0000000..6a55143
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0004-Update-ufa.t.patch
@@ -0,0 +1,35 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:42:33 +0700
+Subject: [4/8] Update ufa.t
+Origin: https://git.kernel.org/linus/6c437bef155bf9146ac65be31052b72eda718b11
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index 0ebbbf2..fce4489 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,13 +1,12 @@
+ #test bug use after free in function replaceChild
+-use strict;
+-use warnings;
+ use Test::More;
+ use XML::LibXML;
++
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+-
+ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+ ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
++done_testing();
+-- 
+2.15.0.rc2
+
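Review bot: Removing `use strict;` and `use warnings;` leaves t/ufa.t without strictures in its final state, since no later patch in the series restores them; that is the first thing perlcritic flags and is presumably out of line with the rest of the test suite (the other t/*.t files are not on this page). The two lines should stay directly under the header comment: `use strict;` and `use warnings;` before `use Test::More;`.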
diff --git a/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch
new file mode 100644
index 0000000..77fe8e3
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0005-Update-ufa.t.patch
@@ -0,0 +1,28 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Wed, 12 Jul 2017 17:55:56 +0700
+Subject: [5/8] Update ufa.t
+Origin: https://git.kernel.org/linus/91a2b9008c059fb4df3fbee4a5cf7169eb160d7f
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index fce4489..753419e 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -1,7 +1,6 @@
+-#test bug use after free in function replaceChild
+ use Test::More;
+ use XML::LibXML;
+-
++#test bug use after free in function replaceChild
+ BEGIN { $| = 1 }
+ my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+ my $parser = XML::LibXML->new();
+-- 
+2.15.0.rc2
+
diff --git a/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch b/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch
new file mode 100644
index 0000000..c37f390
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0006-Fix-replaceChild.patch
@@ -0,0 +1,99 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Mon, 23 Oct 2017 14:04:59 +0700
+Subject: [6/8] Fix replaceChild
+Origin: https://git.kernel.org/linus/a83e805fdd968e6065db1293bfe5f91cc1c5fea6
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+if newNode == oldNode or self == newNode then do nothing, just return nNode.
+---
+ LibXML.xs | 70 ++++++++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 38 insertions(+), 32 deletions(-)
+
+diff --git a/LibXML.xs b/LibXML.xs
+index ad415c8..718f7db 100644
+--- a/LibXML.xs
++++ b/LibXML.xs
+@@ -4829,40 +4829,46 @@ replaceChild( self, nNode, oNode )
+     PREINIT:
+         xmlNodePtr ret = NULL;
+     CODE:
+-       if ( self->type == XML_DOCUMENT_NODE ) {
+-                switch ( nNode->type ) {
+-                case XML_ELEMENT_NODE:
+-                    warn("replaceChild with an element on a document node not supported yet!");
+-                    XSRETURN_UNDEF;
+-                    break;
+-                case XML_DOCUMENT_FRAG_NODE:
+-                    warn("replaceChild with a document fragment node on a document node not supported yet!");
+-                    XSRETURN_UNDEF;
+-                    break;
+-                case XML_TEXT_NODE:
+-                case XML_CDATA_SECTION_NODE:
+-                    warn("replaceChild with a text node not supported on a document node!");
+-                    XSRETURN_UNDEF;
+-                    break;
+-                default:
+-                    break;
+-                }
+-        }
+-        ret = domReplaceChild( self, nNode, oNode );
+-        if (ret == NULL) {
+-            XSRETURN_UNDEF;
+-        }
+-        else {
+-            LibXML_reparent_removed_node(ret);
+-            RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
+-            if (nNode->type == XML_DTD_NODE) {
+-                LibXML_set_int_subset(nNode->doc, nNode);
++        // if newNode == oldNode or self == newNode then do nothing, just return nNode.
++        if(nNode == oNode || self == nNode ){ 
++          RETVAL = nNode;
++        }
++        else{
++            if ( self->type == XML_DOCUMENT_NODE ) {
++                    switch ( nNode->type ) {
++                    case XML_ELEMENT_NODE:
++                        warn("replaceChild with an element on a document node not supported yet!");
++                        XSRETURN_UNDEF;
++                        break;
++                    case XML_DOCUMENT_FRAG_NODE:
++                        warn("replaceChild with a document fragment node on a document node not supported yet!");
++                        XSRETURN_UNDEF;
++                        break;
++                    case XML_TEXT_NODE:
++                    case XML_CDATA_SECTION_NODE:
++                        warn("replaceChild with a text node not supported on a document node!");
++                        XSRETURN_UNDEF;
++                        break;
++                    default:
++                        break;
++                    }
+             }
+-            if ( nNode->_private != NULL ) {
+-                PmmFixOwner( PmmPROXYNODE(nNode),
+-                             PmmOWNERPO(PmmPROXYNODE(self)) );
++            ret = domReplaceChild( self, nNode, oNode );
++            if (ret == NULL) {
++                XSRETURN_UNDEF;
+             }
+-        }
++            else {
++                LibXML_reparent_removed_node(ret);
++                RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
++                if (nNode->type == XML_DTD_NODE) {
++                    LibXML_set_int_subset(nNode->doc, nNode);
++                }
++                if ( nNode->_private != NULL ) {
++                    PmmFixOwner( PmmPROXYNODE(nNode),
++                                 PmmOWNERPO(PmmPROXYNODE(self)) );
++                }
++            }
++      }
+     OUTPUT:
+         RETVAL
+ 
+-- 
+2.15.0.rc2
+
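Review bot: The new guard `if(nNode == oNode || self == nNode ){` treats `self == nNode` the same as `nNode == oNode` and reports success by returning nNode, but replacing a child with its own parent is not a harmless no-op — in the DOM semantics replaceChild models it is a hierarchy error — and the document-node cases a few lines below handle unsupported input with `warn(...)` followed by `XSRETURN_UNDEF`. Unless domReplaceChild already rejects that case (not visible here), I would keep the silent no-op for `nNode == oNode` only and give the parent case the same treatment as those: `if ( self == nNode ) { warn("replaceChild: new node is the parent itself"); XSRETURN_UNDEF; }`. Style: the hunk introduces a `//` comment into a file compiled as C whose existing comments use `/* */` (see patch 0001), leaves trailing whitespace after `{`, and closes the block with `+      }` at an indent that matches neither the `if` nor the `else{`; normalizing to the surrounding 8-space style would help. The XS body of replaceChild begins before the hunk.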
diff --git a/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch b/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch
new file mode 100644
index 0000000..f86daa2
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0007-Update-ufa.t.patch
@@ -0,0 +1,26 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Mon, 23 Oct 2017 14:06:36 +0700
+Subject: [7/8] Update ufa.t
+Origin: https://git.kernel.org/linus/a9d12057647c1df50b42dca1bc35df657354f3f6
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ t/ufa.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/ufa.t b/t/ufa.t
+index 753419e..26764f3 100644
+--- a/t/ufa.t
++++ b/t/ufa.t
+@@ -7,5 +7,5 @@ my $parser = XML::LibXML->new();
+ my $info = $parser->load_xml(string=>$data) or die;
+ my $root = $info->findnodes("mipu94")->[0];
+ my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+-ok(!$root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
++ok($root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild");
+ done_testing();
+-- 
+2.15.0.rc2
+
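Review bot: `ok($root->replaceChild($ufanode,$ufanode),"Test UFA in replaceChild")` only checks that the call returns something true, so it would also pass if replaceChild returned an unrelated node or had mutated the tree. Tighten it to check identity and that the tree is untouched: `my $ret = $root->replaceChild($ufanode, $ufanode);` then `ok($ret && $ret->isSameNode($ufanode), 'new == old returns the same node');` and `is($ufanode->parentNode->nodeName, 'pwn4fun', 'tree unchanged');`. The `self == nNode` branch added in patch 0006 has no test case at all; a second assertion around `$root->replaceChild($root, $ufanode)` would cover it.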
diff --git a/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch b/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch
new file mode 100644
index 0000000..5455071
--- /dev/null
+++ b/debian/patches/CVE-2017-10672/0008-fix-replaceChild.patch
@@ -0,0 +1,29 @@
+From: sungta <tadinhsung at gmail.com>
+Date: Mon, 23 Oct 2017 14:17:01 +0700
+Subject: [8/8] fix replaceChild
+Origin: https://git.kernel.org/linus/85dc8d5d4b905b323a46ef7e611d889b1c3375df
+Bug-Debian: https://bugs.debian.org/866676
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246
+
+---
+ LibXML.xs | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/LibXML.xs b/LibXML.xs
+index 718f7db..298ff0d 100644
+--- a/LibXML.xs
++++ b/LibXML.xs
+@@ -4831,7 +4831,8 @@ replaceChild( self, nNode, oNode )
+     CODE:
+         // if newNode == oldNode or self == newNode then do nothing, just return nNode.
+         if(nNode == oNode || self == nNode ){ 
+-          RETVAL = nNode;
++		ret = nNode;
++        	RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));
+         }
+         else{
+             if ( self->type == XML_DOCUMENT_NODE ) {
+-- 
+2.15.0.rc2
+
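Review bot: The two added lines appear to mix a leading tab (`ret = nNode;`) with spaces followed by a tab (`RETVAL = PmmNodeToSv(...)`), so they render at different columns from the 8/12-space indentation of the surrounding block; they should be `            ret = nNode;` and `            RETVAL = PmmNodeToSv(ret, PmmOWNERPO(PmmPROXYNODE(ret)));`. Note also that `PmmPROXYNODE(ret)` is dereferenced here without the `nNode->_private != NULL` check the else branch applies before `PmmFixOwner`; nNode arrives as a Perl-side object so a proxy presumably exists, but it is the same assumption the else branch makes for the domReplaceChild result and deserves a one-line comment. The XS body of replaceChild begins and ends outside the hunk.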
diff --git a/debian/patches/series b/debian/patches/series
index c15e2c3..2825dca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,10 @@
 fail-build-no-libxml2.patch
 disable_runtime-version_warning.patch
+CVE-2017-10672/0001-Update-dom.c.patch
+CVE-2017-10672/0002-bug-use-after-free-in-replaceChild.patch
+CVE-2017-10672/0003-Update-ufa.t.patch
+CVE-2017-10672/0004-Update-ufa.t.patch
+CVE-2017-10672/0005-Update-ufa.t.patch
+CVE-2017-10672/0006-Fix-replaceChild.patch
+CVE-2017-10672/0007-Update-ufa.t.patch
+CVE-2017-10672/0008-fix-replaceChild.patch
