
From: "Alexandre Rostovtsev (tetromino)" <tetromino@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in gnome-base/librsvg/files: librsvg-2.36.4-resource-uri-1.patch librsvg-2.36.4-resource-uri-2.patch librsvg-2.36.4-resource-uri-3.patch
Date: Tue, 01 Oct 2013 17:57:32
Message-Id: 20131001175726.6C9E02004E@flycatcher.gentoo.org
1 tetromino 13/10/01 17:57:26
2
3 Added: librsvg-2.36.4-resource-uri-1.patch
4 librsvg-2.36.4-resource-uri-2.patch
5 librsvg-2.36.4-resource-uri-3.patch
6 Log:
7 Fix information disclosure vulnerability (CVE-2013-1881, bug #486600, thanks to Agostino Sarubbo). Drop vulnerable version.
8
9 (Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key CF0ADD61)
10
11 Revision Changes Path
12 1.1 gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch
13
14 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch?rev=1.1&view=markup
15 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch?rev=1.1&content-type=text/plain
16
17 Index: librsvg-2.36.4-resource-uri-1.patch
18 ===================================================================
19 From 56d0018d911eb5783f22125d9893fce075778c64 Mon Sep 17 00:00:00 2001
20 From: Christian Persch <chpe@×××××.org>
21 Date: Sun, 3 Mar 2013 20:32:09 +0100
22 Subject: [PATCH 1/3] io: Resolve relative URIs
23
24 ---
25 rsvg-base.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-------------
26 1 file changed, 64 insertions(+), 17 deletions(-)
27
28 diff --git a/rsvg-base.c b/rsvg-base.c
29 index 6210716..ed383d2 100644
30 --- a/rsvg-base.c
31 +++ b/rsvg-base.c
32 @@ -2154,36 +2154,83 @@ _rsvg_handle_allow_load (RsvgHandle *handle,
33 return TRUE;
34 }
35
36 +static char *
37 +_rsvg_handle_resolve_uri (RsvgHandle *handle,
38 + const char *uri)
39 +{
40 + RsvgHandlePrivate *priv = handle->priv;
41 + char *scheme, *resolved_uri;
42 + GFile *base, *resolved;
43 +
44 + if (uri == NULL)
45 + return NULL;
46 +
47 + scheme = g_uri_parse_scheme (uri);
48 + if (scheme != NULL ||
49 + priv->base_gfile == NULL ||
50 + (base = g_file_get_parent (priv->base_gfile)) == NULL) {
51 + g_free (scheme);
52 + return g_strdup (uri);
53 + }
54 +
55 + resolved = g_file_resolve_relative_path (base, uri);
56 + resolved_uri = g_file_get_uri (resolved);
57 +
58 + g_free (scheme);
59 + g_object_unref (base);
60 + g_object_unref (resolved);
61 +
62 + return resolved_uri;
63 +}
64 +
65 guint8*
66 _rsvg_handle_acquire_data (RsvgHandle *handle,
67 - const char *uri,
68 + const char *url,
69 char **content_type,
70 gsize *len,
71 GError **error)
72 {
73 - if (!_rsvg_handle_allow_load (handle, uri, error))
74 - return NULL;
75 + char *uri;
76 + guint8 *data;
77 +
78 + uri = _rsvg_handle_resolve_uri (handle, url);
79 +
80 + if (_rsvg_handle_allow_load (handle, uri, error)) {
81 + data = _rsvg_io_acquire_data (uri,
82 + rsvg_handle_get_base_uri (handle),
83 + content_type,
84 + len,
85 + handle->priv->cancellable,
86 + error);
87 + } else {
88 + data = NULL;
89 + }
90
91 - return _rsvg_io_acquire_data (uri,
92 - rsvg_handle_get_base_uri (handle),
93 - content_type,
94 - len,
95 - handle->priv->cancellable,
96 - error);
97 + g_free (uri);
98 + return data;
99 }
100
101 GInputStream *
102 _rsvg_handle_acquire_stream (RsvgHandle *handle,
103 - const char *uri,
104 + const char *url,
105 char **content_type,
106 GError **error)
107 {
108 - if (!_rsvg_handle_allow_load (handle, uri, error))
109 - return NULL;
110 + char *uri;
111 + GInputStream *stream;
112 +
113 + uri = _rsvg_handle_resolve_uri (handle, url);
114 +
115 + if (_rsvg_handle_allow_load (handle, uri, error)) {
116 + stream = _rsvg_io_acquire_stream (uri,
117 + rsvg_handle_get_base_uri (handle),
118 + content_type,
119 + handle->priv->cancellable,
120 + error);
121 + } else {
122 + stream = NULL;
123 + }
124
125 - return _rsvg_io_acquire_stream (uri,
126 - rsvg_handle_get_base_uri (handle),
127 - content_type,
128 - handle->priv->cancellable,
129 - error);
130 + g_free (uri);
131 + return stream;
132 }
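Review bot: `_rsvg_handle_resolve_uri` passes the relative reference `uri` to `g_file_resolve_relative_path`, which interprets its argument as a filesystem path, so percent-escapes, `?query` and `#fragment` components of a relative URI reference would not be decoded or stripped before `g_file_get_uri` re-escapes the result; unless callers are known to pass plain relative paths, the reference should be joined at the URI level before the policy check. A header comment stating the contract would help: `/* Resolve @uri against the directory of the base file. Absolute URIs, a missing base, or a base with no parent are returned unchanged. Returns a newly allocated string (NULL only for NULL @uri); free with g_free(). */`. Note that the pass-through case can hand a schemeless string to `_rsvg_handle_allow_load`, which matters once that function applies a scheme-based policy.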
133 --
134 1.8.3.2
135
136
137
138
139 1.1 gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch
140
141 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch?rev=1.1&view=markup
142 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch?rev=1.1&content-type=text/plain
143
144 Index: librsvg-2.36.4-resource-uri-2.patch
145 ===================================================================
146 From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001
147 From: Christian Persch <chpe@×××××.org>
148 Date: Mon, 11 Feb 2013 22:36:30 +0100
149 Subject: [PATCH 2/3] io: Use XML_PARSE_NONET
150
151 We don't want to load resources off the net.
152
153 Bug #691708.
154 ---
155 rsvg-base.c | 3 +++
156 rsvg-css.c | 2 ++
157 2 files changed, 5 insertions(+)
158
159 diff --git a/rsvg-base.c b/rsvg-base.c
160 index ed383d2..1f88479 100644
161 --- a/rsvg-base.c
162 +++ b/rsvg-base.c
163 @@ -572,6 +572,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts)
164 goto fallback;
165
166 xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
167 + xml_parser->options |= XML_PARSE_NONET;
168
169 buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err);
170 g_object_unref (stream);
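Review bot: `xml_parser->options |= XML_PARSE_NONET;` dereferences the result of `xmlCreatePushParserCtxt` without a NULL check; that constructor returns NULL on allocation failure, so the flag should be set through the public API after the check, `if (xml_parser == NULL) goto fallback; xmlCtxtUseOptions (xml_parser, XML_PARSE_NONET);` (or after whatever NULL handling exists outside this hunk). The same unchecked write to the `options` field appears in the `rsvg_handle_write_impl` and `rsvg_handle_read_stream_sync` hunks below (`handle->priv->ctxt->options`, `priv->ctxt->options`) and in the `rsvg-css.c` hunk (`parser->options`). Poking the struct field directly bypasses `xmlCtxtUseOptions`, the documented way to set parser options, which also keeps the context's related state consistent. Worth recording in a comment that `XML_PARSE_NONET` only stops libxml2's default loader from fetching over the network; external entities and DTDs reachable through local files remain governed by the other parse options and the entity loader the surrounding code configures (the context comment below the second hunk refers to that setting).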
171 @@ -1111,6 +1112,7 @@ rsvg_handle_write_impl (RsvgHandle * handle, const guchar * buf, gsize count, GE
172 if (handle->priv->ctxt == NULL) {
173 handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
174 rsvg_handle_get_base_uri (handle));
175 + handle->priv->ctxt->options |= XML_PARSE_NONET;
176
177 /* if false, external entities work, but internal ones don't. if true, internal entities
178 work, but external ones don't. favor internal entities, in order to not cause a
179 @@ -1767,6 +1769,7 @@ rsvg_handle_read_stream_sync (RsvgHandle *handle,
180 if (priv->ctxt == NULL) {
181 priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
182 rsvg_handle_get_base_uri (handle));
183 + priv->ctxt->options |= XML_PARSE_NONET;
184
185 /* if false, external entities work, but internal ones don't. if true, internal entities
186 work, but external ones don't. favor internal entities, in order to not cause a
187 diff --git a/rsvg-css.c b/rsvg-css.c
188 index 7813098..3f703cc 100644
189 --- a/rsvg-css.c
190 +++ b/rsvg-css.c
191 @@ -836,6 +836,8 @@ rsvg_css_parse_xml_attribute_string (const char *attribute_string)
192 xmlSAX2InitDefaultSAXHandler (&handler, 0);
193 handler.serror = rsvg_xml_noerror;
194 parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL);
195 + parser->options |= XML_PARSE_NONET;
196 +
197 if (xmlParseDocument (parser) != 0)
198 goto done;
199
200 --
201 1.8.3.2
202
203
204
205
206 1.1 gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch
207
208 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch?rev=1.1&view=markup
209 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch?rev=1.1&content-type=text/plain
210
211 Index: librsvg-2.36.4-resource-uri-3.patch
212 ===================================================================
213 From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
214 From: Christian Persch <chpe@×××××.org>
215 Date: Mon, 11 Feb 2013 22:36:58 +0100
216 Subject: [PATCH 3/3] io: Implement strict load policy
217
218 Allow any file to load from data:, and any resource to load from other
219 resources. Only allow file: to load other file: URIs from below the path
220 of the base file. Any other loads are denied.
221
222 Bug #691708.
223 ---
224 rsvg-base.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
225 rsvg-io.c | 2 +-
226 rsvg-private.h | 4 +--
227 3 files changed, 84 insertions(+), 11 deletions(-)
228
229 diff --git a/rsvg-base.c b/rsvg-base.c
230 index 1f88479..9d7c1ea 100644
231 --- a/rsvg-base.c
232 +++ b/rsvg-base.c
233 @@ -25,6 +25,7 @@
234 */
235
236 #include "config.h"
237 +#define _GNU_SOURCE 1
238
239 #include "rsvg.h"
240 #include "rsvg-private.h"
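Review bot: `#define _GNU_SOURCE 1` is placed after `#include "config.h"`; feature-test macros must precede the first system header, and autoconf-generated `config.h` files commonly already define `_GNU_SOURCE` (via `AC_USE_SYSTEM_EXTENSIONS`), which would make this a redefinition. Move it above the `config.h` include or define it from the build system. The macro is only needed for `canonicalize_file_name` in the `_rsvg_handle_allow_load` hunk below; both `/* FIXME portability */` comments there can be resolved by using POSIX.1-2008 `realpath (path, NULL)` instead, which has the same malloc'd-result semantics and needs no GNU extension.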
241 @@ -1002,6 +1003,7 @@ void
242 rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
243 {
244 gchar *uri;
245 + GFile *file;
246
247 g_return_if_fail (handle != NULL);
248
249 @@ -1013,11 +1015,10 @@ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
250 else
251 uri = rsvg_get_base_uri_from_filename (base_uri);
252
253 - if (uri) {
254 - if (handle->priv->base_uri)
255 - g_free (handle->priv->base_uri);
256 - handle->priv->base_uri = uri;
257 - }
258 + file = g_file_new_for_uri (uri ? uri : "data:");
259 + rsvg_handle_set_base_gfile (handle, file);
260 + g_object_unref (file);
261 + g_free (uri);
262 }
263
264 /**
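Review bot: `g_file_new_for_uri (uri ? uri : "data:")` changes behaviour for an unparsable base URI: previously the handle's base was left untouched, now it is reset to a `data:` base, under which the strict load policy admits only `data:` loads. That is a sensible fail-closed default but it is not obvious from the code; add `/* No usable base: fall back to a data: base so the strict load policy denies every non-data: reference (see _rsvg_handle_allow_load). */` above the line. `rsvg_handle_set_base_gfile` is not visible here; this assumes it takes its own reference, since `file` is unreffed immediately afterwards.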
265 @@ -2149,12 +2150,84 @@ _rsvg_handle_allow_load (RsvgHandle *handle,
266 const char *uri,
267 GError **error)
268 {
269 - RsvgLoadPolicy policy = handle->priv->load_policy;
270 + RsvgHandlePrivate *priv = handle->priv;
271 + GFile *base;
272 + char *path, *dir;
273 + char *scheme = NULL, *cpath = NULL, *cdir = NULL;
274
275 - if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
276 - return TRUE;
277 + g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
278 +
279 + scheme = g_uri_parse_scheme (uri);
280 +
281 + /* Not a valid URI */
282 + if (scheme == NULL)
283 + goto deny;
284 +
285 + /* Allow loads of data: from any location */
286 + if (g_str_equal (scheme, "data"))
287 + goto allow;
288 +
289 + /* No base to compare to? */
290 + if (priv->base_gfile == NULL)
291 + goto deny;
292 +
293 + /* Deny loads from differing URI schemes */
294 + if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
295 + goto deny;
296 +
297 + /* resource: is allowed to load anything from other resources */
298 + if (g_str_equal (scheme, "resource"))
299 + goto allow;
300 +
301 + /* Non-file: isn't allowed to load anything */
302 + if (!g_str_equal (scheme, "file"))
303 + goto deny;
304 +
305 + base = g_file_get_parent (priv->base_gfile);
306 + if (base == NULL)
307 + goto deny;
308
309 + dir = g_file_get_path (base);
310 + g_object_unref (base);
311 +
312 + /* FIXME portability */
313 + cdir = canonicalize_file_name (dir);
314 + g_free (dir);
315 + if (cdir == NULL)
316 + goto deny;
317 +
318 + path = g_filename_from_uri (uri, NULL, NULL);
319 + if (path == NULL)
320 + goto deny;
321 +
322 + /* FIXME portability */
323 + cpath = canonicalize_file_name (path);
324 + g_free (path);
325 +
326 + if (cpath == NULL)
327 + goto deny;
328 +
329 + /* Now check that @cpath is below @cdir */
330 + if (!g_str_has_prefix (cpath, cdir) ||
331 + cpath[strlen (cdir)] != G_DIR_SEPARATOR)
332 + goto deny;
333 +
334 + /* Allow load! */
335 +
336 + allow:
337 + g_free (scheme);
338 + free (cpath);
339 + free (cdir);
340 return TRUE;
341 +
342 + deny:
343 + g_free (scheme);
344 + free (cpath);
345 + free (cdir);
346 +
347 + g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
348 + "File may not link to URI \"%s\"", uri);
349 + return FALSE;
350 }
351
352 static char *
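Review bot: the containment test `!g_str_has_prefix (cpath, cdir) || cpath[strlen (cdir)] != G_DIR_SEPARATOR` denies every `file:` load when the base file sits in the filesystem root, because canonicalising the parent yields `"/"` and `cpath[1]` is then never a separator; if that is intended it should be documented, otherwise strip one trailing separator from `cdir` before comparing, as below (with `size_t cdir_len;` added to the locals). Also, `uri` can be NULL here — `_rsvg_handle_resolve_uri` in the first patch returns NULL for a NULL url — and `g_uri_parse_scheme (NULL)` emits a GLib critical before the deny path formats it with `%s`; an explicit `if (uri == NULL) goto deny;` ahead of the scheme parse avoids that. The rest of the policy chain (scheme must match the base, `resource:` allowed, `file:` path-checked) is clear from the comments.
```c
    /* Now check that @cpath is below @cdir.  A root base ("/") already
     * ends in a separator, so don't demand a second one after it. */
    cdir_len = strlen (cdir);
    if (cdir_len > 0 && cdir[cdir_len - 1] == G_DIR_SEPARATOR)
        cdir_len--;
    if (strncmp (cpath, cdir, cdir_len) != 0 ||
        cpath[cdir_len] != G_DIR_SEPARATOR)
        goto deny;
    /* … unchanged: allow/deny labels and cleanup … */
```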
353 diff --git a/rsvg-io.c b/rsvg-io.c
354 index 3d6c8b5..818d2ec 100644
355 --- a/rsvg-io.c
356 +++ b/rsvg-io.c
357 @@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
358 gboolean base64 = FALSE;
359
360 g_assert (out_len != NULL);
361 - g_assert (g_str_has_prefix (uri, "data:"));
362 + g_assert (strncmp (uri, "data:", 5) == 0);
363
364 mime_type = NULL;
365 start = uri + 5;
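Review bot: the replacement assertion repeats the literal `5` that `start = uri + 5;` already uses two lines below; tie them together, e.g. `g_assert (strncmp (uri, "data:", strlen ("data:")) == 0);`, or a shared `#define` for the `"data:"` prefix used by both lines. The commit does not say why `g_str_has_prefix` was swapped for `strncmp`; a one-line comment on the motivation would save the next reader from wondering whether the GLib helper is unsuitable here.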
366 diff --git a/rsvg-private.h b/rsvg-private.h
367 index 25283d4..1961eaf 100644
368 --- a/rsvg-private.h
369 +++ b/rsvg-private.h
370 @@ -123,10 +123,10 @@ struct RsvgSaxHandler {
371 };
372
373 typedef enum {
374 - RSVG_LOAD_POLICY_ALL_PERMISSIVE
375 + RSVG_LOAD_POLICY_STRICT
376 } RsvgLoadPolicy;
377
378 -#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
379 +#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
380
381 struct RsvgHandlePrivate {
382 RsvgHandleFlags flags;
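Review bot: `RsvgLoadPolicy` now has a single, uncommented member; since `_rsvg_handle_allow_load` asserts on it and `RSVG_LOAD_POLICY_DEFAULT` selects it, the header should state what the policy means so readers need not search the .c file: `/* Only data: URIs, resource: from a resource: base, and file: below the base file's directory may be loaded; everything else is denied. */` above the typedef. Removing `RSVG_LOAD_POLICY_ALL_PERMISSIVE` also breaks any code that still names it, which is acceptable for a private header but deserves a line in the commit message.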
383 --
384 1.8.3.2