1 |
tetromino 13/10/01 17:57:26 |
2 |
|
3 |
Added: librsvg-2.36.4-resource-uri-1.patch |
4 |
librsvg-2.36.4-resource-uri-2.patch |
5 |
librsvg-2.36.4-resource-uri-3.patch |
6 |
Log: |
7 |
Fix information disclosure vulnerability (CVE-2013-1881, bug #486600, thanks to Agostino Sarubbo). Drop vulnerable version. |
8 |
|
9 |
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key CF0ADD61) |
10 |
|
11 |
Revision Changes Path |
12 |
1.1 gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch |
13 |
|
14 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch?rev=1.1&view=markup |
15 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch?rev=1.1&content-type=text/plain |
16 |
|
17 |
Index: librsvg-2.36.4-resource-uri-1.patch |
18 |
=================================================================== |
19 |
From 56d0018d911eb5783f22125d9893fce075778c64 Mon Sep 17 00:00:00 2001 |
20 |
From: Christian Persch <chpe@×××××.org> |
21 |
Date: Sun, 3 Mar 2013 20:32:09 +0100 |
22 |
Subject: [PATCH 1/3] io: Resolve relative URIs |
23 |
|
24 |
--- |
25 |
rsvg-base.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++------------- |
26 |
1 file changed, 64 insertions(+), 17 deletions(-) |
27 |
|
28 |
diff --git a/rsvg-base.c b/rsvg-base.c |
29 |
index 6210716..ed383d2 100644 |
30 |
--- a/rsvg-base.c |
31 |
+++ b/rsvg-base.c |
32 |
@@ -2154,36 +2154,83 @@ _rsvg_handle_allow_load (RsvgHandle *handle, |
33 |
return TRUE; |
34 |
} |
35 |
|
36 |
+static char * |
37 |
+_rsvg_handle_resolve_uri (RsvgHandle *handle, |
38 |
+ const char *uri) |
39 |
+{ |
40 |
+ RsvgHandlePrivate *priv = handle->priv; |
41 |
+ char *scheme, *resolved_uri; |
42 |
+ GFile *base, *resolved; |
43 |
+ |
44 |
+ if (uri == NULL) |
45 |
+ return NULL; |
46 |
+ |
47 |
+ scheme = g_uri_parse_scheme (uri); |
48 |
+ if (scheme != NULL || |
49 |
+ priv->base_gfile == NULL || |
50 |
+ (base = g_file_get_parent (priv->base_gfile)) == NULL) { |
51 |
+ g_free (scheme); |
52 |
+ return g_strdup (uri); |
53 |
+ } |
54 |
+ |
55 |
+ resolved = g_file_resolve_relative_path (base, uri); |
56 |
+ resolved_uri = g_file_get_uri (resolved); |
57 |
+ |
58 |
+ g_free (scheme); |
59 |
+ g_object_unref (base); |
60 |
+ g_object_unref (resolved); |
61 |
+ |
62 |
+ return resolved_uri; |
63 |
+} |
64 |
+ |
65 |
guint8* |
66 |
_rsvg_handle_acquire_data (RsvgHandle *handle, |
67 |
- const char *uri, |
68 |
+ const char *url, |
69 |
char **content_type, |
70 |
gsize *len, |
71 |
GError **error) |
72 |
{ |
73 |
- if (!_rsvg_handle_allow_load (handle, uri, error)) |
74 |
- return NULL; |
75 |
+ char *uri; |
76 |
+ guint8 *data; |
77 |
+ |
78 |
+ uri = _rsvg_handle_resolve_uri (handle, url); |
79 |
+ |
80 |
+ if (_rsvg_handle_allow_load (handle, uri, error)) { |
81 |
+ data = _rsvg_io_acquire_data (uri, |
82 |
+ rsvg_handle_get_base_uri (handle), |
83 |
+ content_type, |
84 |
+ len, |
85 |
+ handle->priv->cancellable, |
86 |
+ error); |
87 |
+ } else { |
88 |
+ data = NULL; |
89 |
+ } |
90 |
|
91 |
- return _rsvg_io_acquire_data (uri, |
92 |
- rsvg_handle_get_base_uri (handle), |
93 |
- content_type, |
94 |
- len, |
95 |
- handle->priv->cancellable, |
96 |
- error); |
97 |
+ g_free (uri); |
98 |
+ return data; |
99 |
} |
100 |
|
101 |
GInputStream * |
102 |
_rsvg_handle_acquire_stream (RsvgHandle *handle, |
103 |
- const char *uri, |
104 |
+ const char *url, |
105 |
char **content_type, |
106 |
GError **error) |
107 |
{ |
108 |
- if (!_rsvg_handle_allow_load (handle, uri, error)) |
109 |
- return NULL; |
110 |
+ char *uri; |
111 |
+ GInputStream *stream; |
112 |
+ |
113 |
+ uri = _rsvg_handle_resolve_uri (handle, url); |
114 |
+ |
115 |
+ if (_rsvg_handle_allow_load (handle, uri, error)) { |
116 |
+ stream = _rsvg_io_acquire_stream (uri, |
117 |
+ rsvg_handle_get_base_uri (handle), |
118 |
+ content_type, |
119 |
+ handle->priv->cancellable, |
120 |
+ error); |
121 |
+ } else { |
122 |
+ stream = NULL; |
123 |
+ } |
124 |
|
125 |
- return _rsvg_io_acquire_stream (uri, |
126 |
- rsvg_handle_get_base_uri (handle), |
127 |
- content_type, |
128 |
- handle->priv->cancellable, |
129 |
- error); |
130 |
+ g_free (uri); |
131 |
+ return stream; |
132 |
} |
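Review bot: `_rsvg_handle_resolve_uri` returns NULL for a NULL `url`, and both `_rsvg_handle_acquire_data` and `_rsvg_handle_acquire_stream` pass that result to `_rsvg_handle_allow_load` without checking it. If the policy check accepts it, it goes on to the `_rsvg_io_acquire_*` loader as well. An early exit right after the resolve call, such as `if (uri == NULL) { g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Missing URI"); return NULL; }`, would keep a missing reference away from the policy check and the loader. Separately, the scheme-less branch hands `uri` to `g_file_resolve_relative_path` as a plain path, so a leading `/` or `..` segments resolve outside the base directory, and percent-escapes are presumably not decoded. Nothing in this hunk restricts the result, so the helper deserves a comment such as `/* Result is NOT validated: callers must pass it through _rsvg_handle_allow_load() before loading */`.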
133 |
-- |
134 |
1.8.3.2 |
135 |
|
136 |
|
137 |
|
138 |
|
139 |
1.1 gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch |
140 |
|
141 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch?rev=1.1&view=markup |
142 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch?rev=1.1&content-type=text/plain |
143 |
|
144 |
Index: librsvg-2.36.4-resource-uri-2.patch |
145 |
=================================================================== |
146 |
From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001 |
147 |
From: Christian Persch <chpe@×××××.org> |
148 |
Date: Mon, 11 Feb 2013 22:36:30 +0100 |
149 |
Subject: [PATCH 2/3] io: Use XML_PARSE_NONET |
150 |
|
151 |
We don't want to load resources off the net. |
152 |
|
153 |
Bug #691708. |
154 |
--- |
155 |
rsvg-base.c | 3 +++ |
156 |
rsvg-css.c | 2 ++ |
157 |
2 files changed, 5 insertions(+) |
158 |
|
159 |
diff --git a/rsvg-base.c b/rsvg-base.c |
160 |
index ed383d2..1f88479 100644 |
161 |
--- a/rsvg-base.c |
162 |
+++ b/rsvg-base.c |
163 |
@@ -572,6 +572,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts) |
164 |
goto fallback; |
165 |
|
166 |
xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL); |
167 |
+ xml_parser->options |= XML_PARSE_NONET; |
168 |
|
169 |
buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err); |
170 |
g_object_unref (stream); |
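Review bot: The added `xml_parser->options |= XML_PARSE_NONET;` dereferences the result of `xmlCreatePushParserCtxt` without a NULL check, and that constructor returns NULL on failure. The same pattern is added in `rsvg_handle_write_impl`, `rsvg_handle_read_stream_sync` and, in rsvg-css.c, `rsvg_css_parse_xml_attribute_string`. Unless each context is validated in code outside these hunks, every site needs a guard before the flag is set, here along the lines of `if (xml_parser == NULL) { g_object_unref (stream); goto fallback; }`. A short comment at one of the sites would also help, for example `/* XML_PARSE_NONET only stops libxml2 from fetching over the network; local references are governed by the handle's load policy */`, so the flag is not read as a complete defence against external loads.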
171 |
@@ -1111,6 +1112,7 @@ rsvg_handle_write_impl (RsvgHandle * handle, const guchar * buf, gsize count, GE |
172 |
if (handle->priv->ctxt == NULL) { |
173 |
handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0, |
174 |
rsvg_handle_get_base_uri (handle)); |
175 |
+ handle->priv->ctxt->options |= XML_PARSE_NONET; |
176 |
|
177 |
/* if false, external entities work, but internal ones don't. if true, internal entities |
178 |
work, but external ones don't. favor internal entities, in order to not cause a |
179 |
@@ -1767,6 +1769,7 @@ rsvg_handle_read_stream_sync (RsvgHandle *handle, |
180 |
if (priv->ctxt == NULL) { |
181 |
priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0, |
182 |
rsvg_handle_get_base_uri (handle)); |
183 |
+ priv->ctxt->options |= XML_PARSE_NONET; |
184 |
|
185 |
/* if false, external entities work, but internal ones don't. if true, internal entities |
186 |
work, but external ones don't. favor internal entities, in order to not cause a |
187 |
diff --git a/rsvg-css.c b/rsvg-css.c |
188 |
index 7813098..3f703cc 100644 |
189 |
--- a/rsvg-css.c |
190 |
+++ b/rsvg-css.c |
191 |
@@ -836,6 +836,8 @@ rsvg_css_parse_xml_attribute_string (const char *attribute_string) |
192 |
xmlSAX2InitDefaultSAXHandler (&handler, 0); |
193 |
handler.serror = rsvg_xml_noerror; |
194 |
parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL); |
195 |
+ parser->options |= XML_PARSE_NONET; |
196 |
+ |
197 |
if (xmlParseDocument (parser) != 0) |
198 |
goto done; |
199 |
|
200 |
-- |
201 |
1.8.3.2 |
202 |
|
203 |
|
204 |
|
205 |
|
206 |
1.1 gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch |
207 |
|
208 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch?rev=1.1&view=markup |
209 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch?rev=1.1&content-type=text/plain |
210 |
|
211 |
Index: librsvg-2.36.4-resource-uri-3.patch |
212 |
=================================================================== |
213 |
From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001 |
214 |
From: Christian Persch <chpe@×××××.org> |
215 |
Date: Mon, 11 Feb 2013 22:36:58 +0100 |
216 |
Subject: [PATCH 3/3] io: Implement strict load policy |
217 |
|
218 |
Allow any file to load from data:, and any resource to load from other |
219 |
resources. Only allow file: to load other file: URIs from below the path |
220 |
of the base file. Any other loads are denied. |
221 |
|
222 |
Bug #691708. |
223 |
--- |
224 |
rsvg-base.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ |
225 |
rsvg-io.c | 2 +- |
226 |
rsvg-private.h | 4 +-- |
227 |
3 files changed, 84 insertions(+), 11 deletions(-) |
228 |
|
229 |
diff --git a/rsvg-base.c b/rsvg-base.c |
230 |
index 1f88479..9d7c1ea 100644 |
231 |
--- a/rsvg-base.c |
232 |
+++ b/rsvg-base.c |
233 |
@@ -25,6 +25,7 @@ |
234 |
*/ |
235 |
|
236 |
#include "config.h" |
237 |
+#define _GNU_SOURCE 1 |
238 |
|
239 |
#include "rsvg.h" |
240 |
#include "rsvg-private.h" |
241 |
@@ -1002,6 +1003,7 @@ void |
242 |
rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri) |
243 |
{ |
244 |
gchar *uri; |
245 |
+ GFile *file; |
246 |
|
247 |
g_return_if_fail (handle != NULL); |
248 |
|
249 |
@@ -1013,11 +1015,10 @@ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri) |
250 |
else |
251 |
uri = rsvg_get_base_uri_from_filename (base_uri); |
252 |
|
253 |
- if (uri) { |
254 |
- if (handle->priv->base_uri) |
255 |
- g_free (handle->priv->base_uri); |
256 |
- handle->priv->base_uri = uri; |
257 |
- } |
258 |
+ file = g_file_new_for_uri (uri ? uri : "data:"); |
259 |
+ rsvg_handle_set_base_gfile (handle, file); |
260 |
+ g_object_unref (file); |
261 |
+ g_free (uri); |
262 |
} |
263 |
|
264 |
/** |
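Review bot: The `"data:"` literal in `g_file_new_for_uri (uri ? uri : "data:")` is an undocumented sentinel, and it changes what a failed base-URI lookup does. The removed code left the existing base untouched when `uri` was NULL, whereas the new code always replaces it. Assuming the resulting GFile reports the `data` scheme, the scheme comparison in `_rsvg_handle_allow_load` will then refuse every `file:` and `resource:` reference, which is a safe default but a surprising one. I would add a comment on that line, for example `/* No usable base URI: fall back to a data: base so that only data: references can load */`. The start of `rsvg_handle_set_base_uri` lies outside this hunk.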
265 |
@@ -2149,12 +2150,84 @@ _rsvg_handle_allow_load (RsvgHandle *handle, |
266 |
const char *uri, |
267 |
GError **error) |
268 |
{ |
269 |
- RsvgLoadPolicy policy = handle->priv->load_policy; |
270 |
+ RsvgHandlePrivate *priv = handle->priv; |
271 |
+ GFile *base; |
272 |
+ char *path, *dir; |
273 |
+ char *scheme = NULL, *cpath = NULL, *cdir = NULL; |
274 |
|
275 |
- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE) |
276 |
- return TRUE; |
277 |
+ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT); |
278 |
+ |
279 |
+ scheme = g_uri_parse_scheme (uri); |
280 |
+ |
281 |
+ /* Not a valid URI */ |
282 |
+ if (scheme == NULL) |
283 |
+ goto deny; |
284 |
+ |
285 |
+ /* Allow loads of data: from any location */ |
286 |
+ if (g_str_equal (scheme, "data")) |
287 |
+ goto allow; |
288 |
+ |
289 |
+ /* No base to compare to? */ |
290 |
+ if (priv->base_gfile == NULL) |
291 |
+ goto deny; |
292 |
+ |
293 |
+ /* Deny loads from differing URI schemes */ |
294 |
+ if (!g_file_has_uri_scheme (priv->base_gfile, scheme)) |
295 |
+ goto deny; |
296 |
+ |
297 |
+ /* resource: is allowed to load anything from other resources */ |
298 |
+ if (g_str_equal (scheme, "resource")) |
299 |
+ goto allow; |
300 |
+ |
301 |
+ /* Non-file: isn't allowed to load anything */ |
302 |
+ if (!g_str_equal (scheme, "file")) |
303 |
+ goto deny; |
304 |
+ |
305 |
+ base = g_file_get_parent (priv->base_gfile); |
306 |
+ if (base == NULL) |
307 |
+ goto deny; |
308 |
|
309 |
+ dir = g_file_get_path (base); |
310 |
+ g_object_unref (base); |
311 |
+ |
312 |
+ /* FIXME portability */ |
313 |
+ cdir = canonicalize_file_name (dir); |
314 |
+ g_free (dir); |
315 |
+ if (cdir == NULL) |
316 |
+ goto deny; |
317 |
+ |
318 |
+ path = g_filename_from_uri (uri, NULL, NULL); |
319 |
+ if (path == NULL) |
320 |
+ goto deny; |
321 |
+ |
322 |
+ /* FIXME portability */ |
323 |
+ cpath = canonicalize_file_name (path); |
324 |
+ g_free (path); |
325 |
+ |
326 |
+ if (cpath == NULL) |
327 |
+ goto deny; |
328 |
+ |
329 |
+ /* Now check that @cpath is below @cdir */ |
330 |
+ if (!g_str_has_prefix (cpath, cdir) || |
331 |
+ cpath[strlen (cdir)] != G_DIR_SEPARATOR) |
332 |
+ goto deny; |
333 |
+ |
334 |
+ /* Allow load! */ |
335 |
+ |
336 |
+ allow: |
337 |
+ g_free (scheme); |
338 |
+ free (cpath); |
339 |
+ free (cdir); |
340 |
return TRUE; |
341 |
+ |
342 |
+ deny: |
343 |
+ g_free (scheme); |
344 |
+ free (cpath); |
345 |
+ free (cdir); |
346 |
+ |
347 |
+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, |
348 |
+ "File may not link to URI \"%s\"", uri); |
349 |
+ return FALSE; |
350 |
} |
351 |
|
352 |
static char * |
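Review bot: The containment test near the end of `_rsvg_handle_allow_load` denies every load when the base file sits in the filesystem root. There `cdir` is `/`, so `cpath[strlen (cdir)]` is the first character of the file name rather than `G_DIR_SEPARATOR`. The failure is on the closed side, but it is easy to avoid by ignoring a trailing separator on `cdir` before comparing, as sketched below. It would also help to document above the check that the policy admits the whole subtree under the base file's directory, so an SVG stored directly in a broad directory (a home directory, a shared temp directory) can still reference any readable file beneath it. The same comment should say that the path is canonicalized here but opened again later by URI, so the check does not bind the later open to the same file. The function's signature begins above this hunk.

```c
    char *scheme = NULL, *cpath = NULL, *cdir = NULL;
    gsize cdir_len;

    /* … unchanged: scheme checks, base lookup, canonicalization of cdir and cpath … */

    /* Now check that @cpath is below @cdir */
    cdir_len = strlen (cdir);
    /* A base directory of "/" already ends in the separator; compare without it */
    if (cdir_len > 0 && cdir[cdir_len - 1] == G_DIR_SEPARATOR)
        cdir_len--;
    if (strncmp (cpath, cdir, cdir_len) != 0 ||
        cpath[cdir_len] != G_DIR_SEPARATOR)
        goto deny;
```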
353 |
diff --git a/rsvg-io.c b/rsvg-io.c |
354 |
index 3d6c8b5..818d2ec 100644 |
355 |
--- a/rsvg-io.c |
356 |
+++ b/rsvg-io.c |
357 |
@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri, |
358 |
gboolean base64 = FALSE; |
359 |
|
360 |
g_assert (out_len != NULL); |
361 |
- g_assert (g_str_has_prefix (uri, "data:")); |
362 |
+ g_assert (strncmp (uri, "data:", 5) == 0); |
363 |
|
364 |
mime_type = NULL; |
365 |
start = uri + 5; |
366 |
diff --git a/rsvg-private.h b/rsvg-private.h |
367 |
index 25283d4..1961eaf 100644 |
368 |
--- a/rsvg-private.h |
369 |
+++ b/rsvg-private.h |
370 |
@@ -123,10 +123,10 @@ struct RsvgSaxHandler { |
371 |
}; |
372 |
|
373 |
typedef enum { |
374 |
- RSVG_LOAD_POLICY_ALL_PERMISSIVE |
375 |
+ RSVG_LOAD_POLICY_STRICT |
376 |
} RsvgLoadPolicy; |
377 |
|
378 |
-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE) |
379 |
+#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT) |
380 |
|
381 |
struct RsvgHandlePrivate { |
382 |
RsvgHandleFlags flags; |
383 |
-- |
384 |
1.8.3.2 |