Add patch from upstream to add hash randomization. Without that, (untrusted) input can fill hash buckets uneven, causing high CPU load. (CVE-2012-0841) To get a patch which is simple enough to get pulled up to the stable pkgsrc branch, I've not touched "configure" but just assumed that the POSIX functions rand(), srand() and time() are present. bump PKGREV

(drochner)

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.113 2012/02/22 11:10:17 drochner Exp $
+# $NetBSD: Makefile,v 1.114 2012/03/09 12:12:27 drochner Exp $
 DISTNAME=	libxml2-2.7.8
-PKGREVISION=	7
+PKGREVISION=	8
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://xmlsoft.org/libxml2/ \
 		http://xmlsoft.org/sources/
 #MASTER_SITES=	${MASTER_SITE_GNOME:=sources/libxml2/2.7/}
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xmlsoft.org/
 COMMENT=	XML parser library from the GNOME project
 LICENSE=	modified-bsd
 PKG_INSTALLATION_TYPES=	overwrite pkgviews
 PKG_DESTDIR_SUPPORT=	user-destdir

 @@ -1,18 +1,21 @@
-$NetBSD: distinfo,v 1.88 2012/02/22 11:10:17 drochner Exp $
+$NetBSD: distinfo,v 1.89 2012/03/09 12:12:27 drochner Exp $
 SHA1 (libxml2-2.7.8.tar.gz) = 859dd535edbb851cc15b64740ee06551a7a17d40
 RMD160 (libxml2-2.7.8.tar.gz) = 30709622cfe3e2175e73d6701b7e19a25ab5ac47
 Size (libxml2-2.7.8.tar.gz) = 4881808 bytes
 SHA1 (patch-CVE-2012-0841-aa) = b5fcb53c69ab808aafbaa81e9a4bef3f69057ff8
 SHA1 (patch-CVE-2012-0841-ab) = 2fd0d1a610bc517c4062f5ba30ec546d153eb5a1
 SHA1 (patch-CVE-2012-0841-ac) = 3ee79a6ecaf498ae0db4f64a10e22cc3e515e1e3
 SHA1 (patch-aa) = 965bfc2226828b5161a4541cf73f5b5ef9a7e88e
 SHA1 (patch-ab) = d8dfd5bd9632d32c7e32e35e4d4735e510fc438f
 SHA1 (patch-ac) = 264c75cf9fff5319105b971c122cdf5fc103c04e
 SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = b8d8e0275cab3caafd98275ac22b63951fc4b5fd
 SHA1 (patch-ag) = ab4aeeb8ca696b88285274760ab3ef08800773a0
 SHA1 (patch-aj) = 24eb4a08ea4c40be6d75a72cd0bb5280514f73d4
 SHA1 (patch-ak) = 5e0e9807d7ae0bc93a5583a61bb88a49ec1751e8
 SHA1 (patch-al) = 45f984fef5cf5d04c46e940867707897396a9c9f
 SHA1 (patch-am) = ae7ab69b7bba2271d2d996161cc8b9956d0b06fa
 SHA1 (patch-include_libxml_xpath.h) = 3fc74551a7843668cf9ffee19b1f20ccb674e153
 SHA1 (patch-testapi.c) = 63a0a34c8ca98d9214c4d3391e97d9a9ca4569f8
 SHA1 (patch-xpointer.c) = fa720fd515bab3f99bb11bf56320b3ad8e5fb211

$NetBSD: patch-CVE-2012-0841-aa,v 1.1 2012/03/09 12:12:28 drochner Exp $ patch 8973d58b7498fa5100a876815476b81fd1a2412a --- dict.c.orig 2010-10-12 06:25:31.000000000 +0000 +++ dict.c @@ -2,7 +2,7 @@ * dict.c: dictionary of reusable strings, just used to avoid allocation * and freeing operations. * - * Copyright (C) 2003 Daniel Veillard. + * Copyright (C) 2003-2012 Daniel Veillard. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -19,6 +19,28 @@ #define IN_LIBXML #include "libxml.h" +#ifdef HAVE_STDLIB_H +#include <stdlib.h> +#endif +#ifdef HAVE_TIME_H +#include <time.h> +#endif + +/* + * Following http://www.ocert.org/advisories/ocert-2011-003.html + * it seems that having hash randomization might be a good idea + * when using XML with untrusted data + * Note1: that it works correctly only if compiled with WITH_BIG_KEY + * which is the default. + * Note2: the fast function used for a small dict won't protect very + * well but since the attack is based on growing a very big hash + * list we will use the BigKey algo as soon as the hash size grows + * over MIN_DICT_SIZE so this actually works + */ +#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) +#define DICT_RANDOMIZATION +#endif + #include <string.h> #ifdef HAVE_STDINT_H #include <stdint.h> @@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t; #define WITH_BIG_KEY #ifdef WITH_BIG_KEY -#define xmlDictComputeKey(dict, name, len) \ - (((dict)->size == MIN_DICT_SIZE) ? \ - xmlDictComputeFastKey(name, len) : \ - xmlDictComputeBigKey(name, len)) - -#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ - (((prefix) == NULL) ? \ - (xmlDictComputeKey(dict, name, len)) : \ - (((dict)->size == MIN_DICT_SIZE) ? \ - xmlDictComputeFastQKey(prefix, plen, name, len) : \ - xmlDictComputeBigQKey(prefix, plen, name, len))) +#define xmlDictComputeKey(dict, name, len) \ + (((dict)->size == MIN_DICT_SIZE) ? \ + xmlDictComputeFastKey(name, len, (dict)->seed) : \ + xmlDictComputeBigKey(name, len, (dict)->seed)) + +#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ + (((prefix) == NULL) ? \ + (xmlDictComputeKey(dict, name, len)) : \ + (((dict)->size == MIN_DICT_SIZE) ? \ + xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \ + xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed))) #else /* !WITH_BIG_KEY */ -#define xmlDictComputeKey(dict, name, len) \ - xmlDictComputeFastKey(name, len) -#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ - xmlDictComputeFastQKey(prefix, plen, name, len) +#define xmlDictComputeKey(dict, name, len) \ + xmlDictComputeFastKey(name, len, (dict)->seed) +#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ + xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) #endif /* WITH_BIG_KEY */ /* @@ -98,6 +120,8 @@ struct _xmlDict { xmlDictStringsPtr strings; struct _xmlDict *subdict; + /* used for randomization */ + int seed; }; /* @@ -125,6 +149,9 @@ static int xmlInitializeDict(void) { if ((xmlDictMutex = xmlNewRMutex()) == NULL) return(0); +#ifdef DICT_RANDOMIZATION + srand(time(NULL)); +#endif xmlDictInitialized = 1; return(1); } @@ -277,13 +304,13 @@ found_pool: */ static uint32_t -xmlDictComputeBigKey(const xmlChar* data, int namelen) { +xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) { uint32_t hash; int i; if (namelen <= 0 || data == NULL) return(0); - hash = 0; + hash = seed; for (i = 0;i < namelen; i++) { hash += data[i]; @@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data */ static unsigned long xmlDictComputeBigQKey(const xmlChar *prefix, int plen, - const xmlChar *name, int len) + const xmlChar *name, int len, int seed) { uint32_t hash; int i; - hash = 0; + hash = seed; for (i = 0;i < plen; i++) { hash += prefix[i]; @@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *pre * for low hash table fill. */ static unsigned long -xmlDictComputeFastKey(const xmlChar *name, int namelen) { - unsigned long value = 0L; +xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { + unsigned long value = seed; if (name == NULL) return(0); value = *name; @@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *nam */ static unsigned long xmlDictComputeFastQKey(const xmlChar *prefix, int plen, - const xmlChar *name, int len) + const xmlChar *name, int len, int seed) { - unsigned long value = 0L; + unsigned long value = (unsigned long) seed; if (plen == 0) value += 30 * (unsigned long) ':'; @@ -460,6 +487,11 @@ xmlDictCreate(void) { dict->subdict = NULL; if (dict->dict) { memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry)); +#ifdef DICT_RANDOMIZATION + dict->seed = rand(); +#else + dict->seed = 0; +#endif return(dict); } xmlFree(dict); @@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) { #ifdef DICT_DEBUG_PATTERNS fprintf(stderr, "R"); #endif + dict->seed = sub->seed; dict->subdict = sub; xmlDictReference(dict->subdict); }

$NetBSD: patch-CVE-2012-0841-ab,v 1.1 2012/03/09 12:12:28 drochner Exp $ patch 8973d58b7498fa5100a876815476b81fd1a2412a --- hash.c.orig 2010-10-12 06:25:32.000000000 +0000 +++ hash.c @@ -3,7 +3,7 @@ * * Reference: Your favorite introductory book on algorithms * - * Copyright (C) 2000 Bjorn Reese and Daniel Veillard. + * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,6 +21,22 @@ #include "libxml.h" #include <string.h> +#ifdef HAVE_STDLIB_H +#include <stdlib.h> +#endif +#ifdef HAVE_TIME_H +#include <time.h> +#endif + +/* + * Following http://www.ocert.org/advisories/ocert-2011-003.html + * it seems that having hash randomization might be a good idea + * when using XML with untrusted data + */ +#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) +#define HASH_RANDOMIZATION +#endif + #include <libxml/parser.h> #include <libxml/hash.h> #include <libxml/xmlmemory.h> @@ -31,6 +47,10 @@ /* #define DEBUG_GROW */ +#ifdef HASH_RANDOMIZATION +static int hash_initialized = 0; +#endif + /* * A single entry in the hash table */ @@ -53,6 +73,9 @@ struct _xmlHashTable { int size; int nbElems; xmlDictPtr dict; +#ifdef HASH_RANDOMIZATION + int random_seed; +#endif }; /* @@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, unsigned long value = 0L; char ch; +#ifdef HASH_RANDOMIZATION + value = table->random_seed; +#endif if (name != NULL) { value += 30 * (*name); while ((ch = *name++) != 0) { @@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table unsigned long value = 0L; char ch; +#ifdef HASH_RANDOMIZATION + value = table->random_seed; +#endif if (prefix != NULL) value += 30 * (*prefix); else @@ -156,6 +185,13 @@ xmlHashCreate(int size) { table->table = xmlMalloc(size * sizeof(xmlHashEntry)); if (table->table) { memset(table->table, 0, size * sizeof(xmlHashEntry)); +#ifdef HASH_RANDOMIZATION + if (!hash_initialized) { + srand(time(NULL)); + hash_initialized = 1; + } + table->random_seed = rand(); +#endif return(table); } xmlFree(table);

$NetBSD: patch-CVE-2012-0841-ac,v 1.1 2012/03/09 12:12:28 drochner Exp $ avoid to modify "configure", to keep the patch simple --- config.h.in.orig 2010-11-04 17:28:15.000000000 +0000 +++ config.h.in @@ -309,3 +309,8 @@ /* Win32 Std C name mangling work-around */ #undef vsnprintf + +/* XXX assume that POSIX functions are present */ +#define HAVE_RAND 1 +#define HAVE_SRAND 1 +#define HAVE_TIME 1