authorAlexandre Rostovtsev <tetromino@gentoo.org>2013-10-01 17:57:31 +0000
committerAlexandre Rostovtsev <tetromino@gentoo.org>2013-10-01 17:57:31 +0000
commit9e704652422d1a2c343defc2a857acf42618e811 (patch)
tree802ed2853124398c3a3c81051009f4b426df2aa9 /gnome-base/librsvg/files
parentVersion bump. Fixes double checking of git-2.eclass packages. (diff)
Fix information disclosure vulnerability (CVE-2013-1881, bug #486600, thanks to Agostino Sarubbo). Drop vulnerable version.
Package-Manager: portage-2.2.7/cvs/Linux x86_64 Manifest-Sign-Key: 0xCF0ADD61
Diffstat (limited to 'gnome-base/librsvg/files')
-rw-r--r--gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch117
-rw-r--r--gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch57
-rw-r--r--gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch173
3 files changed, 347 insertions, 0 deletions
diff --git a/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch
new file mode 100644
index 000000000000..4cf6efbf1e1e
--- /dev/null
+++ b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch
@@ -0,0 +1,117 @@
+From 56d0018d911eb5783f22125d9893fce075778c64 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Sun, 3 Mar 2013 20:32:09 +0100
+Subject: [PATCH 1/3] io: Resolve relative URIs
+
+---
+ rsvg-base.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 64 insertions(+), 17 deletions(-)
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 6210716..ed383d2 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -2154,36 +2154,83 @@ _rsvg_handle_allow_load (RsvgHandle *handle,
+ return TRUE;
+ }
+
++static char *
++_rsvg_handle_resolve_uri (RsvgHandle *handle,
++ const char *uri)
++{
++ RsvgHandlePrivate *priv = handle->priv;
++ char *scheme, *resolved_uri;
++ GFile *base, *resolved;
++
++ if (uri == NULL)
++ return NULL;
++
++ scheme = g_uri_parse_scheme (uri);
++ if (scheme != NULL ||
++ priv->base_gfile == NULL ||
++ (base = g_file_get_parent (priv->base_gfile)) == NULL) {
++ g_free (scheme);
++ return g_strdup (uri);
++ }
++
++ resolved = g_file_resolve_relative_path (base, uri);
++ resolved_uri = g_file_get_uri (resolved);
++
++ g_free (scheme);
++ g_object_unref (base);
++ g_object_unref (resolved);
++
++ return resolved_uri;
++}
++
+ guint8*
+ _rsvg_handle_acquire_data (RsvgHandle *handle,
+- const char *uri,
++ const char *url,
+ char **content_type,
+ gsize *len,
+ GError **error)
+ {
+- if (!_rsvg_handle_allow_load (handle, uri, error))
+- return NULL;
++ char *uri;
++ guint8 *data;
++
++ uri = _rsvg_handle_resolve_uri (handle, url);
++
++ if (_rsvg_handle_allow_load (handle, uri, error)) {
++ data = _rsvg_io_acquire_data (uri,
++ rsvg_handle_get_base_uri (handle),
++ content_type,
++ len,
++ handle->priv->cancellable,
++ error);
++ } else {
++ data = NULL;
++ }
+
+- return _rsvg_io_acquire_data (uri,
+- rsvg_handle_get_base_uri (handle),
+- content_type,
+- len,
+- handle->priv->cancellable,
+- error);
++ g_free (uri);
++ return data;
+ }
+
+ GInputStream *
+ _rsvg_handle_acquire_stream (RsvgHandle *handle,
+- const char *uri,
++ const char *url,
+ char **content_type,
+ GError **error)
+ {
+- if (!_rsvg_handle_allow_load (handle, uri, error))
+- return NULL;
++ char *uri;
++ GInputStream *stream;
++
++ uri = _rsvg_handle_resolve_uri (handle, url);
++
++ if (_rsvg_handle_allow_load (handle, uri, error)) {
++ stream = _rsvg_io_acquire_stream (uri,
++ rsvg_handle_get_base_uri (handle),
++ content_type,
++ handle->priv->cancellable,
++ error);
++ } else {
++ stream = NULL;
++ }
+
+- return _rsvg_io_acquire_stream (uri,
+- rsvg_handle_get_base_uri (handle),
+- content_type,
+- handle->priv->cancellable,
+- error);
++ g_free (uri);
++ return stream;
+ }
+--
+1.8.3.2
+
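Review bot: A NULL `url` is not stopped in `_rsvg_handle_acquire_data` or `_rsvg_handle_acquire_stream`: `_rsvg_handle_resolve_uri` returns NULL for it, and that NULL is passed to `_rsvg_handle_allow_load` and, when the check passes, on to `_rsvg_io_acquire_data` / `_rsvg_io_acquire_stream`. Whether those callees tolerate a NULL URI is not visible in this hunk, so a guard right after the resolve call would be safer, e.g. `if (uri == NULL) { g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Missing URI"); return NULL; }` (the message text is only a suggestion). The new helper also deserves a short header comment, `/* Returns a newly allocated string, or NULL if uri is NULL; free with g_free(). */`, because both callers rely on that ownership rule.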
diff --git a/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch
new file mode 100644
index 000000000000..bd5459fc78af
--- /dev/null
+++ b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch
@@ -0,0 +1,57 @@
+From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 22:36:30 +0100
+Subject: [PATCH 2/3] io: Use XML_PARSE_NONET
+
+We don't want to load resources off the net.
+
+Bug #691708.
+---
+ rsvg-base.c | 3 +++
+ rsvg-css.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index ed383d2..1f88479 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -572,6 +572,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts)
+ goto fallback;
+
+ xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++ xml_parser->options |= XML_PARSE_NONET;
+
+ buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err);
+ g_object_unref (stream);
+@@ -1111,6 +1112,7 @@ rsvg_handle_write_impl (RsvgHandle * handle, const guchar * buf, gsize count, GE
+ if (handle->priv->ctxt == NULL) {
+ handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ handle->priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+@@ -1767,6 +1769,7 @@ rsvg_handle_read_stream_sync (RsvgHandle *handle,
+ if (priv->ctxt == NULL) {
+ priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+diff --git a/rsvg-css.c b/rsvg-css.c
+index 7813098..3f703cc 100644
+--- a/rsvg-css.c
++++ b/rsvg-css.c
+@@ -836,6 +836,8 @@ rsvg_css_parse_xml_attribute_string (const char *attribute_string)
+ xmlSAX2InitDefaultSAXHandler (&handler, 0);
+ handler.serror = rsvg_xml_noerror;
+ parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL);
++ parser->options |= XML_PARSE_NONET;
++
+ if (xmlParseDocument (parser) != 0)
+ goto done;
+
+--
+1.8.3.2
+
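Review bot: Each added `->options |= XML_PARSE_NONET;` line dereferences the result of `xmlCreatePushParserCtxt` on the very next line, with no NULL check in between; this applies to `rsvg_start_xinclude`, `rsvg_handle_write_impl`, `rsvg_handle_read_stream_sync` and `rsvg_css_parse_xml_attribute_string`. That call returns NULL when the parser context cannot be created, so the new write is the first place such a failure would fault, although later lines outside the hunk context may already assume a non-NULL context. In rsvg-css.c a guard such as `if (parser == NULL) goto done;` before the new line would do, assuming the `done` label copes with a NULL parser; the three sites in rsvg-base.c need the equivalent on their own error paths. All four functions begin and end outside the hunks.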
diff --git a/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch
new file mode 100644
index 000000000000..cb3b46f1c054
--- /dev/null
+++ b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch
@@ -0,0 +1,173 @@
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 22:36:58 +0100
+Subject: [PATCH 3/3] io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+---
+ rsvg-base.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
+ rsvg-io.c | 2 +-
+ rsvg-private.h | 4 +--
+ 3 files changed, 84 insertions(+), 11 deletions(-)
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f88479..9d7c1ea 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -25,6 +25,7 @@
+ */
+
+ #include "config.h"
++#define _GNU_SOURCE 1
+
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1002,6 +1003,7 @@ void
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+ gchar *uri;
++ GFile *file;
+
+ g_return_if_fail (handle != NULL);
+
+@@ -1013,11 +1015,10 @@ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ else
+ uri = rsvg_get_base_uri_from_filename (base_uri);
+
+- if (uri) {
+- if (handle->priv->base_uri)
+- g_free (handle->priv->base_uri);
+- handle->priv->base_uri = uri;
+- }
++ file = g_file_new_for_uri (uri ? uri : "data:");
++ rsvg_handle_set_base_gfile (handle, file);
++ g_object_unref (file);
++ g_free (uri);
+ }
+
+ /**
+@@ -2149,12 +2150,84 @@ _rsvg_handle_allow_load (RsvgHandle *handle,
+ const char *uri,
+ GError **error)
+ {
+- RsvgLoadPolicy policy = handle->priv->load_policy;
++ RsvgHandlePrivate *priv = handle->priv;
++ GFile *base;
++ char *path, *dir;
++ char *scheme = NULL, *cpath = NULL, *cdir = NULL;
+
+- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+- return TRUE;
++ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++ scheme = g_uri_parse_scheme (uri);
++
++ /* Not a valid URI */
++ if (scheme == NULL)
++ goto deny;
++
++ /* Allow loads of data: from any location */
++ if (g_str_equal (scheme, "data"))
++ goto allow;
++
++ /* No base to compare to? */
++ if (priv->base_gfile == NULL)
++ goto deny;
++
++ /* Deny loads from differing URI schemes */
++ if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++ goto deny;
++
++ /* resource: is allowed to load anything from other resources */
++ if (g_str_equal (scheme, "resource"))
++ goto allow;
++
++ /* Non-file: isn't allowed to load anything */
++ if (!g_str_equal (scheme, "file"))
++ goto deny;
++
++ base = g_file_get_parent (priv->base_gfile);
++ if (base == NULL)
++ goto deny;
+
++ dir = g_file_get_path (base);
++ g_object_unref (base);
++
++ /* FIXME portability */
++ cdir = canonicalize_file_name (dir);
++ g_free (dir);
++ if (cdir == NULL)
++ goto deny;
++
++ path = g_filename_from_uri (uri, NULL, NULL);
++ if (path == NULL)
++ goto deny;
++
++ /* FIXME portability */
++ cpath = canonicalize_file_name (path);
++ g_free (path);
++
++ if (cpath == NULL)
++ goto deny;
++
++ /* Now check that @cpath is below @cdir */
++ if (!g_str_has_prefix (cpath, cdir) ||
++ cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++ goto deny;
++
++ /* Allow load! */
++
++ allow:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
+ return TRUE;
++
++ deny:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
++
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++ "File may not link to URI \"%s\"", uri);
++ return FALSE;
+ }
+
+ static char *
+diff --git a/rsvg-io.c b/rsvg-io.c
+index 3d6c8b5..818d2ec 100644
+--- a/rsvg-io.c
++++ b/rsvg-io.c
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+ gboolean base64 = FALSE;
+
+ g_assert (out_len != NULL);
+- g_assert (g_str_has_prefix (uri, "data:"));
++ g_assert (strncmp (uri, "data:", 5) == 0);
+
+ mime_type = NULL;
+ start = uri + 5;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 25283d4..1961eaf 100644
+--- a/rsvg-private.h
++++ b/rsvg-private.h
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+
+ typedef enum {
+- RSVG_LOAD_POLICY_ALL_PERMISSIVE
++ RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+
+ struct RsvgHandlePrivate {
+ RsvgHandleFlags flags;
+--
+1.8.3.2
+
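Review bot: The containment test at the end of `_rsvg_handle_allow_load` denies every load when the base file sits directly in the filesystem root: `cdir` is then `/`, so `cpath[strlen (cdir)]` is the first character of the file name and never `G_DIR_SEPARATOR`. The second operand could be written as `(cdir[1] != '\0' && cpath[strlen (cdir)] != G_DIR_SEPARATOR)` so that a one-character root still matches while `/a` continues to reject `/ab`. The function would also benefit from a comment such as `/* The decision is made on the canonicalized path; callers then open the original uri, so it does not hold if a symlink on that path changes in between. */`. Whether rsvg-base.c includes `<stdlib.h>` and `<string.h>` for `canonicalize_file_name`, `free` and `strlen` is not visible in these hunks.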