Merge "libxml2: Fix CVEs" into pyro

author: Dan Andresan <Dan.Andresan@enea.com> 2018-10-29 11:59:00 +0100
committer: Gerrit Code Review <gerrit2@sestogerrit02> 2018-10-29 11:59:00 +0100
commit: 46437cbe8f955087c14d5c83ee7eccb9e81fefe0 (patch)
tree: dec4828ad419c31c664b82bfba10533eaeafd4ea
parent: ef2a4c85d4e3db75f8a09f355f61ca38c1e3d148 (diff)
parent: 2057b91933875959294f823b12938d6cba6ea62b (diff)
download: meta-el-common-46437cbe8f955087c14d5c83ee7eccb9e81fefe0.tar.gz
5 files changed, 257 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
new file mode 100644
index 0000000..9a94344
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+Thanks to Wei Lei for the first of many reports.
+Fixes bug 759579.
+CVE: CVE-2017-16932  
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c                     | 11 ++++++++++-
+ result/errors/759579.xml     |  0
+ result/errors/759579.xml.err |  6 ++++++
+ result/errors/759579.xml.str |  7 +++++++
+ test/errors/759579.xml       | 11 +++++++++++
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+diff --git a/parser.c b/parser.c
+index 6286cad..51452a2 100644
+--- a/parser.c
+++ b/parser.c
+@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+        xmlGenericError(xmlGenericErrorContext,
+                "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+     }
+    if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
+        (ctxt->inputNr > 1024)) {
+        xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+        while (ctxt->inputNr > 1)
+            xmlFreeInputStream(inputPop(ctxt));
+       return(-1);
+    }
+     ret = inputPush(ctxt, input);
+     if (ctxt->instate == XML_PARSER_EOF)
+         return(-1);
+@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             * c.f. http://www.w3.org/TR/REC-xml#as-PE
+             */
+            input = xmlNewEntityInputStream(ctxt, entity);
+-           if (xmlPushInput(ctxt, input) < 0)
+           if (xmlPushInput(ctxt, input) < 0) {
+                xmlFreeInputStream(input);
+                return;
+            } 
+            if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+                (IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
+++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
+Entity: line 2: parser error : Detected an entity reference loop
+        %z; %z; %z; %z; %z;
+           ^
+Entity: line 2: 
+        %z; %z; %z; %z; %z;
+           ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
+++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
+Entity: line 2: parser error : Detected an entity reference loop
+        %z; %z; %z; %z; %z;
+           ^
+Entity: line 2: 
+        %z; %z; %z; %z; %z;
+           ^
+./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
+++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
+<!DOCTYPE doc [
+    <!ENTITY % z '
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+    '>
+    %z;
+]>
+<doc/>
+-- 
+2.7.4
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
new file mode 100644
index 0000000..e072ef1
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
+From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: [PATCH] Check for integer overflow in memory debug code
+Fixes bug 783026.
+Thanks to Pranjal Jumde for the report.
+CVE: CVE-2017-5130
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ xmlmemory.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3..c53141f 100644
+--- a/xmlmemory.c
+++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+ 
+     TEST_POINT
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+ 
+     if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+     xmlMutexUnlock(xmlMemMutex);
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+     if (!tmp) {
+         free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+     if (!xmlMemInitialized) xmlInitMemory();
+     TEST_POINT
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+     if (!p) {
+       goto error;
+-- 
+2.7.4
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
new file mode 100644
index 0000000..252929c
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+* parser.c: add a specific check to avoid PE reference
+CVE: CVE-2018-7375
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
+++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+            if (xmlPushInput(ctxt, input) < 0)
+                return;
+        } else {
+           if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+               ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+               ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+               ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+               ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+               (ctxt->replaceEntities == 0) &&
+               (ctxt->validate == 0))
+               return;
+
+            /*
+             * TODO !!!
+             * handle the extra spaces added before and after
+-- 
+2.7.4
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
new file mode 100644
index 0000000..aae956d
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
@@ -0,0 +1,36 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+nanohttp.c: the code wrongly assumed a short int port value.
+CVE: CVE-2017-7376
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad7..373425d 100644
+--- a/nanohttp.c
+++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+     if (ctxt->port != 80) {
+        /* reserve space for ':xxxxx', incl. potential proxy */
+        if (proxy)
+-           blen += 12;
+           blen += 17;
+        else
+-           blen += 6;
+           blen += 11;
+     }
+     bp = (char*)xmlMallocAtomic(blen);
+     if ( bp == NULL ) {
+-- 
+2.7.4
diff --git a/recipes-core/libxml/libxml2_2.9.4.bbappend b/recipes-core/libxml/libxml2_2.9.4.bbappend
new file mode 100644
index 0000000..dbf9709
--- /dev/null
+++ b/recipes-core/libxml/libxml2_2.9.4.bbappend
@@ -0,0 +1,9 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+        file://CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch \
+        file://CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch \
+        file://CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch \
+        file://CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch \
+        "
author	Dan Andresan <Dan.Andresan@enea.com>	2018-10-29 11:59:00 +0100
committer	Gerrit Code Review <gerrit2@sestogerrit02>	2018-10-29 11:59:00 +0100
commit	46437cbe8f955087c14d5c83ee7eccb9e81fefe0 (patch)
tree	dec4828ad419c31c664b82bfba10533eaeafd4ea
parent	ef2a4c85d4e3db75f8a09f355f61ca38c1e3d148 (diff)
parent	2057b91933875959294f823b12938d6cba6ea62b (diff)
download	meta-el-common-46437cbe8f955087c14d5c83ee7eccb9e81fefe0.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch new file mode 100644 index 0000000..9a94344 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
	1	From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Tue, 25 Jul 2017 14:59:49 +0200
	4	Subject: [PATCH] Detect infinite recursion in parameter entities
	5
	6	When expanding a parameter entity in a DTD, infinite recursion could
	7	lead to an infinite loop or memory exhaustion.
	8
	9	Thanks to Wei Lei for the first of many reports.
	10
	11	Fixes bug 759579.
	12
	13	CVE: CVE-2017-16932
	14	Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
	15
	16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	17	---
	18	parser.c \| 11 ++++++++++-
	19	result/errors/759579.xml \| 0
	20	result/errors/759579.xml.err \| 6 ++++++
	21	result/errors/759579.xml.str \| 7 +++++++
	22	test/errors/759579.xml \| 11 +++++++++++
	23	5 files changed, 34 insertions(+), 1 deletion(-)
	24	create mode 100644 result/errors/759579.xml
	25	create mode 100644 result/errors/759579.xml.err
	26	create mode 100644 result/errors/759579.xml.str
	27	create mode 100644 test/errors/759579.xml
	28
	29	diff --git a/parser.c b/parser.c
	30	index 6286cad..51452a2 100644
	31	--- a/parser.c
	32	+++ b/parser.c
	33	@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
	34	xmlGenericError(xmlGenericErrorContext,
	35	"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
	36	}
	37	+ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) \|\|
	38	+ (ctxt->inputNr > 1024)) {
	39	+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
	40	+ while (ctxt->inputNr > 1)
	41	+ xmlFreeInputStream(inputPop(ctxt));
	42	+ return(-1);
	43	+ }
	44	ret = inputPush(ctxt, input);
	45	if (ctxt->instate == XML_PARSER_EOF)
	46	return(-1);
	47	@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
	48	* c.f. http://www.w3.org/TR/REC-xml#as-PE
	49	*/
	50	input = xmlNewEntityInputStream(ctxt, entity);
	51	- if (xmlPushInput(ctxt, input) < 0)
	52	+ if (xmlPushInput(ctxt, input) < 0) {
	53	+ xmlFreeInputStream(input);
	54	return;
	55	+ }
	56	if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
	57	(CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
	58	(IS_BLANK_CH(NXT(5)))) {
	59	diff --git a/result/errors/759579.xml b/result/errors/759579.xml
	60	new file mode 100644
	61	index 0000000..e69de29
	62	diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
	63	new file mode 100644
	64	index 0000000..288026e
	65	--- /dev/null
	66	+++ b/result/errors/759579.xml.err
	67	@@ -0,0 +1,6 @@
	68	+Entity: line 2: parser error : Detected an entity reference loop
	69	+ %z; %z; %z; %z; %z;
	70	+ ^
	71	+Entity: line 2:
	72	+ %z; %z; %z; %z; %z;
	73	+ ^
	74	diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
	75	new file mode 100644
	76	index 0000000..09408f5
	77	--- /dev/null
	78	+++ b/result/errors/759579.xml.str
	79	@@ -0,0 +1,7 @@
	80	+Entity: line 2: parser error : Detected an entity reference loop
	81	+ %z; %z; %z; %z; %z;
	82	+ ^
	83	+Entity: line 2:
	84	+ %z; %z; %z; %z; %z;
	85	+ ^
	86	+./test/errors/759579.xml : failed to parse
	87	diff --git a/test/errors/759579.xml b/test/errors/759579.xml
	88	new file mode 100644
	89	index 0000000..7fadd70
	90	--- /dev/null
	91	+++ b/test/errors/759579.xml
	92	@@ -0,0 +1,11 @@
	93	+<!DOCTYPE doc [
	94	+ <!ENTITY % z '
	95	+ %z; %z; %z; %z; %z;
	96	+ %z; %z; %z; %z; %z;
	97	+ %z; %z; %z; %z; %z;
	98	+ %z; %z; %z; %z; %z;
	99	+ %z; %z; %z; %z; %z;
	100	+ '>
	101	+ %z;
	102	+]>
	103	+<doc/>
	104	--
	105	2.7.4
	106


diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
	1	From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Tue, 6 Jun 2017 13:21:14 +0200
	4	Subject: [PATCH] Check for integer overflow in memory debug code
	5
	6	Fixes bug 783026.
	7
	8	Thanks to Pranjal Jumde for the report.
	9
	10	CVE: CVE-2017-5130
	11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
	12
	13	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	14	---
	15	xmlmemory.c \| 21 +++++++++++++++++++++
	16	1 file changed, 21 insertions(+)
	17
	18	diff --git a/xmlmemory.c b/xmlmemory.c
	19	index f08c8c3..c53141f 100644
	20	--- a/xmlmemory.c
	21	+++ b/xmlmemory.c
	22	@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
	23
	24	TEST_POINT
	25
	26	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	27	+ xmlGenericError(xmlGenericErrorContext,
	28	+ "xmlMallocLoc : Unsigned overflow\n");
	29	+ xmlMemoryDump();
	30	+ return(NULL);
	31	+ }
	32	+
	33	p = (MEMHDR *) malloc(RESERVE_SIZE+size);
	34
	35	if (!p) {
	36	@@ -352,6 +359,13 @@ xmlReallocLoc(void ptr,size_t size, const char file, int line)
	37	#endif
	38	xmlMutexUnlock(xmlMemMutex);
	39
	40	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	41	+ xmlGenericError(xmlGenericErrorContext,
	42	+ "xmlMallocLoc : Unsigned overflow\n");
	43	+ xmlMemoryDump();
	44	+ return(NULL);
	45	+ }
	46	+
	47	tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
	48	if (!tmp) {
	49	free(p);
	50	@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char str, const char file, int line)
	51	if (!xmlMemInitialized) xmlInitMemory();
	52	TEST_POINT
	53
	54	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	55	+ xmlGenericError(xmlGenericErrorContext,
	56	+ "xmlMallocLoc : Unsigned overflow\n");
	57	+ xmlMemoryDump();
	58	+ return(NULL);
	59	+ }
	60	+
	61	p = (MEMHDR *) malloc(RESERVE_SIZE+size);
	62	if (!p) {
	63	goto error;
	64	--
	65	2.7.4
	66


diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch new file mode 100644 index 0000000..252929c --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
	1	From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
	2	From: Neel Mehta <nmehta@google.com>
	3	Date: Fri, 7 Apr 2017 17:43:02 +0200
	4	Subject: [PATCH] Prevent unwanted external entity reference
	5
	6	For https://bugzilla.gnome.org/show_bug.cgi?id=780691
	7
	8	* parser.c: add a specific check to avoid PE reference
	9
	10	CVE: CVE-2018-7375
	11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
	12
	13	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	14	---
	15	parser.c \| 9 +++++++++
	16	1 file changed, 9 insertions(+)
	17
	18	diff --git a/parser.c b/parser.c
	19	index 609a270..c2c812d 100644
	20	--- a/parser.c
	21	+++ b/parser.c
	22	@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
	23	if (xmlPushInput(ctxt, input) < 0)
	24	return;
	25	} else {
	26	+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
	27	+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
	28	+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
	29	+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
	30	+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
	31	+ (ctxt->replaceEntities == 0) &&
	32	+ (ctxt->validate == 0))
	33	+ return;
	34	+
	35	/*
	36	* TODO !!!
	37	* handle the extra spaces added before and after
	38	--
	39	2.7.4
	40


diff --git a/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch new file mode 100644 index 0000000..aae956d --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
@@ -0,0 +1,36 @@
	1	From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
	2	From: Daniel Veillard <veillard@redhat.com>
	3	Date: Fri, 7 Apr 2017 17:13:28 +0200
	4	Subject: [PATCH] Increase buffer space for port in HTTP redirect support
	5
	6	For https://bugzilla.gnome.org/show_bug.cgi?id=780690
	7
	8	nanohttp.c: the code wrongly assumed a short int port value.
	9
	10	CVE: CVE-2017-7376
	11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e]
	12
	13	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	14	---
	15	nanohttp.c \| 4 ++--
	16	1 file changed, 2 insertions(+), 2 deletions(-)
	17
	18	diff --git a/nanohttp.c b/nanohttp.c
	19	index e109ad7..373425d 100644
	20	--- a/nanohttp.c
	21	+++ b/nanohttp.c
	22	@@ -1423,9 +1423,9 @@ retry:
	23	if (ctxt->port != 80) {
	24	/* reserve space for ':xxxxx', incl. potential proxy */
	25	if (proxy)
	26	- blen += 12;
	27	+ blen += 17;
	28	else
	29	- blen += 6;
	30	+ blen += 11;
	31	}
	32	bp = (char*)xmlMallocAtomic(blen);
	33	if ( bp == NULL ) {
	34	--
	35	2.7.4
	36


diff --git a/recipes-core/libxml/libxml2_2.9.4.bbappend b/recipes-core/libxml/libxml2_2.9.4.bbappend new file mode 100644 index 0000000..dbf9709 --- /dev/null +++ b/recipes-core/libxml/libxml2_2.9.4.bbappend
@@ -0,0 +1,9 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += " \
	5	file://CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch \
	6	file://CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch \
	7	file://CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch \
	8	file://CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch \
	9	"