| author | Adrian Dudau <adrian.dudau@enea.com> | 2017-11-22 10:33:21 +0100 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-11-24 15:06:10 +0100 |
| commit | 1b0e3b30bc27a98468c0f3e19e985e5fd992c650 (patch) | |
| tree | 203559079f00f3c1ceeb5ef67e5dd0f88d1d4437 | |
| parent | 0df8e030c3028584d32c3d25ec3d1430553b5deb (diff) | |
libxml: Remove CVE fixes
These have been fixed already in upstream poky/pyro.
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
| -rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-0663.patch | 47 | ||||
| -rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-5969.patch | 68 | ||||
| -rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-9047_CVE-2017-9048.patch | 118 | ||||
| -rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch | 321 | ||||
| -rw-r--r-- | recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch | 41 | ||||
| -rw-r--r-- | recipes-core/libxml/libxml2_%.bbappend | 10 |
6 files changed, 0 insertions, 605 deletions
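--- a/recipes-core/libxml/libxml2/CVE-2017-0663.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
-CVE: CVE-2017-0663
-Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-valid.c | 7 +++++++
-1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a..c51ea29 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
-}
-}
-
-+ /*
-+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+ * no practical sense to use ID types anyway.
-+ */
-+#if 0
-/* Validity Constraint: ID uniqueness */
-if (attrDecl->atype == XML_ATTRIBUTE_ID) {
-if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
-if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-ret = 0;
-}
-+#endif
-
-/* Validity Constraint: Notation Attributes */
-if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
---
-cgit v0.12
-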
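--- a/recipes-core/libxml/libxml2/CVE-2017-5969.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Wed, 7 Jun 2017 16:47:36 +0200
-Subject: [PATCH] Fix NULL pointer deref in xmlDumpElementContent
-
-Can only be triggered in recovery mode.
-
-Fixes bug 758422 (CVE-2017-5969).
-
-CVE: CVE-2017-5969
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-valid.c | 24 ++++++++++++++----------
-1 file changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/valid.c b/valid.c
-index 9b2df56..8075d3a 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
-xmlBufferWriteCHAR(buf, content->name);
-break;
-case XML_ELEMENT_CONTENT_SEQ:
-- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+ if ((content->c1 != NULL) &&
-+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
-xmlDumpElementContent(buf, content->c1, 1);
-else
-xmlDumpElementContent(buf, content->c1, 0);
-xmlBufferWriteChar(buf, " , ");
-- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+ if ((content->c2 != NULL) &&
-+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
-xmlDumpElementContent(buf, content->c2, 1);
-else
-xmlDumpElementContent(buf, content->c2, 0);
-break;
-case XML_ELEMENT_CONTENT_OR:
-- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+ if ((content->c1 != NULL) &&
-+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
-xmlDumpElementContent(buf, content->c1, 1);
-else
-xmlDumpElementContent(buf, content->c1, 0);
-xmlBufferWriteChar(buf, " | ");
-- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+ if ((content->c2 != NULL) &&
-+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
-xmlDumpElementContent(buf, content->c2, 1);
-else
-xmlDumpElementContent(buf, content->c2, 0);
---
-1.9.1
-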
diff --git a/recipes-core/libxml/libxml2/CVE-2017-9047_CVE-2017-9048.patch b/recipes-core/libxml/libxml2/CVE-2017-9047_CVE-2017-9048.patch deleted file mode 100644 index d26d5c5..0000000 --- a/recipes-core/libxml/libxml2/CVE-2017-9047_CVE-2017-9048.patch +++ /dev/null | |||
| @@ -1,118 +0,0 @@ | |||
| 1 | From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
| 3 | Date: Sat, 3 Jun 2017 02:01:29 +0200 | ||
| 4 | Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent | ||
| 5 | |||
| 6 | xmlSnprintfElementContent failed to correctly check the available | ||
| 7 | buffer space in two locations. | ||
| 8 | |||
| 9 | Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). | ||
| 10 | |||
| 11 | Thanks to Marcel Böhme and Thuan Pham for the report. | ||
| 12 | |||
| 13 | CVE: CVE-2017-9047 CVE-2017-9048 | ||
| 14 | Upstream-Status: Backport | ||
| 15 | |||
| 16 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 17 | --- | ||
| 18 | result/valid/781333.xml | 5 +++++ | ||
| 19 | result/valid/781333.xml.err | 3 +++ | ||
| 20 | result/valid/781333.xml.err.rdr | 6 ++++++ | ||
| 21 | test/valid/781333.xml | 4 ++++ | ||
| 22 | valid.c | 20 +++++++++++--------- | ||
| 23 | 5 files changed, 29 insertions(+), 9 deletions(-) | ||
| 24 | create mode 100644 result/valid/781333.xml | ||
| 25 | create mode 100644 result/valid/781333.xml.err | ||
| 26 | create mode 100644 result/valid/781333.xml.err.rdr | ||
| 27 | create mode 100644 test/valid/781333.xml | ||
| 28 | |||
| 29 | diff --git a/result/valid/781333.xml b/result/valid/781333.xml | ||
| 30 | new file mode 100644 | ||
| 31 | index 0000000..45dc451 | ||
| 32 | --- /dev/null | ||
| 33 | +++ b/result/valid/781333.xml | ||
| 34 | @@ -0,0 +1,5 @@ | ||
| 35 | +<?xml version="1.0"?> | ||
| 36 | +<!DOCTYPE a [ | ||
| 37 | +<!ELEMENT a (ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
ppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
llllllllllllllllllllll)> | ||
| 38 | +]> | ||
| 39 | +<a/> | ||
| 40 | diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err | ||
| 41 | new file mode 100644 | ||
| 42 | index 0000000..b401b49 | ||
| 43 | --- /dev/null | ||
| 44 | +++ b/result/valid/781333.xml.err | ||
| 45 | @@ -0,0 +1,3 @@ | ||
| 46 | +./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got | ||
| 47 | +<a/> | ||
| 48 | + ^ | ||
| 49 | diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr | ||
| 50 | new file mode 100644 | ||
| 51 | index 0000000..5ff5699 | ||
| 52 | --- /dev/null | ||
| 53 | +++ b/result/valid/781333.xml.err.rdr | ||
| 54 | @@ -0,0 +1,6 @@ | ||
| 55 | +./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got | ||
| 56 | +<a/> | ||
| 57 | + ^ | ||
| 58 | +./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child | ||
| 59 | + | ||
| 60 | +^ | ||
| 61 | diff --git a/test/valid/781333.xml b/test/valid/781333.xml | ||
| 62 | new file mode 100644 | ||
| 63 | index 0000000..b29e5a6 | ||
| 64 | --- /dev/null | ||
| 65 | +++ b/test/valid/781333.xml | ||
| 66 | @@ -0,0 +1,4 @@ | ||
| 67 | +<!DOCTYPE a [ | ||
| 68 | + <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllll)> | ||
| 69 | +]> | ||
| 70 | +<a/> | ||
| 71 | diff --git a/valid.c b/valid.c | ||
| 72 | index 19f84b8..9b2df56 100644 | ||
| 73 | --- a/valid.c | ||
| 74 | +++ b/valid.c | ||
| 75 | @@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int | ||
| 76 | case XML_ELEMENT_CONTENT_PCDATA: | ||
| 77 | strcat(buf, "#PCDATA"); | ||
| 78 | break; | ||
| 79 | - case XML_ELEMENT_CONTENT_ELEMENT: | ||
| 80 | + case XML_ELEMENT_CONTENT_ELEMENT: { | ||
| 81 | + int qnameLen = xmlStrlen(content->name); | ||
| 82 | + | ||
| 83 | + if (content->prefix != NULL) | ||
| 84 | + qnameLen += xmlStrlen(content->prefix) + 1; | ||
| 85 | + if (size - len < qnameLen + 10) { | ||
| 86 | + strcat(buf, " ..."); | ||
| 87 | + return; | ||
| 88 | + } | ||
| 89 | if (content->prefix != NULL) { | ||
| 90 | - if (size - len < xmlStrlen(content->prefix) + 10) { | ||
| 91 | - strcat(buf, " ..."); | ||
| 92 | - return; | ||
| 93 | - } | ||
| 94 | strcat(buf, (char *) content->prefix); | ||
| 95 | strcat(buf, ":"); | ||
| 96 | } | ||
| 97 | - if (size - len < xmlStrlen(content->name) + 10) { | ||
| 98 | - strcat(buf, " ..."); | ||
| 99 | - return; | ||
| 100 | - } | ||
| 101 | if (content->name != NULL) | ||
| 102 | strcat(buf, (char *) content->name); | ||
| 103 | break; | ||
| 104 | + } | ||
| 105 | case XML_ELEMENT_CONTENT_SEQ: | ||
| 106 | if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || | ||
| 107 | (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) | ||
| 108 | @@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int | ||
| 109 | xmlSnprintfElementContent(buf, size, content->c2, 0); | ||
| 110 | break; | ||
| 111 | } | ||
| 112 | + if (size - strlen(buf) <= 2) return; | ||
| 113 | if (englob) | ||
| 114 | strcat(buf, ")"); | ||
| 115 | switch (content->ocur) { | ||
| 116 | -- | ||
| 117 | 1.9.1 | ||
| 118 | |||
diff --git a/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch b/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch deleted file mode 100644 index c9ad71d..0000000 --- a/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch +++ /dev/null | |||
| @@ -1,321 +0,0 @@ | |||
| 1 | From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
| 3 | Date: Mon, 5 Jun 2017 15:37:17 +0200 | ||
| 4 | Subject: [PATCH] Fix handling of parameter-entity references | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | There were two bugs where parameter-entity references could lead to an | ||
| 10 | unexpected change of the input buffer in xmlParseNameComplex and | ||
| 11 | xmlDictLookup being called with an invalid pointer. | ||
| 12 | |||
| 13 | Percent sign in DTD Names | ||
| 14 | ========================= | ||
| 15 | |||
| 16 | The NEXTL macro used to call xmlParserHandlePEReference. When parsing | ||
| 17 | "complex" names inside the DTD, this could result in entity expansion | ||
| 18 | which created a new input buffer. The fix is to simply remove the call | ||
| 19 | to xmlParserHandlePEReference from the NEXTL macro. This is safe because | ||
| 20 | no users of the macro require expansion of parameter entities. | ||
| 21 | |||
| 22 | - xmlParseNameComplex | ||
| 23 | - xmlParseNCNameComplex | ||
| 24 | - xmlParseNmtoken | ||
| 25 | |||
| 26 | The percent sign is not allowed in names, which are grammatical tokens. | ||
| 27 | |||
| 28 | - xmlParseEntityValue | ||
| 29 | |||
| 30 | Parameter-entity references in entity values are expanded but this | ||
| 31 | happens in a separate step in this function. | ||
| 32 | |||
| 33 | - xmlParseSystemLiteral | ||
| 34 | |||
| 35 | Parameter-entity references are ignored in the system literal. | ||
| 36 | |||
| 37 | - xmlParseAttValueComplex | ||
| 38 | - xmlParseCharDataComplex | ||
| 39 | - xmlParseCommentComplex | ||
| 40 | - xmlParsePI | ||
| 41 | - xmlParseCDSect | ||
| 42 | |||
| 43 | Parameter-entity references are ignored outside the DTD. | ||
| 44 | |||
| 45 | - xmlLoadEntityContent | ||
| 46 | |||
| 47 | This function is only called from xmlStringLenDecodeEntities and | ||
| 48 | entities are replaced in a separate step immediately after the function | ||
| 49 | call. | ||
| 50 | |||
| 51 | This bug could also be triggered with an internal subset and double | ||
| 52 | entity expansion. | ||
| 53 | |||
| 54 | This fixes bug 766956 initially reported by Wei Lei and independently by | ||
| 55 | Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone | ||
| 56 | involved. | ||
| 57 | |||
| 58 | xmlParseNameComplex with XML_PARSE_OLD10 | ||
| 59 | ======================================== | ||
| 60 | |||
| 61 | When parsing Names inside an expanded parameter entity with the | ||
| 62 | XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the | ||
| 63 | GROW macro if the input buffer was exhausted. At the end of the | ||
| 64 | parameter entity's replacement text, this function would then call | ||
| 65 | xmlPopInput which invalidated the input buffer. | ||
| 66 | |||
| 67 | There should be no need to invoke GROW in this situation because the | ||
| 68 | buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, | ||
| 69 | at least for UTF-8, in xmlCurrentChar. This also matches the code path | ||
| 70 | executed when XML_PARSE_OLD10 is not set. | ||
| 71 | |||
| 72 | This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). | ||
| 73 | Thanks to Marcel Böhme and Thuan Pham for the report. | ||
| 74 | |||
| 75 | Additional hardening | ||
| 76 | ==================== | ||
| 77 | |||
| 78 | A separate check was added in xmlParseNameComplex to validate the | ||
| 79 | buffer size. | ||
| 80 | |||
| 81 | CVE: CVE-2017-9049 CVE-2017-9050 | ||
| 82 | Upstream-Status: Backport | ||
| 83 | |||
| 84 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 85 | --- | ||
| 86 | Makefile.am | 18 ++++++++++++++++++ | ||
| 87 | parser.c | 18 ++++++++++-------- | ||
| 88 | result/errors10/781205.xml | 0 | ||
| 89 | result/errors10/781205.xml.err | 21 +++++++++++++++++++++ | ||
| 90 | result/errors10/781361.xml | 0 | ||
| 91 | result/errors10/781361.xml.err | 13 +++++++++++++ | ||
| 92 | result/valid/766956.xml | 0 | ||
| 93 | result/valid/766956.xml.err | 9 +++++++++ | ||
| 94 | result/valid/766956.xml.err.rdr | 10 ++++++++++ | ||
| 95 | runtest.c | 3 +++ | ||
| 96 | test/errors10/781205.xml | 3 +++ | ||
| 97 | test/errors10/781361.xml | 3 +++ | ||
| 98 | test/valid/766956.xml | 2 ++ | ||
| 99 | test/valid/dtds/766956.dtd | 2 ++ | ||
| 100 | 14 files changed, 94 insertions(+), 8 deletions(-) | ||
| 101 | create mode 100644 result/errors10/781205.xml | ||
| 102 | create mode 100644 result/errors10/781205.xml.err | ||
| 103 | create mode 100644 result/errors10/781361.xml | ||
| 104 | create mode 100644 result/errors10/781361.xml.err | ||
| 105 | create mode 100644 result/valid/766956.xml | ||
| 106 | create mode 100644 result/valid/766956.xml.err | ||
| 107 | create mode 100644 result/valid/766956.xml.err.rdr | ||
| 108 | create mode 100644 test/errors10/781205.xml | ||
| 109 | create mode 100644 test/errors10/781361.xml | ||
| 110 | create mode 100644 test/valid/766956.xml | ||
| 111 | create mode 100644 test/valid/dtds/766956.dtd | ||
| 112 | |||
| 113 | diff --git a/Makefile.am b/Makefile.am | ||
| 114 | index 6fc8ffa..10e716a 100644 | ||
| 115 | --- a/Makefile.am | ||
| 116 | +++ b/Makefile.am | ||
| 117 | @@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT) | ||
| 118 | if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ | ||
| 119 | rm result.$$name error.$$name ; \ | ||
| 120 | fi ; fi ; done) | ||
| 121 | + @echo "## Error cases regression tests (old 1.0)" | ||
| 122 | + -@(for i in $(srcdir)/test/errors10/*.xml ; do \ | ||
| 123 | + name=`basename $$i`; \ | ||
| 124 | + if [ ! -d $$i ] ; then \ | ||
| 125 | + if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ | ||
| 126 | + echo New test file $$name ; \ | ||
| 127 | + $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ | ||
| 128 | + 2> $(srcdir)/result/errors10/$$name.err \ | ||
| 129 | + > $(srcdir)/result/errors10/$$name ; \ | ||
| 130 | + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ | ||
| 131 | + else \ | ||
| 132 | + log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ | ||
| 133 | + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ | ||
| 134 | + diff $(srcdir)/result/errors10/$$name result.$$name ; \ | ||
| 135 | + diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ | ||
| 136 | + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ | ||
| 137 | + rm result.$$name error.$$name ; \ | ||
| 138 | + fi ; fi ; done) | ||
| 139 | @echo "## Error cases stream regression tests" | ||
| 140 | -@(for i in $(srcdir)/test/errors/*.xml ; do \ | ||
| 141 | name=`basename $$i`; \ | ||
| 142 | diff --git a/parser.c b/parser.c | ||
| 143 | index df2efa5..a175ac4 100644 | ||
| 144 | --- a/parser.c | ||
| 145 | +++ b/parser.c | ||
| 146 | @@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { | ||
| 147 | ctxt->input->line++; ctxt->input->col = 1; \ | ||
| 148 | } else ctxt->input->col++; \ | ||
| 149 | ctxt->input->cur += l; \ | ||
| 150 | - if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ | ||
| 151 | } while (0) | ||
| 152 | |||
| 153 | #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) | ||
| 154 | @@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
| 155 | len += l; | ||
| 156 | NEXTL(l); | ||
| 157 | c = CUR_CHAR(l); | ||
| 158 | - if (c == 0) { | ||
| 159 | - count = 0; | ||
| 160 | - GROW; | ||
| 161 | - if (ctxt->instate == XML_PARSER_EOF) | ||
| 162 | - return(NULL); | ||
| 163 | - c = CUR_CHAR(l); | ||
| 164 | - } | ||
| 165 | } | ||
| 166 | } | ||
| 167 | if ((len > XML_MAX_NAME_LENGTH) && | ||
| 168 | @@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
| 169 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); | ||
| 170 | return(NULL); | ||
| 171 | } | ||
| 172 | + if (ctxt->input->cur - ctxt->input->base < len) { | ||
| 173 | + /* | ||
| 174 | + * There were a couple of bugs where PERefs lead to to a change | ||
| 175 | + * of the buffer. Check the buffer size to avoid passing an invalid | ||
| 176 | + * pointer to xmlDictLookup. | ||
| 177 | + */ | ||
| 178 | + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, | ||
| 179 | + "unexpected change of input buffer"); | ||
| 180 | + return (NULL); | ||
| 181 | + } | ||
| 182 | if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) | ||
| 183 | return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); | ||
| 184 | return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); | ||
| 185 | diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml | ||
| 186 | new file mode 100644 | ||
| 187 | index 0000000..e69de29 | ||
| 188 | diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err | ||
| 189 | new file mode 100644 | ||
| 190 | index 0000000..da15c3f | ||
| 191 | --- /dev/null | ||
| 192 | +++ b/result/errors10/781205.xml.err | ||
| 193 | @@ -0,0 +1,21 @@ | ||
| 194 | +Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration | ||
| 195 | + | ||
| 196 | + %a; | ||
| 197 | + ^ | ||
| 198 | +Entity: line 1: | ||
| 199 | +<:0000 | ||
| 200 | +^ | ||
| 201 | +Entity: line 1: parser error : DOCTYPE improperly terminated | ||
| 202 | + %a; | ||
| 203 | + ^ | ||
| 204 | +Entity: line 1: | ||
| 205 | +<:0000 | ||
| 206 | +^ | ||
| 207 | +namespace error : Failed to parse QName ':0000' | ||
| 208 | + %a; | ||
| 209 | + ^ | ||
| 210 | +<:0000 | ||
| 211 | + ^ | ||
| 212 | +./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 | ||
| 213 | + | ||
| 214 | +^ | ||
| 215 | diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml | ||
| 216 | new file mode 100644 | ||
| 217 | index 0000000..e69de29 | ||
| 218 | diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err | ||
| 219 | new file mode 100644 | ||
| 220 | index 0000000..655f41a | ||
| 221 | --- /dev/null | ||
| 222 | +++ b/result/errors10/781361.xml.err | ||
| 223 | @@ -0,0 +1,13 @@ | ||
| 224 | +./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected | ||
| 225 | + | ||
| 226 | +^ | ||
| 227 | +./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration | ||
| 228 | + | ||
| 229 | + | ||
| 230 | +^ | ||
| 231 | +./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated | ||
| 232 | + | ||
| 233 | +^ | ||
| 234 | +./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found | ||
| 235 | + | ||
| 236 | +^ | ||
| 237 | diff --git a/result/valid/766956.xml b/result/valid/766956.xml | ||
| 238 | new file mode 100644 | ||
| 239 | index 0000000..e69de29 | ||
| 240 | diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err | ||
| 241 | new file mode 100644 | ||
| 242 | index 0000000..34b1dae | ||
| 243 | --- /dev/null | ||
| 244 | +++ b/result/valid/766956.xml.err | ||
| 245 | @@ -0,0 +1,9 @@ | ||
| 246 | +test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' | ||
| 247 | +%ä%ent; | ||
| 248 | + ^ | ||
| 249 | +Entity: line 1: parser error : Content error in the external subset | ||
| 250 | + %ent; | ||
| 251 | + ^ | ||
| 252 | +Entity: line 1: | ||
| 253 | +value | ||
| 254 | +^ | ||
| 255 | diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr | ||
| 256 | new file mode 100644 | ||
| 257 | index 0000000..7760346 | ||
| 258 | --- /dev/null | ||
| 259 | +++ b/result/valid/766956.xml.err.rdr | ||
| 260 | @@ -0,0 +1,10 @@ | ||
| 261 | +test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' | ||
| 262 | +%ä%ent; | ||
| 263 | + ^ | ||
| 264 | +Entity: line 1: parser error : Content error in the external subset | ||
| 265 | + %ent; | ||
| 266 | + ^ | ||
| 267 | +Entity: line 1: | ||
| 268 | +value | ||
| 269 | +^ | ||
| 270 | +./test/valid/766956.xml : failed to parse | ||
| 271 | diff --git a/runtest.c b/runtest.c | ||
| 272 | index b2ce693..378b38e 100644 | ||
| 273 | --- a/runtest.c | ||
| 274 | +++ b/runtest.c | ||
| 275 | @@ -4214,6 +4214,9 @@ testDesc testDescriptions[] = { | ||
| 276 | { "Error cases regression tests", | ||
| 277 | errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", | ||
| 278 | 0 }, | ||
| 279 | + { "Error cases regression tests (old 1.0)", | ||
| 280 | + errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", | ||
| 281 | + XML_PARSE_OLD10 }, | ||
| 282 | #ifdef LIBXML_READER_ENABLED | ||
| 283 | { "Error cases stream regression tests", | ||
| 284 | streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", | ||
| 285 | diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml | ||
| 286 | new file mode 100644 | ||
| 287 | index 0000000..d9e9e83 | ||
| 288 | --- /dev/null | ||
| 289 | +++ b/test/errors10/781205.xml | ||
| 290 | @@ -0,0 +1,3 @@ | ||
| 291 | +<!DOCTYPE D [ | ||
| 292 | + <!ENTITY % a "<:0000"> | ||
| 293 | + %a; | ||
| 294 | diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml | ||
| 295 | new file mode 100644 | ||
| 296 | index 0000000..67476bc | ||
| 297 | --- /dev/null | ||
| 298 | +++ b/test/errors10/781361.xml | ||
| 299 | @@ -0,0 +1,3 @@ | ||
| 300 | +<!DOCTYPE doc [ | ||
| 301 | + <!ENTITY % elem "<!ELEMENT e0000000000"> | ||
| 302 | + %elem; | ||
| 303 | diff --git a/test/valid/766956.xml b/test/valid/766956.xml | ||
| 304 | new file mode 100644 | ||
| 305 | index 0000000..19a95a0 | ||
| 306 | --- /dev/null | ||
| 307 | +++ b/test/valid/766956.xml | ||
| 308 | @@ -0,0 +1,2 @@ | ||
| 309 | +<!DOCTYPE test SYSTEM "dtds/766956.dtd"> | ||
| 310 | +<test/> | ||
| 311 | diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd | ||
| 312 | new file mode 100644 | ||
| 313 | index 0000000..dddde68 | ||
| 314 | --- /dev/null | ||
| 315 | +++ b/test/valid/dtds/766956.dtd | ||
| 316 | @@ -0,0 +1,2 @@ | ||
| 317 | +<!ENTITY % ent "value"> | ||
| 318 | +%ä%ent; | ||
| 319 | -- | ||
| 320 | 1.9.1 | ||
| 321 | |||
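--- a/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From d2f873a541c72b0f67e15562819bf98b884b30b7 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Wed, 23 Aug 2017 16:04:49 +0800
-Subject: [PATCH] fix CVE-2017-8872
-
-this makes xmlHaltParser "empty" the buffer, as it resets cur and ava
-il too here.
-
-this seems to cure this specific issue, and also passes the testsuite
-
-Signed-off-by: Marcus Meissner <meissner@suse.de>
-
-https://bugzilla.gnome.org/show_bug.cgi?id=775200
-
-CVE: CVE-2017-8872
-Upstream-Status: Backport [https://bugzilla.gnome.org/attachment.cgi?id=355527&action=diff]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-parser.c | 4 ++++
-1 file changed, 4 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 9506ead..6c07ffd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -12664,6 +12664,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
-}
-ctxt->input->cur = BAD_CAST"";
-ctxt->input->base = ctxt->input->cur;
-+ if (ctxt->input->buf) {
-+ xmlBufEmpty (ctxt->input->buf->buffer);
-+ } else
-+ ctxt->input->length = 0;
-}
-}
-
---
-2.7.4
-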
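--- a/recipes-core/libxml/libxml2_%.bbappend
+++ /dev/null
@@ -1,10 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-0663.patch \
-file://CVE-2017-5969.patch \
-file://CVE-2017-9047_CVE-2017-9048.patch \
-file://CVE-2017-9049_CVE-2017-9050.patch \
-file://libxml2-CVE-2017-8872.patch \
-"
-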
