libxml2: Fix CVEs

CVE: CVE-2017-16932 CVE-2017-5130 CVE-2017-7375 CVE-2017-7376 Libxml2 in the upstream pyro is 2.9.4 CVE-2017-7376: For the stable distribution (stretch), these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u1 CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2 Reference: CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-09-11 10:09:27 +0200
committer: Dan Andresan <Dan.Andresan@enea.com> 2018-10-25 13:54:59 +0200
commit: 2057b91933875959294f823b12938d6cba6ea62b (patch)
tree: 357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
parent: 5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download: meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz
1 files changed, 40 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
new file mode 100644
index 0000000..252929c
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+* parser.c: add a specific check to avoid PE reference
+CVE: CVE-2018-7375
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
+++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+            if (xmlPushInput(ctxt, input) < 0)
+                return;
+        } else {
+           if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+               ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+               ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+               ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+               ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+               (ctxt->replaceEntities == 0) &&
+               (ctxt->validate == 0))
+               return;
+
+            /*
+             * TODO !!!
+             * handle the extra spaces added before and after
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-09-11 10:09:27 +0200
committer	Dan Andresan <Dan.Andresan@enea.com>	2018-10-25 13:54:59 +0200
commit	2057b91933875959294f823b12938d6cba6ea62b (patch)
tree	357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
parent	5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download	meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch new file mode 100644 index 0000000..252929c --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
	1	From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
	2	From: Neel Mehta <nmehta@google.com>
	3	Date: Fri, 7 Apr 2017 17:43:02 +0200
	4	Subject: [PATCH] Prevent unwanted external entity reference
	5
	6	For https://bugzilla.gnome.org/show_bug.cgi?id=780691
	7
	8	* parser.c: add a specific check to avoid PE reference
	9
	10	CVE: CVE-2018-7375
	11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
	12
	13	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	14	---
	15	parser.c \| 9 +++++++++
	16	1 file changed, 9 insertions(+)
	17
	18	diff --git a/parser.c b/parser.c
	19	index 609a270..c2c812d 100644
	20	--- a/parser.c
	21	+++ b/parser.c
	22	@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
	23	if (xmlPushInput(ctxt, input) < 0)
	24	return;
	25	} else {
	26	+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
	27	+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
	28	+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
	29	+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
	30	+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
	31	+ (ctxt->replaceEntities == 0) &&
	32	+ (ctxt->validate == 0))
	33	+ return;
	34	+
	35	/*
	36	* TODO !!!
	37	* handle the extra spaces added before and after
	38	--
	39	2.7.4
	40