9 files changed, 587 insertions, 0 deletions
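--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch
@@ -0,0 +1,50 @@
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 17:38:54 +0000 (+0200)
+Subject: Reject excessively large primes in DH key generation.
+X-Git-Tag: OpenSSL_1_0_2p~40
+X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098
+
+Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+
+CVE: CVE-2018-0732
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+crypto/dh/dh_key.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f..f235e0d 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+int ok = 0;
+int generate_new_key = 0;
+unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+BN_MONT_CTX *mont = NULL;
+BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ctx = BN_CTX_new();
+if (ctx == NULL)
+goto err;
+--
+2.7.4
+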
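--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch
@@ -0,0 +1,36 @@
+From 337da9779c4ef107a4b7bbaaa198824a489a10ed Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 12:43:16 +0200
+Subject: RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with...
+X-Git-Tag: OpenSSL_1_0_2p~87
+X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f
+
+RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+
+CVE: CVE-2018-0737
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+crypto/rsa/rsa_gen.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
+index a85493d..f5914c0 100644
+--- a/crypto/rsa/rsa_gen.c
++++ b/crypto/rsa/rsa_gen.c
+@@ -155,6 +155,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+if (BN_copy(rsa->e, e_value) == NULL)
+goto err;
+
++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+/* generate p and q */
+for (;;) {
+if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))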
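Review bot: The mbox header of this patch attributes the upstream fix to the backporter: `From: Andreas Wellving <andreas.wellving@enea.com>` and `Date: Mon, 22 Oct 2018 12:43:16 +0200` sit above a body that is a cherry-pick of upstream commit 6939eab0 (tagged OpenSSL_1_0_2p~87), so `git am`/devtool will record the wrong author and no upstream author or Signed-off-by appears anywhere in the file. The `Subject:` line is also cut off at `...get called with...`, so the recorded commit title will be truncated even though the full sentence is present on the body line below it. Suggest restoring the upstream `From:`, `Date:` and full `Subject:` headers the way the CVE-2018-0732 patch in this same commit does, and keeping the backporter's Signed-off-by as a trailer.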
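--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch
@@ -0,0 +1,237 @@
+From 9310d45087ae546e27e61ddf8f6367f29848220d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 22 Mar 2018 10:05:40 +0000
+Subject: [PATCH] Limit ASN.1 constructed types recursive definition depth
+
+Constructed types with a recursive definition (such as can be found in
+PKCS7) could eventually exceed the stack given malicious input with
+excessive recursion. Therefore we limit the stack depth.
+
+CVE-2018-0739
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9310d45087ae546e27e61ddf8f6367f29848220d]
+
+Credit to OSSFuzz for finding this issue.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+crypto/asn1/asn1.h | 1 +
+crypto/asn1/asn1_err.c | 3 ++-
+crypto/asn1/tasn_dec.c | 62 +++++++++++++++++++++++++++++++++-----------------
+3 files changed, 44 insertions(+), 22 deletions(-)
+
+diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
+index 68e791f..35a2b2a 100644
+--- a/crypto/asn1/asn1.h
++++ b/crypto/asn1/asn1.h
+@@ -1365,6 +1365,7 @@ void ERR_load_ASN1_strings(void);
+# define ASN1_R_MSTRING_NOT_UNIVERSAL 139
+# define ASN1_R_MSTRING_WRONG_TAG 140
+# define ASN1_R_NESTED_ASN1_STRING 197
++# define ASN1_R_NESTED_TOO_DEEP 219
+# define ASN1_R_NON_HEX_CHARACTERS 141
+# define ASN1_R_NOT_ASCII_FORMAT 190
+# define ASN1_R_NOT_ENOUGH_DATA 142
+diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
+index fd4ac8d..cfc1512 100644
+--- a/crypto/asn1/asn1_err.c
++++ b/crypto/asn1/asn1_err.c
+@@ -1,6 +1,6 @@
+/* crypto/asn1/asn1_err.c */
+/* ====================================================================
+- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
+{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},
+{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"},
+{ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"},
++ {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"},
+{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"},
+{ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},
+{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index d49a5d5..78126e9 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -65,6 +65,14 @@
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
++/*
++ * Constructed types with a recursive definition (such as can be found in PKCS7)
++ * could eventually exceed the stack given malicious input with excessive
++ * recursion. Therefore we limit the stack depth. This is the maximum number of
++ * recursive invocations of asn1_item_embed_d2i().
++ */
++#define ASN1_MAX_CONSTRUCTED_NEST 30
++
+static int asn1_check_eoc(const unsigned char **in, long len);
+static int asn1_find_end(const unsigned char **in, long len, char inf);
+
+@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
+static int asn1_template_ex_d2i(ASN1_VALUE **pval,
+const unsigned char **in, long len,
+const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx);
++ ASN1_TLC *ctx, int depth);
+static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+const unsigned char **in, long len,
+const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx);
++ ASN1_TLC *ctx, int depth);
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+const unsigned char **in, long len,
+const ASN1_ITEM *it,
+@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval,
+{
+ASN1_TLC c;
+asn1_tlc_clear_nc(&c);
+- return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
++ return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0);
+}
+
+/*
+* Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
+* tag mismatch return -1 to handle OPTIONAL
+*/
+-
+-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+- const ASN1_ITEM *it,
+- int tag, int aclass, char opt, ASN1_TLC *ctx)
++static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
++ long len, const ASN1_ITEM *it, int tag, int aclass,
++ char opt, ASN1_TLC *ctx, int depth)
+{
+const ASN1_TEMPLATE *tt, *errtt = NULL;
+const ASN1_COMPAT_FUNCS *cf;
+@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+else
+asn1_cb = 0;
+
++ if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP);
++ goto err;
++ }
++
+switch (it->itype) {
+case ASN1_ITYPE_PRIMITIVE:
+if (it->templates) {
+@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+goto err;
+}
+return asn1_template_ex_d2i(pval, in, len,
+- it->templates, opt, ctx);
++ it->templates, opt, ctx, depth);
+}
+return asn1_d2i_ex_primitive(pval, in, len, it,
+tag, aclass, opt, ctx);
+@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+/*
+* We mark field as OPTIONAL so its absence can be recognised.
+*/
+- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
++ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
+/* If field not present, try the next one */
+if (ret == -1)
+continue;
+@@ -444,7 +456,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+* attempt to read in field, allowing each to be OPTIONAL
+*/
+
+- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
++ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
++ depth);
+if (!ret) {
+errtt = seqtt;
+goto err;
+@@ -514,6 +527,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+return 0;
+}
+
++int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
++ const ASN1_ITEM *it,
++ int tag, int aclass, char opt, ASN1_TLC *ctx)
++{
++ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
++}
++
+/*
+* Templates are handled with two separate functions. One handles any
+* EXPLICIT tag and the other handles the rest.
+@@ -522,7 +542,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+static int asn1_template_ex_d2i(ASN1_VALUE **val,
+const unsigned char **in, long inlen,
+const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx)
++ ASN1_TLC *ctx, int depth)
+{
+int flags, aclass;
+int ret;
+@@ -557,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+return 0;
+}
+/* We've found the field so it can't be OPTIONAL now */
+- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
++ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
+if (!ret) {
+ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+return 0;
+@@ -581,7 +601,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+}
+}
+} else
+- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
++ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
+
+*in = p;
+return 1;
+@@ -594,7 +614,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+const unsigned char **in, long len,
+const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx)
++ ASN1_TLC *ctx, int depth)
+{
+int flags, aclass;
+int ret;
+@@ -665,8 +685,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+break;
+}
+skfield = NULL;
+- if (!ASN1_item_ex_d2i(&skfield, &p, len,
+- ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
++ if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
++ -1, 0, 0, ctx, depth)) {
+ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+ERR_R_NESTED_ASN1_ERROR);
+goto err;
+@@ -684,9 +704,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+}
+} else if (flags & ASN1_TFLG_IMPTAG) {
+/* IMPLICIT tagging */
+- ret = ASN1_item_ex_d2i(val, &p, len,
+- ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
+- ctx);
++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
++ aclass, opt, ctx, depth);
+if (!ret) {
+ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+goto err;
+@@ -694,8 +713,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+return -1;
+} else {
+/* Nothing special */
+- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
++ depth);
+if (!ret) {
+ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+goto err;
+--
+1.9.1
+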
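Review bot: The comment introduced above `ASN1_MAX_CONSTRUCTED_NEST` says the limit bounds recursive invocations of `asn1_item_embed_d2i()`, but no function of that name appears in this 1.0.2 backport; the counter is incremented in the function the patch renames to `asn1_item_ex_d2i` (the `if (++depth > ASN1_MAX_CONSTRUCTED_NEST)` check in the `@@ -189,6 +196,11 @@` hunk), so the comment describes a different tree. Suggest `* recursive invocations of asn1_item_ex_d2i().` so it names the function it guards. The public `ASN1_item_ex_d2i` wrapper re-added in the `@@ -514,6 +527,13 @@` hunk carries no comment while the original explanatory block now sits on the static function; a one-liner such as `/* Public entry point: starts the constructed-type nesting count at 0. */` above the wrapper would make the split visible to readers of the exported API.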
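--- /dev/null
+++ b/recipes-connectivity/openssl/openssl_1.0.2n.bbappend
@@ -0,0 +1,7 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+file://CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch \
+file://CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch \
+file://CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch \
+"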
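Review bot: Nothing in this bbappend records which upstream release already carries the three fixes, so there is no cue for retiring it when the recipe is upgraded; the X-Git-Tag lines in the CVE-2018-0732 and CVE-2018-0737 patches place those two in OpenSSL_1_0_2p, while the CVE-2018-0739 patch carries no tag and its first fixed release would need checking. Suggest a leading comment such as `# CVE backports for 1.0.2n; fixed upstream in <RELEASE>, drop this file once the recipe moves past it` with the release filled in. That also mirrors the `# look for files in the layer first` comment the libxml2 bbappend in this same commit puts above its FILESEXTRAPATHS line, which this file omits.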
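--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+
+Thanks to Wei Lei for the first of many reports.
+
+Fixes bug 759579.
+
+CVE: CVE-2017-16932
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+parser.c | 11 ++++++++++-
+result/errors/759579.xml | 0
+result/errors/759579.xml.err | 6 ++++++
+result/errors/759579.xml.str | 7 +++++++
+test/errors/759579.xml | 11 +++++++++++
+5 files changed, 34 insertions(+), 1 deletion(-)
+create mode 100644 result/errors/759579.xml
+create mode 100644 result/errors/759579.xml.err
+create mode 100644 result/errors/759579.xml.str
+create mode 100644 test/errors/759579.xml
+
+diff --git a/parser.c b/parser.c
+index 6286cad..51452a2 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+xmlGenericError(xmlGenericErrorContext,
+"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+}
++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++ (ctxt->inputNr > 1024)) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ while (ctxt->inputNr > 1)
++ xmlFreeInputStream(inputPop(ctxt));
++ return(-1);
++ }
+ret = inputPush(ctxt, input);
+if (ctxt->instate == XML_PARSER_EOF)
+return(-1);
+@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+* c.f. http://www.w3.org/TR/REC-xml#as-PE
+*/
+input = xmlNewEntityInputStream(ctxt, entity);
+- if (xmlPushInput(ctxt, input) < 0)
++ if (xmlPushInput(ctxt, input) < 0) {
++ xmlFreeInputStream(input);
+return;
++ }
+if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+(CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+(IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
++++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
++Entity: line 2: parser error : Detected an entity reference loop
++ %z; %z; %z; %z; %z;
++ ^
++Entity: line 2:
++ %z; %z; %z; %z; %z;
++ ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
++++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
++Entity: line 2: parser error : Detected an entity reference loop
++ %z; %z; %z; %z; %z;
++ ^
++Entity: line 2:
++ %z; %z; %z; %z; %z;
++ ^
++./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
++++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
++<!DOCTYPE doc [
++ <!ENTITY % z '
++ %z; %z; %z; %z; %z;
++ %z; %z; %z; %z; %z;
++ %z; %z; %z; %z; %z;
++ %z; %z; %z; %z; %z;
++ %z; %z; %z; %z; %z;
++ '>
++ %z;
++]>
++<doc/>
+--
+2.7.4
+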
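Review bot: The new early return in `xmlPushInput` rejects `input` without pushing it, so ownership stays with the caller, yet the patch frees it at only one of the two `xmlPushInput` call sites in `xmlParsePEReference`: the `xmlNewEntityInputStream` branch gains `xmlFreeInputStream(input)`, while the other call site, visible as context in the CVE-2017-7375 patch in this same commit (`if (xmlPushInput(ctxt, input) < 0) return;` immediately before `} else {`), still returns without freeing. If that branch allocates its own input stream — it appears to, but its body lies outside both hunks — the loop-detection path leaks one stream there, and a matching `{ xmlFreeInputStream(input); return; }` would close it. The `ctxt->inputNr > 40` and `> 1024` thresholds are also bare literals; naming them (for example as the non-HUGE and HUGE input-depth limits) would make the XML_PARSE_HUGE relaxation self-explanatory.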
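--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
+From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: [PATCH] Check for integer overflow in memory debug code
+
+Fixes bug 783026.
+
+Thanks to Pranjal Jumde for the report.
+
+CVE: CVE-2017-5130
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+xmlmemory.c | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3..c53141f 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+
+TEST_POINT
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+
+if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+#endif
+xmlMutexUnlock(xmlMemMutex);
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+if (!tmp) {
+free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+if (!xmlMemInitialized) xmlInitMemory();
+TEST_POINT
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+if (!p) {
+goto error;
+--
+2.7.4
+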
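Review bot: The overflow diagnostic copied into `xmlReallocLoc` and `xmlMemStrdupLoc` still reads `"xmlMallocLoc : Unsigned overflow\n"`, so a log line emitted by either of those functions names the wrong allocator; the two copies should say `"xmlReallocLoc : Unsigned overflow\n"` and `"xmlMemStrdupLoc : Unsigned overflow\n"`. In `xmlReallocLoc` the new check also returns NULL after the mutex-guarded bookkeeping above it has already run, without touching `p`, whereas the realloc-failure path just below it does `free(p)`; the two failure paths now leave the caller with different ownership of `ptr`, which is worth confirming against what callers expect (the earlier part of the function is outside the hunk).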
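--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+
+CVE: CVE-2018-7375
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+parser.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+if (xmlPushInput(ctxt, input) < 0)
+return;
+} else {
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
++ (ctxt->validate == 0))
++ return;
++
+/*
+* TODO !!!
+* handle the extra spaces added before and after
+--
+2.7.4
+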
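Review bot: The `CVE:` tag in this patch reads `CVE-2018-7375`, while the file name, the subject and the upstream commit all belong to CVE-2017-7375. Yocto's cve-check reads this line as well as the file name, so the build would report an unrelated 2018 id as patched while the real one is only picked up because the file name happens to carry it; change the line to `CVE: CVE-2017-7375`. The hunk itself matches the upstream change and needs nothing further.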
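--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
@@ -0,0 +1,36 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+
+CVE: CVE-2017-7376
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+nanohttp.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad7..373425d 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+if (ctxt->port != 80) {
+/* reserve space for ':xxxxx', incl. potential proxy */
+if (proxy)
+- blen += 12;
++ blen += 17;
+else
+- blen += 6;
++ blen += 11;
+}
+bp = (char*)xmlMallocAtomic(blen);
+if ( bp == NULL ) {
+--
+2.7.4
+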
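Review bot: The comment directly above the changed lines still says `/* reserve space for ':xxxxx', incl. potential proxy */`, i.e. a five-digit port, while the reservation grows to 11 and 17 bytes because the port is an int (the description says the code wrongly assumed a short); after the change the two numbers are unexplained. Suggest `/* reserve space for ':' + an int port (up to 11 chars), plus the proxy's port */` or, better, deriving both branches from one named constant for the port width. It is also not obvious from the hunk why the proxy branch adds 6 more rather than doubling as the old 12/6 pair did; a sentence in the comment would make that arithmetic reviewable. The enclosing function continues outside the hunk.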
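--- /dev/null
+++ b/recipes-core/libxml/libxml2_2.9.4.bbappend
@@ -0,0 +1,9 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+file://CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch \
+file://CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch \
+file://CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch \
+file://CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch \
+"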
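Review bot: Two of the listed patches, CVE-2017-7375 and CVE-2017-16932, both modify `xmlParsePEReference` in parser.c and were generated against different parser.c blobs (their headers read `index 609a270..c2c812d` and `index 6286cad..51452a2`), so the second hunk is applied to a file neither patch was made from. Worth confirming in the do_patch log that both apply to 2.9.4 without fuzz or offset warnings, and regenerating against the recipe's tree if they do not. As with the openssl bbappend in this commit, a comment naming the upstream release that already carries these fixes, e.g. `# fixed upstream in <RELEASE>; drop this file once the recipe moves past it`, would give a cue for retiring the append on upgrade.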