-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch50
-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch36
-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch237
-rw-r--r--recipes-connectivity/openssl/openssl_1.0.2n.bbappend7
-rw-r--r--recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch106
-rw-r--r--recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch66
-rw-r--r--recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch40
-rw-r--r--recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch36
-rw-r--r--recipes-core/libxml/libxml2_2.9.4.bbappend9
9 files changed, 587 insertions, 0 deletions
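--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch
@@ -0,0 +1,50 @@
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 17:38:54 +0000 (+0200)
+Subject: Reject excessively large primes in DH key generation.
+X-Git-Tag: OpenSSL_1_0_2p~40
+X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098
+
+Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+
+CVE: CVE-2018-0732
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f..f235e0d 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+--
+2.7.4
+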
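--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch
@@ -0,0 +1,36 @@
+From 337da9779c4ef107a4b7bbaaa198824a489a10ed Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 12:43:16 +0200
+Subject: RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with...
+X-Git-Tag: OpenSSL_1_0_2p~87
+X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f
+
+RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+
+CVE: CVE-2018-0737
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
+index a85493d..f5914c0 100644
+--- a/crypto/rsa/rsa_gen.c
++++ b/crypto/rsa/rsa_gen.c
+@@ -155,6 +155,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ if (BN_copy(rsa->e, e_value) == NULL)
+ goto err;
+
++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))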
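--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch
@@ -0,0 +1,237 @@
+From 9310d45087ae546e27e61ddf8f6367f29848220d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 22 Mar 2018 10:05:40 +0000
+Subject: [PATCH] Limit ASN.1 constructed types recursive definition depth
+
+Constructed types with a recursive definition (such as can be found in
+PKCS7) could eventually exceed the stack given malicious input with
+excessive recursion. Therefore we limit the stack depth.
+
+CVE-2018-0739
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9310d45087ae546e27e61ddf8f6367f29848220d]
+
+Credit to OSSFuzz for finding this issue.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ crypto/asn1/asn1.h | 1 +
+ crypto/asn1/asn1_err.c | 3 ++-
+ crypto/asn1/tasn_dec.c | 62 +++++++++++++++++++++++++++++++++-----------------
+ 3 files changed, 44 insertions(+), 22 deletions(-)
+
+diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
+index 68e791f..35a2b2a 100644
+--- a/crypto/asn1/asn1.h
++++ b/crypto/asn1/asn1.h
+@@ -1365,6 +1365,7 @@ void ERR_load_ASN1_strings(void);
+ # define ASN1_R_MSTRING_NOT_UNIVERSAL 139
+ # define ASN1_R_MSTRING_WRONG_TAG 140
+ # define ASN1_R_NESTED_ASN1_STRING 197
++# define ASN1_R_NESTED_TOO_DEEP 219
+ # define ASN1_R_NON_HEX_CHARACTERS 141
+ # define ASN1_R_NOT_ASCII_FORMAT 190
+ # define ASN1_R_NOT_ENOUGH_DATA 142
+diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
+index fd4ac8d..cfc1512 100644
+--- a/crypto/asn1/asn1_err.c
++++ b/crypto/asn1/asn1_err.c
+@@ -1,6 +1,6 @@
+ /* crypto/asn1/asn1_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
+ {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},
+ {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"},
+ {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"},
++ {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"},
+ {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"},
+ {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},
+ {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index d49a5d5..78126e9 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -65,6 +65,14 @@
+ #include <openssl/buffer.h>
+ #include <openssl/err.h>
+
++/*
++ * Constructed types with a recursive definition (such as can be found in PKCS7)
++ * could eventually exceed the stack given malicious input with excessive
++ * recursion. Therefore we limit the stack depth. This is the maximum number of
++ * recursive invocations of asn1_item_embed_d2i().
++ */
++#define ASN1_MAX_CONSTRUCTED_NEST 30
++
+ static int asn1_check_eoc(const unsigned char **in, long len);
+ static int asn1_find_end(const unsigned char **in, long len, char inf);
+
+@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
+ static int asn1_template_ex_d2i(ASN1_VALUE **pval,
+ const unsigned char **in, long len,
+ const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx);
++ ASN1_TLC *ctx, int depth);
+ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ const unsigned char **in, long len,
+ const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx);
++ ASN1_TLC *ctx, int depth);
+ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+ const unsigned char **in, long len,
+ const ASN1_ITEM *it,
+@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval,
+ {
+ ASN1_TLC c;
+ asn1_tlc_clear_nc(&c);
+- return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
++ return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0);
+ }
+
+ /*
+ * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
+ * tag mismatch return -1 to handle OPTIONAL
+ */
+-
+-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+- const ASN1_ITEM *it,
+- int tag, int aclass, char opt, ASN1_TLC *ctx)
++static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
++ long len, const ASN1_ITEM *it, int tag, int aclass,
++ char opt, ASN1_TLC *ctx, int depth)
+ {
+ const ASN1_TEMPLATE *tt, *errtt = NULL;
+ const ASN1_COMPAT_FUNCS *cf;
+@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ else
+ asn1_cb = 0;
+
++ if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP);
++ goto err;
++ }
++
+ switch (it->itype) {
+ case ASN1_ITYPE_PRIMITIVE:
+ if (it->templates) {
+@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ goto err;
+ }
+ return asn1_template_ex_d2i(pval, in, len,
+- it->templates, opt, ctx);
++ it->templates, opt, ctx, depth);
+ }
+ return asn1_d2i_ex_primitive(pval, in, len, it,
+ tag, aclass, opt, ctx);
+@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ /*
+ * We mark field as OPTIONAL so its absence can be recognised.
+ */
+- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
++ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
+ /* If field not present, try the next one */
+ if (ret == -1)
+ continue;
+@@ -444,7 +456,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ * attempt to read in field, allowing each to be OPTIONAL
+ */
+
+- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
++ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
++ depth);
+ if (!ret) {
+ errtt = seqtt;
+ goto err;
+@@ -514,6 +527,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ return 0;
+ }
+
++int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
++ const ASN1_ITEM *it,
++ int tag, int aclass, char opt, ASN1_TLC *ctx)
++{
++ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
++}
++
+ /*
+ * Templates are handled with two separate functions. One handles any
+ * EXPLICIT tag and the other handles the rest.
+@@ -522,7 +542,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+ const unsigned char **in, long inlen,
+ const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx)
++ ASN1_TLC *ctx, int depth)
+ {
+ int flags, aclass;
+ int ret;
+@@ -557,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+ return 0;
+ }
+ /* We've found the field so it can't be OPTIONAL now */
+- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
++ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+ return 0;
+@@ -581,7 +601,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+ }
+ }
+ } else
+- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
++ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
+
+ *in = p;
+ return 1;
+@@ -594,7 +614,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ const unsigned char **in, long len,
+ const ASN1_TEMPLATE *tt, char opt,
+- ASN1_TLC *ctx)
++ ASN1_TLC *ctx, int depth)
+ {
+ int flags, aclass;
+ int ret;
+@@ -665,8 +685,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ break;
+ }
+ skfield = NULL;
+- if (!ASN1_item_ex_d2i(&skfield, &p, len,
+- ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
++ if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
++ -1, 0, 0, ctx, depth)) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+ ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+@@ -684,9 +704,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ }
+ } else if (flags & ASN1_TFLG_IMPTAG) {
+ /* IMPLICIT tagging */
+- ret = ASN1_item_ex_d2i(val, &p, len,
+- ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
+- ctx);
++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
++ aclass, opt, ctx, depth);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+@@ -694,8 +713,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ return -1;
+ } else {
+ /* Nothing special */
+- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
++ depth);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+--
+1.9.1
+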
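Review bot: The patch header names the CVE only as a bare `CVE-2018-0739` line, whereas the other patches added in this commit carry a tagged trailer; add `CVE: CVE-2018-0739` next to `Upstream-Status:` so the layer's patches are tagged consistently. In tasn_dec.c, the comment above `ASN1_MAX_CONSTRUCTED_NEST` says the limit counts invocations of `asn1_item_embed_d2i()`, but the function that increments and checks `depth` in this backport is `asn1_item_ex_d2i()`; the comment should name that function. The depth check sits in the middle of `asn1_item_ex_d2i()`, whose body starts and ends outside the hunks shown, so the `err` label it jumps to is not visible here.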
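--- /dev/null
+++ b/recipes-connectivity/openssl/openssl_1.0.2n.bbappend
@@ -0,0 +1,7 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch \
+ file://CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch \
+ file://CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch \
+ "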
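--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+
+Thanks to Wei Lei for the first of many reports.
+
+Fixes bug 759579.
+
+CVE: CVE-2017-16932
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c | 11 ++++++++++-
+ result/errors/759579.xml | 0
+ result/errors/759579.xml.err | 6 ++++++
+ result/errors/759579.xml.str | 7 +++++++
+ test/errors/759579.xml | 11 +++++++++++
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+
+diff --git a/parser.c b/parser.c
+index 6286cad..51452a2 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+ xmlGenericError(xmlGenericErrorContext,
+ "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+ }
++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++ (ctxt->inputNr > 1024)) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ while (ctxt->inputNr > 1)
++ xmlFreeInputStream(inputPop(ctxt));
++ return(-1);
++ }
+ ret = inputPush(ctxt, input);
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(-1);
+@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ */
+ input = xmlNewEntityInputStream(ctxt, entity);
+- if (xmlPushInput(ctxt, input) < 0)
++ if (xmlPushInput(ctxt, input) < 0) {
++ xmlFreeInputStream(input);
+ return;
++ }
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+ (IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
++++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
++Entity: line 2: parser error : Detected an entity reference loop
++ %z; %z; %z; %z; %z;
++ ^
++Entity: line 2:
++ %z; %z; %z; %z; %z;
++ ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
++++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
++Entity: line 2: parser error : Detected an entity reference loop
++ %z; %z; %z; %z; %z;
++ ^
++Entity: line 2:
++ %z; %z; %z; %z; %z;
++ ^
++./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
++++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
++<!DOCTYPE doc [
++ <!ENTITY % z '
++ &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++ &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++ &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++ &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++ &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++ '>
++ %z;
++]>
++<doc/>
+--
+2.7.4
+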
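Review bot: In xmlParsePEReference the added `xmlFreeInputStream(input);` runs on every negative return from xmlPushInput(), but xmlPushInput() also returns -1 after `ret = inputPush(ctxt, input);` when `ctxt->instate == XML_PARSER_EOF`. If that push succeeded, the stream would still be on the context's input stack when the caller frees it, which would be a double free or use-after-free once the context is torn down; inputPush() and the rest of both functions are outside the hunks, so this needs confirming against the applied tree and against later upstream changes to xmlPushInput(). A clearer ownership rule would be for xmlPushInput() to free `input` itself on the depth-limit path and for callers not to free after a failed push. The limits `40` and `1024` are bare literals; a comment such as `/* entity nesting limit: 40 inputs, or 1024 with XML_PARSE_HUGE */` would document them.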
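--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
+From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: [PATCH] Check for integer overflow in memory debug code
+
+Fixes bug 783026.
+
+Thanks to Pranjal Jumde for the report.
+
+CVE: CVE-2017-5130
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ xmlmemory.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3..c53141f 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+
+ TEST_POINT
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+ p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+
+ if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+ xmlMutexUnlock(xmlMemMutex);
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+ tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+ if (!tmp) {
+ free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+ if (!xmlMemInitialized) xmlInitMemory();
+ TEST_POINT
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+ p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+ if (!p) {
+ goto error;
+--
+2.7.4
+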
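Review bot: The overflow guards added to xmlReallocLoc and xmlMemStrdupLoc both log `"xmlMallocLoc : Unsigned overflow\n"`, so a rejected request is reported under the wrong function; they should read `"xmlReallocLoc : Unsigned overflow\n"` and `"xmlMemStrdupLoc : Unsigned overflow\n"`. In xmlReallocLoc the guard is placed after `xmlMutexUnlock(xmlMemMutex);`, so any bookkeeping done on the old block earlier in the function has already happened when NULL is returned; that part of the function is outside the hunk, so confirm the original pointer is still in a consistent state for the caller on this path. If the strings are identical upstream, carry the correction as a separate follow-up patch rather than editing the backport.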
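--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+
+CVE: CVE-2018-7375
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ if (xmlPushInput(ctxt, input) < 0)
+ return;
+ } else {
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
++ (ctxt->validate == 0))
++ return;
++
+ /*
+ * TODO !!!
+ * handle the extra spaces added before and after
+--
+2.7.4
+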
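Review bot: The trailer reads `CVE: CVE-2018-7375`, while the patch file name and the SRC_URI entry in libxml2_2.9.4.bbappend both say CVE-2017-7375; the tag should be `CVE: CVE-2017-7375`, otherwise tooling that reads the `CVE:` tag may record a different identifier as patched. In parser.c, the new early `return` in xmlParsePEReference hinges on seven conditions with no explanation; a comment such as `/* skip external parameter entities unless substitution, DTD loading or validation was requested */` would make the intent reviewable. The enclosing function starts and ends outside the hunk.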
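--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
@@ -0,0 +1,36 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+
+CVE: CVE-2017-7376
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad7..373425d 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+ if (ctxt->port != 80) {
+ /* reserve space for ':xxxxx', incl. potential proxy */
+ if (proxy)
+- blen += 12;
++ blen += 17;
+ else
+- blen += 6;
++ blen += 11;
+ }
+ bp = (char*)xmlMallocAtomic(blen);
+ if ( bp == NULL ) {
+--
+2.7.4
+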
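Review bot: The unchanged comment `/* reserve space for ':xxxxx', incl. potential proxy */` still describes a five-digit port, while the reservation is now 11 bytes (17 with a proxy) to fit a full int; it should be updated, e.g. `/* reserve space for ':' plus up to 10 digits of an int port, incl. potential proxy */`. The sizes remain magic numbers that must match how the port is formatted into `bp` later, which is outside the hunk. Rejecting a `ctxt->port` outside 1..65535 where the port is parsed would remove that coupling, so check whether the target tree already does that.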
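--- /dev/null
+++ b/recipes-core/libxml/libxml2_2.9.4.bbappend
@@ -0,0 +1,9 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch \
+ file://CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch \
+ file://CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch \
+ file://CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch \
+ "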