diff options
Diffstat (limited to 'recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch')
| -rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch new file mode 100644 index 0000000..9a94344 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch | |||
| @@ -0,0 +1,106 @@ | |||
| 1 | From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
| 3 | Date: Tue, 25 Jul 2017 14:59:49 +0200 | ||
| 4 | Subject: [PATCH] Detect infinite recursion in parameter entities | ||
| 5 | |||
| 6 | When expanding a parameter entity in a DTD, infinite recursion could | ||
| 7 | lead to an infinite loop or memory exhaustion. | ||
| 8 | |||
| 9 | Thanks to Wei Lei for the first of many reports. | ||
| 10 | |||
| 11 | Fixes bug 759579. | ||
| 12 | |||
| 13 | CVE: CVE-2017-16932 | ||
| 14 | Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961] | ||
| 15 | |||
| 16 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 17 | --- | ||
| 18 | parser.c | 11 ++++++++++- | ||
| 19 | result/errors/759579.xml | 0 | ||
| 20 | result/errors/759579.xml.err | 6 ++++++ | ||
| 21 | result/errors/759579.xml.str | 7 +++++++ | ||
| 22 | test/errors/759579.xml | 11 +++++++++++ | ||
| 23 | 5 files changed, 34 insertions(+), 1 deletion(-) | ||
| 24 | create mode 100644 result/errors/759579.xml | ||
| 25 | create mode 100644 result/errors/759579.xml.err | ||
| 26 | create mode 100644 result/errors/759579.xml.str | ||
| 27 | create mode 100644 test/errors/759579.xml | ||
| 28 | |||
| 29 | diff --git a/parser.c b/parser.c | ||
| 30 | index 6286cad..51452a2 100644 | ||
| 31 | --- a/parser.c | ||
| 32 | +++ b/parser.c | ||
| 33 | @@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) { | ||
| 34 | xmlGenericError(xmlGenericErrorContext, | ||
| 35 | "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur); | ||
| 36 | } | ||
| 37 | + if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || | ||
| 38 | + (ctxt->inputNr > 1024)) { | ||
| 39 | + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); | ||
| 40 | + while (ctxt->inputNr > 1) | ||
| 41 | + xmlFreeInputStream(inputPop(ctxt)); | ||
| 42 | + return(-1); | ||
| 43 | + } | ||
| 44 | ret = inputPush(ctxt, input); | ||
| 45 | if (ctxt->instate == XML_PARSER_EOF) | ||
| 46 | return(-1); | ||
| 47 | @@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) | ||
| 48 | * c.f. http://www.w3.org/TR/REC-xml#as-PE | ||
| 49 | */ | ||
| 50 | input = xmlNewEntityInputStream(ctxt, entity); | ||
| 51 | - if (xmlPushInput(ctxt, input) < 0) | ||
| 52 | + if (xmlPushInput(ctxt, input) < 0) { | ||
| 53 | + xmlFreeInputStream(input); | ||
| 54 | return; | ||
| 55 | + } | ||
| 56 | if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && | ||
| 57 | (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) && | ||
| 58 | (IS_BLANK_CH(NXT(5)))) { | ||
| 59 | diff --git a/result/errors/759579.xml b/result/errors/759579.xml | ||
| 60 | new file mode 100644 | ||
| 61 | index 0000000..e69de29 | ||
| 62 | diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err | ||
| 63 | new file mode 100644 | ||
| 64 | index 0000000..288026e | ||
| 65 | --- /dev/null | ||
| 66 | +++ b/result/errors/759579.xml.err | ||
| 67 | @@ -0,0 +1,6 @@ | ||
| 68 | +Entity: line 2: parser error : Detected an entity reference loop | ||
| 69 | + %z; %z; %z; %z; %z; | ||
| 70 | + ^ | ||
| 71 | +Entity: line 2: | ||
| 72 | + %z; %z; %z; %z; %z; | ||
| 73 | + ^ | ||
| 74 | diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str | ||
| 75 | new file mode 100644 | ||
| 76 | index 0000000..09408f5 | ||
| 77 | --- /dev/null | ||
| 78 | +++ b/result/errors/759579.xml.str | ||
| 79 | @@ -0,0 +1,7 @@ | ||
| 80 | +Entity: line 2: parser error : Detected an entity reference loop | ||
| 81 | + %z; %z; %z; %z; %z; | ||
| 82 | + ^ | ||
| 83 | +Entity: line 2: | ||
| 84 | + %z; %z; %z; %z; %z; | ||
| 85 | + ^ | ||
| 86 | +./test/errors/759579.xml : failed to parse | ||
| 87 | diff --git a/test/errors/759579.xml b/test/errors/759579.xml | ||
| 88 | new file mode 100644 | ||
| 89 | index 0000000..7fadd70 | ||
| 90 | --- /dev/null | ||
| 91 | +++ b/test/errors/759579.xml | ||
| 92 | @@ -0,0 +1,11 @@ | ||
| 93 | +<!DOCTYPE doc [ | ||
| 94 | + <!ENTITY % z ' | ||
| 95 | + %z; %z; %z; %z; %z; | ||
| 96 | + %z; %z; %z; %z; %z; | ||
| 97 | + %z; %z; %z; %z; %z; | ||
| 98 | + %z; %z; %z; %z; %z; | ||
| 99 | + %z; %z; %z; %z; %z; | ||
| 100 | + '> | ||
| 101 | + %z; | ||
| 102 | +]> | ||
| 103 | +<doc/> | ||
| 104 | -- | ||
| 105 | 2.7.4 | ||
| 106 | |||