diff options
Diffstat (limited to 'recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch')
-rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch | 321 |
1 files changed, 0 insertions, 321 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch b/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch deleted file mode 100644 index c9ad71d..0000000 --- a/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch +++ /dev/null | |||
@@ -1,321 +0,0 @@ | |||
1 | From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Mon, 5 Jun 2017 15:37:17 +0200 | ||
4 | Subject: [PATCH] Fix handling of parameter-entity references | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | There were two bugs where parameter-entity references could lead to an | ||
10 | unexpected change of the input buffer in xmlParseNameComplex and | ||
11 | xmlDictLookup being called with an invalid pointer. | ||
12 | |||
13 | Percent sign in DTD Names | ||
14 | ========================= | ||
15 | |||
16 | The NEXTL macro used to call xmlParserHandlePEReference. When parsing | ||
17 | "complex" names inside the DTD, this could result in entity expansion | ||
18 | which created a new input buffer. The fix is to simply remove the call | ||
19 | to xmlParserHandlePEReference from the NEXTL macro. This is safe because | ||
20 | no users of the macro require expansion of parameter entities. | ||
21 | |||
22 | - xmlParseNameComplex | ||
23 | - xmlParseNCNameComplex | ||
24 | - xmlParseNmtoken | ||
25 | |||
26 | The percent sign is not allowed in names, which are grammatical tokens. | ||
27 | |||
28 | - xmlParseEntityValue | ||
29 | |||
30 | Parameter-entity references in entity values are expanded but this | ||
31 | happens in a separate step in this function. | ||
32 | |||
33 | - xmlParseSystemLiteral | ||
34 | |||
35 | Parameter-entity references are ignored in the system literal. | ||
36 | |||
37 | - xmlParseAttValueComplex | ||
38 | - xmlParseCharDataComplex | ||
39 | - xmlParseCommentComplex | ||
40 | - xmlParsePI | ||
41 | - xmlParseCDSect | ||
42 | |||
43 | Parameter-entity references are ignored outside the DTD. | ||
44 | |||
45 | - xmlLoadEntityContent | ||
46 | |||
47 | This function is only called from xmlStringLenDecodeEntities and | ||
48 | entities are replaced in a separate step immediately after the function | ||
49 | call. | ||
50 | |||
51 | This bug could also be triggered with an internal subset and double | ||
52 | entity expansion. | ||
53 | |||
54 | This fixes bug 766956 initially reported by Wei Lei and independently by | ||
55 | Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone | ||
56 | involved. | ||
57 | |||
58 | xmlParseNameComplex with XML_PARSE_OLD10 | ||
59 | ======================================== | ||
60 | |||
61 | When parsing Names inside an expanded parameter entity with the | ||
62 | XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the | ||
63 | GROW macro if the input buffer was exhausted. At the end of the | ||
64 | parameter entity's replacement text, this function would then call | ||
65 | xmlPopInput which invalidated the input buffer. | ||
66 | |||
67 | There should be no need to invoke GROW in this situation because the | ||
68 | buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, | ||
69 | at least for UTF-8, in xmlCurrentChar. This also matches the code path | ||
70 | executed when XML_PARSE_OLD10 is not set. | ||
71 | |||
72 | This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). | ||
73 | Thanks to Marcel Böhme and Thuan Pham for the report. | ||
74 | |||
75 | Additional hardening | ||
76 | ==================== | ||
77 | |||
78 | A separate check was added in xmlParseNameComplex to validate the | ||
79 | buffer size. | ||
80 | |||
81 | CVE: CVE-2017-9049 CVE-2017-9050 | ||
82 | Upstream-Status: Backport | ||
83 | |||
84 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
85 | --- | ||
86 | Makefile.am | 18 ++++++++++++++++++ | ||
87 | parser.c | 18 ++++++++++-------- | ||
88 | result/errors10/781205.xml | 0 | ||
89 | result/errors10/781205.xml.err | 21 +++++++++++++++++++++ | ||
90 | result/errors10/781361.xml | 0 | ||
91 | result/errors10/781361.xml.err | 13 +++++++++++++ | ||
92 | result/valid/766956.xml | 0 | ||
93 | result/valid/766956.xml.err | 9 +++++++++ | ||
94 | result/valid/766956.xml.err.rdr | 10 ++++++++++ | ||
95 | runtest.c | 3 +++ | ||
96 | test/errors10/781205.xml | 3 +++ | ||
97 | test/errors10/781361.xml | 3 +++ | ||
98 | test/valid/766956.xml | 2 ++ | ||
99 | test/valid/dtds/766956.dtd | 2 ++ | ||
100 | 14 files changed, 94 insertions(+), 8 deletions(-) | ||
101 | create mode 100644 result/errors10/781205.xml | ||
102 | create mode 100644 result/errors10/781205.xml.err | ||
103 | create mode 100644 result/errors10/781361.xml | ||
104 | create mode 100644 result/errors10/781361.xml.err | ||
105 | create mode 100644 result/valid/766956.xml | ||
106 | create mode 100644 result/valid/766956.xml.err | ||
107 | create mode 100644 result/valid/766956.xml.err.rdr | ||
108 | create mode 100644 test/errors10/781205.xml | ||
109 | create mode 100644 test/errors10/781361.xml | ||
110 | create mode 100644 test/valid/766956.xml | ||
111 | create mode 100644 test/valid/dtds/766956.dtd | ||
112 | |||
113 | diff --git a/Makefile.am b/Makefile.am | ||
114 | index 6fc8ffa..10e716a 100644 | ||
115 | --- a/Makefile.am | ||
116 | +++ b/Makefile.am | ||
117 | @@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT) | ||
118 | if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ | ||
119 | rm result.$$name error.$$name ; \ | ||
120 | fi ; fi ; done) | ||
121 | + @echo "## Error cases regression tests (old 1.0)" | ||
122 | + -@(for i in $(srcdir)/test/errors10/*.xml ; do \ | ||
123 | + name=`basename $$i`; \ | ||
124 | + if [ ! -d $$i ] ; then \ | ||
125 | + if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ | ||
126 | + echo New test file $$name ; \ | ||
127 | + $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ | ||
128 | + 2> $(srcdir)/result/errors10/$$name.err \ | ||
129 | + > $(srcdir)/result/errors10/$$name ; \ | ||
130 | + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ | ||
131 | + else \ | ||
132 | + log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ | ||
133 | + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ | ||
134 | + diff $(srcdir)/result/errors10/$$name result.$$name ; \ | ||
135 | + diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ | ||
136 | + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ | ||
137 | + rm result.$$name error.$$name ; \ | ||
138 | + fi ; fi ; done) | ||
139 | @echo "## Error cases stream regression tests" | ||
140 | -@(for i in $(srcdir)/test/errors/*.xml ; do \ | ||
141 | name=`basename $$i`; \ | ||
142 | diff --git a/parser.c b/parser.c | ||
143 | index df2efa5..a175ac4 100644 | ||
144 | --- a/parser.c | ||
145 | +++ b/parser.c | ||
146 | @@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { | ||
147 | ctxt->input->line++; ctxt->input->col = 1; \ | ||
148 | } else ctxt->input->col++; \ | ||
149 | ctxt->input->cur += l; \ | ||
150 | - if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ | ||
151 | } while (0) | ||
152 | |||
153 | #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) | ||
154 | @@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
155 | len += l; | ||
156 | NEXTL(l); | ||
157 | c = CUR_CHAR(l); | ||
158 | - if (c == 0) { | ||
159 | - count = 0; | ||
160 | - GROW; | ||
161 | - if (ctxt->instate == XML_PARSER_EOF) | ||
162 | - return(NULL); | ||
163 | - c = CUR_CHAR(l); | ||
164 | - } | ||
165 | } | ||
166 | } | ||
167 | if ((len > XML_MAX_NAME_LENGTH) && | ||
168 | @@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
169 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); | ||
170 | return(NULL); | ||
171 | } | ||
172 | + if (ctxt->input->cur - ctxt->input->base < len) { | ||
173 | + /* | ||
174 | + * There were a couple of bugs where PERefs lead to to a change | ||
175 | + * of the buffer. Check the buffer size to avoid passing an invalid | ||
176 | + * pointer to xmlDictLookup. | ||
177 | + */ | ||
178 | + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, | ||
179 | + "unexpected change of input buffer"); | ||
180 | + return (NULL); | ||
181 | + } | ||
182 | if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) | ||
183 | return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); | ||
184 | return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); | ||
185 | diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml | ||
186 | new file mode 100644 | ||
187 | index 0000000..e69de29 | ||
188 | diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err | ||
189 | new file mode 100644 | ||
190 | index 0000000..da15c3f | ||
191 | --- /dev/null | ||
192 | +++ b/result/errors10/781205.xml.err | ||
193 | @@ -0,0 +1,21 @@ | ||
194 | +Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration | ||
195 | + | ||
196 | + %a; | ||
197 | + ^ | ||
198 | +Entity: line 1: | ||
199 | +<:0000 | ||
200 | +^ | ||
201 | +Entity: line 1: parser error : DOCTYPE improperly terminated | ||
202 | + %a; | ||
203 | + ^ | ||
204 | +Entity: line 1: | ||
205 | +<:0000 | ||
206 | +^ | ||
207 | +namespace error : Failed to parse QName ':0000' | ||
208 | + %a; | ||
209 | + ^ | ||
210 | +<:0000 | ||
211 | + ^ | ||
212 | +./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 | ||
213 | + | ||
214 | +^ | ||
215 | diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml | ||
216 | new file mode 100644 | ||
217 | index 0000000..e69de29 | ||
218 | diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err | ||
219 | new file mode 100644 | ||
220 | index 0000000..655f41a | ||
221 | --- /dev/null | ||
222 | +++ b/result/errors10/781361.xml.err | ||
223 | @@ -0,0 +1,13 @@ | ||
224 | +./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected | ||
225 | + | ||
226 | +^ | ||
227 | +./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration | ||
228 | + | ||
229 | + | ||
230 | +^ | ||
231 | +./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated | ||
232 | + | ||
233 | +^ | ||
234 | +./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found | ||
235 | + | ||
236 | +^ | ||
237 | diff --git a/result/valid/766956.xml b/result/valid/766956.xml | ||
238 | new file mode 100644 | ||
239 | index 0000000..e69de29 | ||
240 | diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err | ||
241 | new file mode 100644 | ||
242 | index 0000000..34b1dae | ||
243 | --- /dev/null | ||
244 | +++ b/result/valid/766956.xml.err | ||
245 | @@ -0,0 +1,9 @@ | ||
246 | +test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' | ||
247 | +%ä%ent; | ||
248 | + ^ | ||
249 | +Entity: line 1: parser error : Content error in the external subset | ||
250 | + %ent; | ||
251 | + ^ | ||
252 | +Entity: line 1: | ||
253 | +value | ||
254 | +^ | ||
255 | diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr | ||
256 | new file mode 100644 | ||
257 | index 0000000..7760346 | ||
258 | --- /dev/null | ||
259 | +++ b/result/valid/766956.xml.err.rdr | ||
260 | @@ -0,0 +1,10 @@ | ||
261 | +test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' | ||
262 | +%ä%ent; | ||
263 | + ^ | ||
264 | +Entity: line 1: parser error : Content error in the external subset | ||
265 | + %ent; | ||
266 | + ^ | ||
267 | +Entity: line 1: | ||
268 | +value | ||
269 | +^ | ||
270 | +./test/valid/766956.xml : failed to parse | ||
271 | diff --git a/runtest.c b/runtest.c | ||
272 | index b2ce693..378b38e 100644 | ||
273 | --- a/runtest.c | ||
274 | +++ b/runtest.c | ||
275 | @@ -4214,6 +4214,9 @@ testDesc testDescriptions[] = { | ||
276 | { "Error cases regression tests", | ||
277 | errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", | ||
278 | 0 }, | ||
279 | + { "Error cases regression tests (old 1.0)", | ||
280 | + errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", | ||
281 | + XML_PARSE_OLD10 }, | ||
282 | #ifdef LIBXML_READER_ENABLED | ||
283 | { "Error cases stream regression tests", | ||
284 | streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", | ||
285 | diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml | ||
286 | new file mode 100644 | ||
287 | index 0000000..d9e9e83 | ||
288 | --- /dev/null | ||
289 | +++ b/test/errors10/781205.xml | ||
290 | @@ -0,0 +1,3 @@ | ||
291 | +<!DOCTYPE D [ | ||
292 | + <!ENTITY % a "<:0000"> | ||
293 | + %a; | ||
294 | diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml | ||
295 | new file mode 100644 | ||
296 | index 0000000..67476bc | ||
297 | --- /dev/null | ||
298 | +++ b/test/errors10/781361.xml | ||
299 | @@ -0,0 +1,3 @@ | ||
300 | +<!DOCTYPE doc [ | ||
301 | + <!ENTITY % elem "<!ELEMENT e0000000000"> | ||
302 | + %elem; | ||
303 | diff --git a/test/valid/766956.xml b/test/valid/766956.xml | ||
304 | new file mode 100644 | ||
305 | index 0000000..19a95a0 | ||
306 | --- /dev/null | ||
307 | +++ b/test/valid/766956.xml | ||
308 | @@ -0,0 +1,2 @@ | ||
309 | +<!DOCTYPE test SYSTEM "dtds/766956.dtd"> | ||
310 | +<test/> | ||
311 | diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd | ||
312 | new file mode 100644 | ||
313 | index 0000000..dddde68 | ||
314 | --- /dev/null | ||
315 | +++ b/test/valid/dtds/766956.dtd | ||
316 | @@ -0,0 +1,2 @@ | ||
317 | +<!ENTITY % ent "value"> | ||
318 | +%ä%ent; | ||
319 | -- | ||
320 | 1.9.1 | ||
321 | |||