diff options
Diffstat (limited to 'recipes-core/libxml/libxml2')
4 files changed, 248 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch new file mode 100644 index 0000000..9a94344 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch | |||
@@ -0,0 +1,106 @@ | |||
1 | From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 25 Jul 2017 14:59:49 +0200 | ||
4 | Subject: [PATCH] Detect infinite recursion in parameter entities | ||
5 | |||
6 | When expanding a parameter entity in a DTD, infinite recursion could | ||
7 | lead to an infinite loop or memory exhaustion. | ||
8 | |||
9 | Thanks to Wei Lei for the first of many reports. | ||
10 | |||
11 | Fixes bug 759579. | ||
12 | |||
13 | CVE: CVE-2017-16932 | ||
14 | Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961] | ||
15 | |||
16 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
17 | --- | ||
18 | parser.c | 11 ++++++++++- | ||
19 | result/errors/759579.xml | 0 | ||
20 | result/errors/759579.xml.err | 6 ++++++ | ||
21 | result/errors/759579.xml.str | 7 +++++++ | ||
22 | test/errors/759579.xml | 11 +++++++++++ | ||
23 | 5 files changed, 34 insertions(+), 1 deletion(-) | ||
24 | create mode 100644 result/errors/759579.xml | ||
25 | create mode 100644 result/errors/759579.xml.err | ||
26 | create mode 100644 result/errors/759579.xml.str | ||
27 | create mode 100644 test/errors/759579.xml | ||
28 | |||
29 | diff --git a/parser.c b/parser.c | ||
30 | index 6286cad..51452a2 100644 | ||
31 | --- a/parser.c | ||
32 | +++ b/parser.c | ||
33 | @@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) { | ||
34 | xmlGenericError(xmlGenericErrorContext, | ||
35 | "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur); | ||
36 | } | ||
37 | + if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || | ||
38 | + (ctxt->inputNr > 1024)) { | ||
39 | + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); | ||
40 | + while (ctxt->inputNr > 1) | ||
41 | + xmlFreeInputStream(inputPop(ctxt)); | ||
42 | + return(-1); | ||
43 | + } | ||
44 | ret = inputPush(ctxt, input); | ||
45 | if (ctxt->instate == XML_PARSER_EOF) | ||
46 | return(-1); | ||
47 | @@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) | ||
48 | * c.f. http://www.w3.org/TR/REC-xml#as-PE | ||
49 | */ | ||
50 | input = xmlNewEntityInputStream(ctxt, entity); | ||
51 | - if (xmlPushInput(ctxt, input) < 0) | ||
52 | + if (xmlPushInput(ctxt, input) < 0) { | ||
53 | + xmlFreeInputStream(input); | ||
54 | return; | ||
55 | + } | ||
56 | if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && | ||
57 | (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) && | ||
58 | (IS_BLANK_CH(NXT(5)))) { | ||
59 | diff --git a/result/errors/759579.xml b/result/errors/759579.xml | ||
60 | new file mode 100644 | ||
61 | index 0000000..e69de29 | ||
62 | diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err | ||
63 | new file mode 100644 | ||
64 | index 0000000..288026e | ||
65 | --- /dev/null | ||
66 | +++ b/result/errors/759579.xml.err | ||
67 | @@ -0,0 +1,6 @@ | ||
68 | +Entity: line 2: parser error : Detected an entity reference loop | ||
69 | + %z; %z; %z; %z; %z; | ||
70 | + ^ | ||
71 | +Entity: line 2: | ||
72 | + %z; %z; %z; %z; %z; | ||
73 | + ^ | ||
74 | diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str | ||
75 | new file mode 100644 | ||
76 | index 0000000..09408f5 | ||
77 | --- /dev/null | ||
78 | +++ b/result/errors/759579.xml.str | ||
79 | @@ -0,0 +1,7 @@ | ||
80 | +Entity: line 2: parser error : Detected an entity reference loop | ||
81 | + %z; %z; %z; %z; %z; | ||
82 | + ^ | ||
83 | +Entity: line 2: | ||
84 | + %z; %z; %z; %z; %z; | ||
85 | + ^ | ||
86 | +./test/errors/759579.xml : failed to parse | ||
87 | diff --git a/test/errors/759579.xml b/test/errors/759579.xml | ||
88 | new file mode 100644 | ||
89 | index 0000000..7fadd70 | ||
90 | --- /dev/null | ||
91 | +++ b/test/errors/759579.xml | ||
92 | @@ -0,0 +1,11 @@ | ||
93 | +<!DOCTYPE doc [ | ||
94 | + <!ENTITY % z ' | ||
95 | + %z; %z; %z; %z; %z; | ||
96 | + %z; %z; %z; %z; %z; | ||
97 | + %z; %z; %z; %z; %z; | ||
98 | + %z; %z; %z; %z; %z; | ||
99 | + %z; %z; %z; %z; %z; | ||
100 | + '> | ||
101 | + %z; | ||
102 | +]> | ||
103 | +<doc/> | ||
104 | -- | ||
105 | 2.7.4 | ||
106 | |||
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 6 Jun 2017 13:21:14 +0200 | ||
4 | Subject: [PATCH] Check for integer overflow in memory debug code | ||
5 | |||
6 | Fixes bug 783026. | ||
7 | |||
8 | Thanks to Pranjal Jumde for the report. | ||
9 | |||
10 | CVE: CVE-2017-5130 | ||
11 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed] | ||
12 | |||
13 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
14 | --- | ||
15 | xmlmemory.c | 21 +++++++++++++++++++++ | ||
16 | 1 file changed, 21 insertions(+) | ||
17 | |||
18 | diff --git a/xmlmemory.c b/xmlmemory.c | ||
19 | index f08c8c3..c53141f 100644 | ||
20 | --- a/xmlmemory.c | ||
21 | +++ b/xmlmemory.c | ||
22 | @@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line) | ||
23 | |||
24 | TEST_POINT | ||
25 | |||
26 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
27 | + xmlGenericError(xmlGenericErrorContext, | ||
28 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
29 | + xmlMemoryDump(); | ||
30 | + return(NULL); | ||
31 | + } | ||
32 | + | ||
33 | p = (MEMHDR *) malloc(RESERVE_SIZE+size); | ||
34 | |||
35 | if (!p) { | ||
36 | @@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line) | ||
37 | #endif | ||
38 | xmlMutexUnlock(xmlMemMutex); | ||
39 | |||
40 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
41 | + xmlGenericError(xmlGenericErrorContext, | ||
42 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
43 | + xmlMemoryDump(); | ||
44 | + return(NULL); | ||
45 | + } | ||
46 | + | ||
47 | tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size); | ||
48 | if (!tmp) { | ||
49 | free(p); | ||
50 | @@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line) | ||
51 | if (!xmlMemInitialized) xmlInitMemory(); | ||
52 | TEST_POINT | ||
53 | |||
54 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
55 | + xmlGenericError(xmlGenericErrorContext, | ||
56 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
57 | + xmlMemoryDump(); | ||
58 | + return(NULL); | ||
59 | + } | ||
60 | + | ||
61 | p = (MEMHDR *) malloc(RESERVE_SIZE+size); | ||
62 | if (!p) { | ||
63 | goto error; | ||
64 | -- | ||
65 | 2.7.4 | ||
66 | |||
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch new file mode 100644 index 0000000..252929c --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 | ||
2 | From: Neel Mehta <nmehta@google.com> | ||
3 | Date: Fri, 7 Apr 2017 17:43:02 +0200 | ||
4 | Subject: [PATCH] Prevent unwanted external entity reference | ||
5 | |||
6 | For https://bugzilla.gnome.org/show_bug.cgi?id=780691 | ||
7 | |||
8 | * parser.c: add a specific check to avoid PE reference | ||
9 | |||
10 | CVE: CVE-2018-7375 | ||
11 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e] | ||
12 | |||
13 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
14 | --- | ||
15 | parser.c | 9 +++++++++ | ||
16 | 1 file changed, 9 insertions(+) | ||
17 | |||
18 | diff --git a/parser.c b/parser.c | ||
19 | index 609a270..c2c812d 100644 | ||
20 | --- a/parser.c | ||
21 | +++ b/parser.c | ||
22 | @@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) | ||
23 | if (xmlPushInput(ctxt, input) < 0) | ||
24 | return; | ||
25 | } else { | ||
26 | + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && | ||
27 | + ((ctxt->options & XML_PARSE_NOENT) == 0) && | ||
28 | + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && | ||
29 | + ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && | ||
30 | + ((ctxt->options & XML_PARSE_DTDATTR) == 0) && | ||
31 | + (ctxt->replaceEntities == 0) && | ||
32 | + (ctxt->validate == 0)) | ||
33 | + return; | ||
34 | + | ||
35 | /* | ||
36 | * TODO !!! | ||
37 | * handle the extra spaces added before and after | ||
38 | -- | ||
39 | 2.7.4 | ||
40 | |||
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch new file mode 100644 index 0000000..aae956d --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Veillard <veillard@redhat.com> | ||
3 | Date: Fri, 7 Apr 2017 17:13:28 +0200 | ||
4 | Subject: [PATCH] Increase buffer space for port in HTTP redirect support | ||
5 | |||
6 | For https://bugzilla.gnome.org/show_bug.cgi?id=780690 | ||
7 | |||
8 | nanohttp.c: the code wrongly assumed a short int port value. | ||
9 | |||
10 | CVE: CVE-2017-7376 | ||
11 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e] | ||
12 | |||
13 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
14 | --- | ||
15 | nanohttp.c | 4 ++-- | ||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/nanohttp.c b/nanohttp.c | ||
19 | index e109ad7..373425d 100644 | ||
20 | --- a/nanohttp.c | ||
21 | +++ b/nanohttp.c | ||
22 | @@ -1423,9 +1423,9 @@ retry: | ||
23 | if (ctxt->port != 80) { | ||
24 | /* reserve space for ':xxxxx', incl. potential proxy */ | ||
25 | if (proxy) | ||
26 | - blen += 12; | ||
27 | + blen += 17; | ||
28 | else | ||
29 | - blen += 6; | ||
30 | + blen += 11; | ||
31 | } | ||
32 | bp = (char*)xmlMallocAtomic(blen); | ||
33 | if ( bp == NULL ) { | ||
34 | -- | ||
35 | 2.7.4 | ||
36 | |||