From 2057b91933875959294f823b12938d6cba6ea62b Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Tue, 11 Sep 2018 10:09:27 +0200 Subject: libxml2: Fix CVEs CVE: CVE-2017-16932 CVE-2017-5130 CVE-2017-7375 CVE-2017-7376 Libxml2 in the upstream pyro is 2.9.4 CVE-2017-7376: For the stable distribution (stretch), these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u1 CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2 Reference: CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300 Signed-off-by: Andreas Wellving Signed-off-by: Adrian Mangeac --- ...-infinite-recursion-in-parameter-entities.patch | 106 +++++++++++++++++++++ ...for-integer-overflow-in-memory-debug-code.patch | 66 +++++++++++++ ...revent-unwanted-external-entity-reference.patch | 40 ++++++++ ...ffer-space-for-port-in-HTTP-redirect-supp.patch | 36 +++++++ recipes-core/libxml/libxml2_2.9.4.bbappend | 9 ++ 5 files changed, 257 insertions(+) create mode 100644 recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch create mode 100644 recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch create mode 100644 recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch create mode 100644 recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch create mode 100644 recipes-core/libxml/libxml2_2.9.4.bbappend diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch new file mode 100644 index 0000000..9a94344 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch @@ -0,0 +1,106 @@ +From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 25 Jul 2017 14:59:49 +0200 +Subject: [PATCH] Detect infinite recursion in parameter entities + +When expanding a parameter entity in a DTD, infinite recursion could +lead to an infinite loop or memory exhaustion. + +Thanks to Wei Lei for the first of many reports. + +Fixes bug 759579. + +CVE: CVE-2017-16932 +Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961] + +Signed-off-by: Andreas Wellving +--- + parser.c | 11 ++++++++++- + result/errors/759579.xml | 0 + result/errors/759579.xml.err | 6 ++++++ + result/errors/759579.xml.str | 7 +++++++ + test/errors/759579.xml | 11 +++++++++++ + 5 files changed, 34 insertions(+), 1 deletion(-) + create mode 100644 result/errors/759579.xml + create mode 100644 result/errors/759579.xml.err + create mode 100644 result/errors/759579.xml.str + create mode 100644 test/errors/759579.xml + +diff --git a/parser.c b/parser.c +index 6286cad..51452a2 100644 +--- a/parser.c ++++ b/parser.c +@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) { + xmlGenericError(xmlGenericErrorContext, + "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur); + } ++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || ++ (ctxt->inputNr > 1024)) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ while (ctxt->inputNr > 1) ++ xmlFreeInputStream(inputPop(ctxt)); ++ return(-1); ++ } + ret = inputPush(ctxt, input); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); +@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + * c.f. http://www.w3.org/TR/REC-xml#as-PE + */ + input = xmlNewEntityInputStream(ctxt, entity); +- if (xmlPushInput(ctxt, input) < 0) ++ if (xmlPushInput(ctxt, input) < 0) { ++ xmlFreeInputStream(input); + return; ++ } + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) && + (IS_BLANK_CH(NXT(5)))) { +diff --git a/result/errors/759579.xml b/result/errors/759579.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err +new file mode 100644 +index 0000000..288026e +--- /dev/null ++++ b/result/errors/759579.xml.err +@@ -0,0 +1,6 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ +diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str +new file mode 100644 +index 0000000..09408f5 +--- /dev/null ++++ b/result/errors/759579.xml.str +@@ -0,0 +1,7 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ ++./test/errors/759579.xml : failed to parse +diff --git a/test/errors/759579.xml b/test/errors/759579.xml +new file mode 100644 +index 0000000..7fadd70 +--- /dev/null ++++ b/test/errors/759579.xml +@@ -0,0 +1,11 @@ ++ ++ %z; ++]> ++ +-- +2.7.4 + diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch @@ -0,0 +1,66 @@ +From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 6 Jun 2017 13:21:14 +0200 +Subject: [PATCH] Check for integer overflow in memory debug code + +Fixes bug 783026. + +Thanks to Pranjal Jumde for the report. + +CVE: CVE-2017-5130 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed] + +Signed-off-by: Andreas Wellving +--- + xmlmemory.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/xmlmemory.c b/xmlmemory.c +index f08c8c3..c53141f 100644 +--- a/xmlmemory.c ++++ b/xmlmemory.c +@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line) + + TEST_POINT + ++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) { ++ xmlGenericError(xmlGenericErrorContext, ++ "xmlMallocLoc : Unsigned overflow\n"); ++ xmlMemoryDump(); ++ return(NULL); ++ } ++ + p = (MEMHDR *) malloc(RESERVE_SIZE+size); + + if (!p) { +@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line) + #endif + xmlMutexUnlock(xmlMemMutex); + ++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) { ++ xmlGenericError(xmlGenericErrorContext, ++ "xmlMallocLoc : Unsigned overflow\n"); ++ xmlMemoryDump(); ++ return(NULL); ++ } ++ + tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size); + if (!tmp) { + free(p); +@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line) + if (!xmlMemInitialized) xmlInitMemory(); + TEST_POINT + ++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) { ++ xmlGenericError(xmlGenericErrorContext, ++ "xmlMallocLoc : Unsigned overflow\n"); ++ xmlMemoryDump(); ++ return(NULL); ++ } ++ + p = (MEMHDR *) malloc(RESERVE_SIZE+size); + if (!p) { + goto error; +-- +2.7.4 + diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch new file mode 100644 index 0000000..252929c --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch @@ -0,0 +1,40 @@ +From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 +From: Neel Mehta +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=780691 + +* parser.c: add a specific check to avoid PE reference + +CVE: CVE-2018-7375 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e] + +Signed-off-by: Andreas Wellving +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 609a270..c2c812d 100644 +--- a/parser.c ++++ b/parser.c +@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && ++ (ctxt->replaceEntities == 0) && ++ (ctxt->validate == 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +-- +2.7.4 + diff --git a/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch new file mode 100644 index 0000000..aae956d --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch @@ -0,0 +1,36 @@ +From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 7 Apr 2017 17:13:28 +0200 +Subject: [PATCH] Increase buffer space for port in HTTP redirect support + +For https://bugzilla.gnome.org/show_bug.cgi?id=780690 + +nanohttp.c: the code wrongly assumed a short int port value. + +CVE: CVE-2017-7376 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e] + +Signed-off-by: Andreas Wellving +--- + nanohttp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nanohttp.c b/nanohttp.c +index e109ad7..373425d 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -1423,9 +1423,9 @@ retry: + if (ctxt->port != 80) { + /* reserve space for ':xxxxx', incl. potential proxy */ + if (proxy) +- blen += 12; ++ blen += 17; + else +- blen += 6; ++ blen += 11; + } + bp = (char*)xmlMallocAtomic(blen); + if ( bp == NULL ) { +-- +2.7.4 + diff --git a/recipes-core/libxml/libxml2_2.9.4.bbappend b/recipes-core/libxml/libxml2_2.9.4.bbappend new file mode 100644 index 0000000..dbf9709 --- /dev/null +++ b/recipes-core/libxml/libxml2_2.9.4.bbappend @@ -0,0 +1,9 @@ +# look for files in the layer first +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += " \ + file://CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch \ + file://CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch \ + file://CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch \ + file://CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch \ + " -- cgit v1.2.3-54-g00ecf