libxml2: fix CVE-2014-3660

It was discovered that the patch for CVE-2014-0191 for libxml2 is incomplete. It is still possible to have libxml2 incorrectly perform entity substituton even when the application using libxml2 explicitly disables the feature. This can allow a remote denial-of-service attack on systems with libxml2 prior to 2.9.2. References: http://www.openwall.com/lists/oss-security/2014/10/17/7 https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html (From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f) (From OE-Core rev: de7bc57398aaeb84fc9370d025b87f7711986ada) Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe MacDonald <joe_macdonald@mentor.com> 2014-10-20 13:51:21 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-02-11 17:40:04 +0000
commit: 41cca6fbe76206c4909dede4c8b8467e616e0c2b (patch)
tree: 0c38c5514c39f1f5d5704096fa0fcbfdce895fcd
parent: de512045185dd8ac9b2bb2cbb189809d49006189 (diff)
download: poky-41cca6fbe76206c4909dede4c8b8467e616e0c2b.tar.gz
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bcf9a62ded..c729c199cf 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml2-CVE-2014-0191-fix.patch \
           file://python-sitepackages-dir.patch \
           file://libxml-m4-use-pkgconfig.patch \
+           file://libxml2-CVE-2014-3660.patch \
          "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
new file mode 100644
index 0000000000..b9621c93eb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
@@ -0,0 +1,147 @@
+From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 16 Oct 2014 13:59:47 +0800
+Subject: Fix for CVE-2014-3660
+Issues related to the billion laugh entity expansion which happened to
+escape the initial set of fixes
+Upstream-status: Backport
+Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+diff --git a/parser.c b/parser.c
+index f51e8d2..1d93967 100644
+--- a/parser.c
+++ b/parser.c
+@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+         return (0);
+     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+         return (1);
+
+    /*
+     * This may look absurd but is needed to detect
+     * entities problems
+     */
+    if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+       (ent->content != NULL) && (ent->checked == 0)) {
+       unsigned long oldnbent = ctxt->nbentities;
+       xmlChar *rep;
+
+       ent->checked = 1;
+
+       rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                 XML_SUBSTITUTE_REF, 0, 0, 0);
+
+       ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+       if (rep != NULL) {
+           if (xmlStrchr(rep, '<'))
+               ent->checked |= 1;
+           xmlFree(rep);
+           rep = NULL;
+       }
+    }
+     if (replacement != 0) {
+        if (replacement < XML_MAX_TEXT_LENGTH)
+            return(0);
+@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+             return (0);
+     } else {
+         /*
+-         * strange we got no data for checking just return
+         * strange we got no data for checking
+          */
+-        return (0);
+       if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
+            (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
+           (ctxt->nbentities <= 10000))
+           return (0);
+     }
+     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+     return (1);
+@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+                                      name, NULL);
+                    ctxt->valid = 0;
+                }
+               xmlParserEntityCheck(ctxt, 0, NULL, 0);
+            } else if (ctxt->input->free != deallocblankswrapper) {
+                    input = xmlNewBlanksWrapperInputStream(ctxt, entity);
+                    if (xmlPushInput(ctxt, input) < 0)
+@@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+            if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+                (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+                goto int_error;
+           xmlParserEntityCheck(ctxt, 0, ent, 0);
+            if (ent != NULL)
+                ctxt->nbentities += ent->checked / 2;
+            if ((ent != NULL) &&
+@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+            ent = xmlParseStringPEReference(ctxt, &str);
+            if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+                goto int_error;
+           xmlParserEntityCheck(ctxt, 0, ent, 0);
+            if (ent != NULL)
+                ctxt->nbentities += ent->checked / 2;
+            if (ent != NULL) {
+@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                   (ret != XML_WAR_UNDECLARED_ENTITY)) {
+            xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
+                     "Entity '%s' failed to parse\n", ent->name);
+           xmlParserEntityCheck(ctxt, 0, ent, 0);
+        } else if (list != NULL) {
+            xmlFreeNodeList(list);
+            list = NULL;
+@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                /*
+                 * We are copying here, make sure there is no abuse
+                 */
+-               ctxt->sizeentcopy += ent->length;
+               ctxt->sizeentcopy += ent->length + 5;
+                if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+                    return;
+ 
+@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                /*
+                 * We are copying here, make sure there is no abuse
+                 */
+-               ctxt->sizeentcopy += ent->length;
+               ctxt->sizeentcopy += ent->length + 5;
+                if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+                    return;
+ 
+@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
+                ctxt->sax->reference(ctxt->userData, name);
+            }
+        }
+       xmlParserEntityCheck(ctxt, 0, ent, 0);
+        ctxt->valid = 0;
+     }
+ 
+@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
+                          "Entity '%s' not defined\n",
+                          name);
+        }
+       xmlParserEntityCheck(ctxt, 0, ent, 0);
+        /* TODO ? check regressions ctxt->valid = 0; */
+     }
+ 
+@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+                          name, NULL);
+            ctxt->valid = 0;
+        }
+       xmlParserEntityCheck(ctxt, 0, NULL, 0);
+     } else {
+        /*
+         * Internal checking in case the entity quest barfed
+@@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
+                          name, NULL);
+            ctxt->valid = 0;
+        }
+       xmlParserEntityCheck(ctxt, 0, NULL, 0);
+     } else {
+        /*
+         * Internal checking in case the entity quest barfed
+-- 
+cgit v0.10.1
author	Joe MacDonald <joe_macdonald@mentor.com>	2014-10-20 13:51:21 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-02-11 17:40:04 +0000
commit	41cca6fbe76206c4909dede4c8b8467e616e0c2b (patch)
tree	0c38c5514c39f1f5d5704096fa0fcbfdce895fcd
parent	de512045185dd8ac9b2bb2cbb189809d49006189 (diff)
download	poky-41cca6fbe76206c4909dede4c8b8467e616e0c2b.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index bcf9a62ded..c729c199cf 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
21	file://libxml2-CVE-2014-0191-fix.patch \	21	file://libxml2-CVE-2014-0191-fix.patch \
22	file://python-sitepackages-dir.patch \	22	file://python-sitepackages-dir.patch \
23	file://libxml-m4-use-pkgconfig.patch \	23	file://libxml-m4-use-pkgconfig.patch \
		24	file://libxml2-CVE-2014-3660.patch \
24	"	25	"
25		26
26	BINCONFIG = "${bindir}/xml2-config"	27	BINCONFIG = "${bindir}/xml2-config"


diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch new file mode 100644 index 0000000000..b9621c93eb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
@@ -0,0 +1,147 @@
		1	From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Thu, 16 Oct 2014 13:59:47 +0800
		4	Subject: Fix for CVE-2014-3660
		5
		6	Issues related to the billion laugh entity expansion which happened to
		7	escape the initial set of fixes
		8
		9	Upstream-status: Backport
		10	Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0
		11
		12	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
		13
		14	diff --git a/parser.c b/parser.c
		15	index f51e8d2..1d93967 100644
		16	--- a/parser.c
		17	+++ b/parser.c
		18	@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
		19	return (0);
		20	if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
		21	return (1);
		22	+
		23	+ /*
		24	+ * This may look absurd but is needed to detect
		25	+ * entities problems
		26	+ */
		27	+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
		28	+ (ent->content != NULL) && (ent->checked == 0)) {
		29	+ unsigned long oldnbent = ctxt->nbentities;
		30	+ xmlChar *rep;
		31	+
		32	+ ent->checked = 1;
		33	+
		34	+ rep = xmlStringDecodeEntities(ctxt, ent->content,
		35	+ XML_SUBSTITUTE_REF, 0, 0, 0);
		36	+
		37	+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
		38	+ if (rep != NULL) {
		39	+ if (xmlStrchr(rep, '<'))
		40	+ ent->checked \|= 1;
		41	+ xmlFree(rep);
		42	+ rep = NULL;
		43	+ }
		44	+ }
		45	if (replacement != 0) {
		46	if (replacement < XML_MAX_TEXT_LENGTH)
		47	return(0);
		48	@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
		49	return (0);
		50	} else {
		51	/*
		52	- * strange we got no data for checking just return
		53	+ * strange we got no data for checking
		54	*/
		55	- return (0);
		56	+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
		57	+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) \|\|
		58	+ (ctxt->nbentities <= 10000))
		59	+ return (0);
		60	}
		61	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
		62	return (1);
		63	@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
		64	name, NULL);
		65	ctxt->valid = 0;
		66	}
		67	+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
		68	} else if (ctxt->input->free != deallocblankswrapper) {
		69	input = xmlNewBlanksWrapperInputStream(ctxt, entity);
		70	if (xmlPushInput(ctxt, input) < 0)
		71	@@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
		72	if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) \|\|
		73	(ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
		74	goto int_error;
		75	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
		76	if (ent != NULL)
		77	ctxt->nbentities += ent->checked / 2;
		78	if ((ent != NULL) &&
		79	@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
		80	ent = xmlParseStringPEReference(ctxt, &str);
		81	if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
		82	goto int_error;
		83	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
		84	if (ent != NULL)
		85	ctxt->nbentities += ent->checked / 2;
		86	if (ent != NULL) {
		87	@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
		88	(ret != XML_WAR_UNDECLARED_ENTITY)) {
		89	xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
		90	"Entity '%s' failed to parse\n", ent->name);
		91	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
		92	} else if (list != NULL) {
		93	xmlFreeNodeList(list);
		94	list = NULL;
		95	@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
		96	/*
		97	* We are copying here, make sure there is no abuse
		98	*/
		99	- ctxt->sizeentcopy += ent->length;
		100	+ ctxt->sizeentcopy += ent->length + 5;
		101	if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
		102	return;
		103
		104	@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
		105	/*
		106	* We are copying here, make sure there is no abuse
		107	*/
		108	- ctxt->sizeentcopy += ent->length;
		109	+ ctxt->sizeentcopy += ent->length + 5;
		110	if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
		111	return;
		112
		113	@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
		114	ctxt->sax->reference(ctxt->userData, name);
		115	}
		116	}
		117	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
		118	ctxt->valid = 0;
		119	}
		120
		121	@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
		122	"Entity '%s' not defined\n",
		123	name);
		124	}
		125	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
		126	/* TODO ? check regressions ctxt->valid = 0; */
		127	}
		128
		129	@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
		130	name, NULL);
		131	ctxt->valid = 0;
		132	}
		133	+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
		134	} else {
		135	/*
		136	* Internal checking in case the entity quest barfed
		137	@@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
		138	name, NULL);
		139	ctxt->valid = 0;
		140	}
		141	+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
		142	} else {
		143	/*
		144	* Internal checking in case the entity quest barfed
		145	--
		146	cgit v0.10.1
		147