diff options
author | Joe MacDonald <joe_macdonald@mentor.com> | 2014-10-20 13:51:21 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-24 17:36:16 +0100 |
commit | b05755c6efadd3eb1f7842d4909c6f8752eb0538 (patch) | |
tree | f4fa6fbec8e39a87544f5f0f16d5058cd1cbce5c | |
parent | 0de79a72bf6173b950fc0619b87a8cbe35067f26 (diff) | |
download | poky-b05755c6efadd3eb1f7842d4909c6f8752eb0538.tar.gz |
libxml2: fix CVE-2014-3660
It was discovered that the patch for CVE-2014-0191 for libxml2 is
incomplete. It is still possible to have libxml2 incorrectly perform
entity substituton even when the application using libxml2 explicitly
disables the feature. This can allow a remote denial-of-service attack on
systems with libxml2 prior to 2.9.2.
References:
http://www.openwall.com/lists/oss-security/2014/10/17/7
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html
(From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f)
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 1 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch | 147 |
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index bcf9a62ded..c729c199cf 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc | |||
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
21 | file://libxml2-CVE-2014-0191-fix.patch \ | 21 | file://libxml2-CVE-2014-0191-fix.patch \ |
22 | file://python-sitepackages-dir.patch \ | 22 | file://python-sitepackages-dir.patch \ |
23 | file://libxml-m4-use-pkgconfig.patch \ | 23 | file://libxml-m4-use-pkgconfig.patch \ |
24 | file://libxml2-CVE-2014-3660.patch \ | ||
24 | " | 25 | " |
25 | 26 | ||
26 | BINCONFIG = "${bindir}/xml2-config" | 27 | BINCONFIG = "${bindir}/xml2-config" |
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch new file mode 100644 index 0000000000..b9621c93eb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch | |||
@@ -0,0 +1,147 @@ | |||
1 | From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Veillard <veillard@redhat.com> | ||
3 | Date: Thu, 16 Oct 2014 13:59:47 +0800 | ||
4 | Subject: Fix for CVE-2014-3660 | ||
5 | |||
6 | Issues related to the billion laugh entity expansion which happened to | ||
7 | escape the initial set of fixes | ||
8 | |||
9 | Upstream-status: Backport | ||
10 | Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0 | ||
11 | |||
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | |||
14 | diff --git a/parser.c b/parser.c | ||
15 | index f51e8d2..1d93967 100644 | ||
16 | --- a/parser.c | ||
17 | +++ b/parser.c | ||
18 | @@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, | ||
19 | return (0); | ||
20 | if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) | ||
21 | return (1); | ||
22 | + | ||
23 | + /* | ||
24 | + * This may look absurd but is needed to detect | ||
25 | + * entities problems | ||
26 | + */ | ||
27 | + if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && | ||
28 | + (ent->content != NULL) && (ent->checked == 0)) { | ||
29 | + unsigned long oldnbent = ctxt->nbentities; | ||
30 | + xmlChar *rep; | ||
31 | + | ||
32 | + ent->checked = 1; | ||
33 | + | ||
34 | + rep = xmlStringDecodeEntities(ctxt, ent->content, | ||
35 | + XML_SUBSTITUTE_REF, 0, 0, 0); | ||
36 | + | ||
37 | + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; | ||
38 | + if (rep != NULL) { | ||
39 | + if (xmlStrchr(rep, '<')) | ||
40 | + ent->checked |= 1; | ||
41 | + xmlFree(rep); | ||
42 | + rep = NULL; | ||
43 | + } | ||
44 | + } | ||
45 | if (replacement != 0) { | ||
46 | if (replacement < XML_MAX_TEXT_LENGTH) | ||
47 | return(0); | ||
48 | @@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, | ||
49 | return (0); | ||
50 | } else { | ||
51 | /* | ||
52 | - * strange we got no data for checking just return | ||
53 | + * strange we got no data for checking | ||
54 | */ | ||
55 | - return (0); | ||
56 | + if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && | ||
57 | + (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || | ||
58 | + (ctxt->nbentities <= 10000)) | ||
59 | + return (0); | ||
60 | } | ||
61 | xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); | ||
62 | return (1); | ||
63 | @@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { | ||
64 | name, NULL); | ||
65 | ctxt->valid = 0; | ||
66 | } | ||
67 | + xmlParserEntityCheck(ctxt, 0, NULL, 0); | ||
68 | } else if (ctxt->input->free != deallocblankswrapper) { | ||
69 | input = xmlNewBlanksWrapperInputStream(ctxt, entity); | ||
70 | if (xmlPushInput(ctxt, input) < 0) | ||
71 | @@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, | ||
72 | if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || | ||
73 | (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) | ||
74 | goto int_error; | ||
75 | + xmlParserEntityCheck(ctxt, 0, ent, 0); | ||
76 | if (ent != NULL) | ||
77 | ctxt->nbentities += ent->checked / 2; | ||
78 | if ((ent != NULL) && | ||
79 | @@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, | ||
80 | ent = xmlParseStringPEReference(ctxt, &str); | ||
81 | if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) | ||
82 | goto int_error; | ||
83 | + xmlParserEntityCheck(ctxt, 0, ent, 0); | ||
84 | if (ent != NULL) | ||
85 | ctxt->nbentities += ent->checked / 2; | ||
86 | if (ent != NULL) { | ||
87 | @@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { | ||
88 | (ret != XML_WAR_UNDECLARED_ENTITY)) { | ||
89 | xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, | ||
90 | "Entity '%s' failed to parse\n", ent->name); | ||
91 | + xmlParserEntityCheck(ctxt, 0, ent, 0); | ||
92 | } else if (list != NULL) { | ||
93 | xmlFreeNodeList(list); | ||
94 | list = NULL; | ||
95 | @@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { | ||
96 | /* | ||
97 | * We are copying here, make sure there is no abuse | ||
98 | */ | ||
99 | - ctxt->sizeentcopy += ent->length; | ||
100 | + ctxt->sizeentcopy += ent->length + 5; | ||
101 | if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) | ||
102 | return; | ||
103 | |||
104 | @@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { | ||
105 | /* | ||
106 | * We are copying here, make sure there is no abuse | ||
107 | */ | ||
108 | - ctxt->sizeentcopy += ent->length; | ||
109 | + ctxt->sizeentcopy += ent->length + 5; | ||
110 | if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) | ||
111 | return; | ||
112 | |||
113 | @@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) { | ||
114 | ctxt->sax->reference(ctxt->userData, name); | ||
115 | } | ||
116 | } | ||
117 | + xmlParserEntityCheck(ctxt, 0, ent, 0); | ||
118 | ctxt->valid = 0; | ||
119 | } | ||
120 | |||
121 | @@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) { | ||
122 | "Entity '%s' not defined\n", | ||
123 | name); | ||
124 | } | ||
125 | + xmlParserEntityCheck(ctxt, 0, ent, 0); | ||
126 | /* TODO ? check regressions ctxt->valid = 0; */ | ||
127 | } | ||
128 | |||
129 | @@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) | ||
130 | name, NULL); | ||
131 | ctxt->valid = 0; | ||
132 | } | ||
133 | + xmlParserEntityCheck(ctxt, 0, NULL, 0); | ||
134 | } else { | ||
135 | /* | ||
136 | * Internal checking in case the entity quest barfed | ||
137 | @@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) { | ||
138 | name, NULL); | ||
139 | ctxt->valid = 0; | ||
140 | } | ||
141 | + xmlParserEntityCheck(ctxt, 0, NULL, 0); | ||
142 | } else { | ||
143 | /* | ||
144 | * Internal checking in case the entity quest barfed | ||
145 | -- | ||
146 | cgit v0.10.1 | ||
147 | |||