summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-02-24 08:39:28 +0100
committerTudor Florea <tudor.florea@enea.com>2016-02-25 12:45:07 +0100
commite39962398625aeb780b2f8a08b194f35ded8b4b8 (patch)
tree841fb06f48867b0e270fb3a8b1514cad4375e5ac
parent04f8b06b024193eb1473458b92dac16809c29e08 (diff)
downloadpoky-e39962398625aeb780b2f8a08b194f35ded8b4b8.tar.gz
libxml2: CVE-2015-7500
Fixes Heap buffer overflow in xmlParseMisc Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch131
-rw-r--r--meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch138
3 files changed, 271 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 87aa21e2d3..08d7961241 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -28,6 +28,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
28 file://CVE-2015-8241.patch \ 28 file://CVE-2015-8241.patch \
29 file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \ 29 file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \
30 file://CVE-2015-8242-Buffer-overead-with-HTML-parser.patch \ 30 file://CVE-2015-8242-Buffer-overead-with-HTML-parser.patch \
31 file://Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch \
32 file://CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
31 " 33 "
32 34
33BINCONFIG = "${bindir}/xml2-config" 35BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 0000000000..b4860791bf
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
1From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 20 Nov 2015 16:06:59 +0800
4Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
5 entities boundaries
6
7For https://bugzilla.gnome.org/show_bug.cgi?id=756525
8handle properly the case where we popped out of the current entity
9while processing a start tag
10Reported by Kostya Serebryany @ Google
11
12This slightly modifies the output of 754946 in regression tests
13
14Upstream-Status: Backport
15
16CVE-2015-7500
17
18Signed-off-by: Armin Kuster <akuster@mvista.com>
19
20---
21 parser.c | 28 ++++++++++++++++++++++------
22 result/errors/754946.xml.err | 7 +++++--
23 2 files changed, 27 insertions(+), 8 deletions(-)
24
25diff --git a/parser.c b/parser.c
26index c7e4574..c5741e3 100644
27--- a/parser.c
28+++ b/parser.c
29@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
30 const xmlChar **atts = ctxt->atts;
31 int maxatts = ctxt->maxatts;
32 int nratts, nbatts, nbdef;
33- int i, j, nbNs, attval, oldline, oldcol;
34+ int i, j, nbNs, attval, oldline, oldcol, inputNr;
35 const xmlChar *base;
36 unsigned long cur;
37 int nsNr = ctxt->nsNr;
38@@ -9367,6 +9367,7 @@ reparse:
39 SHRINK;
40 base = ctxt->input->base;
41 cur = ctxt->input->cur - ctxt->input->base;
42+ inputNr = ctxt->inputNr;
43 oldline = ctxt->input->line;
44 oldcol = ctxt->input->col;
45 nbatts = 0;
46@@ -9392,7 +9393,8 @@ reparse:
47 */
48 SKIP_BLANKS;
49 GROW;
50- if (ctxt->input->base != base) goto base_changed;
51+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
52+ goto base_changed;
53
54 while (((RAW != '>') &&
55 ((RAW != '/') || (NXT(1) != '>')) &&
56@@ -9403,7 +9405,7 @@ reparse:
57
58 attname = xmlParseAttribute2(ctxt, prefix, localname,
59 &aprefix, &attvalue, &len, &alloc);
60- if (ctxt->input->base != base) {
61+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
62 if ((attvalue != NULL) && (alloc != 0))
63 xmlFree(attvalue);
64 attvalue = NULL;
65@@ -9552,7 +9554,8 @@ skip_ns:
66 break;
67 }
68 SKIP_BLANKS;
69- if (ctxt->input->base != base) goto base_changed;
70+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
71+ goto base_changed;
72 continue;
73 }
74
75@@ -9589,7 +9592,8 @@ failed:
76 GROW
77 if (ctxt->instate == XML_PARSER_EOF)
78 break;
79- if (ctxt->input->base != base) goto base_changed;
80+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
81+ goto base_changed;
82 if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
83 break;
84 if (!IS_BLANK_CH(RAW)) {
85@@ -9605,7 +9609,8 @@ failed:
86 break;
87 }
88 GROW;
89- if (ctxt->input->base != base) goto base_changed;
90+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
91+ goto base_changed;
92 }
93
94 /*
95@@ -9772,6 +9777,17 @@ base_changed:
96 if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
97 xmlFree((xmlChar *) atts[i]);
98 }
99+
100+ /*
101+ * We can't switch from one entity to another in the middle
102+ * of a start tag
103+ */
104+ if (inputNr != ctxt->inputNr) {
105+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
106+ "Start tag doesn't start and stop in the same entity\n");
107+ return(NULL);
108+ }
109+
110 ctxt->input->cur = ctxt->input->base + cur;
111 ctxt->input->line = oldline;
112 ctxt->input->col = oldcol;
113diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
114index 423dff5..a75088b 100644
115--- a/result/errors/754946.xml.err
116+++ b/result/errors/754946.xml.err
117@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
118 Entity: line 1:
119 A<lbbbbbbbbbbbbbbbbbbb_
120 ^
121+./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
122+>%SYSTEM;<![
123+ ^
124 ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
125-<!DOCTYPEA[<!ENTITY %
126- ^
127+>%SYSTEM;<![
128+ ^
129--
1302.3.5
131
diff --git a/meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch b/meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch
new file mode 100644
index 0000000000..a86b9ee86e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch
@@ -0,0 +1,138 @@
1From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Tue, 15 Sep 2015 16:50:32 +0800
4Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
5
6For https://bugzilla.gnome.org/show_bug.cgi?id=754946
7
8When hitting the end of the current input buffer while parsing
9a name we could end up loosing the beginning of the name, which
10led to various issues.
11
12Upstream-Status: backport
13
14Depend patch for CVE-2015-7500
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17---
18 parser.c | 29 ++++++++++++++++++++---------
19 result/errors/754946.xml | 0
20 result/errors/754946.xml.err | 16 ++++++++++++++++
21 result/errors/754946.xml.str | 4 ++++
22 test/errors/754946.xml | 1 +
23 5 files changed, 41 insertions(+), 9 deletions(-)
24 create mode 100644 result/errors/754946.xml
25 create mode 100644 result/errors/754946.xml.err
26 create mode 100644 result/errors/754946.xml.str
27 create mode 100644 test/errors/754946.xml
28
29diff --git a/parser.c b/parser.c
30index 0edd53b..fd29a39 100644
31--- a/parser.c
32+++ b/parser.c
33@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
34 c = CUR_CHAR(l);
35 if (c == 0) {
36 count = 0;
37+ /*
38+ * when shrinking to extend the buffer we really need to preserve
39+ * the part of the name we already parsed. Hence rolling back
40+ * by current lenght.
41+ */
42+ ctxt->input->cur -= l;
43 GROW;
44+ ctxt->input->cur += l;
45 if (ctxt->instate == XML_PARSER_EOF)
46 return(NULL);
47 end = ctxt->input->cur;
48@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
49
50 static const xmlChar *
51 xmlParseNCName(xmlParserCtxtPtr ctxt) {
52- const xmlChar *in;
53+ const xmlChar *in, *e;
54 const xmlChar *ret;
55 int count = 0;
56
57@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
58 * Accelerator for simple ASCII names
59 */
60 in = ctxt->input->cur;
61- if (((*in >= 0x61) && (*in <= 0x7A)) ||
62- ((*in >= 0x41) && (*in <= 0x5A)) ||
63- (*in == '_')) {
64+ e = ctxt->input->end;
65+ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
66+ ((*in >= 0x41) && (*in <= 0x5A)) ||
67+ (*in == '_')) && (in < e)) {
68 in++;
69- while (((*in >= 0x61) && (*in <= 0x7A)) ||
70- ((*in >= 0x41) && (*in <= 0x5A)) ||
71- ((*in >= 0x30) && (*in <= 0x39)) ||
72- (*in == '_') || (*in == '-') ||
73- (*in == '.'))
74+ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
75+ ((*in >= 0x41) && (*in <= 0x5A)) ||
76+ ((*in >= 0x30) && (*in <= 0x39)) ||
77+ (*in == '_') || (*in == '-') ||
78+ (*in == '.')) && (in < e))
79 in++;
80+ if (in >= e)
81+ goto complex;
82 if ((*in > 0) && (*in < 0x80)) {
83 count = in - ctxt->input->cur;
84 if ((count > XML_MAX_NAME_LENGTH) &&
85@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
86 return(ret);
87 }
88 }
89+complex:
90 return(xmlParseNCNameComplex(ctxt));
91 }
92
93diff --git a/result/errors/754946.xml b/result/errors/754946.xml
94new file mode 100644
95index 0000000..e69de29
96diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
97new file mode 100644
98index 0000000..423dff5
99--- /dev/null
100+++ b/result/errors/754946.xml.err
101@@ -0,0 +1,16 @@
102+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
103+
104+ %SYSTEM;
105+ ^
106+Entity: line 1:
107+A<lbbbbbbbbbbbbbbbbbbb_
108+^
109+Entity: line 1: parser error : DOCTYPE improperly terminated
110+ %SYSTEM;
111+ ^
112+Entity: line 1:
113+A<lbbbbbbbbbbbbbbbbbbb_
114+^
115+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
116+<!DOCTYPEA[<!ENTITY %
117+ ^
118diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
119new file mode 100644
120index 0000000..3b748cc
121--- /dev/null
122+++ b/result/errors/754946.xml.str
123@@ -0,0 +1,4 @@
124+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
125+<!DOCTYPEA[<!ENTITY %
126+ ^
127+./test/errors/754946.xml : failed to parse
128diff --git a/test/errors/754946.xml b/test/errors/754946.xml
129new file mode 100644
130index 0000000..6b5f9b0
131--- /dev/null
132+++ b/test/errors/754946.xml
133@@ -0,0 +1 @@
134+<!DOCTYPEA[<!ENTITY % SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_" >%SYSTEM;<![
135\ No newline at end of file
136--
1372.3.5
138