authorSona Sarmadi <sona.sarmadi@enea.com>2017-01-16 07:30:00 +0100
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 12:21:38 +0100
commit88246c60937b662064cc10b3771faf6b73466a5b (patch)
tree361eebf7cf67e56a85d5095b53ee9c7d48c1bfc1
parent5772e2b19d1b0b6e277ade15a3242d583cda90ee (diff)
downloadpoky-88246c60937b662064cc10b3771faf6b73466a5b.tar.gz
expat: CVE-2012-6702, CVE-2016-5300
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 http://www.openwall.com/lists/oss-security/2016/06/04/5 Reference to upstream fix: https://bugzilla.redhat.com/attachment.cgi?id=1165210 Squashed backport against vanilla Expat 2.1.1, addressing: * CVE-2012-6702 -- unanticipated internal calls to srand * CVE-2016-5300 -- use of too little entropy Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch123
-rw-r--r--meta/recipes-core/expat/expat_2.1.0.bb4
2 files changed, 127 insertions, 0 deletions
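--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch
@@ -0,0 +1,123 @@
+From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 16 Mar 2016 15:30:12 +0100
+Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
+
+Squashed backport against vanilla Expat 2.1.1, addressing:
+* CVE-2012-6702 -- unanticipated internal calls to srand
+* CVE-2016-5300 -- use of too little entropy
+
+Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
+(released with Expat 2.1.0) Expat called srand by itself
+from inside generate_hash_secret_salt for an instance
+of XML_Parser if XML_SetHashSalt was either (a) not called
+for that instance or if (b) salt 0 was passed to XML_SetHashSalt
+prior to parsing. That call to srand passed (rather litle)
+entropy extracted from the current time as a seed for srand.
+
+That call to srand (1) broke repeatability for code calling
+srand with a non-random seed prior to parsing with Expat,
+and (2) resulted in a rather small set of hashing salts in
+Expat in total.
+
+For a short- to mid-term fix, the new approach avoids calling
+srand altogether, extracts more entropy out of the clock and
+other sources, too.
+
+For a long term fix, we may want to read sizeof(long) bytes
+from a source like getrandom(..) on Linux, and from similar
+sources on other supported architectures.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1197087
+
+CVE: CVE-2012-6702
+CVE: CVE-2016-5300
+Upstream-Status: Backport
+
+Removed changes from CMakeLists.txt from original patch, since that code is
+not part of fix for these CVEs.
+Reference to the commit for CMakeLists.txt changes:
+https://sourceforge.net/p/expat/code_git/ci/37f7efb878660d55ff5fd67ad2cda1c103297df6
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -Nurp a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c 2017-01-13 10:16:35.570784710 +0100
++++ b/lib/xmlparse.c 2017-01-13 11:22:20.522433486 +0100
+@@ -6,7 +6,14 @@
+ #include <string.h> /* memset(), memcpy() */
+ #include <assert.h>
+ #include <limits.h> /* UINT_MAX */
+-#include <time.h> /* time() */
++
++#ifdef COMPILED_FROM_DSP
++#define getpid GetCurrentProcessId
++#else
++#include <sys/time.h> /* gettimeofday() */
++#include <sys/types.h> /* getpid() */
++#include <unistd.h> /* getpid() */
++#endif
+
+ #define XML_BUILDING_EXPAT 1
+
+@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
+ getElementType(XML_Parser parser, const ENCODING *enc,
+ const char *ptr, const char *end);
+
+-static unsigned long generate_hash_secret_salt(void);
++static unsigned long generate_hash_secret_salt(XML_Parser parser);
+ static XML_Bool startParsing(XML_Parser parser);
+
+ static XML_Parser
+@@ -691,11 +698,38 @@ static const XML_Char implicitContext[]
+ };
+
+ static unsigned long
+-generate_hash_secret_salt(void)
++gather_time_entropy(void)
++{
++#ifdef COMPILED_FROM_DSP
++ FILETIME ft;
++ GetSystemTimeAsFileTime(&ft); /* never fails */
++ return ft.dwHighDateTime ^ ft.dwLowDateTime;
++#else
++ struct timeval tv;
++ int gettimeofday_res;
++
++ gettimeofday_res = gettimeofday(&tv, NULL);
++ assert (gettimeofday_res == 0);
++
++ /* Microseconds time is <20 bits entropy */
++ return tv.tv_usec;
++#endif
++}
++
++static unsigned long
++generate_hash_secret_salt(XML_Parser parser)
+ {
+- unsigned int seed = time(NULL) % UINT_MAX;
+- srand(seed);
+- return rand();
++ /* Process ID is 0 bits entropy if attacker has local access
++ * XML_Parser address is few bits of entropy if attacker has local access */
++ const unsigned long entropy =
++ gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
++
++ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
++ if (sizeof(unsigned long) == 4) {
++ return entropy * 2147483647;
++ } else {
++ return entropy * 2305843009213693951;
++ }
+ }
+
+ static XML_Bool /* only valid for root parser */
+@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
+ {
+ /* hash functions must be initialized before setContext() is called */
+ if (hash_secret_salt == 0)
+- hash_secret_salt = generate_hash_secret_salt();
++ hash_secret_salt = generate_hash_secret_salt(parser);
+ if (ns) {
+ /* implicit context only set for root parser, since child
+ parsers (i.e. external entity parsers) will inherit it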
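Review bot: In the backported gather_time_entropy() (inner hunk `@@ -691,11 +698,38 @@`) the only check on gettimeofday() is `assert (gettimeofday_res == 0);`, so in a build with NDEBUG defined a failing call leaves `tv` uninitialized and `return tv.tv_usec;` reads an indeterminate value, while `gettimeofday_res` becomes a set-but-unused variable. Declaring `struct timeval tv = { 0, 0 };` keeps the returned value defined on that path without touching the success path; since this file is a vendored backport, that is probably best carried as an additional hunk in this patch with a note in its header rather than by editing the upstream body in place. The patch's own comments state that usec time, the pid and the parser address give well under 32 bits of combined entropy and the header names getrandom(..) as the intended long-term fix, so recording in the recipe or patch header that this remains the short-term approach would help later CVE triage of this recipe. The multiplication by 2^31-1 / 2^61-1 is a bijection on unsigned long and therefore spreads bits but adds no entropy; a comment to that effect next to the Mersenne-prime line would stop readers overestimating the salt's strength.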
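--- a/meta/recipes-core/expat/expat_2.1.0.bb
+++ b/meta/recipes-core/expat/expat_2.1.0.bb
@@ -1,5 +1,9 @@
 require expat.inc
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/expat-2.1.0:"
 LIC_FILES_CHKSUM = "file://COPYING;md5=1b71f681713d1256e1c23b0890920874"
 
+SRC_URI += "file://CVE-2016-5300_CVE-2012-6702.patch \
+ "
 SRC_URI[md5sum] = "dd7dab7a5fea97d2a6a43f511449b7cd"
 SRC_URI[sha256sum] = "823705472f816df21c8f6aa026dd162b280806838bb55b3432b0fb1fcca7eb86"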