libxml2: Security fix CVE-2016-5131

CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131 Patch from: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e (From OE-Core rev: 640bd2b98ff33e49b42f1087650ebe20d92259a4) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2016-11-28 17:55:40 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-11-30 15:48:08 +0000
commit: 685ef239df17c6aae8bf20529e3dacc32e18edb4 (patch)
tree: 3369fbd930cd4530dad6e2e3fb9cb9753a7b00d5
parent: b7deb1f046fc4f5ae2c1e1b3be0dce9b131c2f28 (diff)
download: poky-685ef239df17c6aae8bf20529e3dacc32e18edb4.tar.gz
2 files changed, 181 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
new file mode 100644
index 0000000000..9d47d023a9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
@@ -0,0 +1,180 @@
+From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2016 14:22:23 +0200
+Subject: [PATCH] Fix XPointer paths beginning with range-to
+The old code would invoke the broken xmlXPtrRangeToFunction. range-to
+isn't really a function but a special kind of location step. Remove
+this function and always handle range-to in the XPath code.
+The old xmlXPtrRangeToFunction could also be abused to trigger a
+use-after-free error with the potential for remote code execution.
+Found with afl-fuzz.
+Fixes CVE-2016-5131.
+CVE: CVE-2016-5131
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ result/XPath/xptr/vidbase | 13 ++++++++
+ test/XPath/xptr/vidbase   |  1 +
+ xpath.c                   |  7 ++++-
+ xpointer.c                | 76 ++++-------------------------------------------
+ 4 files changed, 26 insertions(+), 71 deletions(-)
+diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
+index 8b9e92d..f19193e 100644
+--- a/result/XPath/xptr/vidbase
+++ b/result/XPath/xptr/vidbase
+@@ -17,3 +17,16 @@ Object is a Location Set:
+   To node
+     ELEMENT p
+ 
+
+========================
+Expression: xpointer(range-to(id('chapter2')))
+Object is a Location Set:
+1 :   Object is a range :
+  From node
+     /
+  To node
+    ELEMENT chapter
+      ATTRIBUTE id
+        TEXT
+          content=chapter2
+
+diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
+index b146383..884b106 100644
+--- a/test/XPath/xptr/vidbase
+++ b/test/XPath/xptr/vidbase
+@@ -1,2 +1,3 @@
+ xpointer(id('chapter1')/p)
+ xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
+xpointer(range-to(id('chapter2')))
+diff --git a/xpath.c b/xpath.c
+index d992841..5a01b1b 100644
+--- a/xpath.c
+++ b/xpath.c
+@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
+                    lc = 1;
+                    break;
+                } else if ((NXT(len) == '(')) {
+-                   /* Note Type or Function */
+                   /* Node Type or Function */
+                    if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+                        xmlGenericError(xmlGenericErrorContext,
+                                "PathExpr: Type search\n");
+ #endif
+                        lc = 1;
+#ifdef LIBXML_XPTR_ENABLED
+                    } else if (ctxt->xptr &&
+                               xmlStrEqual(name, BAD_CAST "range-to")) {
+                        lc = 1;
+#endif
+                    } else {
+ #ifdef DEBUG_STEP
+                        xmlGenericError(xmlGenericErrorContext,
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..d74174a 100644
+--- a/xpointer.c
+++ b/xpointer.c
+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
+     ret->here = here;
+     ret->origin = origin;
+ 
+-    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+-                        xmlXPtrRangeToFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+                         xmlXPtrRangeFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+  * @nargs:  the number of args
+  *
+  * Implement the range-to() XPointer function
+ *
+ * Obsolete. range-to is not a real function but a special type of location
+ * step which is handled in xpath.c.
+  */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+-    xmlXPathObjectPtr range;
+-    const xmlChar *cur;
+-    xmlXPathObjectPtr res, obj;
+-    xmlXPathObjectPtr tmp;
+-    xmlLocationSetPtr newset = NULL;
+-    xmlNodeSetPtr oldset;
+-    int i;
+-
+-    if (ctxt == NULL) return;
+-    CHECK_ARITY(1);
+-    /*
+-     * Save the expression pointer since we will have to evaluate
+-     * it multiple times. Initialize the new set.
+-     */
+-    CHECK_TYPE(XPATH_NODESET);
+-    obj = valuePop(ctxt);
+-    oldset = obj->nodesetval;
+-    ctxt->context->node = NULL;
+-
+-    cur = ctxt->cur;
+-    newset = xmlXPtrLocationSetCreate(NULL);
+-
+-    for (i = 0; i < oldset->nodeNr; i++) {
+-       ctxt->cur = cur;
+-
+-       /*
+-        * Run the evaluation with a node list made of a single item
+-        * in the nodeset.
+-        */
+-       ctxt->context->node = oldset->nodeTab[i];
+-       tmp = xmlXPathNewNodeSet(ctxt->context->node);
+-       valuePush(ctxt, tmp);
+-
+-       xmlXPathEvalExpr(ctxt);
+-       CHECK_ERROR;
+-
+-       /*
+-        * The result of the evaluation need to be tested to
+-        * decided whether the filter succeeded or not
+-        */
+-       res = valuePop(ctxt);
+-       range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+-       if (range != NULL) {
+-           xmlXPtrLocationSetAdd(newset, range);
+-       }
+-
+-       /*
+-        * Cleanup
+-        */
+-       if (res != NULL)
+-           xmlXPathFreeObject(res);
+-       if (ctxt->value == tmp) {
+-           res = valuePop(ctxt);
+-           xmlXPathFreeObject(res);
+-       }
+-
+-       ctxt->context->node = NULL;
+-    }
+-
+-    /*
+-     * The result is used as the new evaluation set.
+-     */
+-    xmlXPathFreeObject(obj);
+-    ctxt->context->node = NULL;
+-    ctxt->context->contextSize = -1;
+-    ctxt->context->proximityPosition = -1;
+-    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
+                       int nargs ATTRIBUTE_UNUSED) {
+    XP_ERROR(XPATH_EXPR_ERROR);
+ }
+ 
+ /**
+-- 
+2.7.4
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 59874bec2c..1fed90b07e 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://run-ptest \
           file://python-sitepackages-dir.patch \
           file://libxml-m4-use-pkgconfig.patch \
+           file://libxml2-CVE-2016-5131.patch \
          "
 SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
author	Yi Zhao <yi.zhao@windriver.com>	2016-11-28 17:55:40 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-11-30 15:48:08 +0000
commit	685ef239df17c6aae8bf20529e3dacc32e18edb4 (patch)
tree	3369fbd930cd4530dad6e2e3fb9cb9753a7b00d5
parent	b7deb1f046fc4f5ae2c1e1b3be0dce9b131c2f28 (diff)
download	poky-685ef239df17c6aae8bf20529e3dacc32e18edb4.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch new file mode 100644 index 0000000000..9d47d023a9 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
@@ -0,0 +1,180 @@
		1	From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 28 Jun 2016 14:22:23 +0200
		4	Subject: [PATCH] Fix XPointer paths beginning with range-to
		5
		6	The old code would invoke the broken xmlXPtrRangeToFunction. range-to
		7	isn't really a function but a special kind of location step. Remove
		8	this function and always handle range-to in the XPath code.
		9
		10	The old xmlXPtrRangeToFunction could also be abused to trigger a
		11	use-after-free error with the potential for remote code execution.
		12
		13	Found with afl-fuzz.
		14
		15	Fixes CVE-2016-5131.
		16
		17	CVE: CVE-2016-5131
		18	Upstream-Status: Backport
		19	https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
		20
		21	Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
		22	---
		23	result/XPath/xptr/vidbase \| 13 ++++++++
		24	test/XPath/xptr/vidbase \| 1 +
		25	xpath.c \| 7 ++++-
		26	xpointer.c \| 76 ++++-------------------------------------------
		27	4 files changed, 26 insertions(+), 71 deletions(-)
		28
		29	diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
		30	index 8b9e92d..f19193e 100644
		31	--- a/result/XPath/xptr/vidbase
		32	+++ b/result/XPath/xptr/vidbase
		33	@@ -17,3 +17,16 @@ Object is a Location Set:
		34	To node
		35	ELEMENT p
		36
		37	+
		38	+========================
		39	+Expression: xpointer(range-to(id('chapter2')))
		40	+Object is a Location Set:
		41	+1 : Object is a range :
		42	+ From node
		43	+ /
		44	+ To node
		45	+ ELEMENT chapter
		46	+ ATTRIBUTE id
		47	+ TEXT
		48	+ content=chapter2
		49	+
		50	diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
		51	index b146383..884b106 100644
		52	--- a/test/XPath/xptr/vidbase
		53	+++ b/test/XPath/xptr/vidbase
		54	@@ -1,2 +1,3 @@
		55	xpointer(id('chapter1')/p)
		56	xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
		57	+xpointer(range-to(id('chapter2')))
		58	diff --git a/xpath.c b/xpath.c
		59	index d992841..5a01b1b 100644
		60	--- a/xpath.c
		61	+++ b/xpath.c
		62	@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
		63	lc = 1;
		64	break;
		65	} else if ((NXT(len) == '(')) {
		66	- /* Note Type or Function */
		67	+ /* Node Type or Function */
		68	if (xmlXPathIsNodeType(name)) {
		69	#ifdef DEBUG_STEP
		70	xmlGenericError(xmlGenericErrorContext,
		71	"PathExpr: Type search\n");
		72	#endif
		73	lc = 1;
		74	+#ifdef LIBXML_XPTR_ENABLED
		75	+ } else if (ctxt->xptr &&
		76	+ xmlStrEqual(name, BAD_CAST "range-to")) {
		77	+ lc = 1;
		78	+#endif
		79	} else {
		80	#ifdef DEBUG_STEP
		81	xmlGenericError(xmlGenericErrorContext,
		82	diff --git a/xpointer.c b/xpointer.c
		83	index 676c510..d74174a 100644
		84	--- a/xpointer.c
		85	+++ b/xpointer.c
		86	@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
		87	ret->here = here;
		88	ret->origin = origin;
		89
		90	- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
		91	- xmlXPtrRangeToFunction);
		92	xmlXPathRegisterFunc(ret, (xmlChar *)"range",
		93	xmlXPtrRangeFunction);
		94	xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
		95	@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
		96	* @nargs: the number of args
		97	*
		98	* Implement the range-to() XPointer function
		99	+ *
		100	+ * Obsolete. range-to is not a real function but a special type of location
		101	+ * step which is handled in xpath.c.
		102	*/
		103	void
		104	-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
		105	- xmlXPathObjectPtr range;
		106	- const xmlChar *cur;
		107	- xmlXPathObjectPtr res, obj;
		108	- xmlXPathObjectPtr tmp;
		109	- xmlLocationSetPtr newset = NULL;
		110	- xmlNodeSetPtr oldset;
		111	- int i;
		112	-
		113	- if (ctxt == NULL) return;
		114	- CHECK_ARITY(1);
		115	- /*
		116	- * Save the expression pointer since we will have to evaluate
		117	- * it multiple times. Initialize the new set.
		118	- */
		119	- CHECK_TYPE(XPATH_NODESET);
		120	- obj = valuePop(ctxt);
		121	- oldset = obj->nodesetval;
		122	- ctxt->context->node = NULL;
		123	-
		124	- cur = ctxt->cur;
		125	- newset = xmlXPtrLocationSetCreate(NULL);
		126	-
		127	- for (i = 0; i < oldset->nodeNr; i++) {
		128	- ctxt->cur = cur;
		129	-
		130	- /*
		131	- * Run the evaluation with a node list made of a single item
		132	- * in the nodeset.
		133	- */
		134	- ctxt->context->node = oldset->nodeTab[i];
		135	- tmp = xmlXPathNewNodeSet(ctxt->context->node);
		136	- valuePush(ctxt, tmp);
		137	-
		138	- xmlXPathEvalExpr(ctxt);
		139	- CHECK_ERROR;
		140	-
		141	- /*
		142	- * The result of the evaluation need to be tested to
		143	- * decided whether the filter succeeded or not
		144	- */
		145	- res = valuePop(ctxt);
		146	- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
		147	- if (range != NULL) {
		148	- xmlXPtrLocationSetAdd(newset, range);
		149	- }
		150	-
		151	- /*
		152	- * Cleanup
		153	- */
		154	- if (res != NULL)
		155	- xmlXPathFreeObject(res);
		156	- if (ctxt->value == tmp) {
		157	- res = valuePop(ctxt);
		158	- xmlXPathFreeObject(res);
		159	- }
		160	-
		161	- ctxt->context->node = NULL;
		162	- }
		163	-
		164	- /*
		165	- * The result is used as the new evaluation set.
		166	- */
		167	- xmlXPathFreeObject(obj);
		168	- ctxt->context->node = NULL;
		169	- ctxt->context->contextSize = -1;
		170	- ctxt->context->proximityPosition = -1;
		171	- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
		172	+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
		173	+ int nargs ATTRIBUTE_UNUSED) {
		174	+ XP_ERROR(XPATH_EXPR_ERROR);
		175	}
		176
		177	/**
		178	--
		179	2.7.4
		180


diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 59874bec2c..1fed90b07e 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
19	file://run-ptest \	19	file://run-ptest \
20	file://python-sitepackages-dir.patch \	20	file://python-sitepackages-dir.patch \
21	file://libxml-m4-use-pkgconfig.patch \	21	file://libxml-m4-use-pkgconfig.patch \
		22	file://libxml2-CVE-2016-5131.patch \
22	"	23	"
23		24
24	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"	25	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"