summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoe MacDonald <joe_macdonald@mentor.com>2014-10-20 13:51:21 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-02-11 17:40:04 +0000
commit41cca6fbe76206c4909dede4c8b8467e616e0c2b (patch)
tree0c38c5514c39f1f5d5704096fa0fcbfdce895fcd
parentde512045185dd8ac9b2bb2cbb189809d49006189 (diff)
downloadpoky-41cca6fbe76206c4909dede4c8b8467e616e0c2b.tar.gz
libxml2: fix CVE-2014-3660
It was discovered that the patch for CVE-2014-0191 for libxml2 is incomplete. It is still possible to have libxml2 incorrectly perform entity substituton even when the application using libxml2 explicitly disables the feature. This can allow a remote denial-of-service attack on systems with libxml2 prior to 2.9.2. References: http://www.openwall.com/lists/oss-security/2014/10/17/7 https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html (From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f) (From OE-Core rev: de7bc57398aaeb84fc9370d025b87f7711986ada) Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch147
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bcf9a62ded..c729c199cf 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
21 file://libxml2-CVE-2014-0191-fix.patch \ 21 file://libxml2-CVE-2014-0191-fix.patch \
22 file://python-sitepackages-dir.patch \ 22 file://python-sitepackages-dir.patch \
23 file://libxml-m4-use-pkgconfig.patch \ 23 file://libxml-m4-use-pkgconfig.patch \
24 file://libxml2-CVE-2014-3660.patch \
24 " 25 "
25 26
26BINCONFIG = "${bindir}/xml2-config" 27BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
new file mode 100644
index 0000000000..b9621c93eb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
@@ -0,0 +1,147 @@
1From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Thu, 16 Oct 2014 13:59:47 +0800
4Subject: Fix for CVE-2014-3660
5
6Issues related to the billion laugh entity expansion which happened to
7escape the initial set of fixes
8
9Upstream-status: Backport
10Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0
11
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13
14diff --git a/parser.c b/parser.c
15index f51e8d2..1d93967 100644
16--- a/parser.c
17+++ b/parser.c
18@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
19 return (0);
20 if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
21 return (1);
22+
23+ /*
24+ * This may look absurd but is needed to detect
25+ * entities problems
26+ */
27+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
28+ (ent->content != NULL) && (ent->checked == 0)) {
29+ unsigned long oldnbent = ctxt->nbentities;
30+ xmlChar *rep;
31+
32+ ent->checked = 1;
33+
34+ rep = xmlStringDecodeEntities(ctxt, ent->content,
35+ XML_SUBSTITUTE_REF, 0, 0, 0);
36+
37+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
38+ if (rep != NULL) {
39+ if (xmlStrchr(rep, '<'))
40+ ent->checked |= 1;
41+ xmlFree(rep);
42+ rep = NULL;
43+ }
44+ }
45 if (replacement != 0) {
46 if (replacement < XML_MAX_TEXT_LENGTH)
47 return(0);
48@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
49 return (0);
50 } else {
51 /*
52- * strange we got no data for checking just return
53+ * strange we got no data for checking
54 */
55- return (0);
56+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
57+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
58+ (ctxt->nbentities <= 10000))
59+ return (0);
60 }
61 xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
62 return (1);
63@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
64 name, NULL);
65 ctxt->valid = 0;
66 }
67+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
68 } else if (ctxt->input->free != deallocblankswrapper) {
69 input = xmlNewBlanksWrapperInputStream(ctxt, entity);
70 if (xmlPushInput(ctxt, input) < 0)
71@@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
72 if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
73 (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
74 goto int_error;
75+ xmlParserEntityCheck(ctxt, 0, ent, 0);
76 if (ent != NULL)
77 ctxt->nbentities += ent->checked / 2;
78 if ((ent != NULL) &&
79@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
80 ent = xmlParseStringPEReference(ctxt, &str);
81 if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
82 goto int_error;
83+ xmlParserEntityCheck(ctxt, 0, ent, 0);
84 if (ent != NULL)
85 ctxt->nbentities += ent->checked / 2;
86 if (ent != NULL) {
87@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
88 (ret != XML_WAR_UNDECLARED_ENTITY)) {
89 xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
90 "Entity '%s' failed to parse\n", ent->name);
91+ xmlParserEntityCheck(ctxt, 0, ent, 0);
92 } else if (list != NULL) {
93 xmlFreeNodeList(list);
94 list = NULL;
95@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
96 /*
97 * We are copying here, make sure there is no abuse
98 */
99- ctxt->sizeentcopy += ent->length;
100+ ctxt->sizeentcopy += ent->length + 5;
101 if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
102 return;
103
104@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
105 /*
106 * We are copying here, make sure there is no abuse
107 */
108- ctxt->sizeentcopy += ent->length;
109+ ctxt->sizeentcopy += ent->length + 5;
110 if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
111 return;
112
113@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
114 ctxt->sax->reference(ctxt->userData, name);
115 }
116 }
117+ xmlParserEntityCheck(ctxt, 0, ent, 0);
118 ctxt->valid = 0;
119 }
120
121@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
122 "Entity '%s' not defined\n",
123 name);
124 }
125+ xmlParserEntityCheck(ctxt, 0, ent, 0);
126 /* TODO ? check regressions ctxt->valid = 0; */
127 }
128
129@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
130 name, NULL);
131 ctxt->valid = 0;
132 }
133+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
134 } else {
135 /*
136 * Internal checking in case the entity quest barfed
137@@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
138 name, NULL);
139 ctxt->valid = 0;
140 }
141+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
142 } else {
143 /*
144 * Internal checking in case the entity quest barfed
145--
146cgit v0.10.1
147