libxml2: security fix CVE-2015-7498

(From OE-Core rev: cece10f44c9cceddab17adf1a1debc4b14e50a8d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2015-12-05 10:57:27 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-14 15:18:28 +0000
commit: 332eb1dcced338d9fabe312aed419a6e4194dda0 (patch)
tree: 2c62c9f5397eb6cfe2f3f859f7135a642a0a2768 /meta/recipes-core
parent: cbc4e832d16341f8d10bddb100c3453419a45997 (diff)
download: poky-332eb1dcced338d9fabe312aed419a6e4194dda0.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bc84656303..389f5cdf40 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -27,6 +27,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
           file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
           file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
+           file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
          "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
new file mode 100644
index 0000000000..47ba8970ee
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
@@ -0,0 +1,89 @@
+From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: [PATCH] Avoid processing entities after encoding conversion failures
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+Upstream-Status: Backport
+CVE-2015-7498
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c          |  7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+diff --git a/parser.c b/parser.c
+index 134afe7..c79b4e8 100644
+--- a/parser.c
+++ b/parser.c
+@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+        xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+     }
+     xmlParseEncodingDecl(ctxt);
+-    if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+    if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+         (ctxt->instate == XML_PARSER_EOF)) {
+        /*
+         * The XML REC instructs us to stop parsing right here
+         */
+@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 
+     if (CUR == 0) {
+        xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+       return(-1);
+     }
+ 
+     /*
+@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+         * Note that we will switch encoding on the fly.
+         */
+        xmlParseXMLDecl(ctxt);
+-       if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+       if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+           (ctxt->instate == XML_PARSER_EOF)) {
+            /*
+             * The XML REC instructs us to stop parsing right here
+             */
+diff --git a/parserInternals.c b/parserInternals.c
+index df204fd..c8230c1 100644
+--- a/parserInternals.c
+++ b/parserInternals.c
+@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+     xmlCharEncodingHandlerPtr handler;
+     int len = -1;
+    int ret;
+ 
+     if (ctxt == NULL) return(-1);
+     switch (enc) {
+@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+     if (handler == NULL)
+        return(-1);
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+-    return(xmlSwitchToEncodingInt(ctxt, handler, len));
+    ret = xmlSwitchToEncodingInt(ctxt, handler, len);
+    if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
+        /*
+        * on encoding conversion errors, stop the parser
+        */
+        xmlStopParser(ctxt);
+       ctxt->errNo = XML_I18N_CONV_FAILED;
+    }
+    return(ret);
+ }
+ 
+ /**
+-- 
+2.3.5
author	Armin Kuster <akuster@mvista.com>	2015-12-05 10:57:27 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-14 15:18:28 +0000
commit	332eb1dcced338d9fabe312aed419a6e4194dda0 (patch)
tree	2c62c9f5397eb6cfe2f3f859f7135a642a0a2768 /meta/recipes-core
parent	cbc4e832d16341f8d10bddb100c3453419a45997 (diff)
download	poky-332eb1dcced338d9fabe312aed419a6e4194dda0.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index bc84656303..389f5cdf40 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -27,6 +27,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
27	file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \	27	file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
28	file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \	28	file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
29	file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \	29	file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
		30	file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
30	"	31	"
31		32
32	BINCONFIG = "${bindir}/xml2-config"	33	BINCONFIG = "${bindir}/xml2-config"


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch new file mode 100644 index 0000000000..47ba8970ee --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
@@ -0,0 +1,89 @@
		1	From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Mon, 9 Nov 2015 18:07:18 +0800
		4	Subject: [PATCH] Avoid processing entities after encoding conversion failures
		5
		6	For https://bugzilla.gnome.org/show_bug.cgi?id=756527
		7	and was also raised by Chromium team in the past
		8
		9	When we hit a convwersion failure when switching encoding
		10	it is bestter to stop parsing there, this was treated as a
		11	fatal error but the parser was continuing to process to extract
		12	more errors, unfortunately that makes little sense as the data
		13	is obviously corrupt and can potentially lead to unexpected behaviour.
		14
		15	Upstream-Status: Backport
		16
		17	CVE-2015-7498
		18
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	parser.c \| 7 +++++--
		23	parserInternals.c \| 11 ++++++++++-
		24	2 files changed, 15 insertions(+), 3 deletions(-)
		25
		26	diff --git a/parser.c b/parser.c
		27	index 134afe7..c79b4e8 100644
		28	--- a/parser.c
		29	+++ b/parser.c
		30	@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
		31	xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
		32	}
		33	xmlParseEncodingDecl(ctxt);
		34	- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
		35	+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) \|\|
		36	+ (ctxt->instate == XML_PARSER_EOF)) {
		37	/*
		38	* The XML REC instructs us to stop parsing right here
		39	*/
		40	@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
		41
		42	if (CUR == 0) {
		43	xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
		44	+ return(-1);
		45	}
		46
		47	/*
		48	@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
		49	* Note that we will switch encoding on the fly.
		50	*/
		51	xmlParseXMLDecl(ctxt);
		52	- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
		53	+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) \|\|
		54	+ (ctxt->instate == XML_PARSER_EOF)) {
		55	/*
		56	* The XML REC instructs us to stop parsing right here
		57	*/
		58	diff --git a/parserInternals.c b/parserInternals.c
		59	index df204fd..c8230c1 100644
		60	--- a/parserInternals.c
		61	+++ b/parserInternals.c
		62	@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
		63	{
		64	xmlCharEncodingHandlerPtr handler;
		65	int len = -1;
		66	+ int ret;
		67
		68	if (ctxt == NULL) return(-1);
		69	switch (enc) {
		70	@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
		71	if (handler == NULL)
		72	return(-1);
		73	ctxt->charset = XML_CHAR_ENCODING_UTF8;
		74	- return(xmlSwitchToEncodingInt(ctxt, handler, len));
		75	+ ret = xmlSwitchToEncodingInt(ctxt, handler, len);
		76	+ if ((ret < 0) \|\| (ctxt->errNo == XML_I18N_CONV_FAILED)) {
		77	+ /*
		78	+ * on encoding conversion errors, stop the parser
		79	+ */
		80	+ xmlStopParser(ctxt);
		81	+ ctxt->errNo = XML_I18N_CONV_FAILED;
		82	+ }
		83	+ return(ret);
		84	}
		85
		86	/**
		87	--
		88	2.3.5
		89