libxml2: security fix CVE-2015-7941

includes: CVE-2015-7941-1 CVE-2015-7941-2 (From OE-Core rev: 48af957147a091550c089423e3a65bac6596c41e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2015-12-05 10:52:42 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-14 15:18:27 +0000
commit: 6fc1109f5db665e306e4c34d6198251675e15969 (patch)
tree: 664237ad41289c61d967306c7c1c64622b30a66b /meta/recipes-core
parent: 9eb4ce0a81dc8b7c820a3a87cba8880ae2b6d356 (diff)
download: poky-6fc1109f5db665e306e4c34d6198251675e15969.tar.gz
3 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 1c3c37d509..24b98a6f92 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml-m4-use-pkgconfig.patch \
           file://configure.ac-fix-cross-compiling-warning.patch \
           file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+           file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \
+           file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \
          "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000000..11da9f9bd9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,39 @@
+From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: [PATCH] Stop parsing on entities boundaries errors
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+Upstream-Status: Backport
+CVE-2015-7941-1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
+++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+        if (RAW != '>') {
+            xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+                    "xmlParseEntityDecl: entity %s not terminated\n", name);
+           xmlStopParser(ctxt);
+        } else {
+            if (input != ctxt->input) {
+                xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+-- 
+2.3.5
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 0000000000..b7bd960531
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,56 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: [PATCH] Cleanup conditional section error handling
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+Upstream-Status: Backport
+CVE-2015-7941-2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
+++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+        SKIP_BLANKS;
+        if (RAW != '[') {
+            xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+           xmlStopParser(ctxt);
+           return;
+        } else {
+            if (ctxt->input->id != id) {
+                xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+        SKIP_BLANKS;
+        if (RAW != '[') {
+            xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+           xmlStopParser(ctxt);
+           return;
+        } else {
+            if (ctxt->input->id != id) {
+                xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+        xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+       xmlStopParser(ctxt);
+       return;
+     }
+ 
+     if (RAW == 0)
+-- 
+2.3.5
author	Armin Kuster <akuster@mvista.com>	2015-12-05 10:52:42 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-14 15:18:27 +0000
commit	6fc1109f5db665e306e4c34d6198251675e15969 (patch)
tree	664237ad41289c61d967306c7c1c64622b30a66b /meta/recipes-core
parent	9eb4ce0a81dc8b7c820a3a87cba8880ae2b6d356 (diff)
download	poky-6fc1109f5db665e306e4c34d6198251675e15969.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 1c3c37d509..24b98a6f92 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
21	file://libxml-m4-use-pkgconfig.patch \	21	file://libxml-m4-use-pkgconfig.patch \
22	file://configure.ac-fix-cross-compiling-warning.patch \	22	file://configure.ac-fix-cross-compiling-warning.patch \
23	file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \	23	file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
		24	file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \
		25	file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \
24	"	26	"
25		27
26	BINCONFIG = "${bindir}/xml2-config"	28	BINCONFIG = "${bindir}/xml2-config"


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch new file mode 100644 index 0000000000..11da9f9bd9 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,39 @@
		1	From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Mon, 23 Feb 2015 11:17:35 +0800
		4	Subject: [PATCH] Stop parsing on entities boundaries errors
		5
		6	For https://bugzilla.gnome.org/show_bug.cgi?id=744980
		7
		8	There are times, like on unterminated entities that it's preferable to
		9	stop parsing, even if that means less error reporting. Entities are
		10	feeding the parser on further processing, and if they are ill defined
		11	then it's possible to get the parser to bug. Also do the same on
		12	Conditional Sections if the input is broken, as the structure of
		13	the document can't be guessed.
		14
		15	Upstream-Status: Backport
		16
		17	CVE-2015-7941-1
		18
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	parser.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	diff --git a/parser.c b/parser.c
		26	index a8d1b67..bbe97eb 100644
		27	--- a/parser.c
		28	+++ b/parser.c
		29	@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
		30	if (RAW != '>') {
		31	xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
		32	"xmlParseEntityDecl: entity %s not terminated\n", name);
		33	+ xmlStopParser(ctxt);
		34	} else {
		35	if (input != ctxt->input) {
		36	xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
		37	--
		38	2.3.5
		39


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch new file mode 100644 index 0000000000..b7bd960531 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,56 @@
		1	From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Mon, 23 Feb 2015 11:29:20 +0800
		4	Subject: [PATCH] Cleanup conditional section error handling
		5
		6	For https://bugzilla.gnome.org/show_bug.cgi?id=744980
		7
		8	The error handling of Conditional Section also need to be
		9	straightened as the structure of the document can't be
		10	guessed on a failure there and it's better to stop parsing
		11	as further errors are likely to be irrelevant.
		12
		13	Upstream-Status: Backport
		14
		15	CVE-2015-7941-2
		16
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	parser.c \| 6 ++++++
		21	1 file changed, 6 insertions(+)
		22
		23	diff --git a/parser.c b/parser.c
		24	index bbe97eb..fe603ac 100644
		25	--- a/parser.c
		26	+++ b/parser.c
		27	@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
		28	SKIP_BLANKS;
		29	if (RAW != '[') {
		30	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
		31	+ xmlStopParser(ctxt);
		32	+ return;
		33	} else {
		34	if (ctxt->input->id != id) {
		35	xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
		36	@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
		37	SKIP_BLANKS;
		38	if (RAW != '[') {
		39	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
		40	+ xmlStopParser(ctxt);
		41	+ return;
		42	} else {
		43	if (ctxt->input->id != id) {
		44	xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
		45	@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
		46
		47	} else {
		48	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
		49	+ xmlStopParser(ctxt);
		50	+ return;
		51	}
		52
		53	if (RAW == 0)
		54	--
		55	2.3.5
		56