summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorYue Tao <Yue.Tao@windriver.com>2015-06-15 09:18:52 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-06-18 09:14:07 +0100
commit8ef99a00dc75c6eed87aa1bc1528614a2a27eddf (patch)
tree909416c3d9a3450f52ce52d64b3eb0cc74a43378 /meta/recipes-core
parent64df52da57440b8d1f97a8f228399954effb7700 (diff)
downloadpoky-8ef99a00dc75c6eed87aa1bc1528614a2a27eddf.tar.gz
libxml2: Security Advisory - libxml2 - CVE-2015-1819
for CVE-2015-1819 Enforce the reader to run in constant memory (From OE-Core rev: 9e67d8ae592a37d7c92d6566466b09c83e9ec6a7) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch181
2 files changed, 182 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index d337bec0d0..1c3c37d509 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -20,6 +20,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
20 file://python-sitepackages-dir.patch \ 20 file://python-sitepackages-dir.patch \
21 file://libxml-m4-use-pkgconfig.patch \ 21 file://libxml-m4-use-pkgconfig.patch \
22 file://configure.ac-fix-cross-compiling-warning.patch \ 22 file://configure.ac-fix-cross-compiling-warning.patch \
23 file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
23 " 24 "
24 25
25BINCONFIG = "${bindir}/xml2-config" 26BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
new file mode 100644
index 0000000000..96d58f9dd6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
@@ -0,0 +1,181 @@
1From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Tue, 14 Apr 2015 17:41:48 +0800
4Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
5
6One of the operation on the reader could resolve entities
7leading to the classic expansion issue. Make sure the
8buffer used for xmlreader operation is bounded.
9Introduce a new allocation type for the buffers for this effect.
10
11Upstream-Status: Backport
12
13Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
14Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
15---
16 buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
17 include/libxml/tree.h | 3 ++-
18 xmlreader.c | 20 +++++++++++++++++++-
19 3 files changed, 63 insertions(+), 3 deletions(-)
20
21diff --git a/buf.c b/buf.c
22index 6efc7b6..07922ff 100644
23--- a/buf.c
24+++ b/buf.c
25@@ -27,6 +27,7 @@
26 #include <libxml/tree.h>
27 #include <libxml/globals.h>
28 #include <libxml/tree.h>
29+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
30 #include "buf.h"
31
32 #define WITH_BUFFER_COMPAT
33@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
34 if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
35 (scheme == XML_BUFFER_ALLOC_EXACT) ||
36 (scheme == XML_BUFFER_ALLOC_HYBRID) ||
37- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
38+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
39+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
40 buf->alloc = scheme;
41 if (buf->buffer)
42 buf->buffer->alloc = scheme;
43@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
44 size = buf->use + len + 100;
45 #endif
46
47+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
48+ /*
49+ * Used to provide parsing limits
50+ */
51+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
52+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
53+ xmlBufMemoryError(buf, "buffer error: text too long\n");
54+ return(0);
55+ }
56+ if (size >= XML_MAX_TEXT_LENGTH)
57+ size = XML_MAX_TEXT_LENGTH;
58+ }
59 if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
60 size_t start_buf = buf->content - buf->contentIO;
61
62@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
63 CHECK_COMPAT(buf)
64
65 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
66+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
67+ /*
68+ * Used to provide parsing limits
69+ */
70+ if (size >= XML_MAX_TEXT_LENGTH) {
71+ xmlBufMemoryError(buf, "buffer error: text too long\n");
72+ return(0);
73+ }
74+ }
75
76 /* Don't resize if we don't have to */
77 if (size < buf->size)
78@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
79
80 needSize = buf->use + len + 2;
81 if (needSize > buf->size){
82+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
83+ /*
84+ * Used to provide parsing limits
85+ */
86+ if (needSize >= XML_MAX_TEXT_LENGTH) {
87+ xmlBufMemoryError(buf, "buffer error: text too long\n");
88+ return(-1);
89+ }
90+ }
91 if (!xmlBufResize(buf, needSize)){
92 xmlBufMemoryError(buf, "growing buffer");
93 return XML_ERR_NO_MEMORY;
94@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
95 }
96 needSize = buf->use + len + 2;
97 if (needSize > buf->size){
98+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
99+ /*
100+ * Used to provide parsing limits
101+ */
102+ if (needSize >= XML_MAX_TEXT_LENGTH) {
103+ xmlBufMemoryError(buf, "buffer error: text too long\n");
104+ return(-1);
105+ }
106+ }
107 if (!xmlBufResize(buf, needSize)){
108 xmlBufMemoryError(buf, "growing buffer");
109 return XML_ERR_NO_MEMORY;
110diff --git a/include/libxml/tree.h b/include/libxml/tree.h
111index 2f90717..4a9b3bc 100644
112--- a/include/libxml/tree.h
113+++ b/include/libxml/tree.h
114@@ -76,7 +76,8 @@ typedef enum {
115 XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
116 XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
117 XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
118- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
119+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
120+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
121 } xmlBufferAllocationScheme;
122
123 /**
124diff --git a/xmlreader.c b/xmlreader.c
125index f19e123..471e7e2 100644
126--- a/xmlreader.c
127+++ b/xmlreader.c
128@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
129 "xmlNewTextReader : malloc failed\n");
130 return(NULL);
131 }
132+ /* no operation on a reader should require a huge buffer */
133+ xmlBufSetAllocationScheme(ret->buffer,
134+ XML_BUFFER_ALLOC_BOUNDED);
135 ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
136 if (ret->sax == NULL) {
137 xmlBufFree(ret->buffer);
138@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
139 return(((xmlNsPtr) node)->href);
140 case XML_ATTRIBUTE_NODE:{
141 xmlAttrPtr attr = (xmlAttrPtr) node;
142+ const xmlChar *ret;
143
144 if ((attr->children != NULL) &&
145 (attr->children->type == XML_TEXT_NODE) &&
146@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
147 "xmlTextReaderSetup : malloc failed\n");
148 return (NULL);
149 }
150+ xmlBufSetAllocationScheme(reader->buffer,
151+ XML_BUFFER_ALLOC_BOUNDED);
152 } else
153 xmlBufEmpty(reader->buffer);
154 xmlBufGetNodeContent(reader->buffer, node);
155- return(xmlBufContent(reader->buffer));
156+ ret = xmlBufContent(reader->buffer);
157+ if (ret == NULL) {
158+ /* error on the buffer best to reallocate */
159+ xmlBufFree(reader->buffer);
160+ reader->buffer = xmlBufCreateSize(100);
161+ xmlBufSetAllocationScheme(reader->buffer,
162+ XML_BUFFER_ALLOC_BOUNDED);
163+ ret = BAD_CAST "";
164+ }
165+ return(ret);
166 }
167 break;
168 }
169@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
170 "xmlTextReaderSetup : malloc failed\n");
171 return (-1);
172 }
173+ /* no operation on a reader should require a huge buffer */
174+ xmlBufSetAllocationScheme(reader->buffer,
175+ XML_BUFFER_ALLOC_BOUNDED);
176 if (reader->sax == NULL)
177 reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
178 if (reader->sax == NULL) {
179--
1801.7.9.5
181