diff options
author | Armin Kuster <akuster@mvista.com> | 2015-11-11 14:21:46 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-11-25 08:08:08 +0000 |
commit | 8514d21e6a8fef634d6f361bdfd19ef87a3e5567 (patch) | |
tree | 20cbd370438bf21329766267072452ac1121c7e1 /meta | |
parent | e864f71f4cc2e1cedfd36a8b9ab526fdb76fbb7d (diff) | |
download | poky-8514d21e6a8fef634d6f361bdfd19ef87a3e5567.tar.gz |
libxml2: fix CVE-2015-7942 and CVE-2015-8035
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
[YOCTO #8641]
(From OE-Core rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 2 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch | 55 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch | 41 |
3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 1c3c37d509..6ada401385 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc | |||
@@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
21 | file://libxml-m4-use-pkgconfig.patch \ | 21 | file://libxml-m4-use-pkgconfig.patch \ |
22 | file://configure.ac-fix-cross-compiling-warning.patch \ | 22 | file://configure.ac-fix-cross-compiling-warning.patch \ |
23 | file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ | 23 | file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ |
24 | file://CVE-2015-7942.patch \ | ||
25 | file://CVE-2015-8035.patch \ | ||
24 | " | 26 | " |
25 | 27 | ||
26 | BINCONFIG = "${bindir}/xml2-config" | 28 | BINCONFIG = "${bindir}/xml2-config" |
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch new file mode 100644 index 0000000000..a5930ed29b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | libxml2: CVE-2015-7942 | ||
2 | |||
3 | From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 | ||
4 | From: Daniel Veillard <veillard@redhat.com> | ||
5 | Date: Mon, 23 Feb 2015 11:29:20 +0800 | ||
6 | Subject: Cleanup conditional section error handling | ||
7 | |||
8 | For https://bugzilla.gnome.org/show_bug.cgi?id=744980 | ||
9 | |||
10 | The error handling of Conditional Section also need to be | ||
11 | straightened as the structure of the document can't be | ||
12 | guessed on a failure there and it's better to stop parsing | ||
13 | as further errors are likely to be irrelevant. | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 | ||
17 | |||
18 | [YOCTO #8641] | ||
19 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
20 | |||
21 | --- | ||
22 | parser.c | 6 ++++++ | ||
23 | 1 file changed, 6 insertions(+) | ||
24 | |||
25 | Index: libxml2-2.9.2/parser.c | ||
26 | =================================================================== | ||
27 | --- libxml2-2.9.2.orig/parser.c | ||
28 | +++ libxml2-2.9.2/parser.c | ||
29 | @@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx | ||
30 | SKIP_BLANKS; | ||
31 | if (RAW != '[') { | ||
32 | xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); | ||
33 | + xmlStopParser(ctxt); | ||
34 | + return; | ||
35 | } else { | ||
36 | if (ctxt->input->id != id) { | ||
37 | xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, | ||
38 | @@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx | ||
39 | SKIP_BLANKS; | ||
40 | if (RAW != '[') { | ||
41 | xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); | ||
42 | + xmlStopParser(ctxt); | ||
43 | + return; | ||
44 | } else { | ||
45 | if (ctxt->input->id != id) { | ||
46 | xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, | ||
47 | @@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx | ||
48 | |||
49 | } else { | ||
50 | xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); | ||
51 | + xmlStopParser(ctxt); | ||
52 | + return; | ||
53 | } | ||
54 | |||
55 | if (RAW == 0) | ||
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch new file mode 100644 index 0000000000..d175f7453c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | libxml2: CVE-2015-8035 | ||
2 | |||
3 | From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 | ||
4 | From: Daniel Veillard <veillard@redhat.com> | ||
5 | Date: Tue, 3 Nov 2015 15:31:25 +0800 | ||
6 | Subject: CVE-2015-8035 Fix XZ compression support loop | ||
7 | |||
8 | For https://bugzilla.gnome.org/show_bug.cgi?id=757466 | ||
9 | DoS when parsing specially crafted XML document if XZ support | ||
10 | is compiled in (which wasn't the case for 2.9.2 and master since | ||
11 | Nov 2013, fixed in next commit !) | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 | ||
15 | |||
16 | [YOCTO #8641] | ||
17 | |||
18 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
19 | |||
20 | --- | ||
21 | xzlib.c | 4 ++++ | ||
22 | 1 file changed, 4 insertions(+) | ||
23 | |||
24 | diff --git a/xzlib.c b/xzlib.c | ||
25 | index 0dcb9f4..1fab546 100644 | ||
26 | --- a/xzlib.c | ||
27 | +++ b/xzlib.c | ||
28 | @@ -581,6 +581,10 @@ xz_decomp(xz_statep state) | ||
29 | xz_error(state, LZMA_DATA_ERROR, "compressed data error"); | ||
30 | return -1; | ||
31 | } | ||
32 | + if (ret == LZMA_PROG_ERROR) { | ||
33 | + xz_error(state, LZMA_PROG_ERROR, "compression error"); | ||
34 | + return -1; | ||
35 | + } | ||
36 | } while (strm->avail_out && ret != LZMA_STREAM_END); | ||
37 | |||
38 | /* update available output and crc check value */ | ||
39 | -- | ||
40 | cgit v0.11.2 | ||
41 | |||