author | Armin Kuster <akuster@mvista.com> | 2016-07-09 15:12:44 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-07-27 08:29:59 +0100 |
commit | ad7cab35ffda97e753ce87958ce3de049c294f8e (patch) | |
tree | c338ff8ceff0ef57c9cf9c8a47148f6e54d13c5c /meta | |
parent | 4e260c96f4a3535a6874a8361f7e58a2fa1ca7ed (diff) | |
download | poky-ad7cab35ffda97e753ce87958ce3de049c294f8e.tar.gz |
libxml2: Security fix for CVE-2016-4447
Affects libxml2 < 2.9.4
(From OE-Core rev: b817c98017cb64f902cdae514fb162b3199a0a14)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch | 208 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 209 insertions, 0 deletions
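--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch
@@ -0,0 +1,208 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml). Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly. This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+
+Upstream-Status: Backport
+CVE: CVE-2016-4447
+Signed-off-by: Armin Kuster <akuster@mvist.com>
+
+---
+parser.c | 2 ++
+result/errors/759573-2.xml | 0
+result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+result/errors/759573-2.xml.str | 4 +++
+result/errors/759573.xml | 0
+result/errors/759573.xml.err | 31 ++++++++++++++++++++++
+result/errors/759573.xml.str | 4 +++
+test/errors/759573-2.xml | 9 +++++++
+test/errors/759573.xml | 1 +
+9 files changed, 109 insertions(+)
+create mode 100644 result/errors/759573-2.xml
+create mode 100644 result/errors/759573-2.xml.err
+create mode 100644 result/errors/759573-2.xml.str
+create mode 100644 result/errors/759573.xml
+create mode 100644 result/errors/759573.xml.err
+create mode 100644 result/errors/759573.xml.str
+create mode 100644 test/errors/759573-2.xml
+create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6723,6 +6723,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctx
+if (!IS_BLANK_CH(CUR)) {
+xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+"Space required after 'ELEMENT'\n");
++ return(-1);
+}
+SKIP_BLANKS;
+name = xmlParseName(ctxt);
+@@ -6874,6 +6875,7 @@ xmlParseConditionalSections(xmlParserCtx
+
+if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++ xmlHaltParser(ctxt);
+break;
+}
+}
+Index: libxml2-2.9.2/result/errors/759573-2.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.err
+@@ -0,0 +1,58 @@
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : Space required after 'ELEMENT'
++ %xx;
++ ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++ ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++ ^
++./test/errors/759573-2.xml:6: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++%xx;ÿggKENSMYNT#MENTDŴzz;'>
++ ^
++./test/errors/759573-2.xml:6: parser error : DOCTYPE improperly terminated
++%xx;ÿggKENSMYNT#MENTDŴzz;'>
++ ^
++./test/errors/759573-2.xml:6: parser error : Start tag expected, '<' not found
++%xx;ÿggKENSMYNT#MENTDŴzz;'>
++ ^
+Index: libxml2-2.9.2/result/errors/759573-2.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573-2.xml:2: parser error : Extra content at the end of the document
++<!DOCTYPE test [
++ ^
++./test/errors/759573-2.xml : failed to parse
+Index: libxml2-2.9.2/result/errors/759573.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573.xml.err
+@@ -0,0 +1,31 @@
++./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
++ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITY
++ ^
++./test/errors/759573.xml:1: parser error : Space required after the entity name
++LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz
++ ^
++./test/errors/759573.xml:1: parser error : Entity value required
++LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz
++ ^
++Entity: line 1: parser error : PEReference: no name
++ %xx;
++ ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++ ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++ ^
++./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
++ ^
++./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
++ ^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
++ ^
+Index: libxml2-2.9.2/result/errors/759573.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573.xml:1: parser error : Extra content at the end of the document
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
++ ^
++./test/errors/759573.xml : failed to parse
+Index: libxml2-2.9.2/test/errors/759573-2.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759573-2.xml
+@@ -0,0 +1,9 @@
++<?xmh ven="1.0"?>
++<!DOCTYPE test [
++<!ELEMENT test (#PCDATA) >
++<!ENTITY % xx '%zz; <![INCLUDE[ %zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;'>
++<!ENTITY % zz '<!ENTITY<?xDOCTYPEm~?>' >
++%xx;ÿggKENSMYNT#MENTDŴzz;'>
++<!ENBITY % zz '<!EN#3&##37;z ';!EY'#x;g
++<!ENTent ref="bè:b>r.B"/>
++e </
+\ No newline at end of file
+Index: libxml2-2.9.2/test/errors/759573.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759573.xml
+@@ -0,0 +1 @@
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
+\ No newline at end of file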
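Review bot: The added `xmlHaltParser(ctxt);` in the embedded xmlParseConditionalSections hunk calls a function this patch does not define, and as far as I know upstream only added xmlHaltParser() after the 2.9.2 release this recipe builds. The SRC_URI context visible in the recipe hunk shows only CVE-2016-1762, CVE-2016-1835, CVE-2016-1833 and CVE-2016-3627 ahead of it, so please confirm that an earlier SRC_URI entry backports xmlHaltParser() and that this patch applies after it. Both parser.c hunks show only a few lines of their enclosing functions, so the state left behind by the new early `return(-1);` in xmlParseElementDecl cannot be checked from this page. Separately, the patch's own diffstat lists `result/errors/759573-2.xml` and `result/errors/759573.xml` as created, but no Index section carries them, so those empty expected-output files may be missing if the regression suite is run against this tree. The inner `Signed-off-by` address reads `akuster@mvist.com`, which differs from the commit author's `akuster@mvista.com`.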
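--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -17,6 +17,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
 file://CVE-2016-1835.patch \
 file://CVE-2016-1833.patch \
 file://CVE-2016-3627.patch \
+file://CVE-2016-4447.patch \
 "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"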