libxml2: fix CVE-2018-9251 and CVE-2018-14567

(From OE-Core rev: b91b276696fb5e0b633b73be408bd750ac4e28ce) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2018-08-17 15:22:41 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-20 17:38:23 +0100
commit: e18f891394e7c6dc0917597f394b424d5e47642d (patch)
tree: 5b1e7cc48cf80c6dca1dee821618e5fc803c571d /meta
parent: bd1e1aaf1dfbf00264ebad1ef603d7d3c38465db (diff)
download: poky-e18f891394e7c6dc0917597f394b424d5e47642d.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch
new file mode 100644
index 0000000000..16c229574c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch
@@ -0,0 +1,55 @@
+From 28a9dc642ffd759df1e48be247a114f440a6c16e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Check the liblzma error code more thoroughly to avoid infinite loops.
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+This is CVE-2018-9251 and CVE-2018-14567.
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+CVE: CVE-2018-9251
+CVE: CVE-2018-14567
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/xzlib.c b/xzlib.c
+index a839169..0ba88cf 100644
+--- a/xzlib.c
+++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
+            /*
+             * FIXME: Remapping a couple of error codes and falling through
+             * to the LZMA error handling looks fragile.
+             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
+        if ((state->how != GZIP) &&
+            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
+            xz_error(state, ret, "lzma error");
+            return -1;
+        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.7.4
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index 4ebd2ef383..f01cb2cd34 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://fix-execution-of-ptests.patch \
           file://fix-CVE-2017-8872.patch \
           file://fix-CVE-2018-14404.patch \
+           file://0001-Fix-infinite-loop-in-LZMA-decompression.patch \
           "
 SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
author	Hongxu Jia <hongxu.jia@windriver.com>	2018-08-17 15:22:41 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-20 17:38:23 +0100
commit	e18f891394e7c6dc0917597f394b424d5e47642d (patch)
tree	5b1e7cc48cf80c6dca1dee821618e5fc803c571d /meta
parent	bd1e1aaf1dfbf00264ebad1ef603d7d3c38465db (diff)
download	poky-e18f891394e7c6dc0917597f394b424d5e47642d.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch new file mode 100644 index 0000000000..16c229574c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch
@@ -0,0 +1,55 @@
		1	From 28a9dc642ffd759df1e48be247a114f440a6c16e Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Mon, 30 Jul 2018 13:14:11 +0200
		4	Subject: [PATCH] Fix infinite loop in LZMA decompression
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Check the liblzma error code more thoroughly to avoid infinite loops.
		10
		11	Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
		12	Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
		13
		14	This is CVE-2018-9251 and CVE-2018-14567.
		15
		16	Thanks to Dongliang Mu and Simon Wörner for the reports.
		17
		18	CVE: CVE-2018-9251
		19	CVE: CVE-2018-14567
		20	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74]
		21	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		22	---
		23	xzlib.c \| 9 +++++++++
		24	1 file changed, 9 insertions(+)
		25
		26	diff --git a/xzlib.c b/xzlib.c
		27	index a839169..0ba88cf 100644
		28	--- a/xzlib.c
		29	+++ b/xzlib.c
		30	@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
		31	"internal error: inflate stream corrupt");
		32	return -1;
		33	}
		34	+ /*
		35	+ * FIXME: Remapping a couple of error codes and falling through
		36	+ * to the LZMA error handling looks fragile.
		37	+ */
		38	if (ret == Z_MEM_ERROR)
		39	ret = LZMA_MEM_ERROR;
		40	if (ret == Z_DATA_ERROR)
		41	@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
		42	xz_error(state, LZMA_PROG_ERROR, "compression error");
		43	return -1;
		44	}
		45	+ if ((state->how != GZIP) &&
		46	+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
		47	+ xz_error(state, ret, "lzma error");
		48	+ return -1;
		49	+ }
		50	} while (strm->avail_out && ret != LZMA_STREAM_END);
		51
		52	/* update available output and crc check value */
		53	--
		54	2.7.4
		55


diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb index 4ebd2ef383..f01cb2cd34 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.8.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
22	file://fix-execution-of-ptests.patch \	22	file://fix-execution-of-ptests.patch \
23	file://fix-CVE-2017-8872.patch \	23	file://fix-CVE-2017-8872.patch \
24	file://fix-CVE-2018-14404.patch \	24	file://fix-CVE-2018-14404.patch \
		25	file://0001-Fix-infinite-loop-in-LZMA-decompression.patch \
25	"	26	"
26		27
27	SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"	28	SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"