3 files changed, 271 insertions, 0 deletions
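--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -33,6 +33,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
 file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
 file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
 file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
+file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \
+file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
 "
 
 BINCONFIG = "${bindir}/xml2-config"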
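Review bot: The order of the two new SRC_URI entries is load-bearing and nothing records it: the CVE-2015-7500 patch modifies result/errors/754946.xml.err, which only exists once 0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch has created it, so swapping them or re-sorting the list later would break do_patch. Patches are applied in SRC_URI order, so I would pin the dependency with a comment placed above the assignment rather than inside the quoted continuation, where it would not be treated as a comment: `# 0001-Fix-a-bug-on-name-parsing-... must precede the CVE-2015-7500 backport (it creates the 754946 test files that patch modifies)`. The SRC_URI assignment starts outside the hunk.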
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch new file mode 100644 index 0000000000..b4860791bf --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch | |||
@@ -0,0 +1,131 @@ | |||
1 | From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Veillard <veillard@redhat.com> | ||
3 | Date: Fri, 20 Nov 2015 16:06:59 +0800 | ||
4 | Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect | ||
5 | entities boundaries | ||
6 | |||
7 | For https://bugzilla.gnome.org/show_bug.cgi?id=756525 | ||
8 | handle properly the case where we popped out of the current entity | ||
9 | while processing a start tag | ||
10 | Reported by Kostya Serebryany @ Google | ||
11 | |||
12 | This slightly modifies the output of 754946 in regression tests | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | CVE-2015-7500 | ||
17 | |||
18 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
19 | |||
20 | --- | ||
21 | parser.c | 28 ++++++++++++++++++++++------ | ||
22 | result/errors/754946.xml.err | 7 +++++-- | ||
23 | 2 files changed, 27 insertions(+), 8 deletions(-) | ||
24 | |||
25 | diff --git a/parser.c b/parser.c | ||
26 | index c7e4574..c5741e3 100644 | ||
27 | --- a/parser.c | ||
28 | +++ b/parser.c | ||
29 | @@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, | ||
30 | const xmlChar **atts = ctxt->atts; | ||
31 | int maxatts = ctxt->maxatts; | ||
32 | int nratts, nbatts, nbdef; | ||
33 | - int i, j, nbNs, attval, oldline, oldcol; | ||
34 | + int i, j, nbNs, attval, oldline, oldcol, inputNr; | ||
35 | const xmlChar *base; | ||
36 | unsigned long cur; | ||
37 | int nsNr = ctxt->nsNr; | ||
38 | @@ -9367,6 +9367,7 @@ reparse: | ||
39 | SHRINK; | ||
40 | base = ctxt->input->base; | ||
41 | cur = ctxt->input->cur - ctxt->input->base; | ||
42 | + inputNr = ctxt->inputNr; | ||
43 | oldline = ctxt->input->line; | ||
44 | oldcol = ctxt->input->col; | ||
45 | nbatts = 0; | ||
46 | @@ -9392,7 +9393,8 @@ reparse: | ||
47 | */ | ||
48 | SKIP_BLANKS; | ||
49 | GROW; | ||
50 | - if (ctxt->input->base != base) goto base_changed; | ||
51 | + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) | ||
52 | + goto base_changed; | ||
53 | |||
54 | while (((RAW != '>') && | ||
55 | ((RAW != '/') || (NXT(1) != '>')) && | ||
56 | @@ -9403,7 +9405,7 @@ reparse: | ||
57 | |||
58 | attname = xmlParseAttribute2(ctxt, prefix, localname, | ||
59 | &aprefix, &attvalue, &len, &alloc); | ||
60 | - if (ctxt->input->base != base) { | ||
61 | + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { | ||
62 | if ((attvalue != NULL) && (alloc != 0)) | ||
63 | xmlFree(attvalue); | ||
64 | attvalue = NULL; | ||
65 | @@ -9552,7 +9554,8 @@ skip_ns: | ||
66 | break; | ||
67 | } | ||
68 | SKIP_BLANKS; | ||
69 | - if (ctxt->input->base != base) goto base_changed; | ||
70 | + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) | ||
71 | + goto base_changed; | ||
72 | continue; | ||
73 | } | ||
74 | |||
75 | @@ -9589,7 +9592,8 @@ failed: | ||
76 | GROW | ||
77 | if (ctxt->instate == XML_PARSER_EOF) | ||
78 | break; | ||
79 | - if (ctxt->input->base != base) goto base_changed; | ||
80 | + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) | ||
81 | + goto base_changed; | ||
82 | if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) | ||
83 | break; | ||
84 | if (!IS_BLANK_CH(RAW)) { | ||
85 | @@ -9605,7 +9609,8 @@ failed: | ||
86 | break; | ||
87 | } | ||
88 | GROW; | ||
89 | - if (ctxt->input->base != base) goto base_changed; | ||
90 | + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) | ||
91 | + goto base_changed; | ||
92 | } | ||
93 | |||
94 | /* | ||
95 | @@ -9772,6 +9777,17 @@ base_changed: | ||
96 | if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) | ||
97 | xmlFree((xmlChar *) atts[i]); | ||
98 | } | ||
99 | + | ||
100 | + /* | ||
101 | + * We can't switch from one entity to another in the middle | ||
102 | + * of a start tag | ||
103 | + */ | ||
104 | + if (inputNr != ctxt->inputNr) { | ||
105 | + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, | ||
106 | + "Start tag doesn't start and stop in the same entity\n"); | ||
107 | + return(NULL); | ||
108 | + } | ||
109 | + | ||
110 | ctxt->input->cur = ctxt->input->base + cur; | ||
111 | ctxt->input->line = oldline; | ||
112 | ctxt->input->col = oldcol; | ||
113 | diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err | ||
114 | index 423dff5..a75088b 100644 | ||
115 | --- a/result/errors/754946.xml.err | ||
116 | +++ b/result/errors/754946.xml.err | ||
117 | @@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated | ||
118 | Entity: line 1: | ||
119 | A<lbbbbbbbbbbbbbbbbbbb_ | ||
120 | ^ | ||
121 | +./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity | ||
122 | +>%SYSTEM;<![ | ||
123 | + ^ | ||
124 | ./test/errors/754946.xml:1: parser error : Extra content at the end of the document | ||
125 | -<!DOCTYPEA[<!ENTITY % | ||
126 | - ^ | ||
127 | +>%SYSTEM;<![ | ||
128 | + ^ | ||
129 | -- | ||
130 | 2.3.5 | ||
131 | |||
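Review bot: The new entity-boundary bail-out at base_changed (patch lines 104-108) frees the attribute values but returns NULL without unwinding the namespace stack, so any prefix pushed by nsPush during the aborted attempt stays above the level captured in `nsNr` at entry (patch line 37). The document is already fatal at that point, but as far as I recall xmlParseElement's NULL-name path only does spacePop, so a defensive `if (ctxt->nsNr > nsNr) nsPop(ctxt, ctxt->nsNr - nsNr);` placed before the `return(NULL);` would keep the stack consistent if the caller does not; please confirm against the caller. The reparse path that follows keeps its previous behaviour, so this only concerns the new early return. xmlParseStartTag2 starts and ends outside the hunk.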
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch new file mode 100644 index 0000000000..a86b9ee86e --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch | |||
@@ -0,0 +1,138 @@ | |||
1 | From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Veillard <veillard@redhat.com> | ||
3 | Date: Tue, 15 Sep 2015 16:50:32 +0800 | ||
4 | Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer | ||
5 | |||
6 | For https://bugzilla.gnome.org/show_bug.cgi?id=754946 | ||
7 | |||
8 | When hitting the end of the current input buffer while parsing | ||
9 | a name we could end up loosing the beginning of the name, which | ||
10 | led to various issues. | ||
11 | |||
12 | Upstream-Status: backport | ||
13 | |||
14 | Depend patch for CVE-2015-7500 | ||
15 | |||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | --- | ||
18 | parser.c | 29 ++++++++++++++++++++--------- | ||
19 | result/errors/754946.xml | 0 | ||
20 | result/errors/754946.xml.err | 16 ++++++++++++++++ | ||
21 | result/errors/754946.xml.str | 4 ++++ | ||
22 | test/errors/754946.xml | 1 + | ||
23 | 5 files changed, 41 insertions(+), 9 deletions(-) | ||
24 | create mode 100644 result/errors/754946.xml | ||
25 | create mode 100644 result/errors/754946.xml.err | ||
26 | create mode 100644 result/errors/754946.xml.str | ||
27 | create mode 100644 test/errors/754946.xml | ||
28 | |||
29 | diff --git a/parser.c b/parser.c | ||
30 | index 0edd53b..fd29a39 100644 | ||
31 | --- a/parser.c | ||
32 | +++ b/parser.c | ||
33 | @@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { | ||
34 | c = CUR_CHAR(l); | ||
35 | if (c == 0) { | ||
36 | count = 0; | ||
37 | + /* | ||
38 | + * when shrinking to extend the buffer we really need to preserve | ||
39 | + * the part of the name we already parsed. Hence rolling back | ||
40 | + * by current lenght. | ||
41 | + */ | ||
42 | + ctxt->input->cur -= l; | ||
43 | GROW; | ||
44 | + ctxt->input->cur += l; | ||
45 | if (ctxt->instate == XML_PARSER_EOF) | ||
46 | return(NULL); | ||
47 | end = ctxt->input->cur; | ||
48 | @@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { | ||
49 | |||
50 | static const xmlChar * | ||
51 | xmlParseNCName(xmlParserCtxtPtr ctxt) { | ||
52 | - const xmlChar *in; | ||
53 | + const xmlChar *in, *e; | ||
54 | const xmlChar *ret; | ||
55 | int count = 0; | ||
56 | |||
57 | @@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { | ||
58 | * Accelerator for simple ASCII names | ||
59 | */ | ||
60 | in = ctxt->input->cur; | ||
61 | - if (((*in >= 0x61) && (*in <= 0x7A)) || | ||
62 | - ((*in >= 0x41) && (*in <= 0x5A)) || | ||
63 | - (*in == '_')) { | ||
64 | + e = ctxt->input->end; | ||
65 | + if ((((*in >= 0x61) && (*in <= 0x7A)) || | ||
66 | + ((*in >= 0x41) && (*in <= 0x5A)) || | ||
67 | + (*in == '_')) && (in < e)) { | ||
68 | in++; | ||
69 | - while (((*in >= 0x61) && (*in <= 0x7A)) || | ||
70 | - ((*in >= 0x41) && (*in <= 0x5A)) || | ||
71 | - ((*in >= 0x30) && (*in <= 0x39)) || | ||
72 | - (*in == '_') || (*in == '-') || | ||
73 | - (*in == '.')) | ||
74 | + while ((((*in >= 0x61) && (*in <= 0x7A)) || | ||
75 | + ((*in >= 0x41) && (*in <= 0x5A)) || | ||
76 | + ((*in >= 0x30) && (*in <= 0x39)) || | ||
77 | + (*in == '_') || (*in == '-') || | ||
78 | + (*in == '.')) && (in < e)) | ||
79 | in++; | ||
80 | + if (in >= e) | ||
81 | + goto complex; | ||
82 | if ((*in > 0) && (*in < 0x80)) { | ||
83 | count = in - ctxt->input->cur; | ||
84 | if ((count > XML_MAX_NAME_LENGTH) && | ||
85 | @@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { | ||
86 | return(ret); | ||
87 | } | ||
88 | } | ||
89 | +complex: | ||
90 | return(xmlParseNCNameComplex(ctxt)); | ||
91 | } | ||
92 | |||
93 | diff --git a/result/errors/754946.xml b/result/errors/754946.xml | ||
94 | new file mode 100644 | ||
95 | index 0000000..e69de29 | ||
96 | diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err | ||
97 | new file mode 100644 | ||
98 | index 0000000..423dff5 | ||
99 | --- /dev/null | ||
100 | +++ b/result/errors/754946.xml.err | ||
101 | @@ -0,0 +1,16 @@ | ||
102 | +Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration | ||
103 | + | ||
104 | + %SYSTEM; | ||
105 | + ^ | ||
106 | +Entity: line 1: | ||
107 | +A<lbbbbbbbbbbbbbbbbbbb_ | ||
108 | +^ | ||
109 | +Entity: line 1: parser error : DOCTYPE improperly terminated | ||
110 | + %SYSTEM; | ||
111 | + ^ | ||
112 | +Entity: line 1: | ||
113 | +A<lbbbbbbbbbbbbbbbbbbb_ | ||
114 | +^ | ||
115 | +./test/errors/754946.xml:1: parser error : Extra content at the end of the document | ||
116 | +<!DOCTYPEA[<!ENTITY % | ||
117 | + ^ | ||
118 | diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str | ||
119 | new file mode 100644 | ||
120 | index 0000000..3b748cc | ||
121 | --- /dev/null | ||
122 | +++ b/result/errors/754946.xml.str | ||
123 | @@ -0,0 +1,4 @@ | ||
124 | +./test/errors/754946.xml:1: parser error : Extra content at the end of the document | ||
125 | +<!DOCTYPEA[<!ENTITY % | ||
126 | + ^ | ||
127 | +./test/errors/754946.xml : failed to parse | ||
128 | diff --git a/test/errors/754946.xml b/test/errors/754946.xml | ||
129 | new file mode 100644 | ||
130 | index 0000000..6b5f9b0 | ||
131 | --- /dev/null | ||
132 | +++ b/test/errors/754946.xml | ||
133 | @@ -0,0 +1 @@ | ||
134 | +<!DOCTYPEA[<!ENTITY % SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_" >%SYSTEM;<![ | ||
135 | \ No newline at end of file | ||
136 | -- | ||
137 | 2.3.5 | ||
138 | |||
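Review bot: In xmlParseNCName the new `(in < e)` guards (patch lines 65-67 and 74-78) are evaluated after `*in` has already been dereferenced, because they sit at the end of an `&&` chain whose left operands read `*in`; the bound is therefore checked one byte too late and the read at `e` still happens. As far as I know libxml2 keeps its input buffers NUL-terminated, so that byte is the terminator in practice, but the test should come first so it actually guards the read: `if ((in < e) && (((*in >= 0x61) && (*in <= 0x7A)) ||` and likewise `while ((in < e) && (((*in >= 0x61) && (*in <= 0x7A)) ||`. The comment added in xmlParseNCNameComplex also misspells `length` as `lenght`. Both functions start and end outside the hunk; the rest of the ASCII accelerator is unchanged.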