2 files changed, 208 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
new file mode 100644
index 0000000000..3581ab83df
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
@@ -0,0 +1,207 @@
+From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Fri, 7 Apr 2017 16:45:56 +0200
+Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
+ even local
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
+* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
+* include/libxml/xmlerror.h: new error raised
+* xmllint.c: adds --noxxe flag to activate the option
+Upstream-Status: Backport
+CVE: CVE-2016-9318
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ elfgcchack.h              | 10 ++++++++++
+ include/libxml/parser.h   |  3 ++-
+ include/libxml/xmlIO.h    |  8 ++++++++
+ include/libxml/xmlerror.h |  1 +
+ parser.c                  |  4 ++++
+ xmlIO.c                   | 40 +++++++++++++++++++++++++++++++++++-----
+ xmllint.c                 |  5 +++++
+ 7 files changed, 65 insertions(+), 6 deletions(-)
+diff --git a/elfgcchack.h b/elfgcchack.h
+index 8c52884..1b81dcd 100644
+--- a/elfgcchack.h
+++ b/elfgcchack.h
+@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
+ #endif
+ #endif
+ 
+#ifdef bottom_xmlIO
+#undef xmlNoXxeExternalEntityLoader
+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
+#else
+#ifndef xmlNoXxeExternalEntityLoader
+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
+#endif
+#endif
+
+ #ifdef bottom_tree
+ #undef xmlNodeAddContent
+ extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index 47fbec0..63ca1b9 100644
+--- a/include/libxml/parser.h
+++ b/include/libxml/parser.h
+@@ -1111,7 +1111,8 @@ typedef enum {
+     XML_PARSE_HUGE      = 1<<19,/* relax any hardcoded limit from the parser */
+     XML_PARSE_OLDSAX    = 1<<20,/* parse using SAX2 interface before 2.7.0 */
+     XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
+-    XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
+    XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
+    XML_PARSE_NOXXE    = 1<<23 /* Forbid any external entity loading */
+ } xmlParserOption;
+ 
+ XMLPUBFUN void XMLCALL
+diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
+index 3e41744..8d3fdef 100644
+--- a/include/libxml/xmlIO.h
+++ b/include/libxml/xmlIO.h
+@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
+                                         xmlParserCtxtPtr ctxt);
+ 
+ /*
+ * A predefined entity loader external entity expansion
+ */
+XMLPUBFUN xmlParserInputPtr XMLCALL
+       xmlNoXxeExternalEntityLoader    (const char *URL,
+                                        const char *ID,
+                                        xmlParserCtxtPtr ctxt);
+
+/*
+  * xmlNormalizeWindowsPath is obsolete, don't use it.
+  * Check xmlCanonicPath in uri.h for a better alternative.
+  */
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 037c16d..3036062 100644
+--- a/include/libxml/xmlerror.h
+++ b/include/libxml/xmlerror.h
+@@ -470,6 +470,7 @@ typedef enum {
+     XML_IO_EADDRINUSE, /* 1554 */
+     XML_IO_EALREADY, /* 1555 */
+     XML_IO_EAFNOSUPPORT, /* 1556 */
+    XML_IO_ILLEGAL_XXE, /* 1557 */
+     XML_XINCLUDE_RECURSION=1600,
+     XML_XINCLUDE_PARSE_VALUE, /* 1601 */
+     XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
+diff --git a/parser.c b/parser.c
+index 53a6b7f..609a270 100644
+--- a/parser.c
+++ b/parser.c
+@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+        ctxt->options |= XML_PARSE_NONET;
+         options -= XML_PARSE_NONET;
+     }
+    if (options & XML_PARSE_NOXXE) {
+       ctxt->options |= XML_PARSE_NOXXE;
+        options -= XML_PARSE_NOXXE;
+    }
+     if (options & XML_PARSE_COMPACT) {
+        ctxt->options |= XML_PARSE_COMPACT;
+         options -= XML_PARSE_COMPACT;
+diff --git a/xmlIO.c b/xmlIO.c
+index 1a79c09..304f822 100644
+--- a/xmlIO.c
+++ b/xmlIO.c
+@@ -210,6 +210,7 @@ static const char *IOerr[] = {
+     "adddress in use",         /* EADDRINUSE */
+     "already in use",          /* EALREADY */
+     "unknown address familly", /* EAFNOSUPPORT */
+    "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
+ };
+ 
+ #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
+@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
+     xmlGenericError(xmlGenericErrorContext,
+                     "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
+ #endif
+-    if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
+    if (ctxt != NULL) {
+         int options = ctxt->options;
+ 
+-       ctxt->options -= XML_PARSE_NONET;
+-        ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+-       ctxt->options = options;
+-       return(ret);
+        if (options & XML_PARSE_NOXXE) {
+            ctxt->options -= XML_PARSE_NOXXE;
+            ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
+            ctxt->options = options;
+            return(ret);
+        }
+ 
+        if (options & XML_PARSE_NONET) {
+            ctxt->options -= XML_PARSE_NONET;
+            ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+            ctxt->options = options;
+            return(ret);
+        }
+     }
+ #ifdef LIBXML_CATALOG_ENABLED
+     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+     xmlParserInputPtr input = NULL;
+     xmlChar *resource = NULL;
+ 
+    if (ctxt == NULL) {
+        return(NULL);
+    }
+    if (ctxt->input_id == 1) {
+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+    }
+
+ #ifdef LIBXML_CATALOG_ENABLED
+     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+ #endif
+@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+     return(input);
+ }
+ 
+xmlParserInputPtr
+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
+                          xmlParserCtxtPtr ctxt) {
+    if (ctxt == NULL) {
+        return(NULL);
+    }
+    if (ctxt->input_id == 1) {
+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+    }
+    xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
+    return(NULL);
+}
+
+ #define bottom_xmlIO
+ #include "elfgcchack.h"
+diff --git a/xmllint.c b/xmllint.c
+index 67f7adb..d9368c1 100644
+--- a/xmllint.c
+++ b/xmllint.c
+@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
+     printf("\t--path 'paths': provide a set of paths for resources\n");
+     printf("\t--load-trace : print trace of all external entities loaded\n");
+     printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
+    printf("\t--noxxe : forbid any external entity loading\n");
+     printf("\t--nocompact : do not generate compact text nodes\n");
+     printf("\t--htmlout : output results as HTML\n");
+     printf("\t--nowrap : do not put HTML doc wrapper\n");
+@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
+                    (!strcmp(argv[i], "--nonet"))) {
+            options |= XML_PARSE_NONET;
+            xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
+        } else if ((!strcmp(argv[i], "-noxxe")) ||
+                   (!strcmp(argv[i], "--noxxe"))) {
+           options |= XML_PARSE_NOXXE;
+           xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
+         } else if ((!strcmp(argv[i], "-nocompact")) ||
+                    (!strcmp(argv[i], "--nocompact"))) {
+            options &= ~XML_PARSE_COMPACT;
+-- 
+2.10.2
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index ba08c9c994..c2c3c9326b 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml2-CVE-2016-5131.patch \
           file://libxml2-CVE-2016-4658.patch \
           file://libxml2-fix_NULL_pointer_derefs.patch \
+           file://CVE-2016-9318.patch \
          "
 SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch new file mode 100644 index 0000000000..3581ab83df --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
@@ -0,0 +1,207 @@
		1	From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
		2	From: Doran Moppert <dmoppert@redhat.com>
		3	Date: Fri, 7 Apr 2017 16:45:56 +0200
		4	Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
		5	even local
		6
		7	For https://bugzilla.gnome.org/show_bug.cgi?id=772726
		8
		9	* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
		10	* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
		11	* include/libxml/xmlerror.h: new error raised
		12	* xmllint.c: adds --noxxe flag to activate the option
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2016-9318
		16
		17	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		18	---
		19	elfgcchack.h \| 10 ++++++++++
		20	include/libxml/parser.h \| 3 ++-
		21	include/libxml/xmlIO.h \| 8 ++++++++
		22	include/libxml/xmlerror.h \| 1 +
		23	parser.c \| 4 ++++
		24	xmlIO.c \| 40 +++++++++++++++++++++++++++++++++++-----
		25	xmllint.c \| 5 +++++
		26	7 files changed, 65 insertions(+), 6 deletions(-)
		27
		28	diff --git a/elfgcchack.h b/elfgcchack.h
		29	index 8c52884..1b81dcd 100644
		30	--- a/elfgcchack.h
		31	+++ b/elfgcchack.h
		32	@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
		33	#endif
		34	#endif
		35
		36	+#ifdef bottom_xmlIO
		37	+#undef xmlNoXxeExternalEntityLoader
		38	+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
		39	+#else
		40	+#ifndef xmlNoXxeExternalEntityLoader
		41	+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
		42	+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
		43	+#endif
		44	+#endif
		45	+
		46	#ifdef bottom_tree
		47	#undef xmlNodeAddContent
		48	extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
		49	diff --git a/include/libxml/parser.h b/include/libxml/parser.h
		50	index 47fbec0..63ca1b9 100644
		51	--- a/include/libxml/parser.h
		52	+++ b/include/libxml/parser.h
		53	@@ -1111,7 +1111,8 @@ typedef enum {
		54	XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
		55	XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
		56	XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
		57	- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
		58	+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
		59	+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
		60	} xmlParserOption;
		61
		62	XMLPUBFUN void XMLCALL
		63	diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
		64	index 3e41744..8d3fdef 100644
		65	--- a/include/libxml/xmlIO.h
		66	+++ b/include/libxml/xmlIO.h
		67	@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
		68	xmlParserCtxtPtr ctxt);
		69
		70	/*
		71	+ * A predefined entity loader external entity expansion
		72	+ */
		73	+XMLPUBFUN xmlParserInputPtr XMLCALL
		74	+ xmlNoXxeExternalEntityLoader (const char *URL,
		75	+ const char *ID,
		76	+ xmlParserCtxtPtr ctxt);
		77	+
		78	+/*
		79	* xmlNormalizeWindowsPath is obsolete, don't use it.
		80	* Check xmlCanonicPath in uri.h for a better alternative.
		81	*/
		82	diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
		83	index 037c16d..3036062 100644
		84	--- a/include/libxml/xmlerror.h
		85	+++ b/include/libxml/xmlerror.h
		86	@@ -470,6 +470,7 @@ typedef enum {
		87	XML_IO_EADDRINUSE, /* 1554 */
		88	XML_IO_EALREADY, /* 1555 */
		89	XML_IO_EAFNOSUPPORT, /* 1556 */
		90	+ XML_IO_ILLEGAL_XXE, /* 1557 */
		91	XML_XINCLUDE_RECURSION=1600,
		92	XML_XINCLUDE_PARSE_VALUE, /* 1601 */
		93	XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
		94	diff --git a/parser.c b/parser.c
		95	index 53a6b7f..609a270 100644
		96	--- a/parser.c
		97	+++ b/parser.c
		98	@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
		99	ctxt->options \|= XML_PARSE_NONET;
		100	options -= XML_PARSE_NONET;
		101	}
		102	+ if (options & XML_PARSE_NOXXE) {
		103	+ ctxt->options \|= XML_PARSE_NOXXE;
		104	+ options -= XML_PARSE_NOXXE;
		105	+ }
		106	if (options & XML_PARSE_COMPACT) {
		107	ctxt->options \|= XML_PARSE_COMPACT;
		108	options -= XML_PARSE_COMPACT;
		109	diff --git a/xmlIO.c b/xmlIO.c
		110	index 1a79c09..304f822 100644
		111	--- a/xmlIO.c
		112	+++ b/xmlIO.c
		113	@@ -210,6 +210,7 @@ static const char *IOerr[] = {
		114	"adddress in use", /* EADDRINUSE */
		115	"already in use", /* EALREADY */
		116	"unknown address familly", /* EAFNOSUPPORT */
		117	+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
		118	};
		119
		120	#if defined(_WIN32) \|\| defined (__DJGPP__) && !defined (__CYGWIN__)
		121	@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char URL, const char ID,
		122	xmlGenericError(xmlGenericErrorContext,
		123	"xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
		124	#endif
		125	- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
		126	+ if (ctxt != NULL) {
		127	int options = ctxt->options;
		128
		129	- ctxt->options -= XML_PARSE_NONET;
		130	- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
		131	- ctxt->options = options;
		132	- return(ret);
		133	+ if (options & XML_PARSE_NOXXE) {
		134	+ ctxt->options -= XML_PARSE_NOXXE;
		135	+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
		136	+ ctxt->options = options;
		137	+ return(ret);
		138	+ }
		139	+
		140	+ if (options & XML_PARSE_NONET) {
		141	+ ctxt->options -= XML_PARSE_NONET;
		142	+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
		143	+ ctxt->options = options;
		144	+ return(ret);
		145	+ }
		146	}
		147	#ifdef LIBXML_CATALOG_ENABLED
		148	resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
		149	@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char URL, const char ID,
		150	xmlParserInputPtr input = NULL;
		151	xmlChar *resource = NULL;
		152
		153	+ if (ctxt == NULL) {
		154	+ return(NULL);
		155	+ }
		156	+ if (ctxt->input_id == 1) {
		157	+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
		158	+ }
		159	+
		160	#ifdef LIBXML_CATALOG_ENABLED
		161	resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
		162	#endif
		163	@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char URL, const char ID,
		164	return(input);
		165	}
		166
		167	+xmlParserInputPtr
		168	+xmlNoXxeExternalEntityLoader(const char URL, const char ID,
		169	+ xmlParserCtxtPtr ctxt) {
		170	+ if (ctxt == NULL) {
		171	+ return(NULL);
		172	+ }
		173	+ if (ctxt->input_id == 1) {
		174	+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
		175	+ }
		176	+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
		177	+ return(NULL);
		178	+}
		179	+
		180	#define bottom_xmlIO
		181	#include "elfgcchack.h"
		182	diff --git a/xmllint.c b/xmllint.c
		183	index 67f7adb..d9368c1 100644
		184	--- a/xmllint.c
		185	+++ b/xmllint.c
		186	@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
		187	printf("\t--path 'paths': provide a set of paths for resources\n");
		188	printf("\t--load-trace : print trace of all external entities loaded\n");
		189	printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
		190	+ printf("\t--noxxe : forbid any external entity loading\n");
		191	printf("\t--nocompact : do not generate compact text nodes\n");
		192	printf("\t--htmlout : output results as HTML\n");
		193	printf("\t--nowrap : do not put HTML doc wrapper\n");
		194	@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
		195	(!strcmp(argv[i], "--nonet"))) {
		196	options \|= XML_PARSE_NONET;
		197	xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
		198	+ } else if ((!strcmp(argv[i], "-noxxe")) \|\|
		199	+ (!strcmp(argv[i], "--noxxe"))) {
		200	+ options \|= XML_PARSE_NOXXE;
		201	+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
		202	} else if ((!strcmp(argv[i], "-nocompact")) \|\|
		203	(!strcmp(argv[i], "--nocompact"))) {
		204	options &= ~XML_PARSE_COMPACT;
		205	--
		206	2.10.2
		207


diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index ba08c9c994..c2c3c9326b 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
23	file://libxml2-CVE-2016-5131.patch \	23	file://libxml2-CVE-2016-5131.patch \
24	file://libxml2-CVE-2016-4658.patch \	24	file://libxml2-CVE-2016-4658.patch \
25	file://libxml2-fix_NULL_pointer_derefs.patch \	25	file://libxml2-fix_NULL_pointer_derefs.patch \
		26	file://CVE-2016-9318.patch \
26	"	27	"
27		28
28	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"	29	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"