2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
new file mode 100644
index 0000000000..8587a63498
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
@@ -0,0 +1,71 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons@suse.com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH] Add missing increments of recursion depth counter to XML
+ parser.
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+Upstream-Status: Backport
+CVE: CVE-2016-3705
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
+++ libxml2-2.9.2/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+ 
+        ent->checked = 1;
+ 
+        ++ctxt->depth;
+        rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                  XML_SUBSTITUTE_REF, 0, 0, 0);
+        --ctxt->depth;
+ 
+        ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+        if (rep != NULL) {
+@@ -3978,8 +3980,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctx
+         * an entity declaration, it is bypassed and left as is.
+         * so XML_SUBSTITUTE_REF is not set here.
+         */
+        ++ctxt->depth;
+        ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+                                      0, 0, 0);
+        --ctxt->depth;
+        if (orig != NULL)
+            *orig = buf;
+        else
+@@ -4104,9 +4108,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+                } else if ((ent != NULL) &&
+                           (ctxt->replaceEntities != 0)) {
+                    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
+                       ++ctxt->depth;
+                        rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                                      XML_SUBSTITUTE_REF,
+                                                      0, 0, 0);
+                       --ctxt->depth;
+                        if (rep != NULL) {
+                            current = rep;
+                            while (*current != 0) { /* non input consuming */
+@@ -4142,8 +4148,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+                        (ent->content != NULL) && (ent->checked == 0)) {
+                        unsigned long oldnbent = ctxt->nbentities;
+ 
+                       ++ctxt->depth;
+                        rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                                  XML_SUBSTITUTE_REF, 0, 0, 0);
+                       --ctxt->depth;
+ 
+                        ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+                        if (rep != NULL) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 7f2ded76c1..ec6000f794 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -5,6 +5,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
            file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
           "
 SRC_URI += "file://CVE-2016-1762.patch \
+            file://CVE-2016-3705.patch \
    "
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch new file mode 100644 index 0000000000..8587a63498 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
@@ -0,0 +1,71 @@
		1	From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
		2	From: Peter Simons <psimons@suse.com>
		3	Date: Fri, 15 Apr 2016 11:56:55 +0200
		4	Subject: [PATCH] Add missing increments of recursion depth counter to XML
		5	parser.
		6
		7	For https://bugzilla.gnome.org/show_bug.cgi?id=765207
		8	CVE-2016-3705
		9	The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
		10	xmlStringDecodeEntities() in a recursive context without incrementing the
		11	'depth' counter in the parser context. Because of that omission, the parser
		12	failed to detect attribute recursions in certain documents before running out
		13	of stack space.
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2016-3705
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	parser.c \| 8 ++++++++
		21	1 file changed, 8 insertions(+)
		22
		23	Index: libxml2-2.9.2/parser.c
		24	===================================================================
		25	--- libxml2-2.9.2.orig/parser.c
		26	+++ libxml2-2.9.2/parser.c
		27	@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
		28
		29	ent->checked = 1;
		30
		31	+ ++ctxt->depth;
		32	rep = xmlStringDecodeEntities(ctxt, ent->content,
		33	XML_SUBSTITUTE_REF, 0, 0, 0);
		34	+ --ctxt->depth;
		35
		36	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
		37	if (rep != NULL) {
		38	@@ -3978,8 +3980,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctx
		39	* an entity declaration, it is bypassed and left as is.
		40	* so XML_SUBSTITUTE_REF is not set here.
		41	*/
		42	+ ++ctxt->depth;
		43	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
		44	0, 0, 0);
		45	+ --ctxt->depth;
		46	if (orig != NULL)
		47	*orig = buf;
		48	else
		49	@@ -4104,9 +4108,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
		50	} else if ((ent != NULL) &&
		51	(ctxt->replaceEntities != 0)) {
		52	if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
		53	+ ++ctxt->depth;
		54	rep = xmlStringDecodeEntities(ctxt, ent->content,
		55	XML_SUBSTITUTE_REF,
		56	0, 0, 0);
		57	+ --ctxt->depth;
		58	if (rep != NULL) {
		59	current = rep;
		60	while (current != 0) { / non input consuming */
		61	@@ -4142,8 +4148,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
		62	(ent->content != NULL) && (ent->checked == 0)) {
		63	unsigned long oldnbent = ctxt->nbentities;
		64
		65	+ ++ctxt->depth;
		66	rep = xmlStringDecodeEntities(ctxt, ent->content,
		67	XML_SUBSTITUTE_REF, 0, 0, 0);
		68	+ --ctxt->depth;
		69
		70	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
		71	if (rep != NULL) {


diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index 7f2ded76c1..ec6000f794 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -5,6 +5,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
5	file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \	5	file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
6	"	6	"
7	SRC_URI += "file://CVE-2016-1762.patch \	7	SRC_URI += "file://CVE-2016-1762.patch \
		8	file://CVE-2016-3705.patch \
8	"	9	"
9		10
10	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"	11	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"