Diffstat (limited to 'meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch')
-rw-r--r-- | meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch | 123 |
1 files changed, 123 insertions, 0 deletions
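diff --git a/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch
new file mode 100644
index 0000000000..00cc731540
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch
@@ -0,0 +1,123 @@
+From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 16 Mar 2016 15:30:12 +0100
+Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
+
+Squashed backport against vanilla Expat 2.1.1, addressing:
+* CVE-2012-6702 -- unanticipated internal calls to srand
+* CVE-2016-5300 -- use of too little entropy
+
+Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
+(released with Expat 2.1.0) Expat called srand by itself
+from inside generate_hash_secret_salt for an instance
+of XML_Parser if XML_SetHashSalt was either (a) not called
+for that instance or if (b) salt 0 was passed to XML_SetHashSalt
+prior to parsing. That call to srand passed (rather litle)
+entropy extracted from the current time as a seed for srand.
+
+That call to srand (1) broke repeatability for code calling
+srand with a non-random seed prior to parsing with Expat,
+and (2) resulted in a rather small set of hashing salts in
+Expat in total.
+
+For a short- to mid-term fix, the new approach avoids calling
+srand altogether, extracts more entropy out of the clock and
+other sources, too.
+
+For a long term fix, we may want to read sizeof(long) bytes
+from a source like getrandom(..) on Linux, and from similar
+sources on other supported architectures.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1197087
+
+CVE: CVE-2012-6702
+CVE: CVE-2016-5300
+Upstream-Status: Backport
+
+Removed changes from CMakeLists.txt from original patch, since that code is
+not part of fix for these CVEs.
+Reference to the commit for CMakeLists.txt changes:
+https://sourceforge.net/p/expat/code_git/ci/37f7efb878660d55ff5fd67ad2cda1c103297df6
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -Nurp a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c 2017-01-13 10:16:35.570784710 +0100
++++ b/lib/xmlparse.c 2017-01-13 11:22:20.522433486 +0100
+@@ -6,7 +6,14 @@
+#include <string.h> /* memset(), memcpy() */
+#include <assert.h>
+#include <limits.h> /* UINT_MAX */
+-#include <time.h> /* time() */
++
++#ifdef COMPILED_FROM_DSP
++#define getpid GetCurrentProcessId
++#else
++#include <sys/time.h> /* gettimeofday() */
++#include <sys/types.h> /* getpid() */
++#include <unistd.h> /* getpid() */
++#endif
+
+#define XML_BUILDING_EXPAT 1
+
+@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
+getElementType(XML_Parser parser, const ENCODING *enc,
+const char *ptr, const char *end);
+
+-static unsigned long generate_hash_secret_salt(void);
++static unsigned long generate_hash_secret_salt(XML_Parser parser);
+static XML_Bool startParsing(XML_Parser parser);
+
+static XML_Parser
+@@ -691,11 +698,38 @@ static const XML_Char implicitContext[]
+};
+
+static unsigned long
+-generate_hash_secret_salt(void)
++gather_time_entropy(void)
++{
++#ifdef COMPILED_FROM_DSP
++ FILETIME ft;
++ GetSystemTimeAsFileTime(&ft); /* never fails */
++ return ft.dwHighDateTime ^ ft.dwLowDateTime;
++#else
++ struct timeval tv;
++ int gettimeofday_res;
++
++ gettimeofday_res = gettimeofday(&tv, NULL);
++ assert (gettimeofday_res == 0);
++
++ /* Microseconds time is <20 bits entropy */
++ return tv.tv_usec;
++#endif
++}
++
++static unsigned long
++generate_hash_secret_salt(XML_Parser parser)
+{
+- unsigned int seed = time(NULL) % UINT_MAX;
+- srand(seed);
+- return rand();
++ /* Process ID is 0 bits entropy if attacker has local access
++ * XML_Parser address is few bits of entropy if attacker has local access */
++ const unsigned long entropy =
++ gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
++
++ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
++ if (sizeof(unsigned long) == 4) {
++ return entropy * 2147483647;
++ } else {
++ return entropy * 2305843009213693951;
++ }
+}
+
+static XML_Bool /* only valid for root parser */
+@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
+{
+/* hash functions must be initialized before setContext() is called */
+if (hash_secret_salt == 0)
+- hash_secret_salt = generate_hash_secret_salt();
++ hash_secret_salt = generate_hash_secret_salt(parser);
+if (ns) {
+/* implicit context only set for root parser, since child
+parsers (i.e. external entity parsers) will inherit it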
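Review bot: In gather_time_entropy (patch lines 84–91 of the embedded hunk) the only check on gettimeofday() is `assert (gettimeofday_res == 0);`, which compiles to nothing under NDEBUG, so a release build that ever hit a failing call would return an uninitialized tv.tv_usec and would likely also get an unused-but-set warning for gettimeofday_res. A runtime check keeps the function well-defined in every build, e.g. `struct timeval tv = {0, 0};` followed by `if (gettimeofday(&tv, NULL) != 0) { return 0; }` in place of the assert. The patch's own comments state that the pid and parser address contribute little entropy against a local attacker and the microsecond field under 20 bits, and its description names getrandom(2) as the intended long-term fix, so a recipe comment recording that this backport is a hash-collision DoS mitigation rather than a cryptographic-quality salt would help whoever next bumps this recipe. The embedded patch is shown in full, so no function is cut off at the hunk boundary.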