1 files changed, 208 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
new file mode 100644
index 0000000000..bfea8fde55
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
@@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libxml.h     |  3 +++
+ relaxng.c    |  3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c  | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
+++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+ 
+#include <libxml/xmlstring.h>
+
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+ 
+XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+ 
+ #ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
+++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+         snprintf(msg, 1000, "Unknown error code %d\n", err);
+     }
+     msg[1000 - 1] = 0;
+-    return (xmlStrdup((xmlChar *) msg));
+    xmlChar *result = xmlCharStrdup(msg);
+    return (xmlEscapeFormatString(&result));
+ }
+ 
+ /**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
+++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+     }
+     FREE_AND_NULL(str)
+ 
+-    return (*buf);
+    return (xmlEscapeFormatString(buf));
+ }
+ 
+ /**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+        TODO
+        return (NULL);
+     }
+
+    /*
+     * xmlSchemaFormatItemForReport() also returns an escaped format
+     * string, so do this before calling it below (in the future).
+     */
+    xmlEscapeFormatString(msg);
+
+     /*
+     * VAL TODO: The output of the given schema component is currently
+     * disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+        msg = xmlStrcat(msg, BAD_CAST " '");
+        if (type->builtInType != 0) {
+            msg = xmlStrcat(msg, BAD_CAST "xs:");
+-           msg = xmlStrcat(msg, type->name);
+-       } else
+-           msg = xmlStrcat(msg,
+-               xmlSchemaFormatQName(&str,
+-                   type->targetNamespace, type->name));
+           str = xmlStrdup(type->name);
+       } else {
+           const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
+           if (!str)
+               str = xmlStrdup(qName);
+       }
+       msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+        msg = xmlStrcat(msg, BAD_CAST "'");
+        FREE_AND_NULL(str);
+     }
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+                str = xmlStrcat(str, BAD_CAST ", ");
+        }
+        str = xmlStrcat(str, BAD_CAST " ).\n");
+-       msg = xmlStrcat(msg, BAD_CAST str);
+       msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+        FREE_AND_NULL(str)
+     } else
+       msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+                msg = xmlStrcat(msg, BAD_CAST " '");
+                if (type->builtInType != 0) {
+                    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-                   msg = xmlStrcat(msg, type->name);
+-               } else
+-                   msg = xmlStrcat(msg,
+-                       xmlSchemaFormatQName(&str,
+-                           type->targetNamespace, type->name));
+                   str = xmlStrdup(type->name);
+               } else {
+                   const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
+                   if (!str)
+                       str = xmlStrdup(qName);
+               }
+               msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+                msg = xmlStrcat(msg, BAD_CAST "'.");
+                FREE_AND_NULL(str);
+            }
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+        }
+        if (expected) {
+            msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+-           msg = xmlStrcat(msg, BAD_CAST expected);
+           xmlChar *expectedEscaped = xmlCharStrdup(expected);
+           msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
+           FREE_AND_NULL(expectedEscaped);
+            msg = xmlStrcat(msg, BAD_CAST "'.\n");
+        } else
+            msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
+++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+     return(xmlUTF8Strndup(utf, len));
+ }
+ 
+/**
+ * xmlEscapeFormatString:
+ * @msg:  a pointer to the string in which to escape '%' characters.
+ * Must be a heap-allocated buffer created by libxml2 that may be
+ * returned, or that may be freed and replaced.
+ *
+ * Replaces the string pointed to by 'msg' with an escaped string.
+ * Returns the same string with all '%' characters escaped.
+ */
+xmlChar *
+xmlEscapeFormatString(xmlChar **msg)
+{
+    xmlChar *msgPtr = NULL;
+    xmlChar *result = NULL;
+    xmlChar *resultPtr = NULL;
+    size_t count = 0;
+    size_t msgLen = 0;
+    size_t resultLen = 0;
+
+    if (!msg || !*msg)
+        return(NULL);
+
+    for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
+        ++msgLen;
+        if (*msgPtr == '%')
+            ++count;
+    }
+
+    if (count == 0)
+        return(*msg);
+
+    resultLen = msgLen + count + 1;
+    result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
+    if (result == NULL) {
+        /* Clear *msg to prevent format string vulnerabilities in
+           out-of-memory situations. */
+        xmlFree(*msg);
+        *msg = NULL;
+        xmlErrMemory(NULL, NULL);
+        return(NULL);
+    }
+
+    for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
+        *resultPtr = *msgPtr;
+        if (*msgPtr == '%')
+            *(++resultPtr) = '%';
+    }
+    result[resultLen - 1] = '\0';
+
+    xmlFree(*msg);
+    *msg = result;
+
+    return *msg;
+}
+
+ #define bottom_xmlstring
+ #include "elfgcchack.h"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch new file mode 100644 index 0000000000..bfea8fde55 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
@@ -0,0 +1,208 @@
	1	From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
	2	From: David Kilzer <ddkilzer@apple.com>
	3	Date: Mon, 23 May 2016 14:58:41 +0800
	4	Subject: [PATCH] More format string warnings with possible format string
	5	vulnerability
	6
	7	For https://bugzilla.gnome.org/show_bug.cgi?id=761029
	8
	9	adds a new xmlEscapeFormatString() function to escape composed format
	10	strings
	11
	12	Upstream-Status: Backport
	13	CVE: CVE-2016-4448 patch #2
	14
	15	Signed-off-by: Armin Kuster <akuster@mvista.com>
	16
	17	---
	18	libxml.h \| 3 +++
	19	relaxng.c \| 3 ++-
	20	xmlschemas.c \| 39 ++++++++++++++++++++++++++-------------
	21	xmlstring.c \| 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
	22	4 files changed, 86 insertions(+), 14 deletions(-)
	23
	24	Index: libxml2-2.9.2/libxml.h
	25	===================================================================
	26	--- libxml2-2.9.2.orig/libxml.h
	27	+++ libxml2-2.9.2/libxml.h
	28	@@ -9,6 +9,8 @@
	29	#ifndef __XML_LIBXML_H__
	30	#define __XML_LIBXML_H__
	31
	32	+#include <libxml/xmlstring.h>
	33	+
	34	#ifndef NO_LARGEFILE_SOURCE
	35	#ifndef _LARGEFILE_SOURCE
	36	#define _LARGEFILE_SOURCE
	37	@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
	38	int __xmlRandom(void);
	39	#endif
	40
	41	+XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
	42	int xmlNop(void);
	43
	44	#ifdef IN_LIBXML
	45	Index: libxml2-2.9.2/relaxng.c
	46	===================================================================
	47	--- libxml2-2.9.2.orig/relaxng.c
	48	+++ libxml2-2.9.2/relaxng.c
	49	@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
	50	snprintf(msg, 1000, "Unknown error code %d\n", err);
	51	}
	52	msg[1000 - 1] = 0;
	53	- return (xmlStrdup((xmlChar *) msg));
	54	+ xmlChar *result = xmlCharStrdup(msg);
	55	+ return (xmlEscapeFormatString(&result));
	56	}
	57
	58	/**
	59	Index: libxml2-2.9.2/xmlschemas.c
	60	===================================================================
	61	--- libxml2-2.9.2.orig/xmlschemas.c
	62	+++ libxml2-2.9.2/xmlschemas.c
	63	@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
	64	}
	65	FREE_AND_NULL(str)
	66
	67	- return (*buf);
	68	+ return (xmlEscapeFormatString(buf));
	69	}
	70
	71	/**
	72	@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
	73	TODO
	74	return (NULL);
	75	}
	76	+
	77	+ /*
	78	+ * xmlSchemaFormatItemForReport() also returns an escaped format
	79	+ * string, so do this before calling it below (in the future).
	80	+ */
	81	+ xmlEscapeFormatString(msg);
	82	+
	83	/*
	84	* VAL TODO: The output of the given schema component is currently
	85	* disabled.
	86	@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
	87	msg = xmlStrcat(msg, BAD_CAST " '");
	88	if (type->builtInType != 0) {
	89	msg = xmlStrcat(msg, BAD_CAST "xs:");
	90	- msg = xmlStrcat(msg, type->name);
	91	- } else
	92	- msg = xmlStrcat(msg,
	93	- xmlSchemaFormatQName(&str,
	94	- type->targetNamespace, type->name));
	95	+ str = xmlStrdup(type->name);
	96	+ } else {
	97	+ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
	98	+ if (!str)
	99	+ str = xmlStrdup(qName);
	100	+ }
	101	+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
	102	msg = xmlStrcat(msg, BAD_CAST "'");
	103	FREE_AND_NULL(str);
	104	}
	105	@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
	106	str = xmlStrcat(str, BAD_CAST ", ");
	107	}
	108	str = xmlStrcat(str, BAD_CAST " ).\n");
	109	- msg = xmlStrcat(msg, BAD_CAST str);
	110	+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
	111	FREE_AND_NULL(str)
	112	} else
	113	msg = xmlStrcat(msg, BAD_CAST "\n");
	114	@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
	115	msg = xmlStrcat(msg, BAD_CAST " '");
	116	if (type->builtInType != 0) {
	117	msg = xmlStrcat(msg, BAD_CAST "xs:");
	118	- msg = xmlStrcat(msg, type->name);
	119	- } else
	120	- msg = xmlStrcat(msg,
	121	- xmlSchemaFormatQName(&str,
	122	- type->targetNamespace, type->name));
	123	+ str = xmlStrdup(type->name);
	124	+ } else {
	125	+ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
	126	+ if (!str)
	127	+ str = xmlStrdup(qName);
	128	+ }
	129	+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
	130	msg = xmlStrcat(msg, BAD_CAST "'.");
	131	FREE_AND_NULL(str);
	132	}
	133	@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
	134	}
	135	if (expected) {
	136	msg = xmlStrcat(msg, BAD_CAST " Expected is '");
	137	- msg = xmlStrcat(msg, BAD_CAST expected);
	138	+ xmlChar *expectedEscaped = xmlCharStrdup(expected);
	139	+ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
	140	+ FREE_AND_NULL(expectedEscaped);
	141	msg = xmlStrcat(msg, BAD_CAST "'.\n");
	142	} else
	143	msg = xmlStrcat(msg, BAD_CAST "\n");
	144	Index: libxml2-2.9.2/xmlstring.c
	145	===================================================================
	146	--- libxml2-2.9.2.orig/xmlstring.c
	147	+++ libxml2-2.9.2/xmlstring.c
	148	@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
	149	return(xmlUTF8Strndup(utf, len));
	150	}
	151
	152	+/**
	153	+ * xmlEscapeFormatString:
	154	+ * @msg: a pointer to the string in which to escape '%' characters.
	155	+ * Must be a heap-allocated buffer created by libxml2 that may be
	156	+ * returned, or that may be freed and replaced.
	157	+ *
	158	+ * Replaces the string pointed to by 'msg' with an escaped string.
	159	+ * Returns the same string with all '%' characters escaped.
	160	+ */
	161	+xmlChar *
	162	+xmlEscapeFormatString(xmlChar **msg)
	163	+{
	164	+ xmlChar *msgPtr = NULL;
	165	+ xmlChar *result = NULL;
	166	+ xmlChar *resultPtr = NULL;
	167	+ size_t count = 0;
	168	+ size_t msgLen = 0;
	169	+ size_t resultLen = 0;
	170	+
	171	+ if (!msg \|\| !*msg)
	172	+ return(NULL);
	173	+
	174	+ for (msgPtr = msg; msgPtr != '\0'; ++msgPtr) {
	175	+ ++msgLen;
	176	+ if (*msgPtr == '%')
	177	+ ++count;
	178	+ }
	179	+
	180	+ if (count == 0)
	181	+ return(*msg);
	182	+
	183	+ resultLen = msgLen + count + 1;
	184	+ result = (xmlChar ) xmlMallocAtomic(resultLen sizeof(xmlChar));
	185	+ if (result == NULL) {
	186	+ /* Clear *msg to prevent format string vulnerabilities in
	187	+ out-of-memory situations. */
	188	+ xmlFree(*msg);
	189	+ *msg = NULL;
	190	+ xmlErrMemory(NULL, NULL);
	191	+ return(NULL);
	192	+ }
	193	+
	194	+ for (msgPtr = msg, resultPtr = result; msgPtr != '\0'; ++msgPtr, ++resultPtr) {
	195	+ resultPtr = msgPtr;
	196	+ if (*msgPtr == '%')
	197	+ *(++resultPtr) = '%';
	198	+ }
	199	+ result[resultLen - 1] = '\0';
	200	+
	201	+ xmlFree(*msg);
	202	+ *msg = result;
	203	+
	204	+ return *msg;
	205	+}
	206	+
	207	#define bottom_xmlstring
	208	#include "elfgcchack.h"