1 files changed, 147 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
new file mode 100644
index 0000000000..b9621c93eb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
@@ -0,0 +1,147 @@
+From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 16 Oct 2014 13:59:47 +0800
+Subject: Fix for CVE-2014-3660
+Issues related to the billion laugh entity expansion which happened to
+escape the initial set of fixes
+Upstream-status: Backport
+Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+diff --git a/parser.c b/parser.c
+index f51e8d2..1d93967 100644
+--- a/parser.c
+++ b/parser.c
+@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+         return (0);
+     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+         return (1);
+
+    /*
+     * This may look absurd but is needed to detect
+     * entities problems
+     */
+    if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+       (ent->content != NULL) && (ent->checked == 0)) {
+       unsigned long oldnbent = ctxt->nbentities;
+       xmlChar *rep;
+
+       ent->checked = 1;
+
+       rep = xmlStringDecodeEntities(ctxt, ent->content,
+                                 XML_SUBSTITUTE_REF, 0, 0, 0);
+
+       ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+       if (rep != NULL) {
+           if (xmlStrchr(rep, '<'))
+               ent->checked |= 1;
+           xmlFree(rep);
+           rep = NULL;
+       }
+    }
+     if (replacement != 0) {
+        if (replacement < XML_MAX_TEXT_LENGTH)
+            return(0);
+@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+             return (0);
+     } else {
+         /*
+-         * strange we got no data for checking just return
+         * strange we got no data for checking
+          */
+-        return (0);
+       if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
+            (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
+           (ctxt->nbentities <= 10000))
+           return (0);
+     }
+     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+     return (1);
+@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+                                      name, NULL);
+                    ctxt->valid = 0;
+                }
+               xmlParserEntityCheck(ctxt, 0, NULL, 0);
+            } else if (ctxt->input->free != deallocblankswrapper) {
+                    input = xmlNewBlanksWrapperInputStream(ctxt, entity);
+                    if (xmlPushInput(ctxt, input) < 0)
+@@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+            if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+                (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+                goto int_error;
+           xmlParserEntityCheck(ctxt, 0, ent, 0);
+            if (ent != NULL)
+                ctxt->nbentities += ent->checked / 2;
+            if ((ent != NULL) &&
+@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+            ent = xmlParseStringPEReference(ctxt, &str);
+            if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+                goto int_error;
+           xmlParserEntityCheck(ctxt, 0, ent, 0);
+            if (ent != NULL)
+                ctxt->nbentities += ent->checked / 2;
+            if (ent != NULL) {
+@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                   (ret != XML_WAR_UNDECLARED_ENTITY)) {
+            xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
+                     "Entity '%s' failed to parse\n", ent->name);
+           xmlParserEntityCheck(ctxt, 0, ent, 0);
+        } else if (list != NULL) {
+            xmlFreeNodeList(list);
+            list = NULL;
+@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                /*
+                 * We are copying here, make sure there is no abuse
+                 */
+-               ctxt->sizeentcopy += ent->length;
+               ctxt->sizeentcopy += ent->length + 5;
+                if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+                    return;
+ 
+@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                /*
+                 * We are copying here, make sure there is no abuse
+                 */
+-               ctxt->sizeentcopy += ent->length;
+               ctxt->sizeentcopy += ent->length + 5;
+                if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+                    return;
+ 
+@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
+                ctxt->sax->reference(ctxt->userData, name);
+            }
+        }
+       xmlParserEntityCheck(ctxt, 0, ent, 0);
+        ctxt->valid = 0;
+     }
+ 
+@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
+                          "Entity '%s' not defined\n",
+                          name);
+        }
+       xmlParserEntityCheck(ctxt, 0, ent, 0);
+        /* TODO ? check regressions ctxt->valid = 0; */
+     }
+ 
+@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+                          name, NULL);
+            ctxt->valid = 0;
+        }
+       xmlParserEntityCheck(ctxt, 0, NULL, 0);
+     } else {
+        /*
+         * Internal checking in case the entity quest barfed
+@@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
+                          name, NULL);
+            ctxt->valid = 0;
+        }
+       xmlParserEntityCheck(ctxt, 0, NULL, 0);
+     } else {
+        /*
+         * Internal checking in case the entity quest barfed
+-- 
+cgit v0.10.1

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch new file mode 100644 index 0000000000..b9621c93eb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
@@ -0,0 +1,147 @@
	1	From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
	2	From: Daniel Veillard <veillard@redhat.com>
	3	Date: Thu, 16 Oct 2014 13:59:47 +0800
	4	Subject: Fix for CVE-2014-3660
	5
	6	Issues related to the billion laugh entity expansion which happened to
	7	escape the initial set of fixes
	8
	9	Upstream-status: Backport
	10	Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0
	11
	12	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	13
	14	diff --git a/parser.c b/parser.c
	15	index f51e8d2..1d93967 100644
	16	--- a/parser.c
	17	+++ b/parser.c
	18	@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
	19	return (0);
	20	if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
	21	return (1);
	22	+
	23	+ /*
	24	+ * This may look absurd but is needed to detect
	25	+ * entities problems
	26	+ */
	27	+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
	28	+ (ent->content != NULL) && (ent->checked == 0)) {
	29	+ unsigned long oldnbent = ctxt->nbentities;
	30	+ xmlChar *rep;
	31	+
	32	+ ent->checked = 1;
	33	+
	34	+ rep = xmlStringDecodeEntities(ctxt, ent->content,
	35	+ XML_SUBSTITUTE_REF, 0, 0, 0);
	36	+
	37	+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
	38	+ if (rep != NULL) {
	39	+ if (xmlStrchr(rep, '<'))
	40	+ ent->checked \|= 1;
	41	+ xmlFree(rep);
	42	+ rep = NULL;
	43	+ }
	44	+ }
	45	if (replacement != 0) {
	46	if (replacement < XML_MAX_TEXT_LENGTH)
	47	return(0);
	48	@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
	49	return (0);
	50	} else {
	51	/*
	52	- * strange we got no data for checking just return
	53	+ * strange we got no data for checking
	54	*/
	55	- return (0);
	56	+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
	57	+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) \|\|
	58	+ (ctxt->nbentities <= 10000))
	59	+ return (0);
	60	}
	61	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
	62	return (1);
	63	@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
	64	name, NULL);
	65	ctxt->valid = 0;
	66	}
	67	+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
	68	} else if (ctxt->input->free != deallocblankswrapper) {
	69	input = xmlNewBlanksWrapperInputStream(ctxt, entity);
	70	if (xmlPushInput(ctxt, input) < 0)
	71	@@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
	72	if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) \|\|
	73	(ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
	74	goto int_error;
	75	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
	76	if (ent != NULL)
	77	ctxt->nbentities += ent->checked / 2;
	78	if ((ent != NULL) &&
	79	@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
	80	ent = xmlParseStringPEReference(ctxt, &str);
	81	if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
	82	goto int_error;
	83	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
	84	if (ent != NULL)
	85	ctxt->nbentities += ent->checked / 2;
	86	if (ent != NULL) {
	87	@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
	88	(ret != XML_WAR_UNDECLARED_ENTITY)) {
	89	xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
	90	"Entity '%s' failed to parse\n", ent->name);
	91	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
	92	} else if (list != NULL) {
	93	xmlFreeNodeList(list);
	94	list = NULL;
	95	@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
	96	/*
	97	* We are copying here, make sure there is no abuse
	98	*/
	99	- ctxt->sizeentcopy += ent->length;
	100	+ ctxt->sizeentcopy += ent->length + 5;
	101	if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
	102	return;
	103
	104	@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
	105	/*
	106	* We are copying here, make sure there is no abuse
	107	*/
	108	- ctxt->sizeentcopy += ent->length;
	109	+ ctxt->sizeentcopy += ent->length + 5;
	110	if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
	111	return;
	112
	113	@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
	114	ctxt->sax->reference(ctxt->userData, name);
	115	}
	116	}
	117	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
	118	ctxt->valid = 0;
	119	}
	120
	121	@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
	122	"Entity '%s' not defined\n",
	123	name);
	124	}
	125	+ xmlParserEntityCheck(ctxt, 0, ent, 0);
	126	/* TODO ? check regressions ctxt->valid = 0; */
	127	}
	128
	129	@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
	130	name, NULL);
	131	ctxt->valid = 0;
	132	}
	133	+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
	134	} else {
	135	/*
	136	* Internal checking in case the entity quest barfed
	137	@@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
	138	name, NULL);
	139	ctxt->valid = 0;
	140	}
	141	+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
	142	} else {
	143	/*
	144	* Internal checking in case the entity quest barfed
	145	--
	146	cgit v0.10.1
	147