3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 9d1d2bd257..95fc75c02e 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -23,6 +23,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml-m4-use-pkgconfig.patch \
           file://configure.ac-fix-cross-compiling-warning.patch \
           file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+           file://CVE-2015-7942.patch \
+           file://CVE-2015-8035.patch \
          "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000000..a5930ed29b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,55 @@
+libxml2: CVE-2015-7942
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+[YOCTO #8641]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
+++ libxml2-2.9.2/parser.c
+@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
+        SKIP_BLANKS;
+        if (RAW != '[') {
+            xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+           xmlStopParser(ctxt);
+           return;
+        } else {
+            if (ctxt->input->id != id) {
+                xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
+        SKIP_BLANKS;
+        if (RAW != '[') {
+            xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+           xmlStopParser(ctxt);
+           return;
+        } else {
+            if (ctxt->input->id != id) {
+                xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
+ 
+     } else {
+        xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+       xmlStopParser(ctxt);
+       return;
+     }
+ 
+     if (RAW == 0)
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000000..d175f7453c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,41 @@
+libxml2: CVE-2015-8035
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
+[YOCTO #8641]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
+++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
+        if (ret == LZMA_PROG_ERROR) {
+            xz_error(state, LZMA_PROG_ERROR, "compression error");
+            return -1;
+        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+cgit v0.11.2

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 9d1d2bd257..95fc75c02e 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -23,6 +23,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
23	file://libxml-m4-use-pkgconfig.patch \	23	file://libxml-m4-use-pkgconfig.patch \
24	file://configure.ac-fix-cross-compiling-warning.patch \	24	file://configure.ac-fix-cross-compiling-warning.patch \
25	file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \	25	file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
		26	file://CVE-2015-7942.patch \
		27	file://CVE-2015-8035.patch \
26	"	28	"
27		29
28	BINCONFIG = "${bindir}/xml2-config"	30	BINCONFIG = "${bindir}/xml2-config"


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch new file mode 100644 index 0000000000..a5930ed29b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,55 @@
		1	libxml2: CVE-2015-7942
		2
		3	From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
		4	From: Daniel Veillard <veillard@redhat.com>
		5	Date: Mon, 23 Feb 2015 11:29:20 +0800
		6	Subject: Cleanup conditional section error handling
		7
		8	For https://bugzilla.gnome.org/show_bug.cgi?id=744980
		9
		10	The error handling of Conditional Section also need to be
		11	straightened as the structure of the document can't be
		12	guessed on a failure there and it's better to stop parsing
		13	as further errors are likely to be irrelevant.
		14
		15	Upstream-Status: Backport
		16	https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
		17
		18	[YOCTO #8641]
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	parser.c \| 6 ++++++
		23	1 file changed, 6 insertions(+)
		24
		25	Index: libxml2-2.9.2/parser.c
		26	===================================================================
		27	--- libxml2-2.9.2.orig/parser.c
		28	+++ libxml2-2.9.2/parser.c
		29	@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
		30	SKIP_BLANKS;
		31	if (RAW != '[') {
		32	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
		33	+ xmlStopParser(ctxt);
		34	+ return;
		35	} else {
		36	if (ctxt->input->id != id) {
		37	xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
		38	@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
		39	SKIP_BLANKS;
		40	if (RAW != '[') {
		41	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
		42	+ xmlStopParser(ctxt);
		43	+ return;
		44	} else {
		45	if (ctxt->input->id != id) {
		46	xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
		47	@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
		48
		49	} else {
		50	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
		51	+ xmlStopParser(ctxt);
		52	+ return;
		53	}
		54
		55	if (RAW == 0)


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch new file mode 100644 index 0000000000..d175f7453c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,41 @@
		1	libxml2: CVE-2015-8035
		2
		3	From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
		4	From: Daniel Veillard <veillard@redhat.com>
		5	Date: Tue, 3 Nov 2015 15:31:25 +0800
		6	Subject: CVE-2015-8035 Fix XZ compression support loop
		7
		8	For https://bugzilla.gnome.org/show_bug.cgi?id=757466
		9	DoS when parsing specially crafted XML document if XZ support
		10	is compiled in (which wasn't the case for 2.9.2 and master since
		11	Nov 2013, fixed in next commit !)
		12
		13	Upstream-Status: Backport
		14	https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
		15
		16	[YOCTO #8641]
		17
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	---
		21	xzlib.c \| 4 ++++
		22	1 file changed, 4 insertions(+)
		23
		24	diff --git a/xzlib.c b/xzlib.c
		25	index 0dcb9f4..1fab546 100644
		26	--- a/xzlib.c
		27	+++ b/xzlib.c
		28	@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
		29	xz_error(state, LZMA_DATA_ERROR, "compressed data error");
		30	return -1;
		31	}
		32	+ if (ret == LZMA_PROG_ERROR) {
		33	+ xz_error(state, LZMA_PROG_ERROR, "compression error");
		34	+ return -1;
		35	+ }
		36	} while (strm->avail_out && ret != LZMA_STREAM_END);
		37
		38	/* update available output and crc check value */
		39	--
		40	cgit v0.11.2
		41