From e39962398625aeb780b2f8a08b194f35ded8b4b8 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Wed, 24 Feb 2016 08:39:28 +0100 Subject: libxml2: CVE-2015-7500 Fixes Heap buffer overflow in xmlParseMisc Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- meta/recipes-core/libxml/libxml2.inc | 2 + ...00-Fix-memory-access-error-due-to-incorre.patch | 131 +++++++++++++++++++ ...-name-parsing-at-the-end-of-current-input.patch | 138 +++++++++++++++++++++ 3 files changed, 271 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch create mode 100644 meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 87aa21e2d3..08d7961241 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc @@ -28,6 +28,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2015-8241.patch \ file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \ file://CVE-2015-8242-Buffer-overead-with-HTML-parser.patch \ + file://Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch \ + file://CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \ " BINCONFIG = "${bindir}/xml2-config" diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch new file mode 100644 index 0000000000..b4860791bf --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch @@ -0,0 +1,131 @@ +From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 16:06:59 +0800 +Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect + entities boundaries + +For https://bugzilla.gnome.org/show_bug.cgi?id=756525 +handle properly the case where we popped out of the current entity +while processing a start tag +Reported by Kostya Serebryany @ Google + +This slightly modifies the output of 754946 in regression tests + +Upstream-Status: Backport + +CVE-2015-7500 + +Signed-off-by: Armin Kuster + +--- + parser.c | 28 ++++++++++++++++++++++------ + result/errors/754946.xml.err | 7 +++++-- + 2 files changed, 27 insertions(+), 8 deletions(-) + +diff --git a/parser.c b/parser.c +index c7e4574..c5741e3 100644 +--- a/parser.c ++++ b/parser.c +@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, + const xmlChar **atts = ctxt->atts; + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef; +- int i, j, nbNs, attval, oldline, oldcol; ++ int i, j, nbNs, attval, oldline, oldcol, inputNr; + const xmlChar *base; + unsigned long cur; + int nsNr = ctxt->nsNr; +@@ -9367,6 +9367,7 @@ reparse: + SHRINK; + base = ctxt->input->base; + cur = ctxt->input->cur - ctxt->input->base; ++ inputNr = ctxt->inputNr; + oldline = ctxt->input->line; + oldcol = ctxt->input->col; + nbatts = 0; +@@ -9392,7 +9393,8 @@ reparse: + */ + SKIP_BLANKS; + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + + while (((RAW != '>') && + ((RAW != '/') || (NXT(1) != '>')) && +@@ -9403,7 +9405,7 @@ reparse: + + attname = xmlParseAttribute2(ctxt, prefix, localname, + &aprefix, &attvalue, &len, &alloc); +- if (ctxt->input->base != base) { ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { + if ((attvalue != NULL) && (alloc != 0)) + xmlFree(attvalue); + attvalue = NULL; +@@ -9552,7 +9554,8 @@ skip_ns: + break; + } + SKIP_BLANKS; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + +@@ -9589,7 +9592,8 @@ failed: + GROW + if (ctxt->instate == XML_PARSER_EOF) + break; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9605,7 +9609,8 @@ failed: + break; + } + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + } + + /* +@@ -9772,6 +9777,17 @@ base_changed: + if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) + xmlFree((xmlChar *) atts[i]); + } ++ ++ /* ++ * We can't switch from one entity to another in the middle ++ * of a start tag ++ */ ++ if (inputNr != ctxt->inputNr) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ++ "Start tag doesn't start and stop in the same entity\n"); ++ return(NULL); ++ } ++ + ctxt->input->cur = ctxt->input->base + cur; + ctxt->input->line = oldline; + ctxt->input->col = oldcol; +diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err +index 423dff5..a75088b 100644 +--- a/result/errors/754946.xml.err ++++ b/result/errors/754946.xml.err +@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated + Entity: line 1: + A%SYSTEM;%SYSTEM; +Date: Tue, 15 Sep 2015 16:50:32 +0800 +Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer + +For https://bugzilla.gnome.org/show_bug.cgi?id=754946 + +When hitting the end of the current input buffer while parsing +a name we could end up loosing the beginning of the name, which +led to various issues. + +Upstream-Status: backport + +Depend patch for CVE-2015-7500 + +Signed-off-by: Armin Kuster +--- + parser.c | 29 ++++++++++++++++++++--------- + result/errors/754946.xml | 0 + result/errors/754946.xml.err | 16 ++++++++++++++++ + result/errors/754946.xml.str | 4 ++++ + test/errors/754946.xml | 1 + + 5 files changed, 41 insertions(+), 9 deletions(-) + create mode 100644 result/errors/754946.xml + create mode 100644 result/errors/754946.xml.err + create mode 100644 result/errors/754946.xml.str + create mode 100644 test/errors/754946.xml + +diff --git a/parser.c b/parser.c +index 0edd53b..fd29a39 100644 +--- a/parser.c ++++ b/parser.c +@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + if (c == 0) { + count = 0; ++ /* ++ * when shrinking to extend the buffer we really need to preserve ++ * the part of the name we already parsed. Hence rolling back ++ * by current lenght. ++ */ ++ ctxt->input->cur -= l; + GROW; ++ ctxt->input->cur += l; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + end = ctxt->input->cur; +@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + + static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { +- const xmlChar *in; ++ const xmlChar *in, *e; + const xmlChar *ret; + int count = 0; + +@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + * Accelerator for simple ASCII names + */ + in = ctxt->input->cur; +- if (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- (*in == '_')) { ++ e = ctxt->input->end; ++ if ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ (*in == '_')) && (in < e)) { + in++; +- while (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- ((*in >= 0x30) && (*in <= 0x39)) || +- (*in == '_') || (*in == '-') || +- (*in == '.')) ++ while ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ ((*in >= 0x30) && (*in <= 0x39)) || ++ (*in == '_') || (*in == '-') || ++ (*in == '.')) && (in < e)) + in++; ++ if (in >= e) ++ goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + if ((count > XML_MAX_NAME_LENGTH) && +@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + return(ret); + } + } ++complex: + return(xmlParseNCNameComplex(ctxt)); + } + +diff --git a/result/errors/754946.xml b/result/errors/754946.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err +new file mode 100644 +index 0000000..423dff5 +--- /dev/null ++++ b/result/errors/754946.xml.err +@@ -0,0 +1,16 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %SYSTEM; ++ ^ ++Entity: line 1: ++A%SYSTEM;