summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-12-05 18:57:27 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-20 17:08:29 (GMT)
commit66740c331478297e5eaaa9357a31a9cf095cfd6f (patch)
tree6e682ff1022ae6417f25029604b21fbb3e6742b7
parent2390475894663d718a00447ee48764f472ce60f7 (diff)
downloadpoky-66740c331478297e5eaaa9357a31a9cf095cfd6f.tar.gz
libxml2: security fix CVE-2015-7498
(From OE-Core rev: b3d6a714180199a5e0099e3d40b37c9bfa106eb1) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch89
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 365d5bc..759f722 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -29,6 +29,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
29 file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \ 29 file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
30 file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \ 30 file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
31 file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ 31 file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
32 file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
32 " 33 "
33 34
34BINCONFIG = "${bindir}/xml2-config" 35BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
new file mode 100644
index 0000000..47ba897
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
@@ -0,0 +1,89 @@
1From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Mon, 9 Nov 2015 18:07:18 +0800
4Subject: [PATCH] Avoid processing entities after encoding conversion failures
5
6For https://bugzilla.gnome.org/show_bug.cgi?id=756527
7and was also raised by Chromium team in the past
8
9When we hit a convwersion failure when switching encoding
10it is bestter to stop parsing there, this was treated as a
11fatal error but the parser was continuing to process to extract
12more errors, unfortunately that makes little sense as the data
13is obviously corrupt and can potentially lead to unexpected behaviour.
14
15Upstream-Status: Backport
16
17CVE-2015-7498
18
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 parser.c | 7 +++++--
23 parserInternals.c | 11 ++++++++++-
24 2 files changed, 15 insertions(+), 3 deletions(-)
25
26diff --git a/parser.c b/parser.c
27index 134afe7..c79b4e8 100644
28--- a/parser.c
29+++ b/parser.c
30@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
31 xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
32 }
33 xmlParseEncodingDecl(ctxt);
34- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
35+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
36+ (ctxt->instate == XML_PARSER_EOF)) {
37 /*
38 * The XML REC instructs us to stop parsing right here
39 */
40@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
41
42 if (CUR == 0) {
43 xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
44+ return(-1);
45 }
46
47 /*
48@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
49 * Note that we will switch encoding on the fly.
50 */
51 xmlParseXMLDecl(ctxt);
52- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
53+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
54+ (ctxt->instate == XML_PARSER_EOF)) {
55 /*
56 * The XML REC instructs us to stop parsing right here
57 */
58diff --git a/parserInternals.c b/parserInternals.c
59index df204fd..c8230c1 100644
60--- a/parserInternals.c
61+++ b/parserInternals.c
62@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
63 {
64 xmlCharEncodingHandlerPtr handler;
65 int len = -1;
66+ int ret;
67
68 if (ctxt == NULL) return(-1);
69 switch (enc) {
70@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
71 if (handler == NULL)
72 return(-1);
73 ctxt->charset = XML_CHAR_ENCODING_UTF8;
74- return(xmlSwitchToEncodingInt(ctxt, handler, len));
75+ ret = xmlSwitchToEncodingInt(ctxt, handler, len);
76+ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
77+ /*
78+ * on encoding conversion errors, stop the parser
79+ */
80+ xmlStopParser(ctxt);
81+ ctxt->errNo = XML_I18N_CONV_FAILED;
82+ }
83+ return(ret);
84 }
85
86 /**
87--
882.3.5
89