summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-12-05 18:58:09 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-20 17:08:29 (GMT)
commit88e28c86c5a57f8ba62a0d82804ca4f0fa7d9742 (patch)
tree03bf7cbf1101b0fc80a4f7e594c92143bfc2a62f
parent6abe713244a5dd8dd02c9dfbddfcb5fe6d26fbbe (diff)
downloadpoky-88e28c86c5a57f8ba62a0d82804ca4f0fa7d9742.tar.gz
libxml2: security fix CVE-2015-7499
includes: CVE-2015-7499-1 CVE-2015-7499-2 (From OE-Core rev: 3048fe24e4c5f83ad0971062a88592bcb6bf52bc) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch88
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch43
3 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 7fadd2e..334d1de 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -31,6 +31,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
31 file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ 31 file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
32 file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \ 32 file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
33 file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \ 33 file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
34 file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
35 file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
34 " 36 "
35 37
36BINCONFIG = "${bindir}/xml2-config" 38BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 0000000..e39ec65
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,88 @@
1From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 20 Nov 2015 14:55:30 +0800
4Subject: [PATCH] Add xmlHaltParser() to stop the parser
5
6The problem is doing it in a consistent and safe fashion
7It's more complex than just setting ctxt->instate = XML_PARSER_EOF
8Update the public function to reuse that new internal routine
9
10Upstream-Status: Backport
11
12CVE-2015-7499-1
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 parser.c | 34 +++++++++++++++++++++++++++++-----
18 1 file changed, 29 insertions(+), 5 deletions(-)
19
20diff --git a/parser.c b/parser.c
21index da6e729..b6e99b1 100644
22--- a/parser.c
23+++ b/parser.c
24@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
25 xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
26 const xmlChar *base, xmlParserCtxtPtr pctx);
27
28+static void xmlHaltParser(xmlParserCtxtPtr ctxt);
29+
30 /************************************************************************
31 * *
32 * Arbitrary limits set in the parser. See XML_PARSE_HUGE *
33@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
34 #endif /* LIBXML_PUSH_ENABLED */
35
36 /**
37- * xmlStopParser:
38+ * xmlHaltParser:
39 * @ctxt: an XML parser context
40 *
41- * Blocks further parser processing
42+ * Blocks further parser processing don't override error
43+ * for internal use
44 */
45-void
46-xmlStopParser(xmlParserCtxtPtr ctxt) {
47+static void
48+xmlHaltParser(xmlParserCtxtPtr ctxt) {
49 if (ctxt == NULL)
50 return;
51 ctxt->instate = XML_PARSER_EOF;
52- ctxt->errNo = XML_ERR_USER_STOP;
53 ctxt->disableSAX = 1;
54 if (ctxt->input != NULL) {
55+ /*
56+ * in case there was a specific allocation deallocate before
57+ * overriding base
58+ */
59+ if (ctxt->input->free != NULL) {
60+ ctxt->input->free((xmlChar *) ctxt->input->base);
61+ ctxt->input->free = NULL;
62+ }
63 ctxt->input->cur = BAD_CAST"";
64 ctxt->input->base = ctxt->input->cur;
65 }
66 }
67
68 /**
69+ * xmlStopParser:
70+ * @ctxt: an XML parser context
71+ *
72+ * Blocks further parser processing
73+ */
74+void
75+xmlStopParser(xmlParserCtxtPtr ctxt) {
76+ if (ctxt == NULL)
77+ return;
78+ xmlHaltParser(ctxt);
79+ ctxt->errNo = XML_ERR_USER_STOP;
80+}
81+
82+/**
83 * xmlCreateIOParserCtxt:
84 * @sax: a SAX handler
85 * @user_data: The user data returned on SAX callbacks
86--
872.3.5
88
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 0000000..aff3920
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,43 @@
1From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 20 Nov 2015 15:04:09 +0800
4Subject: [PATCH] Detect incoherency on GROW
5
6the current pointer to the input has to be between the base and end
7if not stop everything we have an internal state error.
8
9Upstream-Status: Backport
10
11CVE-2015-7499-2
12
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15---
16 parser.c | 9 ++++++++-
17 1 file changed, 8 insertions(+), 1 deletion(-)
18
19diff --git a/parser.c b/parser.c
20index 1810f99..ab007aa 100644
21--- a/parser.c
22+++ b/parser.c
23@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
24 ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
25 ((ctxt->options & XML_PARSE_HUGE) == 0)) {
26 xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
27- ctxt->instate = XML_PARSER_EOF;
28+ xmlHaltParser(ctxt);
29+ return;
30 }
31 xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
32+ if ((ctxt->input->cur > ctxt->input->end) ||
33+ (ctxt->input->cur < ctxt->input->base)) {
34+ xmlHaltParser(ctxt);
35+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
36+ return;
37+ }
38 if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
39 (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
40 xmlPopInput(ctxt);
41--
422.3.5
43