libxml2: Security Advisory - libxml2 - CVE-2015-1819

for CVE-2015-1819 Enforce the reader to run in constant memory (From OE-Core rev: 9e67d8ae592a37d7c92d6566466b09c83e9ec6a7) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2015-06-15 09:18:52 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-06-18 09:14:07 +0100
commit: 8ef99a00dc75c6eed87aa1bc1528614a2a27eddf (patch)
tree: 909416c3d9a3450f52ce52d64b3eb0cc74a43378
parent: 64df52da57440b8d1f97a8f228399954effb7700 (diff)
download: poky-8ef99a00dc75c6eed87aa1bc1528614a2a27eddf.tar.gz
2 files changed, 182 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index d337bec0d0..1c3c37d509 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -20,6 +20,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://python-sitepackages-dir.patch \
           file://libxml-m4-use-pkgconfig.patch \
           file://configure.ac-fix-cross-compiling-warning.patch \
+           file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
          "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
new file mode 100644
index 0000000000..96d58f9dd6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
@@ -0,0 +1,181 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+Upstream-Status: Backport
+Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ buf.c                 |   43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h |    3 ++-
+ xmlreader.c           |   20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
+++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+ 
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+         (scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
+        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
+       (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+        buf->alloc = scheme;
+         if (buf->buffer)
+             buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+     size = buf->use + len + 100;
+ #endif
+ 
+    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+        /*
+        * Used to provide parsing limits
+        */
+        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+           (buf->size >= XML_MAX_TEXT_LENGTH)) {
+           xmlBufMemoryError(buf, "buffer error: text too long\n");
+           return(0);
+       }
+       if (size >= XML_MAX_TEXT_LENGTH)
+           size = XML_MAX_TEXT_LENGTH;
+    }
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+ 
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+     CHECK_COMPAT(buf)
+ 
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+        /*
+        * Used to provide parsing limits
+        */
+        if (size >= XML_MAX_TEXT_LENGTH) {
+           xmlBufMemoryError(buf, "buffer error: text too long\n");
+           return(0);
+       }
+    }
+ 
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ 
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
+       if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+           /*
+            * Used to provide parsing limits
+            */
+           if (needSize >= XML_MAX_TEXT_LENGTH) {
+               xmlBufMemoryError(buf, "buffer error: text too long\n");
+               return(-1);
+           }
+       }
+         if (!xmlBufResize(buf, needSize)){
+            xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
+       if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+           /*
+            * Used to provide parsing limits
+            */
+           if (needSize >= XML_MAX_TEXT_LENGTH) {
+               xmlBufMemoryError(buf, "buffer error: text too long\n");
+               return(-1);
+           }
+       }
+         if (!xmlBufResize(buf, needSize)){
+            xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
+++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+     XML_BUFFER_ALLOC_EXACT,    /* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,       /* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID    /* exact up to a threshold, and doubleit thereafter */
+    XML_BUFFER_ALLOC_HYBRID,   /* exact up to a threshold, and doubleit thereafter */
+    XML_BUFFER_ALLOC_BOUNDED   /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ 
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
+++ b/xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+                "xmlNewTextReader : malloc failed\n");
+        return(NULL);
+     }
+    /* no operation on a reader should require a huge buffer */
+    xmlBufSetAllocationScheme(ret->buffer,
+                             XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+        xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+            return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+            xmlAttrPtr attr = (xmlAttrPtr) node;
+           const xmlChar *ret;
+ 
+            if ((attr->children != NULL) &&
+                (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+                                         "xmlTextReaderSetup : malloc failed\n");
+                         return (NULL);
+                     }
+                   xmlBufSetAllocationScheme(reader->buffer,
+                                             XML_BUFFER_ALLOC_BOUNDED);
+                 } else
+                     xmlBufEmpty(reader->buffer);
+                xmlBufGetNodeContent(reader->buffer, node);
+-               return(xmlBufContent(reader->buffer));
+               ret = xmlBufContent(reader->buffer);
+               if (ret == NULL) {
+                   /* error on the buffer best to reallocate */
+                   xmlBufFree(reader->buffer);
+                   reader->buffer = xmlBufCreateSize(100);
+                   xmlBufSetAllocationScheme(reader->buffer,
+                                             XML_BUFFER_ALLOC_BOUNDED);
+                   ret = BAD_CAST "";
+               }
+               return(ret);
+            }
+            break;
+        }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
+    /* no operation on a reader should require a huge buffer */
+    xmlBufSetAllocationScheme(reader->buffer,
+                             XML_BUFFER_ALLOC_BOUNDED);
+     if (reader->sax == NULL)
+        reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (reader->sax == NULL) {
+-- 
+1.7.9.5
author	Yue Tao <Yue.Tao@windriver.com>	2015-06-15 09:18:52 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-06-18 09:14:07 +0100
commit	8ef99a00dc75c6eed87aa1bc1528614a2a27eddf (patch)
tree	909416c3d9a3450f52ce52d64b3eb0cc74a43378
parent	64df52da57440b8d1f97a8f228399954effb7700 (diff)
download	poky-8ef99a00dc75c6eed87aa1bc1528614a2a27eddf.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index d337bec0d0..1c3c37d509 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -20,6 +20,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
20	file://python-sitepackages-dir.patch \	20	file://python-sitepackages-dir.patch \
21	file://libxml-m4-use-pkgconfig.patch \	21	file://libxml-m4-use-pkgconfig.patch \
22	file://configure.ac-fix-cross-compiling-warning.patch \	22	file://configure.ac-fix-cross-compiling-warning.patch \
		23	file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
23	"	24	"
24		25
25	BINCONFIG = "${bindir}/xml2-config"	26	BINCONFIG = "${bindir}/xml2-config"


diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch new file mode 100644 index 0000000000..96d58f9dd6 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
@@ -0,0 +1,181 @@
		1	From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Tue, 14 Apr 2015 17:41:48 +0800
		4	Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
		5
		6	One of the operation on the reader could resolve entities
		7	leading to the classic expansion issue. Make sure the
		8	buffer used for xmlreader operation is bounded.
		9	Introduce a new allocation type for the buffers for this effect.
		10
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
		14	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		15	---
		16	buf.c \| 43 ++++++++++++++++++++++++++++++++++++++++++-
		17	include/libxml/tree.h \| 3 ++-
		18	xmlreader.c \| 20 +++++++++++++++++++-
		19	3 files changed, 63 insertions(+), 3 deletions(-)
		20
		21	diff --git a/buf.c b/buf.c
		22	index 6efc7b6..07922ff 100644
		23	--- a/buf.c
		24	+++ b/buf.c
		25	@@ -27,6 +27,7 @@
		26	#include <libxml/tree.h>
		27	#include <libxml/globals.h>
		28	#include <libxml/tree.h>
		29	+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
		30	#include "buf.h"
		31
		32	#define WITH_BUFFER_COMPAT
		33	@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
		34	if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) \|\|
		35	(scheme == XML_BUFFER_ALLOC_EXACT) \|\|
		36	(scheme == XML_BUFFER_ALLOC_HYBRID) \|\|
		37	- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
		38	+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) \|\|
		39	+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
		40	buf->alloc = scheme;
		41	if (buf->buffer)
		42	buf->buffer->alloc = scheme;
		43	@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
		44	size = buf->use + len + 100;
		45	#endif
		46
		47	+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
		48	+ /*
		49	+ * Used to provide parsing limits
		50	+ */
		51	+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) \|\|
		52	+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
		53	+ xmlBufMemoryError(buf, "buffer error: text too long\n");
		54	+ return(0);
		55	+ }
		56	+ if (size >= XML_MAX_TEXT_LENGTH)
		57	+ size = XML_MAX_TEXT_LENGTH;
		58	+ }
		59	if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
		60	size_t start_buf = buf->content - buf->contentIO;
		61
		62	@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
		63	CHECK_COMPAT(buf)
		64
		65	if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
		66	+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
		67	+ /*
		68	+ * Used to provide parsing limits
		69	+ */
		70	+ if (size >= XML_MAX_TEXT_LENGTH) {
		71	+ xmlBufMemoryError(buf, "buffer error: text too long\n");
		72	+ return(0);
		73	+ }
		74	+ }
		75
		76	/* Don't resize if we don't have to */
		77	if (size < buf->size)
		78	@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
		79
		80	needSize = buf->use + len + 2;
		81	if (needSize > buf->size){
		82	+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
		83	+ /*
		84	+ * Used to provide parsing limits
		85	+ */
		86	+ if (needSize >= XML_MAX_TEXT_LENGTH) {
		87	+ xmlBufMemoryError(buf, "buffer error: text too long\n");
		88	+ return(-1);
		89	+ }
		90	+ }
		91	if (!xmlBufResize(buf, needSize)){
		92	xmlBufMemoryError(buf, "growing buffer");
		93	return XML_ERR_NO_MEMORY;
		94	@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
		95	}
		96	needSize = buf->use + len + 2;
		97	if (needSize > buf->size){
		98	+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
		99	+ /*
		100	+ * Used to provide parsing limits
		101	+ */
		102	+ if (needSize >= XML_MAX_TEXT_LENGTH) {
		103	+ xmlBufMemoryError(buf, "buffer error: text too long\n");
		104	+ return(-1);
		105	+ }
		106	+ }
		107	if (!xmlBufResize(buf, needSize)){
		108	xmlBufMemoryError(buf, "growing buffer");
		109	return XML_ERR_NO_MEMORY;
		110	diff --git a/include/libxml/tree.h b/include/libxml/tree.h
		111	index 2f90717..4a9b3bc 100644
		112	--- a/include/libxml/tree.h
		113	+++ b/include/libxml/tree.h
		114	@@ -76,7 +76,8 @@ typedef enum {
		115	XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
		116	XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
		117	XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
		118	- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
		119	+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
		120	+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
		121	} xmlBufferAllocationScheme;
		122
		123	/**
		124	diff --git a/xmlreader.c b/xmlreader.c
		125	index f19e123..471e7e2 100644
		126	--- a/xmlreader.c
		127	+++ b/xmlreader.c
		128	@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
		129	"xmlNewTextReader : malloc failed\n");
		130	return(NULL);
		131	}
		132	+ /* no operation on a reader should require a huge buffer */
		133	+ xmlBufSetAllocationScheme(ret->buffer,
		134	+ XML_BUFFER_ALLOC_BOUNDED);
		135	ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
		136	if (ret->sax == NULL) {
		137	xmlBufFree(ret->buffer);
		138	@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
		139	return(((xmlNsPtr) node)->href);
		140	case XML_ATTRIBUTE_NODE:{
		141	xmlAttrPtr attr = (xmlAttrPtr) node;
		142	+ const xmlChar *ret;
		143
		144	if ((attr->children != NULL) &&
		145	(attr->children->type == XML_TEXT_NODE) &&
		146	@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
		147	"xmlTextReaderSetup : malloc failed\n");
		148	return (NULL);
		149	}
		150	+ xmlBufSetAllocationScheme(reader->buffer,
		151	+ XML_BUFFER_ALLOC_BOUNDED);
		152	} else
		153	xmlBufEmpty(reader->buffer);
		154	xmlBufGetNodeContent(reader->buffer, node);
		155	- return(xmlBufContent(reader->buffer));
		156	+ ret = xmlBufContent(reader->buffer);
		157	+ if (ret == NULL) {
		158	+ /* error on the buffer best to reallocate */
		159	+ xmlBufFree(reader->buffer);
		160	+ reader->buffer = xmlBufCreateSize(100);
		161	+ xmlBufSetAllocationScheme(reader->buffer,
		162	+ XML_BUFFER_ALLOC_BOUNDED);
		163	+ ret = BAD_CAST "";
		164	+ }
		165	+ return(ret);
		166	}
		167	break;
		168	}
		169	@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
		170	"xmlTextReaderSetup : malloc failed\n");
		171	return (-1);
		172	}
		173	+ /* no operation on a reader should require a huge buffer */
		174	+ xmlBufSetAllocationScheme(reader->buffer,
		175	+ XML_BUFFER_ALLOC_BOUNDED);
		176	if (reader->sax == NULL)
		177	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
		178	if (reader->sax == NULL) {
		179	--
		180	1.7.9.5
		181