aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch207
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.4.bb1
2 files changed, 208 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
new file mode 100644
index 0000000000..3581ab83df
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
@@ -0,0 +1,207 @@
+From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Fri, 7 Apr 2017 16:45:56 +0200
+Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
+ even local
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+
+* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
+* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
+* include/libxml/xmlerror.h: new error raised
+* xmllint.c: adds --noxxe flag to activate the option
+
+Upstream-Status: Backport
+CVE: CVE-2016-9318
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ elfgcchack.h | 10 ++++++++++
+ include/libxml/parser.h | 3 ++-
+ include/libxml/xmlIO.h | 8 ++++++++
+ include/libxml/xmlerror.h | 1 +
+ parser.c | 4 ++++
+ xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
+ xmllint.c | 5 +++++
+ 7 files changed, 65 insertions(+), 6 deletions(-)
+
+diff --git a/elfgcchack.h b/elfgcchack.h
+index 8c52884..1b81dcd 100644
+--- a/elfgcchack.h
++++ b/elfgcchack.h
+@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
+ #endif
+ #endif
+
++#ifdef bottom_xmlIO
++#undef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
++#else
++#ifndef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
++#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
++#endif
++#endif
++
+ #ifdef bottom_tree
+ #undef xmlNodeAddContent
+ extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index 47fbec0..63ca1b9 100644
+--- a/include/libxml/parser.h
++++ b/include/libxml/parser.h
+@@ -1111,7 +1111,8 @@ typedef enum {
+ XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
+ XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
+ XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
+- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
++ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
++ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
+ } xmlParserOption;
+
+ XMLPUBFUN void XMLCALL
+diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
+index 3e41744..8d3fdef 100644
+--- a/include/libxml/xmlIO.h
++++ b/include/libxml/xmlIO.h
+@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
+ xmlParserCtxtPtr ctxt);
+
+ /*
++ * A predefined entity loader external entity expansion
++ */
++XMLPUBFUN xmlParserInputPtr XMLCALL
++ xmlNoXxeExternalEntityLoader (const char *URL,
++ const char *ID,
++ xmlParserCtxtPtr ctxt);
++
++/*
+ * xmlNormalizeWindowsPath is obsolete, don't use it.
+ * Check xmlCanonicPath in uri.h for a better alternative.
+ */
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 037c16d..3036062 100644
+--- a/include/libxml/xmlerror.h
++++ b/include/libxml/xmlerror.h
+@@ -470,6 +470,7 @@ typedef enum {
+ XML_IO_EADDRINUSE, /* 1554 */
+ XML_IO_EALREADY, /* 1555 */
+ XML_IO_EAFNOSUPPORT, /* 1556 */
++ XML_IO_ILLEGAL_XXE, /* 1557 */
+ XML_XINCLUDE_RECURSION=1600,
+ XML_XINCLUDE_PARSE_VALUE, /* 1601 */
+ XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
+diff --git a/parser.c b/parser.c
+index 53a6b7f..609a270 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ ctxt->options |= XML_PARSE_NONET;
+ options -= XML_PARSE_NONET;
+ }
++ if (options & XML_PARSE_NOXXE) {
++ ctxt->options |= XML_PARSE_NOXXE;
++ options -= XML_PARSE_NOXXE;
++ }
+ if (options & XML_PARSE_COMPACT) {
+ ctxt->options |= XML_PARSE_COMPACT;
+ options -= XML_PARSE_COMPACT;
+diff --git a/xmlIO.c b/xmlIO.c
+index 1a79c09..304f822 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -210,6 +210,7 @@ static const char *IOerr[] = {
+ "adddress in use", /* EADDRINUSE */
+ "already in use", /* EALREADY */
+ "unknown address familly", /* EAFNOSUPPORT */
++ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
+ };
+
+ #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
+@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
+ #endif
+- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
++ if (ctxt != NULL) {
+ int options = ctxt->options;
+
+- ctxt->options -= XML_PARSE_NONET;
+- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+- ctxt->options = options;
+- return(ret);
++ if (options & XML_PARSE_NOXXE) {
++ ctxt->options -= XML_PARSE_NOXXE;
++ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
++ ctxt->options = options;
++ return(ret);
++ }
++
++ if (options & XML_PARSE_NONET) {
++ ctxt->options -= XML_PARSE_NONET;
++ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
++ ctxt->options = options;
++ return(ret);
++ }
+ }
+ #ifdef LIBXML_CATALOG_ENABLED
+ resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+ xmlParserInputPtr input = NULL;
+ xmlChar *resource = NULL;
+
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++
+ #ifdef LIBXML_CATALOG_ENABLED
+ resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+ #endif
+@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+ return(input);
+ }
+
++xmlParserInputPtr
++xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
++ xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
++ return(NULL);
++}
++
+ #define bottom_xmlIO
+ #include "elfgcchack.h"
+diff --git a/xmllint.c b/xmllint.c
+index 67f7adb..d9368c1 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
+ printf("\t--path 'paths': provide a set of paths for resources\n");
+ printf("\t--load-trace : print trace of all external entities loaded\n");
+ printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
++ printf("\t--noxxe : forbid any external entity loading\n");
+ printf("\t--nocompact : do not generate compact text nodes\n");
+ printf("\t--htmlout : output results as HTML\n");
+ printf("\t--nowrap : do not put HTML doc wrapper\n");
+@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
+ (!strcmp(argv[i], "--nonet"))) {
+ options |= XML_PARSE_NONET;
+ xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
++ } else if ((!strcmp(argv[i], "-noxxe")) ||
++ (!strcmp(argv[i], "--noxxe"))) {
++ options |= XML_PARSE_NOXXE;
++ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
+ } else if ((!strcmp(argv[i], "-nocompact")) ||
+ (!strcmp(argv[i], "--nocompact"))) {
+ options &= ~XML_PARSE_COMPACT;
+--
+2.10.2
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 0c3d683623..7d0e121be1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2016-5131.patch \
file://libxml2-CVE-2016-4658.patch \
file://libxml2-fix_NULL_pointer_derefs.patch \
+ file://CVE-2016-9318.patch \
"
SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"