From c9a2e2f33e8b473f06a3941dab9b4ecccd111a23 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 16 Jan 2017 07:30:00 +0100 Subject: expat: CVE-2012-6702, CVE-2016-5300 References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 http://www.openwall.com/lists/oss-security/2016/06/04/5 Reference to upstream fix: https://bugzilla.redhat.com/attachment.cgi?id=1165210 Squashed backport against vanilla Expat 2.1.1, addressing: * CVE-2012-6702 -- unanticipated internal calls to srand * CVE-2016-5300 -- use of too little entropy Signed-off-by: Sona Sarmadi Signed-off-by: Armin Kuster --- .../expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch | 123 +++++++++++++++++++++ meta/recipes-core/expat/expat_2.1.0.bb | 4 + 2 files changed, 127 insertions(+) create mode 100644 meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch diff --git a/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch new file mode 100644 index 0000000000..00cc731540 --- /dev/null +++ b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch @@ -0,0 +1,123 @@ +From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 16 Mar 2016 15:30:12 +0100 +Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0) + +Squashed backport against vanilla Expat 2.1.1, addressing: +* CVE-2012-6702 -- unanticipated internal calls to srand +* CVE-2016-5300 -- use of too little entropy + +Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d +(released with Expat 2.1.0) Expat called srand by itself +from inside generate_hash_secret_salt for an instance +of XML_Parser if XML_SetHashSalt was either (a) not called +for that instance or if (b) salt 0 was passed to XML_SetHashSalt +prior to parsing. That call to srand passed (rather litle) +entropy extracted from the current time as a seed for srand. + +That call to srand (1) broke repeatability for code calling +srand with a non-random seed prior to parsing with Expat, +and (2) resulted in a rather small set of hashing salts in +Expat in total. + +For a short- to mid-term fix, the new approach avoids calling +srand altogether, extracts more entropy out of the clock and +other sources, too. + +For a long term fix, we may want to read sizeof(long) bytes +from a source like getrandom(..) on Linux, and from similar +sources on other supported architectures. + +https://bugzilla.redhat.com/show_bug.cgi?id=1197087 + +CVE: CVE-2012-6702 +CVE: CVE-2016-5300 +Upstream-Status: Backport + +Removed changes from CMakeLists.txt from original patch, since that code is +not part of fix for these CVEs. +Reference to the commit for CMakeLists.txt changes: +https://sourceforge.net/p/expat/code_git/ci/37f7efb878660d55ff5fd67ad2cda1c103297df6 + +Signed-off-by: Sona Sarmadi +--- +diff -Nurp a/lib/xmlparse.c b/lib/xmlparse.c +--- a/lib/xmlparse.c 2017-01-13 10:16:35.570784710 +0100 ++++ b/lib/xmlparse.c 2017-01-13 11:22:20.522433486 +0100 +@@ -6,7 +6,14 @@ + #include /* memset(), memcpy() */ + #include + #include /* UINT_MAX */ +-#include /* time() */ ++ ++#ifdef COMPILED_FROM_DSP ++#define getpid GetCurrentProcessId ++#else ++#include /* gettimeofday() */ ++#include /* getpid() */ ++#include /* getpid() */ ++#endif + + #define XML_BUILDING_EXPAT 1 + +@@ -432,7 +439,7 @@ static ELEMENT_TYPE * + getElementType(XML_Parser parser, const ENCODING *enc, + const char *ptr, const char *end); + +-static unsigned long generate_hash_secret_salt(void); ++static unsigned long generate_hash_secret_salt(XML_Parser parser); + static XML_Bool startParsing(XML_Parser parser); + + static XML_Parser +@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] + }; + + static unsigned long +-generate_hash_secret_salt(void) ++gather_time_entropy(void) ++{ ++#ifdef COMPILED_FROM_DSP ++ FILETIME ft; ++ GetSystemTimeAsFileTime(&ft); /* never fails */ ++ return ft.dwHighDateTime ^ ft.dwLowDateTime; ++#else ++ struct timeval tv; ++ int gettimeofday_res; ++ ++ gettimeofday_res = gettimeofday(&tv, NULL); ++ assert (gettimeofday_res == 0); ++ ++ /* Microseconds time is <20 bits entropy */ ++ return tv.tv_usec; ++#endif ++} ++ ++static unsigned long ++generate_hash_secret_salt(XML_Parser parser) + { +- unsigned int seed = time(NULL) % UINT_MAX; +- srand(seed); +- return rand(); ++ /* Process ID is 0 bits entropy if attacker has local access ++ * XML_Parser address is few bits of entropy if attacker has local access */ ++ const unsigned long entropy = ++ gather_time_entropy() ^ getpid() ^ (unsigned long)parser; ++ ++ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ ++ if (sizeof(unsigned long) == 4) { ++ return entropy * 2147483647; ++ } else { ++ return entropy * 2305843009213693951; ++ } + } + + static XML_Bool /* only valid for root parser */ +@@ -703,7 +737,7 @@ startParsing(XML_Parser parser) + { + /* hash functions must be initialized before setContext() is called */ + if (hash_secret_salt == 0) +- hash_secret_salt = generate_hash_secret_salt(); ++ hash_secret_salt = generate_hash_secret_salt(parser); + if (ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it diff --git a/meta/recipes-core/expat/expat_2.1.0.bb b/meta/recipes-core/expat/expat_2.1.0.bb index b958742edc..f81486485d 100644 --- a/meta/recipes-core/expat/expat_2.1.0.bb +++ b/meta/recipes-core/expat/expat_2.1.0.bb @@ -1,5 +1,9 @@ require expat.inc + +FILESEXTRAPATHS_prepend := "${THISDIR}/expat-2.1.0:" LIC_FILES_CHKSUM = "file://COPYING;md5=1b71f681713d1256e1c23b0890920874" +SRC_URI += "file://CVE-2016-5300_CVE-2012-6702.patch \ + " SRC_URI[md5sum] = "dd7dab7a5fea97d2a6a43f511449b7cd" SRC_URI[sha256sum] = "823705472f816df21c8f6aa026dd162b280806838bb55b3432b0fb1fcca7eb86" -- cgit 1.2.3-korg