author | Armin Kuster <akuster@mvista.com> | 2016-07-09 15:12:44 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-07-27 08:29:41 +0100 |
commit | b817c98017cb64f902cdae514fb162b3199a0a14 (patch) | |
tree | f928c1ce0e695ae6eab17349c691ed2abf5d70fb /meta/recipes-core | |
parent | ceabe39237a035efda6a74c746848a9fbab30a08 (diff) | |
download | openembedded-core-contrib-b817c98017cb64f902cdae514fb162b3199a0a14.tar.gz |
libxml2: Security fix for CVE-2016-4447
Affects libxml2 < 2.9.4
Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch | 208 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch
new file mode 100644
index 0000000000..5957844433
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch
@@ -0,0 +1,208 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml). Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly. This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+
+Upstream-Status: Backport
+CVE: CVE-2016-4447
+Signed-off-by: Armin Kuster <akuster@mvist.com>
+
+---
+ parser.c | 2 ++
+ result/errors/759573-2.xml | 0
+ result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+ result/errors/759573-2.xml.str | 4 +++
+ result/errors/759573.xml | 0
+ result/errors/759573.xml.err | 31 ++++++++++++++++++++++
+ result/errors/759573.xml.str | 4 +++
+ test/errors/759573-2.xml | 9 +++++++
+ test/errors/759573.xml | 1 +
+ 9 files changed, 109 insertions(+)
+ create mode 100644 result/errors/759573-2.xml
+ create mode 100644 result/errors/759573-2.xml.err
+ create mode 100644 result/errors/759573-2.xml.str
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573-2.xml
+ create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6723,6 +6723,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctx
+ if (!IS_BLANK_CH(CUR)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "Space required after 'ELEMENT'\n");
++ return(-1);
+ }
+ SKIP_BLANKS;
+ name = xmlParseName(ctxt);
+@@ -6874,6 +6875,7 @@ xmlParseConditionalSections(xmlParserCtx
+
+ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
+Index: libxml2-2.9.2/result/errors/759573-2.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.err
+@@ -0,0 +1,58 @@
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++ ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++ ^
++Entity: line 1: parser error : Space required after 'ELEMENT'
++ %xx;
++ ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++ ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++ ^
++./test/errors/759573-2.xml:6: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++%xx;ÿggKENSMYNT#MENTDŴzz;'>
++ ^
++./test/errors/759573-2.xml:6: parser error : DOCTYPE improperly terminated ++%xx;ÿggKENSMYNT#MENTDŴzz;'> ++ ^ ++./test/errors/759573-2.xml:6: parser error : Start tag expected, '<' not found ++%xx;ÿggKENSMYNT#MENTDŴzz;'> ++ ^ +Index: libxml2-2.9.2/result/errors/759573-2.xml.str +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/result/errors/759573-2.xml.str +@@ -0,0 +1,4 @@ ++./test/errors/759573-2.xml:2: parser error : Extra content at the end of the document ++<!DOCTYPE test [ ++ ^ ++./test/errors/759573-2.xml : failed to parse +Index: libxml2-2.9.2/result/errors/759573.xml.err +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/result/errors/759573.xml.err +@@ -0,0 +1,31 @@ ++./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY' ++ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITY ++ ^ ++./test/errors/759573.xml:1: parser error : Space required after the entity name ++LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz ++ ^ ++./test/errors/759573.xml:1: parser error : Entity value required ++LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz ++ ^ ++Entity: line 1: parser error : PEReference: no name ++ %xx; ++ ^ ++Entity: line 1: ++%<![INCLUDE[000%ஸ000%z; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %xx; ++ ^ ++Entity: line 1: ++%<![INCLUDE[000%ஸ000%z; ++ ^ ++./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; ++ ^ ++./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated ++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; ++ ^ ++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found ++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; ++ ^ +Index: 
libxml2-2.9.2/result/errors/759573.xml.str +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/result/errors/759573.xml.str +@@ -0,0 +1,4 @@ ++./test/errors/759573.xml:1: parser error : Extra content at the end of the document ++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 ++ ^ ++./test/errors/759573.xml : failed to parse +Index: libxml2-2.9.2/test/errors/759573-2.xml +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/test/errors/759573-2.xml +@@ -0,0 +1,9 @@ ++<?xmh ven="1.0"?> ++<!DOCTYPE test [ ++<!ELEMENT test (#PCDATA) > ++<!ENTITY % xx '%zz;
<![INCLUDE[
%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;'> ++<!ENTITY % zz '<!ENTITY<?xDOCTYPEm~?>' > ++%xx;ÿggKENSMYNT#MENTDŴzz;'> ++<!ENBITY % zz '<!EN#3&##37;z ';!EY'#x;g ++<!ENTent ref="bè:b>r.B"/> ++e </ +\ No newline at end of file +Index: libxml2-2.9.2/test/errors/759573.xml +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/test/errors/759573.xml +@@ -0,0 +1 @@ ++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; +\ No newline at end of file diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index 90f7a7ab79..c7db1de14e 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb @@ -17,6 +17,7 @@ SRC_URI += "file://CVE-2016-1762.patch \ file://CVE-2016-1835.patch \ file://CVE-2016-1833.patch \ file://CVE-2016-3627.patch \ + file://CVE-2016-4447.patch \ " SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" |
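Review bot: The second parser.c hunk (xmlParseConditionalSections, `xmlHaltParser(ctxt);` before the `break`) calls a helper that this patch neither defines nor declares, so the backport only builds correctly against 2.9.2 if an earlier entry in SRC_URI already introduces xmlHaltParser(); that is not visible from this commit and should be confirmed, since the new line in libxml2_2.9.2.bb appends the patch after CVE-2016-3627.patch and so relies on list order. Stating the prerequisite in the patch header, for example `Depends on the earlier backport that adds xmlHaltParser()`, would make the ordering requirement explicit for anyone who later drops or reorders patches. The first hunk's `return(-1);` in xmlParseElementDecl looks self-contained in the lines shown, but both functions begin and end outside the hunks, so cleanup on that early-return path cannot be checked here. The patch header's trailer reads `akuster@mvist.com`, while the commit itself is signed off as `akuster@mvista.com`; the patch trailer looks like a typo.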