[oe-commits] [openembedded-core] 16/17: libxml2: Security fix for CVE-2016-4447

git at git.openembedded.org git at git.openembedded.org
Wed Jul 27 07:34:21 UTC 2016


rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit b817c98017cb64f902cdae514fb162b3199a0a14
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Jul 9 15:12:44 2016 -0700

    libxml2: Security fix for CVE-2016-4447
    
    Affects libxml2 < 2.9.4
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libxml/libxml2/CVE-2016-4447.patch             | 208 +++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |   1 +
 2 files changed, 209 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch
new file mode 100644
index 0000000..5957844
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch
@@ -0,0 +1,208 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer at apple.com>
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml).  Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly.  This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+
+Upstream-Status: Backport 
+CVE: CVE-2016-4447
+Signed-off-by: Armin Kuster <akuster at mvist.com>
+
+---
+ parser.c                       |  2 ++
+ result/errors/759573-2.xml     |  0
+ result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+ result/errors/759573-2.xml.str |  4 +++
+ result/errors/759573.xml       |  0
+ result/errors/759573.xml.err   | 31 ++++++++++++++++++++++
+ result/errors/759573.xml.str   |  4 +++
+ test/errors/759573-2.xml       |  9 +++++++
+ test/errors/759573.xml         |  1 +
+ 9 files changed, 109 insertions(+)
+ create mode 100644 result/errors/759573-2.xml
+ create mode 100644 result/errors/759573-2.xml.err
+ create mode 100644 result/errors/759573-2.xml.str
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573-2.xml
+ create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6723,6 +6723,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctx
+ 	if (!IS_BLANK_CH(CUR)) {
+ 	    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ 		           "Space required after 'ELEMENT'\n");
++	    return(-1);
+ 	}
+         SKIP_BLANKS;
+         name = xmlParseName(ctxt);
+@@ -6874,6 +6875,7 @@ xmlParseConditionalSections(xmlParserCtx
+ 
+ 	    if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ 		xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++		xmlHaltParser(ctxt);
+ 		break;
+ 	    }
+ 	}
+Index: libxml2-2.9.2/result/errors/759573-2.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.err
+@@ -0,0 +1,58 @@
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++                   ^
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++                   ^
++Entity: line 1: parser error : Space required after 'ELEMENT'
++ %xx;
++     ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++             ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++     ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++             ^
++./test/errors/759573-2.xml:6: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
++    ^
++./test/errors/759573-2.xml:6: parser error : DOCTYPE improperly terminated
++%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
++    ^
++./test/errors/759573-2.xml:6: parser error : Start tag expected, '<' not found
++%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
++    ^
+Index: libxml2-2.9.2/result/errors/759573-2.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573-2.xml:2: parser error : Extra content at the end of the document
++<!DOCTYPE test [
++               ^
++./test/errors/759573-2.xml : failed to parse
+Index: libxml2-2.9.2/result/errors/759573.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573.xml.err
+@@ -0,0 +1,31 @@
++./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
++ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITY
++                                                                               ^
++./test/errors/759573.xml:1: parser error : Space required after the entity name
++LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
++                                                                               ^
++./test/errors/759573.xml:1: parser error : Entity value required
++LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
++                                                                               ^
++Entity: line 1: parser error : PEReference: no name
++ %xx;
++     ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++     ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++            ^
++./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
++                                                                               ^
++./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
++T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
++                                                                               ^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
++                                                                               ^
+Index: libxml2-2.9.2/result/errors/759573.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573.xml:1: parser error : Extra content at the end of the document
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
++               ^
++./test/errors/759573.xml : failed to parse
+Index: libxml2-2.9.2/test/errors/759573-2.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759573-2.xml
+@@ -0,0 +1,9 @@
++<?xmh ven="1.0"?>
++<!DOCTYPE test [
++<!ELEMENT test (#PCDATA) >
++<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<!ELEMENTD(&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
++<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
++%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
++<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
++<!ENTent ref="b�:b>r.B"/>
++e
		</
+\ No newline at end of file
+Index: libxml2-2.9.2/test/errors/759573.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759573.xml
+@@ -0,0 +1 @@
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+\ No newline at end of file
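Review bot: The added `xmlHaltParser(ctxt);` call in the xmlParseConditionalSections hunk only builds if that function already exists in the patched 2.9.2 tree, and as far as I know upstream introduced it after 2.9.2. The patch therefore appears to rely on an earlier backport in SRC_URI that is not visible on this page; a header line such as `Depends on the earlier backport that adds xmlHaltParser()` would make that ordering requirement explicit. The header's `Signed-off-by: Armin Kuster <akuster at mvist.com>` differs from the `mvista.com` address on the commit itself and looks like a typo. The fuzzed fixture test/errors/759573-2.xml carries raw non-text bytes, and some of its lines render here without the leading `+`, so it is worth confirming that do_patch applies it byte-for-byte or keeping only the two parser.c lines. Both parser.c functions begin and end outside their hunks, so the effect of the early `return(-1);` on the rest of xmlParseElementDecl cannot be checked from here.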
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 90f7a7a..c7db1de 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -17,6 +17,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1835.patch \
             file://CVE-2016-1833.patch \
             file://CVE-2016-3627.patch \
+            file://CVE-2016-4447.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
