[oe-commits] [openembedded-core] 16/36: libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local"

git at git.openembedded.org git at git.openembedded.org
Mon Sep 11 21:16:49 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch pyro
in repository openembedded-core.

commit d2b1486bf8773d3eef36c5e77b82e70c88d9c682
Author: Andrej Valek <andrej.valek at siemens.com>
AuthorDate: Wed Jun 14 15:12:22 2017 +0200

    libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local"
    
    The new flag doesn't work and the change even broke the XML_PARSE_NONET option.
    
    (From OE-Core rev: 8b586f60778579ee2c9adae429128a07e8437553)
    
    Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../libxml/libxml2/CVE-2016-9318.patch             | 207 ---------------------
 meta/recipes-core/libxml/libxml2_2.9.4.bb          |   1 -
 2 files changed, 208 deletions(-)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
deleted file mode 100644
index 3581ab8..0000000
--- a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
-From: Doran Moppert <dmoppert at redhat.com>
-Date: Fri, 7 Apr 2017 16:45:56 +0200
-Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
- even local
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=772726
-
-* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
-* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
-* include/libxml/xmlerror.h: new error raised
-* xmllint.c: adds --noxxe flag to activate the option
-
-Upstream-Status: Backport
-CVE: CVE-2016-9318
-
-Signed-off-by: Catalin Enache <catalin.enache at windriver.com>
----
- elfgcchack.h              | 10 ++++++++++
- include/libxml/parser.h   |  3 ++-
- include/libxml/xmlIO.h    |  8 ++++++++
- include/libxml/xmlerror.h |  1 +
- parser.c                  |  4 ++++
- xmlIO.c                   | 40 +++++++++++++++++++++++++++++++++++-----
- xmllint.c                 |  5 +++++
- 7 files changed, 65 insertions(+), 6 deletions(-)
-
-diff --git a/elfgcchack.h b/elfgcchack.h
-index 8c52884..1b81dcd 100644
---- a/elfgcchack.h
-+++ b/elfgcchack.h
-@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
- #endif
- #endif
- 
-+#ifdef bottom_xmlIO
-+#undef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
-+#else
-+#ifndef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
-+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
-+#endif
-+#endif
-+
- #ifdef bottom_tree
- #undef xmlNodeAddContent
- extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
-diff --git a/include/libxml/parser.h b/include/libxml/parser.h
-index 47fbec0..63ca1b9 100644
---- a/include/libxml/parser.h
-+++ b/include/libxml/parser.h
-@@ -1111,7 +1111,8 @@ typedef enum {
-     XML_PARSE_HUGE      = 1<<19,/* relax any hardcoded limit from the parser */
-     XML_PARSE_OLDSAX    = 1<<20,/* parse using SAX2 interface before 2.7.0 */
-     XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
--    XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
-+    XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
-+    XML_PARSE_NOXXE	= 1<<23 /* Forbid any external entity loading */
- } xmlParserOption;
- 
- XMLPUBFUN void XMLCALL
-diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
-index 3e41744..8d3fdef 100644
---- a/include/libxml/xmlIO.h
-+++ b/include/libxml/xmlIO.h
-@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
- 					 xmlParserCtxtPtr ctxt);
- 
- /*
-+ * A predefined entity loader external entity expansion
-+ */
-+XMLPUBFUN xmlParserInputPtr XMLCALL
-+	xmlNoXxeExternalEntityLoader	(const char *URL,
-+					 const char *ID,
-+					 xmlParserCtxtPtr ctxt);
-+
-+/*
-  * xmlNormalizeWindowsPath is obsolete, don't use it.
-  * Check xmlCanonicPath in uri.h for a better alternative.
-  */
-diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
-index 037c16d..3036062 100644
---- a/include/libxml/xmlerror.h
-+++ b/include/libxml/xmlerror.h
-@@ -470,6 +470,7 @@ typedef enum {
-     XML_IO_EADDRINUSE, /* 1554 */
-     XML_IO_EALREADY, /* 1555 */
-     XML_IO_EAFNOSUPPORT, /* 1556 */
-+    XML_IO_ILLEGAL_XXE, /* 1557 */
-     XML_XINCLUDE_RECURSION=1600,
-     XML_XINCLUDE_PARSE_VALUE, /* 1601 */
-     XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
-diff --git a/parser.c b/parser.c
-index 53a6b7f..609a270 100644
---- a/parser.c
-+++ b/parser.c
-@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
- 	ctxt->options |= XML_PARSE_NONET;
-         options -= XML_PARSE_NONET;
-     }
-+    if (options & XML_PARSE_NOXXE) {
-+	ctxt->options |= XML_PARSE_NOXXE;
-+        options -= XML_PARSE_NOXXE;
-+    }
-     if (options & XML_PARSE_COMPACT) {
- 	ctxt->options |= XML_PARSE_COMPACT;
-         options -= XML_PARSE_COMPACT;
-diff --git a/xmlIO.c b/xmlIO.c
-index 1a79c09..304f822 100644
---- a/xmlIO.c
-+++ b/xmlIO.c
-@@ -210,6 +210,7 @@ static const char *IOerr[] = {
-     "adddress in use",		/* EADDRINUSE */
-     "already in use",		/* EALREADY */
-     "unknown address familly",	/* EAFNOSUPPORT */
-+    "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
- };
- 
- #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
-@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
-     xmlGenericError(xmlGenericErrorContext,
-                     "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
- #endif
--    if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
-+    if (ctxt != NULL) {
-         int options = ctxt->options;
- 
--	ctxt->options -= XML_PARSE_NONET;
--        ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
--	ctxt->options = options;
--	return(ret);
-+        if (options & XML_PARSE_NOXXE) {
-+            ctxt->options -= XML_PARSE_NOXXE;
-+            ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
-+            ctxt->options = options;
-+            return(ret);
-+        }
-+ 
-+        if (options & XML_PARSE_NONET) {
-+            ctxt->options -= XML_PARSE_NONET;
-+            ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-+            ctxt->options = options;
-+            return(ret);
-+        }
-     }
- #ifdef LIBXML_CATALOG_ENABLED
-     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
-@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
-     xmlParserInputPtr input = NULL;
-     xmlChar *resource = NULL;
- 
-+    if (ctxt == NULL) {
-+        return(NULL);
-+    }
-+    if (ctxt->input_id == 1) {
-+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+    }
-+
- #ifdef LIBXML_CATALOG_ENABLED
-     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
- #endif
-@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
-     return(input);
- }
- 
-+xmlParserInputPtr
-+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
-+                          xmlParserCtxtPtr ctxt) {
-+    if (ctxt == NULL) {
-+        return(NULL);
-+    }
-+    if (ctxt->input_id == 1) {
-+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+    }
-+    xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
-+    return(NULL);
-+}
-+
- #define bottom_xmlIO
- #include "elfgcchack.h"
-diff --git a/xmllint.c b/xmllint.c
-index 67f7adb..d9368c1 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
-     printf("\t--path 'paths': provide a set of paths for resources\n");
-     printf("\t--load-trace : print trace of all external entities loaded\n");
-     printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
-+    printf("\t--noxxe : forbid any external entity loading\n");
-     printf("\t--nocompact : do not generate compact text nodes\n");
-     printf("\t--htmlout : output results as HTML\n");
-     printf("\t--nowrap : do not put HTML doc wrapper\n");
-@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
-                    (!strcmp(argv[i], "--nonet"))) {
- 	    options |= XML_PARSE_NONET;
- 	    xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
-+        } else if ((!strcmp(argv[i], "-noxxe")) ||
-+                   (!strcmp(argv[i], "--noxxe"))) {
-+	    options |= XML_PARSE_NOXXE;
-+	    xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
-         } else if ((!strcmp(argv[i], "-nocompact")) ||
-                    (!strcmp(argv[i], "--nocompact"))) {
- 	    options &= ~XML_PARSE_COMPACT;
--- 
-2.10.2
-
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 677d8c9..f67c47d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -28,7 +28,6 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
            file://libxml2-CVE-2017-5969.patch \
            file://libxml2-CVE-2017-0663.patch \
-           file://CVE-2016-9318.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            "
 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list