[OE-core] [PATCH][V2][Jethro, fido 07/10] libxml2: security fix CVE-2015-7499
Armin Kuster
akuster808 at gmail.com
Fri Jan 8 00:48:30 UTC 2016
From: Armin Kuster <akuster at mvista.com>
includes:
CVE-2015-7499-1
CVE-2015-7499-2
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-core/libxml/libxml2.inc | 2 +
...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 ++++++++++++++++++++++
...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 +++++++++++
3 files changed, 133 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 65b2625..3073851 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -29,6 +29,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
+ file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
+ file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 0000000..e39ec65
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,88 @@
+From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: [PATCH] Add xmlHaltParser() to stop the parser
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+
+Upstream-Status: Backport
+
+CVE-2015-7499-1
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index da6e729..b6e99b1 100644
+--- a/parser.c
++++ b/parser.c
+@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ const xmlChar *base, xmlParserCtxtPtr pctx);
+
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+ * *
+ * Arbitrary limits set in the parser. See XML_PARSE_HUGE *
+@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+ * @ctxt: an XML parser context
+ *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+ */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL)
+ return;
+ ctxt->instate = XML_PARSER_EOF;
+- ctxt->errNo = XML_ERR_USER_STOP;
+ ctxt->disableSAX = 1;
+ if (ctxt->input != NULL) {
++ /*
++ * in case there was a specific allocation deallocate before
++ * overriding base
++ */
++ if (ctxt->input->free != NULL) {
++ ctxt->input->free((xmlChar *) ctxt->input->base);
++ ctxt->input->free = NULL;
++ }
+ ctxt->input->cur = BAD_CAST"";
+ ctxt->input->base = ctxt->input->cur;
+ }
+ }
+
+ /**
++ * xmlStopParser:
++ * @ctxt: an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL)
++ return;
++ xmlHaltParser(ctxt);
++ ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+ * xmlCreateIOParserCtxt:
+ * @sax: a SAX handler
+ * @user_data: The user data returned on SAX callbacks
+--
+2.3.5
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 0000000..aff3920
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,43 @@
+From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: [PATCH] Detect incoherency on GROW
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+
+Upstream-Status: Backport
+
+CVE-2015-7499-2
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1810f99..ab007aa 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
++ return;
+ }
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++ if ((ctxt->input->cur > ctxt->input->end) ||
++ (ctxt->input->cur < ctxt->input->base)) {
++ xmlHaltParser(ctxt);
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++ return;
++ }
+ if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ xmlPopInput(ctxt);
+--
+2.3.5
+
--
2.3.5
More information about the Openembedded-core
mailing list