summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-12-05 10:58:09 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-20 17:08:29 +0000
commit88e28c86c5a57f8ba62a0d82804ca4f0fa7d9742 (patch)
tree03bf7cbf1101b0fc80a4f7e594c92143bfc2a62f
parent6abe713244a5dd8dd02c9dfbddfcb5fe6d26fbbe (diff)
downloadast2050-yocto-poky-88e28c86c5a57f8ba62a0d82804ca4f0fa7d9742.zip
ast2050-yocto-poky-88e28c86c5a57f8ba62a0d82804ca4f0fa7d9742.tar.gz
libxml2: security fix CVE-2015-7499
includes: CVE-2015-7499-1 CVE-2015-7499-2 (From OE-Core rev: 3048fe24e4c5f83ad0971062a88592bcb6bf52bc) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch88
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch43
3 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 7fadd2e..334d1de 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -31,6 +31,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
+ file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
+ file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 0000000..e39ec65
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,88 @@
+From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: [PATCH] Add xmlHaltParser() to stop the parser
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+
+Upstream-Status: Backport
+
+CVE-2015-7499-1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index da6e729..b6e99b1 100644
+--- a/parser.c
++++ b/parser.c
+@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ const xmlChar *base, xmlParserCtxtPtr pctx);
+
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+ * *
+ * Arbitrary limits set in the parser. See XML_PARSE_HUGE *
+@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+ * @ctxt: an XML parser context
+ *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+ */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL)
+ return;
+ ctxt->instate = XML_PARSER_EOF;
+- ctxt->errNo = XML_ERR_USER_STOP;
+ ctxt->disableSAX = 1;
+ if (ctxt->input != NULL) {
++ /*
++ * in case there was a specific allocation deallocate before
++ * overriding base
++ */
++ if (ctxt->input->free != NULL) {
++ ctxt->input->free((xmlChar *) ctxt->input->base);
++ ctxt->input->free = NULL;
++ }
+ ctxt->input->cur = BAD_CAST"";
+ ctxt->input->base = ctxt->input->cur;
+ }
+ }
+
+ /**
++ * xmlStopParser:
++ * @ctxt: an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL)
++ return;
++ xmlHaltParser(ctxt);
++ ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+ * xmlCreateIOParserCtxt:
+ * @sax: a SAX handler
+ * @user_data: The user data returned on SAX callbacks
+--
+2.3.5
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 0000000..aff3920
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,43 @@
+From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: [PATCH] Detect incoherency on GROW
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+
+Upstream-Status: Backport
+
+CVE-2015-7499-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1810f99..ab007aa 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
++ return;
+ }
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++ if ((ctxt->input->cur > ctxt->input->end) ||
++ (ctxt->input->cur < ctxt->input->base)) {
++ xmlHaltParser(ctxt);
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++ return;
++ }
+ if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ xmlPopInput(ctxt);
+--
+2.3.5
+
OpenPOWER on IntegriCloud