From 66740c331478297e5eaaa9357a31a9cf095cfd6f Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sat, 5 Dec 2015 10:57:27 -0800
Subject: libxml2: security fix CVE-2015-7498
(From OE-Core rev: b3d6a714180199a5e0099e3d40b37c9bfa106eb1)
Signed-off-by: Armin Kuster
Signed-off-by: Joshua Lock
Signed-off-by: Richard Purdie
---
 meta/recipes-core/libxml/libxml2.inc | 1 +
 ...ssing-entities-after-encoding-conversion-.patch | 89 ++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 365d5bc..759f722 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -29,6 +29,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
 file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
 file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
 file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
+ file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
 "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
new file mode 100644
index 0000000..47ba897
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
@@ -0,0 +1,89 @@
+From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: [PATCH] Avoid processing entities after encoding conversion failures
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+
+Upstream-Status: Backport
+
+CVE-2015-7498
+
+Signed-off-by: Armin Kuster
+
+---
+ parser.c | 7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 134afe7..c79b4e8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+ }
+ xmlParseEncodingDecl(ctxt);
+- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++ (ctxt->instate == XML_PARSER_EOF)) {
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+
+ if (CUR == 0) {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
++ return(-1);
+ }
+
+ /*
+@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ * Note that we will switch encoding on the fly.
+ */
+ xmlParseXMLDecl(ctxt);
+- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++ (ctxt->instate == XML_PARSER_EOF)) {
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+diff --git a/parserInternals.c b/parserInternals.c
+index df204fd..c8230c1 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+ xmlCharEncodingHandlerPtr handler;
+ int len = -1;
++ int ret;
+
+ if (ctxt == NULL) return(-1);
+ switch (enc) {
+@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ if (handler == NULL)
+ return(-1);
+ ctxt->charset = XML_CHAR_ENCODING_UTF8;
+- return(xmlSwitchToEncodingInt(ctxt, handler, len));
++ ret = xmlSwitchToEncodingInt(ctxt, handler, len);
++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
++ /*
++ * on encoding conversion errors, stop the parser
++ */
++ xmlStopParser(ctxt);
++ ctxt->errNo = XML_I18N_CONV_FAILED;
++ }
++ return(ret);
+ }
+
+ /**
+--
+2.3.5
+
-- cgit v1.1
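Review bot: In the second xmlSwitchEncoding hunk of the embedded parserInternals.c patch, the parser is stopped whenever `ctxt->errNo == XML_I18N_CONV_FAILED`, even when `ret` is non-negative, yet the function still ends with `return(ret);`, so a caller that tests only the return value is not told that parsing was halted. The parser.c hunks cover xmlParseXMLDecl and xmlParseDocument by also testing `ctxt->instate == XML_PARSER_EOF`; any other caller of xmlSwitchEncoding lies outside this patch and should be checked for the same test. Since this is a backport I would keep the code as upstream wrote it and record the contract in a comment above the return, e.g. `/* parser may have been stopped above; callers must also check ctxt->instate == XML_PARSER_EOF */`. `errNo` appears to hold the most recent error rather than one raised by this call, so the condition may also fire on an earlier conversion failure, which errs on the side of stopping. The body of xmlSwitchEncoding begins and ends outside the hunk.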