From: Armin Kuster <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Armin Kuster <akuster@mvista.com>
Subject: [PATCH][V2][Jethro, fido 08/10] libxml2: security fix CVE-2015-7500
Date: Thu, 7 Jan 2016 16:48:31 -0800 [thread overview]
Message-ID: <1452214113-11697-8-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1452214113-11697-1-git-send-email-akuster808@gmail.com>
From: Armin Kuster <akuster@mvista.com>
includes a depend fix security issue CVE-2015-7500
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/libxml/libxml2.inc | 2 +
...00-Fix-memory-access-error-due-to-incorre.patch | 131 +++++++++++++++++++
...n-name-parsing-at-the-end-of-current-inpu.patch | 138 +++++++++++++++++++++
3 files changed, 271 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 3073851..7fd7693 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -31,6 +31,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
+ file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \
+ file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 0000000..b486079
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+This slightly modifies the output of 754946 in regression tests
+
+Upstream-Status: Backport
+
+CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 28 ++++++++++++++++++++++------
+ result/errors/754946.xml.err | 7 +++++--
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ const xmlChar **atts = ctxt->atts;
+ int maxatts = ctxt->maxatts;
+ int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol;
++ int i, j, nbNs, attval, oldline, oldcol, inputNr;
+ const xmlChar *base;
+ unsigned long cur;
+ int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+ SHRINK;
+ base = ctxt->input->base;
+ cur = ctxt->input->cur - ctxt->input->base;
++ inputNr = ctxt->inputNr;
+ oldline = ctxt->input->line;
+ oldcol = ctxt->input->col;
+ nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+ */
+ SKIP_BLANKS;
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+
+ while (((RAW != '>') &&
+ ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+
+ attname = xmlParseAttribute2(ctxt, prefix, localname,
+ &aprefix, &attvalue, &len, &alloc);
+- if (ctxt->input->base != base) {
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ if ((attvalue != NULL) && (alloc != 0))
+ xmlFree(attvalue);
+ attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+ break;
+ }
+ SKIP_BLANKS;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+
+@@ -9589,7 +9592,8 @@ failed:
+ GROW
+ if (ctxt->instate == XML_PARSER_EOF)
+ break;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+ break;
+ }
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ }
+
+ /*
+@@ -9772,6 +9777,17 @@ base_changed:
+ if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ xmlFree((xmlChar *) atts[i]);
+ }
++
++ /*
++ * We can't switch from one entity to another in the middle
++ * of a start tag
++ */
++ if (inputNr != ctxt->inputNr) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++ "Start tag doesn't start and stop in the same entity\n");
++ return(NULL);
++ }
++
+ ctxt->input->cur = ctxt->input->base + cur;
+ ctxt->input->line = oldline;
+ ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
++++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+ Entity: line 1:
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
++./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
++>%SYSTEM;<![
++ ^
+ ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+- ^
++>%SYSTEM;<![
++ ^
+--
+2.3.5
+
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
new file mode 100644
index 0000000..a86b9ee
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+
+Upstream-Status: backport
+
+Depend patch for CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 29 ++++++++++++++++++++---------
+ result/errors/754946.xml | 0
+ result/errors/754946.xml.err | 16 ++++++++++++++++
+ result/errors/754946.xml.str | 4 ++++
+ test/errors/754946.xml | 1 +
+ 5 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 result/errors/754946.xml
+ create mode 100644 result/errors/754946.xml.err
+ create mode 100644 result/errors/754946.xml.str
+ create mode 100644 test/errors/754946.xml
+
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ c = CUR_CHAR(l);
+ if (c == 0) {
+ count = 0;
++ /*
++ * when shrinking to extend the buffer we really need to preserve
++ * the part of the name we already parsed. Hence rolling back
++ * by current lenght.
++ */
++ ctxt->input->cur -= l;
+ GROW;
++ ctxt->input->cur += l;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+
+ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+- const xmlChar *in;
++ const xmlChar *in, *e;
+ const xmlChar *ret;
+ int count = 0;
+
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ * Accelerator for simple ASCII names
+ */
+ in = ctxt->input->cur;
+- if (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- (*in == '_')) {
++ e = ctxt->input->end;
++ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ (*in == '_')) && (in < e)) {
+ in++;
+- while (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- ((*in >= 0x30) && (*in <= 0x39)) ||
+- (*in == '_') || (*in == '-') ||
+- (*in == '.'))
++ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ ((*in >= 0x30) && (*in <= 0x39)) ||
++ (*in == '_') || (*in == '-') ||
++ (*in == '.')) && (in < e))
+ in++;
++ if (in >= e)
++ goto complex;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ return(ret);
+ }
+ }
++complex:
+ return(xmlParseNCNameComplex(ctxt));
+ }
+
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
++++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
++++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
++./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
++++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
++<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![
+\ No newline at end of file
+--
+2.3.5
+
--
2.3.5
next prev parent reply other threads:[~2016-01-08 0:48 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-08 0:48 [PATCH][V2][Jethro, fido 01/10] libxml2: security fix CVE-2015-7941 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 02/10] libxml2: security fix CVE-2015-8317 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 03/10] libxml2: security fix CVE-2015-7942 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 04/10] libxml2: security fix CVE-2015-8035 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 05/10] libxml2: security fix CVE-2015-7498 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 06/10] libxml2: security fix CVE-2015-7497 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 07/10] libxml2: security fix CVE-2015-7499 Armin Kuster
2016-01-08 0:48 ` Armin Kuster [this message]
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 09/10] libxml2: security fix CVE-2015-8242 Armin Kuster
2016-01-08 0:48 ` [PATCH][V2][Jethro, fido 10/10] libxml2: security fix CVE-2015-5312 Armin Kuster
2016-01-12 3:38 ` [PATCH][V2][Jethro, fido 01/10] libxml2: security fix CVE-2015-7941 Robert Yang
2016-01-12 17:41 ` akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1452214113-11697-8-git-send-email-akuster808@gmail.com \
--to=akuster808@gmail.com \
--cc=akuster@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.