From: akuster808 <akuster808@gmail.com>
To: "Ahsan, Noor" <Noor_Ahsan@mentor.com>,
"MacDonald, Joe" <Joe_MacDonald@mentor.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] libxml2: fix CVE-2014-3660
Date: Thu, 27 Nov 2014 07:31:55 -0800
Message-ID: <547743EB.8000708@gmail.com>
In-Reply-To: <365E1805BC95084CBE82381A0B869994E75615E9@EU-MBX-01.mgc.mentorg.com>
On 11/27/2014 05:58 AM, Ahsan, Noor wrote:
> Hi,
>
> Sorry for the false alarm. It was included in master but not in dizzy branch. Kindly include in that branch as well. Thanks.
Sure thing.
thanks for the reminder.
- Armin
>
> Noor
>
> -----Original Message-----
> From: Ahsan, Noor
> Sent: Thursday, November 27, 2014 6:45 PM
> To: 'Joe MacDonald'; openembedded-core@lists.openembedded.org
> Subject: RE: [OE-core] [PATCH] libxml2: fix CVE-2014-3660
>
> Hello,
>
> We sent out this patch but we haven't received any feedback, nor was it included. Kindly include this in dizzy branch.
>
> Thanks.
>
> Noor
>
> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Joe MacDonald
> Sent: Monday, October 20, 2014 10:51 PM
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH] libxml2: fix CVE-2014-3660
>
> It was discovered that the patch for CVE-2014-0191 for libxml2 is incomplete. It is still possible to have libxml2 incorrectly perform entity substitution even when the application using libxml2 explicitly disables the feature. This can allow a remote denial-of-service attack on systems with libxml2 prior to 2.9.2.
>
> References:
> http://www.openwall.com/lists/oss-security/2014/10/17/7
> https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html
>
> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
> ---
> meta/recipes-core/libxml/libxml2.inc | 1 +
> .../libxml/libxml2/libxml2-CVE-2014-3660.patch | 147 +++++++++++++++++++++
> 2 files changed, 148 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
> index bcf9a62..c729c19 100644
> --- a/meta/recipes-core/libxml/libxml2.inc
> +++ b/meta/recipes-core/libxml/libxml2.inc
> @@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
> file://libxml2-CVE-2014-0191-fix.patch \
> file://python-sitepackages-dir.patch \
> file://libxml-m4-use-pkgconfig.patch \
> + file://libxml2-CVE-2014-3660.patch \
> "
>
> BINCONFIG = "${bindir}/xml2-config"
> diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
> new file mode 100644
> index 0000000..b9621c9
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
> @@ -0,0 +1,147 @@
> +From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Thu, 16 Oct 2014 13:59:47 +0800
> +Subject: Fix for CVE-2014-3660
> +
> +Issues related to the billion laugh entity expansion which happened to
> +escape the initial set of fixes
> +
> +Upstream-status: Backport
> +Reference:
> +https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9e
> +d3a0b6c733e775230&context=3&ignorews=0&ss=0
> +
> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
> +
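Review bot: the metadata tag should be spelled `Upstream-Status: Backport` (capital S), which is the form OE-core's patch conventions expect, and the `Reference:` URL is broken across two lines so the commit id in `?id=be2a7edaf289c5da74a4f9e` / `d3a0b6c733e775230` is unusable when copied; keep the URL on a single line.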
> +diff --git a/parser.c b/parser.c
> +index f51e8d2..1d93967 100644
> +--- a/parser.c
> ++++ b/parser.c
> +@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
> + return (0);
> + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
> + return (1);
> ++
> ++ /*
> ++ * This may look absurd but is needed to detect
> ++ * entities problems
> ++ */
> ++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
> ++ (ent->content != NULL) && (ent->checked == 0)) {
> ++ unsigned long oldnbent = ctxt->nbentities;
> ++ xmlChar *rep;
> ++
> ++ ent->checked = 1;
> ++
> ++ rep = xmlStringDecodeEntities(ctxt, ent->content,
> ++ XML_SUBSTITUTE_REF, 0, 0, 0);
> ++
> ++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
> ++ if (rep != NULL) {
> ++ if (xmlStrchr(rep, '<'))
> ++ ent->checked |= 1;
> ++ xmlFree(rep);
> ++ rep = NULL;
> ++ }
> ++ }
> + if (replacement != 0) {
> + if (replacement < XML_MAX_TEXT_LENGTH)
> + return(0);
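Review bot: the value written to `ent->checked` is an encoding that later hunks depend on through `ent->checked / 2`: `(nbentities delta + 1) * 2`, with the low bit set when the replacement text contains `<`. The comment "This may look absurd but is needed to detect entities problems" should state that encoding, and that `ent->checked = 1` is assigned before the `xmlStringDecodeEntities` call so a self-referencing entity is not re-entered from here. The `rep = NULL;` after `xmlFree(rep)` is dead, since `rep` is local to the block.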
> +@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
> + return (0);
> + } else {
> + /*
> +- * strange we got no data for checking just return
> ++ * strange we got no data for checking
> + */
> +- return (0);
> ++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
> ++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
> ++ (ctxt->nbentities <= 10000))
> ++ return (0);
> + }
> + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
> + return (1);
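Review bot: `10000` in the new condition is a magic number; a named constant next to `XML_MAX_TEXT_LENGTH` would document the behaviour change this hunk introduces, namely that an undeclared-entity error combined with more than 10000 resolved entities is now reported as `XML_ERR_ENTITY_LOOP` instead of returning 0. The shortened comment "strange we got no data for checking" no longer says what is decided below it; extend it.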
> +@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
> + name, NULL);
> + ctxt->valid = 0;
> + }
> ++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
> + } else if (ctxt->input->free != deallocblankswrapper) {
> + input = xmlNewBlanksWrapperInputStream(ctxt, entity);
> + if (xmlPushInput(ctxt, input) < 0) @@ -2759,6 +2786,7 @@
> +xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
> + if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
> + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
> + goto int_error;
> ++ xmlParserEntityCheck(ctxt, 0, ent, 0);
> + if (ent != NULL)
> + ctxt->nbentities += ent->checked / 2;
> + if ((ent != NULL) &&
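Review bot: the last line of the preceding hunk, `if (xmlPushInput(ctxt, input) < 0) @@ -2759,6 +2786,7 @@`, has the header of this hunk fused onto a context line, with the function name pushed to the next line; as quoted the patch will not apply with `git am` or `patch -p1`, so confirm this is mail-client wrapping in the reply rather than the state of the file in the tree. Separately, the new `xmlParserEntityCheck(ctxt, 0, ent, 0);` calls in this and the following hunks discard the return value and rely on the call setting `ctxt->lastError.code` through `xmlFatalErr`, which the following `if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)` checks pick up; a one-line comment at the call sites saying the call is for that side effect would help the next reader.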
> +@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
> + ent = xmlParseStringPEReference(ctxt, &str);
> + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
> + goto int_error;
> ++ xmlParserEntityCheck(ctxt, 0, ent, 0);
> + if (ent != NULL)
> + ctxt->nbentities += ent->checked / 2;
> + if (ent != NULL) {
> +@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> + (ret != XML_WAR_UNDECLARED_ENTITY)) {
> + xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
> + "Entity '%s' failed to parse\n", ent->name);
> ++ xmlParserEntityCheck(ctxt, 0, ent, 0);
> + } else if (list != NULL) {
> + xmlFreeNodeList(list);
> + list = NULL;
> +@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> + /*
> + * We are copying here, make sure there is no abuse
> + */
> +- ctxt->sizeentcopy += ent->length;
> ++ ctxt->sizeentcopy += ent->length + 5;
> + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
> + return;
> +
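Review bot: `+ 5` in `ctxt->sizeentcopy += ent->length + 5;` is unexplained; the comment above it ("We are copying here, make sure there is no abuse") should say what the five extra bytes per copied entity account for, and since the identical change appears in the next hunk the constant belongs in a single define.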
> +@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> + /*
> + * We are copying here, make sure there is no abuse
> + */
> +- ctxt->sizeentcopy += ent->length;
> ++ ctxt->sizeentcopy += ent->length + 5;
> + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
> + return;
> +
> +@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
> + ctxt->sax->reference(ctxt->userData, name);
> + }
> + }
> ++ xmlParserEntityCheck(ctxt, 0, ent, 0);
> + ctxt->valid = 0;
> + }
> +
> +@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
> + "Entity '%s' not defined\n",
> + name);
> + }
> ++ xmlParserEntityCheck(ctxt, 0, ent, 0);
> + /* TODO ? check regressions ctxt->valid = 0; */
> + }
> +
> +@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
> + name, NULL);
> + ctxt->valid = 0;
> + }
> ++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
> + } else {
> + /*
> + * Internal checking in case the entity quest barfed @@ -8243,6
> ++8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const
> ++xmlChar **str) {
> + name, NULL);
> + ctxt->valid = 0;
> + }
> ++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
> + } else {
> + /*
> + * Internal checking in case the entity quest barfed
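Review bot: the lines `* Internal checking in case the entity quest barfed @@ -8243,6` / `++8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const` / `++xmlChar **str) {` show the hunk header fused with the preceding context line and its continuation prefixed with `++`, so this part of the patch is corrupted as quoted; same request as above to verify the file in the tree. In both parameter-entity hunks the check is invoked as `xmlParserEntityCheck(ctxt, 0, NULL, 0);`, so only the "no data" branch (the undeclared-entity / 10000 threshold) can fire; a short comment at the call site would make that intent visible.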
> +--
> +cgit v0.10.1
> +
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
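The commit message above describes entity substitution happening even when the application disabled it, and the backported parser.c hunks defend against it by counting resolved entities (`ctxt->nbentities`), caching a per-entity cost in `ent->checked`, tracking copied bytes (`ctxt->sizeentcopy`) and raising `XML_ERR_ENTITY_LOOP` for self-referencing entities. As an added example, not code from libxml2 or OE-core, the following Python script applies the same accounting to a document before it reaches a parser, so the limits can be reasoned about on untrusted input. It models only internal general entities declared in the internal DTD subset; the budgets, function names and sample documents are constructed for illustration.

```python
"""Pre-parse budget check for XML internal entity expansion (added example,
not libxml2 or OE-core code).  Mirrors the accounting in the backported
parser.c hunks: references resolved (ctxt->nbentities), bytes produced by
copying replacement text (ctxt->sizeentcopy), a cached per-entity cost
(ent->checked) and detection of self-referencing entities
(XML_ERR_ENTITY_LOOP).  Parameter and external entities are ignored."""
import re
from typing import Dict, Tuple

ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}   # not counted, as in libxml2

MAX_EXPANSION = 10_000_000   # assumed budget: bytes of expanded text
MAX_ENTITY_REFS = 10_000     # assumed budget: references resolved (the patch's
                             # "no data" path also uses 10000)


class EntityLoop(Exception):
    """An entity references itself, directly or through other entities."""


def split_internal_subset(doc: str) -> Tuple[str, str]:
    """Return (DOCTYPE declaration, document body after it)."""
    m = re.search(r'<!DOCTYPE[^\[>]*(\[.*?\])?\s*>', doc, re.S)
    if m is None:
        return "", doc
    return m.group(0), doc[m.end():]


def parse_internal_entities(subset: str) -> Dict[str, str]:
    """Map internal general entity names to their replacement text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(subset)}


def expansion_cost(name: str, entities: Dict[str, str],
                   memo: Dict[str, Tuple[int, int]], stack: set) -> Tuple[int, int]:
    """(expanded bytes, nested references resolved) for one reference to `name`.

    `stack` holds entities currently being expanded; meeting one again is the
    loop libxml2 reports as XML_ERR_ENTITY_LOOP.  `memo` plays the role of
    ent->checked: each entity's cost is computed once and reused."""
    if name in PREDEFINED:
        return 1, 0
    if name in memo:
        return memo[name]
    if name in stack:
        raise EntityLoop(name)
    if name not in entities:
        return 0, 0                              # undeclared: nothing to expand
    stack.add(name)
    value = entities[name]
    size, refs = len(value), 0
    for m in ENTITY_REF.finditer(value):
        sub_size, sub_refs = expansion_cost(m.group(1), entities, memo, stack)
        size += sub_size - len(m.group(0))       # the reference text is replaced
        refs += sub_refs + (0 if m.group(1) in PREDEFINED else 1)
    stack.discard(name)
    memo[name] = (size, refs)
    return memo[name]


def _verdict(ok: bool, reason: str, expansion: int, refs: int) -> dict:
    return {"ok": ok, "reason": reason, "expansion": expansion, "refs": refs}


def check_document(doc: str, max_expansion: int = MAX_EXPANSION,
                   max_refs: int = MAX_ENTITY_REFS) -> dict:
    """Cost every reference in the body; stop at the first exceeded budget."""
    subset, body = split_internal_subset(doc)
    entities = parse_internal_entities(subset)
    memo: Dict[str, Tuple[int, int]] = {}
    total_size = total_refs = 0
    try:
        for m in ENTITY_REF.finditer(body):
            name = m.group(1)
            size, refs = expansion_cost(name, entities, memo, set())
            total_size += size
            total_refs += refs + (0 if name in PREDEFINED else 1)
            if total_refs > max_refs:
                return _verdict(False, "%d entity references exceed budget %d"
                                % (total_refs, max_refs), total_size, total_refs)
            if total_size > max_expansion:
                return _verdict(False, "%d expanded bytes exceed budget %d"
                                % (total_size, max_expansion), total_size, total_refs)
    except EntityLoop as loop:
        return _verdict(False, "entity loop via &%s;" % loop, total_size, total_refs)
    return _verdict(True, "within budget", total_size, total_refs)


# Constructed sample inputs.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE d [<!ENTITY co "Example Corp">]>'
          '<d>&co; &amp; friends</d>')
LOOP = ('<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "x&b;"><!ENTITY b "y&a;">]>'
        '<d>&a;</d>')


def nested_doc(levels: int, fanout: int = 10) -> str:
    """Entity chain in which each level references the previous one `fanout` times."""
    decls = ['<!ENTITY l0 "lol">']
    for i in range(1, levels):
        decls.append('<!ENTITY l%d "%s">' % (i, ("&l%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?><!DOCTYPE d [%s]><d>&l%d;</d>'
            % ("".join(decls), levels - 1))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("loop", LOOP),
                       ("nested x3", nested_doc(3)), ("nested x5", nested_doc(5))):
        print(label, check_document(doc))
```

The memo is the analogue of `ent->checked`: without it, costing a chain like `nested_doc(5)` would itself do the exponential work the check is meant to avoid, which is the same reason the patch marks an entity before decoding it.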
Thread overview (4+ messages):
2014-10-20 17:51 [PATCH] libxml2: fix CVE-2014-3660 Joe MacDonald
2014-11-27 13:45 ` Ahsan, Noor
2014-11-27 13:58 ` Ahsan, Noor
2014-11-27 15:31 ` akuster808 [this message]