* [PATCH 1/7] libxml2-2.9.4: Disable LeakSanitizer when running API testsFix CVE-2016-4658
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 16:37 ` Burton, Ross
2017-06-14 15:26 ` [PATCH 2/7] libxml2-2.9.4: Avoid reparsing and simplify control flow in xmlParseStartTag2 Andrej Valek
` (14 subsequent siblings)
15 siblings, 1 reply; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
Makefile.am: Disable LeakSanitizer when running API tests
The autogenerated API tests leak memory.
Upstream-Status: Backported - [https://git.gnome.org/browse/libxml2/commit/?id=ac9a4560ee85b18811ff8ab7791ddfff7b144b0a]
CVE: -
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/recipes-core/libxml/libxml2/runtest.patch | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-core/libxml/libxml2/runtest.patch b/meta/recipes-core/libxml/libxml2/runtest.patch
index 397ab20..7b1b0e8 100644
--- a/meta/recipes-core/libxml/libxml2/runtest.patch
+++ b/meta/recipes-core/libxml/libxml2/runtest.patch
@@ -5,9 +5,9 @@ Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
Upstream-Status: Pending
diff -uNr a/Makefile.am b/Makefile.am
---- a/Makefile.am 2013-04-17 14:51:42.633386477 +0200
-+++ b/Makefile.am 2013-04-19 14:47:51.544720568 +0200
-@@ -202,10 +202,19 @@
+--- a/Makefile.am 2016-05-22 03:49:02.000000000 +0200
++++ b/Makefile.am 2017-06-14 10:38:43.381305385 +0200
+@@ -202,10 +202,24 @@
#testOOM_DEPENDENCIES = $(DEPS)
#testOOM_LDADD= $(LDADDS)
@@ -24,10 +24,24 @@ diff -uNr a/Makefile.am b/Makefile.am
[ -d test ] || $(LN_S) $(srcdir)/test .
[ -d result ] || $(LN_S) $(srcdir)/result .
- $(CHECKER) ./runtest$(EXEEXT) && $(CHECKER) ./testrecurse$(EXEEXT) &&$(CHECKER) ./testapi$(EXEEXT) && $(CHECKER) ./testchar$(EXEEXT)&& $(CHECKER) ./testdict$(EXEEXT) && $(CHECKER) ./runxmlconf$(EXEEXT)
-+ ./runtest$(EXEEXT) ; ./testrecurse$(EXEEXT) ; ./testapi$(EXEEXT) ; ./testchar$(EXEEXT) ; ./testdict$(EXEEXT) ; ./runxmlconf$(EXEEXT)
++ $(CHECKER) ./runtest$(EXEEXT) && \
++ $(CHECKER) ./testrecurse$(EXEEXT) && \
++ ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
++ $(CHECKER) ./testchar$(EXEEXT) && \
++ $(CHECKER) ./testdict$(EXEEXT) && \
++ $(CHECKER) ./runxmlconf$(EXEEXT)
@(if [ "$(PYTHON_SUBDIR)" != "" ] ; then cd python ; \
$(MAKE) tests ; fi)
+@@ -229,7 +243,7 @@
+
+ APItests: testapi$(EXEEXT)
+ @echo "## Running the API regression tests this may take a little while"
+- -@($(CHECKER) $(top_builddir)/testapi -q)
++ -@(ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) $(top_builddir)/testapi -q)
+
+ HTMLtests : testHTML$(EXEEXT)
+ @(echo > .memdump)
diff -uNr a/runsuite.c b/runsuite.c
--- a/runsuite.c 2013-04-12 16:17:11.462823238 +0200
+++ b/runsuite.c 2013-04-17 14:07:24.352693211 +0200
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH 2/7] libxml2-2.9.4: Avoid reparsing and simplify control flow in xmlParseStartTag2
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
2017-06-14 15:26 ` [PATCH 1/7] libxml2-2.9.4: Disable LeakSanitizer when running API testsFix CVE-2016-4658 Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 15:26 ` [PATCH 3/7] libxml2: Fix CVE-2017-9047 and CVE-2017-9048 Andrej Valek
` (13 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 32557 bytes --]
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
...ibxml2-fix_and_simplify_xmlParseStartTag2.patch | 591 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 592 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
new file mode 100644
index 0000000..7218dca
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
@@ -0,0 +1,591 @@
+libxml2-2.9.4: Avoid reparsing and simplify control flow in xmlParseStartTag2
+
+[No upstream tracking]
+
+parser: Avoid reparsing in xmlParseStartTag2
+
+The code in xmlParseStartTag2 must handle the case that the input
+buffer was grown and reallocated which can invalidate pointers to
+attribute values. Before, this was handled by detecting changes of
+the input buffer "base" pointer and, in case of a change, jumping
+back to the beginning of the function and reparsing the start tag.
+
+The major problem of this approach is that whether an input buffer is
+reallocated is nondeterministic, resulting in seemingly random test
+failures. See the mailing list thread "runtest mystery bug: name2.xml
+error case regression test" from 2012, for example.
+
+If a reallocation was detected, the code also made no attempts to
+continue parsing in case of errors which makes a difference in
+the lax "recover" mode.
+
+Now we store the current input buffer "base" pointer for each (not
+separately allocated) attribute in the namespace URI field, which isn't
+used until later. After the whole start tag was parsed, the pointers to
+the attribute values are reconstructed using the offset between the
+new and the old input buffer. This relies on arithmetic on dangling
+pointers which is technically undefined behavior. But it seems like
+the easiest and most efficient fix and a similar approach is used in
+xmlParserInputGrow.
+
+This changes the error output of several tests, typically making it
+more verbose because we try harder to continue parsing in case of errors.
+
+(Another possible solution is to check not only the "base" pointer
+but the size of the input buffer as well. But this would result in
+even more reparsing.)
+
+Remove some goto labels and deduplicate a bit of code after handling
+namespaces.
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+
+Upstream-Status: Backported
+ - [https://git.gnome.org/browse/libxml2/commit/?id=07b7428b69c368611d215a140fe630b2d1e61349]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=855c19efb7cd30d927d673b3658563c4959ca6f0]
+CVE: -
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/parser.c b/parser.c
+index 609a270..74016e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -43,6 +43,7 @@
+ #include <limits.h>
+ #include <string.h>
+ #include <stdarg.h>
++#include <stddef.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/threads.h>
+ #include <libxml/globals.h>
+@@ -9377,8 +9378,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ const xmlChar **atts = ctxt->atts;
+ int maxatts = ctxt->maxatts;
+ int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol, inputNr;
+- const xmlChar *base;
++ int i, j, nbNs, attval;
+ unsigned long cur;
+ int nsNr = ctxt->nsNr;
+
+@@ -9392,13 +9392,8 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ * The Shrinking is only possible once the full set of attribute
+ * callbacks have been done.
+ */
+-reparse:
+ SHRINK;
+- base = ctxt->input->base;
+ cur = ctxt->input->cur - ctxt->input->base;
+- inputNr = ctxt->inputNr;
+- oldline = ctxt->input->line;
+- oldcol = ctxt->input->col;
+ nbatts = 0;
+ nratts = 0;
+ nbdef = 0;
+@@ -9422,8 +9417,6 @@ reparse:
+ */
+ SKIP_BLANKS;
+ GROW;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+
+ while (((RAW != '>') &&
+ ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9434,203 +9427,174 @@ reparse:
+
+ attname = xmlParseAttribute2(ctxt, prefix, localname,
+ &aprefix, &attvalue, &len, &alloc);
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+- if ((attvalue != NULL) && (alloc != 0))
+- xmlFree(attvalue);
+- attvalue = NULL;
+- goto base_changed;
+- }
+- if ((attname != NULL) && (attvalue != NULL)) {
+- if (len < 0) len = xmlStrlen(attvalue);
+- if ((attname == ctxt->str_xmlns) && (aprefix == NULL)) {
+- const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
+- xmlURIPtr uri;
+-
+- if (URL == NULL) {
+- xmlErrMemory(ctxt, "dictionary allocation failure");
+- if ((attvalue != NULL) && (alloc != 0))
+- xmlFree(attvalue);
+- return(NULL);
+- }
+- if (*URL != 0) {
+- uri = xmlParseURI((const char *) URL);
+- if (uri == NULL) {
+- xmlNsErr(ctxt, XML_WAR_NS_URI,
+- "xmlns: '%s' is not a valid URI\n",
+- URL, NULL, NULL);
+- } else {
+- if (uri->scheme == NULL) {
+- xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
+- "xmlns: URI %s is not absolute\n",
+- URL, NULL, NULL);
+- }
+- xmlFreeURI(uri);
+- }
+- if (URL == ctxt->str_xml_ns) {
+- if (attname != ctxt->str_xml) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xml namespace URI cannot be the default namespace\n",
+- NULL, NULL, NULL);
+- }
+- goto skip_default_ns;
+- }
+- if ((len == 29) &&
+- (xmlStrEqual(URL,
+- BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "reuse of the xmlns namespace name is forbidden\n",
+- NULL, NULL, NULL);
+- goto skip_default_ns;
+- }
+- }
+- /*
+- * check that it's not a defined namespace
+- */
+- for (j = 1;j <= nbNs;j++)
+- if (ctxt->nsTab[ctxt->nsNr - 2 * j] == NULL)
+- break;
+- if (j <= nbNs)
+- xmlErrAttributeDup(ctxt, NULL, attname);
+- else
+- if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+-skip_default_ns:
+- if ((attvalue != NULL) && (alloc != 0)) {
+- xmlFree(attvalue);
+- attvalue = NULL;
+- }
+- if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+- break;
+- if (!IS_BLANK_CH(RAW)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+- "attributes construct error\n");
+- break;
+- }
+- SKIP_BLANKS;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+- continue;
+- }
+- if (aprefix == ctxt->str_xmlns) {
+- const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
+- xmlURIPtr uri;
+-
+- if (attname == ctxt->str_xml) {
+- if (URL != ctxt->str_xml_ns) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xml namespace prefix mapped to wrong URI\n",
+- NULL, NULL, NULL);
+- }
+- /*
+- * Do not keep a namespace definition node
+- */
+- goto skip_ns;
+- }
++ if ((attname == NULL) || (attvalue == NULL))
++ goto next_attr;
++ if (len < 0) len = xmlStrlen(attvalue);
++
++ if ((attname == ctxt->str_xmlns) && (aprefix == NULL)) {
++ const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
++ xmlURIPtr uri;
++
++ if (URL == NULL) {
++ xmlErrMemory(ctxt, "dictionary allocation failure");
++ if ((attvalue != NULL) && (alloc != 0))
++ xmlFree(attvalue);
++ return(NULL);
++ }
++ if (*URL != 0) {
++ uri = xmlParseURI((const char *) URL);
++ if (uri == NULL) {
++ xmlNsErr(ctxt, XML_WAR_NS_URI,
++ "xmlns: '%s' is not a valid URI\n",
++ URL, NULL, NULL);
++ } else {
++ if (uri->scheme == NULL) {
++ xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
++ "xmlns: URI %s is not absolute\n",
++ URL, NULL, NULL);
++ }
++ xmlFreeURI(uri);
++ }
+ if (URL == ctxt->str_xml_ns) {
+- if (attname != ctxt->str_xml) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xml namespace URI mapped to wrong prefix\n",
+- NULL, NULL, NULL);
+- }
+- goto skip_ns;
+- }
+- if (attname == ctxt->str_xmlns) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "redefinition of the xmlns prefix is forbidden\n",
+- NULL, NULL, NULL);
+- goto skip_ns;
+- }
+- if ((len == 29) &&
+- (xmlStrEqual(URL,
+- BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "reuse of the xmlns namespace name is forbidden\n",
+- NULL, NULL, NULL);
+- goto skip_ns;
+- }
+- if ((URL == NULL) || (URL[0] == 0)) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xmlns:%s: Empty XML namespace is not allowed\n",
+- attname, NULL, NULL);
+- goto skip_ns;
+- } else {
+- uri = xmlParseURI((const char *) URL);
+- if (uri == NULL) {
+- xmlNsErr(ctxt, XML_WAR_NS_URI,
+- "xmlns:%s: '%s' is not a valid URI\n",
+- attname, URL, NULL);
+- } else {
+- if ((ctxt->pedantic) && (uri->scheme == NULL)) {
+- xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
+- "xmlns:%s: URI %s is not absolute\n",
+- attname, URL, NULL);
+- }
+- xmlFreeURI(uri);
+- }
+- }
+-
+- /*
+- * check that it's not a defined namespace
+- */
+- for (j = 1;j <= nbNs;j++)
+- if (ctxt->nsTab[ctxt->nsNr - 2 * j] == attname)
+- break;
+- if (j <= nbNs)
+- xmlErrAttributeDup(ctxt, aprefix, attname);
+- else
+- if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+-skip_ns:
+- if ((attvalue != NULL) && (alloc != 0)) {
+- xmlFree(attvalue);
+- attvalue = NULL;
+- }
+- if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+- break;
+- if (!IS_BLANK_CH(RAW)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+- "attributes construct error\n");
+- break;
+- }
+- SKIP_BLANKS;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+- continue;
+- }
++ if (attname != ctxt->str_xml) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xml namespace URI cannot be the default namespace\n",
++ NULL, NULL, NULL);
++ }
++ goto next_attr;
++ }
++ if ((len == 29) &&
++ (xmlStrEqual(URL,
++ BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "reuse of the xmlns namespace name is forbidden\n",
++ NULL, NULL, NULL);
++ goto next_attr;
++ }
++ }
++ /*
++ * check that it's not a defined namespace
++ */
++ for (j = 1;j <= nbNs;j++)
++ if (ctxt->nsTab[ctxt->nsNr - 2 * j] == NULL)
++ break;
++ if (j <= nbNs)
++ xmlErrAttributeDup(ctxt, NULL, attname);
++ else
++ if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
++
++ } else if (aprefix == ctxt->str_xmlns) {
++ const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
++ xmlURIPtr uri;
++
++ if (attname == ctxt->str_xml) {
++ if (URL != ctxt->str_xml_ns) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xml namespace prefix mapped to wrong URI\n",
++ NULL, NULL, NULL);
++ }
++ /*
++ * Do not keep a namespace definition node
++ */
++ goto next_attr;
++ }
++ if (URL == ctxt->str_xml_ns) {
++ if (attname != ctxt->str_xml) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xml namespace URI mapped to wrong prefix\n",
++ NULL, NULL, NULL);
++ }
++ goto next_attr;
++ }
++ if (attname == ctxt->str_xmlns) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "redefinition of the xmlns prefix is forbidden\n",
++ NULL, NULL, NULL);
++ goto next_attr;
++ }
++ if ((len == 29) &&
++ (xmlStrEqual(URL,
++ BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "reuse of the xmlns namespace name is forbidden\n",
++ NULL, NULL, NULL);
++ goto next_attr;
++ }
++ if ((URL == NULL) || (URL[0] == 0)) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xmlns:%s: Empty XML namespace is not allowed\n",
++ attname, NULL, NULL);
++ goto next_attr;
++ } else {
++ uri = xmlParseURI((const char *) URL);
++ if (uri == NULL) {
++ xmlNsErr(ctxt, XML_WAR_NS_URI,
++ "xmlns:%s: '%s' is not a valid URI\n",
++ attname, URL, NULL);
++ } else {
++ if ((ctxt->pedantic) && (uri->scheme == NULL)) {
++ xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
++ "xmlns:%s: URI %s is not absolute\n",
++ attname, URL, NULL);
++ }
++ xmlFreeURI(uri);
++ }
++ }
+
+- /*
+- * Add the pair to atts
+- */
+- if ((atts == NULL) || (nbatts + 5 > maxatts)) {
+- if (xmlCtxtGrowAttrs(ctxt, nbatts + 5) < 0) {
+- if (attvalue[len] == 0)
+- xmlFree(attvalue);
+- goto failed;
+- }
+- maxatts = ctxt->maxatts;
+- atts = ctxt->atts;
+- }
+- ctxt->attallocs[nratts++] = alloc;
+- atts[nbatts++] = attname;
+- atts[nbatts++] = aprefix;
+- atts[nbatts++] = NULL; /* the URI will be fetched later */
+- atts[nbatts++] = attvalue;
+- attvalue += len;
+- atts[nbatts++] = attvalue;
+- /*
+- * tag if some deallocation is needed
+- */
+- if (alloc != 0) attval = 1;
+- } else {
+- if ((attvalue != NULL) && (attvalue[len] == 0))
+- xmlFree(attvalue);
+- }
++ /*
++ * check that it's not a defined namespace
++ */
++ for (j = 1;j <= nbNs;j++)
++ if (ctxt->nsTab[ctxt->nsNr - 2 * j] == attname)
++ break;
++ if (j <= nbNs)
++ xmlErrAttributeDup(ctxt, aprefix, attname);
++ else
++ if (nsPush(ctxt, attname, URL) > 0) nbNs++;
++
++ } else {
++ /*
++ * Add the pair to atts
++ */
++ if ((atts == NULL) || (nbatts + 5 > maxatts)) {
++ if (xmlCtxtGrowAttrs(ctxt, nbatts + 5) < 0) {
++ goto next_attr;
++ }
++ maxatts = ctxt->maxatts;
++ atts = ctxt->atts;
++ }
++ ctxt->attallocs[nratts++] = alloc;
++ atts[nbatts++] = attname;
++ atts[nbatts++] = aprefix;
++ /*
++ * The namespace URI field is used temporarily to point at the
++ * base of the current input buffer for non-alloced attributes.
++ * When the input buffer is reallocated, all the pointers become
++ * invalid, but they can be reconstructed later.
++ */
++ if (alloc)
++ atts[nbatts++] = NULL;
++ else
++ atts[nbatts++] = ctxt->input->base;
++ atts[nbatts++] = attvalue;
++ attvalue += len;
++ atts[nbatts++] = attvalue;
++ /*
++ * tag if some deallocation is needed
++ */
++ if (alloc != 0) attval = 1;
++ attvalue = NULL; /* moved into atts */
++ }
+
+-failed:
++next_attr:
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+
+ GROW
+ if (ctxt->instate == XML_PARSER_EOF)
+ break;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9646,8 +9610,20 @@ failed:
+ break;
+ }
+ GROW;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
++ }
++
++ /* Reconstruct attribute value pointers. */
++ for (i = 0, j = 0; j < nratts; i += 5, j++) {
++ if (atts[i+2] != NULL) {
++ /*
++ * Arithmetic on dangling pointers is technically undefined
++ * behavior, but well...
++ */
++ ptrdiff_t offset = ctxt->input->base - atts[i+2];
++ atts[i+2] = NULL; /* Reset repurposed namespace URI */
++ atts[i+3] += offset; /* value */
++ atts[i+4] += offset; /* valuend */
++ }
+ }
+
+ /*
+@@ -9804,34 +9780,6 @@ failed:
+ }
+
+ return(localname);
+-
+-base_changed:
+- /*
+- * the attribute strings are valid iif the base didn't changed
+- */
+- if (attval != 0) {
+- for (i = 3,j = 0; j < nratts;i += 5,j++)
+- if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+- xmlFree((xmlChar *) atts[i]);
+- }
+-
+- /*
+- * We can't switch from one entity to another in the middle
+- * of a start tag
+- */
+- if (inputNr != ctxt->inputNr) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+- "Start tag doesn't start and stop in the same entity\n");
+- return(NULL);
+- }
+-
+- ctxt->input->cur = ctxt->input->base + cur;
+- ctxt->input->line = oldline;
+- ctxt->input->col = oldcol;
+- if (ctxt->wellFormed == 1) {
+- goto reparse;
+- }
+- return(NULL);
+ }
+
+ /**
+diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err
+index e08d9bf..f6036a3 100644
+--- a/result/errors/759398.xml.err
++++ b/result/errors/759398.xml.err
+@@ -1,9 +1,12 @@
+ ./test/errors/759398.xml:210: parser error : StartTag: invalid element name
+ need to worry about parsers whi<! don't expand PErefs finding
+ ^
+-./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: spec line 50 and termdef
++./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–!
â„–â„–â„–
â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â!
„–â„–â„–â
„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„!
–â„–â„–â„
–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–m line 308 and termdef
+ and provide access to their content and structure.</termdef> <termdef
+ ^
+-./test/errors/759398.xml:309: parser error : Extra content at the end of the document
+-and provide access to their content and structure.</termdef> <termdef
+- ^
++./test/errors/759398.xml:314: parser error : Opening and ending tag mismatch: spec line 50 and p
++data and the information it must provide to the application.</p>
++ ^
++./test/errors/759398.xml:316: parser error : Extra content at the end of the document
++<div2 id='sec-origin-goals'>
++^
+diff --git a/result/errors/attr1.xml.err b/result/errors/attr1.xml.err
+index 4f08538..c4c4fc8 100644
+--- a/result/errors/attr1.xml.err
++++ b/result/errors/attr1.xml.err
+@@ -1,6 +1,9 @@
+ ./test/errors/attr1.xml:2: parser error : AttValue: ' expected
+
+ ^
+-./test/errors/attr1.xml:1: parser error : Extra content at the end of the document
+-<foo foo="oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+- ^
++./test/errors/attr1.xml:2: parser error : attributes construct error
++
++^
++./test/errors/attr1.xml:2: parser error : Couldn't find end of Start Tag foo line 1
++
++^
+diff --git a/result/errors/attr2.xml.err b/result/errors/attr2.xml.err
+index c8a9c7d..77e342e 100644
+--- a/result/errors/attr2.xml.err
++++ b/result/errors/attr2.xml.err
+@@ -1,6 +1,9 @@
+ ./test/errors/attr2.xml:2: parser error : AttValue: ' expected
+
+ ^
+-./test/errors/attr2.xml:1: parser error : Extra content at the end of the document
+-<foo foo=">ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+- ^
++./test/errors/attr2.xml:2: parser error : attributes construct error
++
++^
++./test/errors/attr2.xml:2: parser error : Couldn't find end of Start Tag foo line 1
++
++^
+diff --git a/result/errors/name2.xml.err b/result/errors/name2.xml.err
+index a6649a1..8a6acee 100644
+--- a/result/errors/name2.xml.err
++++ b/result/errors/name2.xml.err
+@@ -1,6 +1,9 @@
+ ./test/errors/name2.xml:2: parser error : Specification mandate value for attribute foooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+
+ ^
+-./test/errors/name2.xml:1: parser error : Extra content at the end of the document
+-<foo foooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+- ^
++./test/errors/name2.xml:2: parser error : attributes construct error
++
++^
++./test/errors/name2.xml:2: parser error : Couldn't find end of Start Tag foo line 1
++
++^
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 4f60781..0577ad6 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2016-5131.patch \
file://libxml2-CVE-2016-4658.patch \
file://libxml2-fix_NULL_pointer_derefs.patch \
+ file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH 3/7] libxml2: Fix CVE-2017-9047 and CVE-2017-9048
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
2017-06-14 15:26 ` [PATCH 1/7] libxml2-2.9.4: Disable LeakSanitizer when running API testsFix CVE-2016-4658 Andrej Valek
2017-06-14 15:26 ` [PATCH 2/7] libxml2-2.9.4: Avoid reparsing and simplify control flow in xmlParseStartTag2 Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 15:26 ` [PATCH 4/7] libxml2: Fix CVE-2017-9049 and CVE-2017-9050 Andrej Valek
` (12 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 and bug 781701
CVE: CVE-2017-9047 CVE-2017-9048
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml2-CVE-2017-9047_CVE-2017-9048.patch | 103 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 104 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
new file mode 100644
index 0000000..a045acf
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
@@ -0,0 +1,103 @@
+libxml2-2.9.4: Fix CVE-2017-9047 and CVE-2017-9048
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=781333
+ -- https://bugzilla.gnome.org/show_bug.cgi?id=781701
+
+valid: Fix buffer size checks in xmlSnprintfElementContent
+
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+
+Fixes bug 781333 and bug 781701
+
+Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74]
+CVE: CVE-2017-9047 CVE-2017-9048
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/result/valid/781333.xml b/result/valid/781333.xml
+new file mode 100644
+index 0000000..01baf11
+--- /dev/null
++++ b/result/valid/781333.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE a [
++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
lllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
+new file mode 100644
+index 0000000..2176200
+--- /dev/null
++++ b/result/valid/781333.xml.err
+@@ -0,0 +1,3 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
+new file mode 100644
+index 0000000..1195a04
+--- /dev/null
++++ b/result/valid/781333.xml.err.rdr
+@@ -0,0 +1,6 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
++
++^
+diff --git a/test/valid/781333.xml b/test/valid/781333.xml
+new file mode 100644
+index 0000000..bceac9c
+--- /dev/null
++++ b/test/valid/781333.xml
+@@ -0,0 +1,4 @@
++<!DOCTYPE a [
++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
lllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/valid.c b/valid.c
+index 19f84b8..aaa30f6 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 0577ad6..dd2e034 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2016-4658.patch \
file://libxml2-fix_NULL_pointer_derefs.patch \
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
+ file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH 4/7] libxml2: Fix CVE-2017-9049 and CVE-2017-9050
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (2 preceding siblings ...)
2017-06-14 15:26 ` [PATCH 3/7] libxml2: Fix CVE-2017-9047 and CVE-2017-9048 Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 15:26 ` [PATCH 5/7] libxml2-2.9.4: Fix CVE-2017-5969 Andrej Valek
` (11 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 11920 bytes --]
Fix handling of parameter-entity references
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Fixes bug 781205 and bug 781361
CVE: CVE-2017-9049 CVE-2017-9050
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml2-CVE-2017-9049_CVE-2017-9050.patch | 291 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 292 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
new file mode 100644
index 0000000..3d7ebc4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
@@ -0,0 +1,291 @@
+libxml2-2.9.4: Fix CVE-2017-9049 and CVE-2017-9050
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=781205
+ -- https://bugzilla.gnome.org/show_bug.cgi?id=781361
+
+parser: Fix handling of parameter-entity references
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+
+The percent sign is not allowed in names, which are grammatical tokens.
+
+- xmlParseEntityValue
+
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+
+- xmlParseSystemLiteral
+
+Parameter-entity references are ignored in the system literal.
+
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+
+Parameter-entity references are ignored outside the DTD.
+
+- xmlLoadEntityContent
+
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+
+This bug could also be triggered with an internal subset and double
+entity expansion.
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+Fixes bug 781205 and bug 781361
+
+Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74]
+CVE: CVE-2017-9049 CVE-2017-9050
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/Makefile.am b/Makefile.am
+index 9f988b0..dab15a4 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
+ if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
+ rm result.$$name error.$$name ; \
+ fi ; fi ; done)
++ @echo "## Error cases regression tests (old 1.0)"
++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
++ name=`basename $$i`; \
++ if [ ! -d $$i ] ; then \
++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
++ echo New test file $$name ; \
++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
++ 2> $(srcdir)/result/errors10/$$name.err \
++ > $(srcdir)/result/errors10/$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ else \
++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ diff $(srcdir)/result/errors10/$$name result.$$name ; \
++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
++ rm result.$$name error.$$name ; \
++ fi ; fi ; done)
+ @echo "## Error cases stream regression tests"
+ -@(for i in $(srcdir)/test/errors/*.xml ; do \
+ name=`basename $$i`; \
+diff --git a/parser.c b/parser.c
+index 609a270..8e11c12 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 0000000..da15c3f
+--- /dev/null
++++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++namespace error : Failed to parse QName ':0000'
++ %a;
++ ^
++<:0000
++ ^
++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
++
++^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 0000000..655f41a
+--- /dev/null
++++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
++
++^
++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++
++^
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
++
++^
++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
++
++^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 0000000..34b1dae
+--- /dev/null
++++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 0000000..7760346
+--- /dev/null
++++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
++./test/valid/766956.xml : failed to parse
+diff --git a/runtest.c b/runtest.c
+index bb74d2a..63e8c20 100644
+--- a/runtest.c
++++ b/runtest.c
+@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
+ { "Error cases regression tests",
+ errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
+ 0 },
++ { "Error cases regression tests (old 1.0)",
++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
++ XML_PARSE_OLD10 },
+ #ifdef LIBXML_READER_ENABLED
+ { "Error cases stream regression tests",
+ streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 0000000..d9e9e83
+--- /dev/null
++++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE D [
++ <!ENTITY % a "<:0000">
++ %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 0000000..67476bc
+--- /dev/null
++++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE doc [
++ <!ENTITY % elem "<!ELEMENT e0000000000">
++ %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 0000000..19a95a0
+--- /dev/null
++++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
++<!DOCTYPE test SYSTEM "dtds/766956.dtd">
++<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 0000000..dddde68
+--- /dev/null
++++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
++<!ENTITY % ent "value">
++%ä%ent;
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index dd2e034..3f78c2d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -25,6 +25,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-fix_NULL_pointer_derefs.patch \
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
+ file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH 5/7] libxml2-2.9.4: Fix CVE-2017-5969
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (3 preceding siblings ...)
2017-06-14 15:26 ` [PATCH 4/7] libxml2: Fix CVE-2017-9049 and CVE-2017-9050 Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 15:26 ` [PATCH 6/7] libxml2: Fix CVE-2017-0663 Andrej Valek
` (10 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
Fix NULL pointer deref in xmlDumpElementContent
Can only be triggered in recovery mode.
Fixes bug 758422
CVE: CVE-2017-5969
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml/libxml2/libxml2-CVE-2017-5969.patch | 62 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
new file mode 100644
index 0000000..a484821
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
@@ -0,0 +1,62 @@
+libxml2-2.9.4: Fix CVE-2017-5969
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
+
+valid: Fix NULL pointer deref in xmlDumpElementContent
+
+Can only be triggered in recovery mode.
+
+Fixes bug 758422
+
+Upstream-Status: Backported - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
+CVE: CVE-2017-5969
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/valid.c b/valid.c
+index 19f84b8..0a8e58a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+ xmlBufferWriteCHAR(buf, content->name);
+ break;
+ case XML_ELEMENT_CONTENT_SEQ:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " , ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
+ break;
+ case XML_ELEMENT_CONTENT_OR:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " | ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 3f78c2d..2996809 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
+ file://libxml2-CVE-2017-5969.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH 6/7] libxml2: Fix CVE-2017-0663
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (4 preceding siblings ...)
2017-06-14 15:26 ` [PATCH 5/7] libxml2-2.9.4: Fix CVE-2017-5969 Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 15:26 ` [PATCH 7/7] libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local" Andrej Valek
` (9 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
on namespace declarations make no practical sense anyway.
Fixes bug 780228
CVE: CVE-2017-0663
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml/libxml2/libxml2-CVE-2017-0663.patch | 40 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
new file mode 100644
index 0000000..66eeb82
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,40 @@
+libxml2-2.9.4: Fix CVE-2017-0663
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=780228
+
+valid: Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
+on namespace declarations make no practical sense anyway.
+
+Fixes bug 780228
+
+Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
+CVE: CVE-2017-0663
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/libxml2-2.9.4/valid.c b/libxml2-2.9.4/valid.c
+index 19f84b8..e03d35e 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4621,6 +4621,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4632,6 +4638,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 2996809..677d8c9 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
file://libxml2-CVE-2017-5969.patch \
+ file://libxml2-CVE-2017-0663.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH 7/7] libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local"
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (5 preceding siblings ...)
2017-06-14 15:26 ` [PATCH 6/7] libxml2: Fix CVE-2017-0663 Andrej Valek
@ 2017-06-14 15:26 ` Andrej Valek
2017-06-14 15:31 ` ✗ patchtest: failure for Fix multiple CVEs Patchwork
` (8 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-14 15:26 UTC (permalink / raw)
To: openembedded-core
The new flag doesn't work and the change even broke the XML_PARSE_NONET option.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml/libxml2/CVE-2016-9318.patch | 207 ---------------------
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 -
2 files changed, 208 deletions(-)
delete mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
deleted file mode 100644
index 3581ab8..0000000
--- a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
-From: Doran Moppert <dmoppert@redhat.com>
-Date: Fri, 7 Apr 2017 16:45:56 +0200
-Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
- even local
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=772726
-
-* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
-* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
-* include/libxml/xmlerror.h: new error raised
-* xmllint.c: adds --noxxe flag to activate the option
-
-Upstream-Status: Backport
-CVE: CVE-2016-9318
-
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
- elfgcchack.h | 10 ++++++++++
- include/libxml/parser.h | 3 ++-
- include/libxml/xmlIO.h | 8 ++++++++
- include/libxml/xmlerror.h | 1 +
- parser.c | 4 ++++
- xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
- xmllint.c | 5 +++++
- 7 files changed, 65 insertions(+), 6 deletions(-)
-
-diff --git a/elfgcchack.h b/elfgcchack.h
-index 8c52884..1b81dcd 100644
---- a/elfgcchack.h
-+++ b/elfgcchack.h
-@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
- #endif
- #endif
-
-+#ifdef bottom_xmlIO
-+#undef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
-+#else
-+#ifndef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
-+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
-+#endif
-+#endif
-+
- #ifdef bottom_tree
- #undef xmlNodeAddContent
- extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
-diff --git a/include/libxml/parser.h b/include/libxml/parser.h
-index 47fbec0..63ca1b9 100644
---- a/include/libxml/parser.h
-+++ b/include/libxml/parser.h
-@@ -1111,7 +1111,8 @@ typedef enum {
- XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
- XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
- XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
-- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
-+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
-+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
- } xmlParserOption;
-
- XMLPUBFUN void XMLCALL
-diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
-index 3e41744..8d3fdef 100644
---- a/include/libxml/xmlIO.h
-+++ b/include/libxml/xmlIO.h
-@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
- xmlParserCtxtPtr ctxt);
-
- /*
-+ * A predefined entity loader external entity expansion
-+ */
-+XMLPUBFUN xmlParserInputPtr XMLCALL
-+ xmlNoXxeExternalEntityLoader (const char *URL,
-+ const char *ID,
-+ xmlParserCtxtPtr ctxt);
-+
-+/*
- * xmlNormalizeWindowsPath is obsolete, don't use it.
- * Check xmlCanonicPath in uri.h for a better alternative.
- */
-diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
-index 037c16d..3036062 100644
---- a/include/libxml/xmlerror.h
-+++ b/include/libxml/xmlerror.h
-@@ -470,6 +470,7 @@ typedef enum {
- XML_IO_EADDRINUSE, /* 1554 */
- XML_IO_EALREADY, /* 1555 */
- XML_IO_EAFNOSUPPORT, /* 1556 */
-+ XML_IO_ILLEGAL_XXE, /* 1557 */
- XML_XINCLUDE_RECURSION=1600,
- XML_XINCLUDE_PARSE_VALUE, /* 1601 */
- XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
-diff --git a/parser.c b/parser.c
-index 53a6b7f..609a270 100644
---- a/parser.c
-+++ b/parser.c
-@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
- ctxt->options |= XML_PARSE_NONET;
- options -= XML_PARSE_NONET;
- }
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options |= XML_PARSE_NOXXE;
-+ options -= XML_PARSE_NOXXE;
-+ }
- if (options & XML_PARSE_COMPACT) {
- ctxt->options |= XML_PARSE_COMPACT;
- options -= XML_PARSE_COMPACT;
-diff --git a/xmlIO.c b/xmlIO.c
-index 1a79c09..304f822 100644
---- a/xmlIO.c
-+++ b/xmlIO.c
-@@ -210,6 +210,7 @@ static const char *IOerr[] = {
- "adddress in use", /* EADDRINUSE */
- "already in use", /* EALREADY */
- "unknown address familly", /* EAFNOSUPPORT */
-+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
- };
-
- #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
-@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
- xmlGenericError(xmlGenericErrorContext,
- "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
- #endif
-- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
-+ if (ctxt != NULL) {
- int options = ctxt->options;
-
-- ctxt->options -= XML_PARSE_NONET;
-- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-- ctxt->options = options;
-- return(ret);
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options -= XML_PARSE_NOXXE;
-+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
-+
-+ if (options & XML_PARSE_NONET) {
-+ ctxt->options -= XML_PARSE_NONET;
-+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
- }
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
-@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- xmlParserInputPtr input = NULL;
- xmlChar *resource = NULL;
-
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
- #endif
-@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- return(input);
- }
-
-+xmlParserInputPtr
-+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
-+ xmlParserCtxtPtr ctxt) {
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
-+ return(NULL);
-+}
-+
- #define bottom_xmlIO
- #include "elfgcchack.h"
-diff --git a/xmllint.c b/xmllint.c
-index 67f7adb..d9368c1 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
- printf("\t--path 'paths': provide a set of paths for resources\n");
- printf("\t--load-trace : print trace of all external entities loaded\n");
- printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
-+ printf("\t--noxxe : forbid any external entity loading\n");
- printf("\t--nocompact : do not generate compact text nodes\n");
- printf("\t--htmlout : output results as HTML\n");
- printf("\t--nowrap : do not put HTML doc wrapper\n");
-@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
- (!strcmp(argv[i], "--nonet"))) {
- options |= XML_PARSE_NONET;
- xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
-+ } else if ((!strcmp(argv[i], "-noxxe")) ||
-+ (!strcmp(argv[i], "--noxxe"))) {
-+ options |= XML_PARSE_NOXXE;
-+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
- } else if ((!strcmp(argv[i], "-nocompact")) ||
- (!strcmp(argv[i], "--nocompact"))) {
- options &= ~XML_PARSE_COMPACT;
---
-2.10.2
-
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 677d8c9..f67c47d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -28,7 +28,6 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
file://libxml2-CVE-2017-5969.patch \
file://libxml2-CVE-2017-0663.patch \
- file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* ✗ patchtest: failure for Fix multiple CVEs
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (6 preceding siblings ...)
2017-06-14 15:26 ` [PATCH 7/7] libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local" Andrej Valek
@ 2017-06-14 15:31 ` Patchwork
2017-06-15 6:34 ` [PATCH v2 0/7] libxml2: " Andrej Valek
` (7 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Patchwork @ 2017-06-14 15:31 UTC (permalink / raw)
To: Andrej Valek; +Cc: openembedded-core
== Series Details ==
Series: Fix multiple CVEs
Revision: 1
URL : https://patchwork.openembedded.org/series/7243/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series cannot be parsed correctly due to malformed diff lines [test_mbox_format]
Suggested fix Create the series again using git-format-patch and ensure it can be applied using git am
Diff line diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch master (currently at 059846662f)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 22+ messages in thread* [PATCH v2 0/7] libxml2: Fix multiple CVEs
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (7 preceding siblings ...)
2017-06-14 15:31 ` ✗ patchtest: failure for Fix multiple CVEs Patchwork
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 6:34 ` [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests Andrej Valek
` (6 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
Fix CVE:
- CVE-2017-0663
- CVE-2017-9047
- CVE-2017-9048
- CVE-2017-9049
- CVE-2017-9050
- CVE-2017-5969
- Sync necessary changes for CVE fixing from master.
Andrej Valek (7):
libxml2: Disable LeakSanitizer when running API tests
libxml2: Avoid reparsing and simplify control flow in
xmlParseStartTag2
libxml2: Fix CVE-2017-9047 and CVE-2017-9048
libxml2: Fix CVE-2017-9049 and CVE-2017-9050
libxml2: Fix CVE-2017-5969
libxml2: Fix CVE-2017-0663
libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities
loading even local"
.../libxml/libxml2/CVE-2016-9318.patch | 207 --------
.../libxml/libxml2/libxml2-CVE-2017-0663.patch | 40 ++
.../libxml/libxml2/libxml2-CVE-2017-5969.patch | 62 +++
.../libxml2-CVE-2017-9047_CVE-2017-9048.patch | 103 ++++
.../libxml2-CVE-2017-9049_CVE-2017-9050.patch | 291 ++++++++++
...ibxml2-fix_and_simplify_xmlParseStartTag2.patch | 590 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2/runtest.patch | 22 +-
meta/recipes-core/libxml/libxml2_2.9.4.bb | 6 +-
8 files changed, 1109 insertions(+), 212 deletions(-)
delete mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
--
2.1.4
^ permalink raw reply [flat|nested] 22+ messages in thread* [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (8 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 0/7] libxml2: " Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 11:31 ` Burton, Ross
2017-06-15 6:34 ` [PATCH v2 2/7] libxml2: Avoid reparsing and simplify control flow in xmlParseStartTag2 Andrej Valek
` (5 subsequent siblings)
15 siblings, 1 reply; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
Makefile.am: Disable LeakSanitizer when running API tests
The autogenerated API tests leak memory.
Upstream-Status: Backported - [https://git.gnome.org/browse/libxml2/commit/?id=ac9a4560ee85b18811ff8ab7791ddfff7b144b0a]
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/recipes-core/libxml/libxml2/runtest.patch | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-core/libxml/libxml2/runtest.patch b/meta/recipes-core/libxml/libxml2/runtest.patch
index 397ab20..7b1b0e8 100644
--- a/meta/recipes-core/libxml/libxml2/runtest.patch
+++ b/meta/recipes-core/libxml/libxml2/runtest.patch
@@ -5,9 +5,9 @@ Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
Upstream-Status: Pending
diff -uNr a/Makefile.am b/Makefile.am
---- a/Makefile.am 2013-04-17 14:51:42.633386477 +0200
-+++ b/Makefile.am 2013-04-19 14:47:51.544720568 +0200
-@@ -202,10 +202,19 @@
+--- a/Makefile.am 2016-05-22 03:49:02.000000000 +0200
++++ b/Makefile.am 2017-06-14 10:38:43.381305385 +0200
+@@ -202,10 +202,24 @@
#testOOM_DEPENDENCIES = $(DEPS)
#testOOM_LDADD= $(LDADDS)
@@ -24,10 +24,24 @@ diff -uNr a/Makefile.am b/Makefile.am
[ -d test ] || $(LN_S) $(srcdir)/test .
[ -d result ] || $(LN_S) $(srcdir)/result .
- $(CHECKER) ./runtest$(EXEEXT) && $(CHECKER) ./testrecurse$(EXEEXT) &&$(CHECKER) ./testapi$(EXEEXT) && $(CHECKER) ./testchar$(EXEEXT)&& $(CHECKER) ./testdict$(EXEEXT) && $(CHECKER) ./runxmlconf$(EXEEXT)
-+ ./runtest$(EXEEXT) ; ./testrecurse$(EXEEXT) ; ./testapi$(EXEEXT) ; ./testchar$(EXEEXT) ; ./testdict$(EXEEXT) ; ./runxmlconf$(EXEEXT)
++ $(CHECKER) ./runtest$(EXEEXT) && \
++ $(CHECKER) ./testrecurse$(EXEEXT) && \
++ ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
++ $(CHECKER) ./testchar$(EXEEXT) && \
++ $(CHECKER) ./testdict$(EXEEXT) && \
++ $(CHECKER) ./runxmlconf$(EXEEXT)
@(if [ "$(PYTHON_SUBDIR)" != "" ] ; then cd python ; \
$(MAKE) tests ; fi)
+@@ -229,7 +243,7 @@
+
+ APItests: testapi$(EXEEXT)
+ @echo "## Running the API regression tests this may take a little while"
+- -@($(CHECKER) $(top_builddir)/testapi -q)
++ -@(ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) $(top_builddir)/testapi -q)
+
+ HTMLtests : testHTML$(EXEEXT)
+ @(echo > .memdump)
diff -uNr a/runsuite.c b/runsuite.c
--- a/runsuite.c 2013-04-12 16:17:11.462823238 +0200
+++ b/runsuite.c 2013-04-17 14:07:24.352693211 +0200
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* Re: [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests
2017-06-15 6:34 ` [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests Andrej Valek
@ 2017-06-15 11:31 ` Burton, Ross
2017-06-15 11:42 ` Andrej Valek
0 siblings, 1 reply; 22+ messages in thread
From: Burton, Ross @ 2017-06-15 11:31 UTC (permalink / raw)
To: Andrej Valek; +Cc: OE-core
[-- Attachment #1: Type: text/plain, Size: 513 bytes --]
On 15 June 2017 at 07:34, Andrej Valek <andrej.valek@siemens.com> wrote:
> Upstream-Status: Backported - [https://git.gnome.org/browse/
> libxml2/commit/?id=ac9a4560ee85b18811ff8ab7791ddfff7b144b0a]
>
> --- a/meta/recipes-core/libxml/libxml2/runtest.patch
> +++ b/meta/recipes-core/libxml/libxml2/runtest.patch
> @@ -5,9 +5,9 @@ Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
> Upstream-Status: Pending
>
Upstream-Status goes into the path file itself, not the commit log.
Ross
[-- Attachment #2: Type: text/html, Size: 1329 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests
2017-06-15 11:31 ` Burton, Ross
@ 2017-06-15 11:42 ` Andrej Valek
2017-06-15 11:47 ` Burton, Ross
0 siblings, 1 reply; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 11:42 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
I am modifying already existing patch not creating the new one. Is it
necessary to change Upstream-Status to backported?
If yes, is it possible to fix only this patch, or do I need to push the
whole series?
Andrej
On 06/15/2017 01:31 PM, Burton, Ross wrote:
>
> On 15 June 2017 at 07:34, Andrej Valek <andrej.valek@siemens.com
> <mailto:andrej.valek@siemens.com>> wrote:
>
> Upstream-Status: Backported -
> [https://git.gnome.org/browse/libxml2/commit/?id=ac9a4560ee85b18811ff8ab7791ddfff7b144b0a
> <https://git.gnome.org/browse/libxml2/commit/?id=ac9a4560ee85b18811ff8ab7791ddfff7b144b0a>]
>
>
> --- a/meta/recipes-core/libxml/libxml2/runtest.patch
> +++ b/meta/recipes-core/libxml/libxml2/runtest.patch
> @@ -5,9 +5,9 @@ Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com
> <mailto:mihaela.sendrea@enea.com>>
> Upstream-Status: Pending
>
>
> Upstream-Status goes into the path file itself, not the commit log.
>
> Ross
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests
2017-06-15 11:42 ` Andrej Valek
@ 2017-06-15 11:47 ` Burton, Ross
2017-06-15 12:13 ` Andrej Valek
0 siblings, 1 reply; 22+ messages in thread
From: Burton, Ross @ 2017-06-15 11:47 UTC (permalink / raw)
To: Andrej Valek; +Cc: OE-core
[-- Attachment #1: Type: text/plain, Size: 631 bytes --]
On 15 June 2017 at 12:42, Andrej Valek <andrej.valek@siemens.com> wrote:
> I am modifying already existing patch not creating the new one. Is it
> necessary to change Upstream-Status to backported?
>
> If yes, is it possible to fix only this patch, or do I need to push the
> whole series?
>
If the patch is backported from upstream then please correct the status to
be backported, and remove the U-S from the commit message.
Also a later patch in the series uses "Backported" when the status is
Backport, please verify that all the patches have the right tags as there
are scripts which read the values.
Ross
[-- Attachment #2: Type: text/html, Size: 1199 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests
2017-06-15 11:47 ` Burton, Ross
@ 2017-06-15 12:13 ` Andrej Valek
0 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 12:13 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
I have modified all patches and posted in
http://lists.openembedded.org/pipermail/openembedded-core/2017-June/138219.html
.
Andrej
On 06/15/2017 01:47 PM, Burton, Ross wrote:
>
> On 15 June 2017 at 12:42, Andrej Valek <andrej.valek@siemens.com
> <mailto:andrej.valek@siemens.com>> wrote:
>
> I am modifying already existing patch not creating the new one. Is it
> necessary to change Upstream-Status to backported?
>
> If yes, is it possible to fix only this patch, or do I need to push the
> whole series?
>
>
> If the patch is backported from upstream then please correct the status to be
> backported, and remove the U-S from the commit message.
>
> Also a later patch in the series uses "Backported" when the status is Backport,
> please verify that all the patches have the right tags as there are scripts
> which read the values.
>
> Ross
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* [PATCH v2 2/7] libxml2: Avoid reparsing and simplify control flow in xmlParseStartTag2
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (9 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 1/7] libxml2: Disable LeakSanitizer when running API tests Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 6:34 ` [PATCH v2 3/7] libxml2: Fix CVE-2017-9047 and CVE-2017-9048 Andrej Valek
` (4 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 32548 bytes --]
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
...ibxml2-fix_and_simplify_xmlParseStartTag2.patch | 590 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 591 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
new file mode 100644
index 0000000..37e0781
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_and_simplify_xmlParseStartTag2.patch
@@ -0,0 +1,590 @@
+libxml2-2.9.4: Avoid reparsing and simplify control flow in xmlParseStartTag2
+
+[No upstream tracking]
+
+parser: Avoid reparsing in xmlParseStartTag2
+
+The code in xmlParseStartTag2 must handle the case that the input
+buffer was grown and reallocated which can invalidate pointers to
+attribute values. Before, this was handled by detecting changes of
+the input buffer "base" pointer and, in case of a change, jumping
+back to the beginning of the function and reparsing the start tag.
+
+The major problem of this approach is that whether an input buffer is
+reallocated is nondeterministic, resulting in seemingly random test
+failures. See the mailing list thread "runtest mystery bug: name2.xml
+error case regression test" from 2012, for example.
+
+If a reallocation was detected, the code also made no attempts to
+continue parsing in case of errors which makes a difference in
+the lax "recover" mode.
+
+Now we store the current input buffer "base" pointer for each (not
+separately allocated) attribute in the namespace URI field, which isn't
+used until later. After the whole start tag was parsed, the pointers to
+the attribute values are reconstructed using the offset between the
+new and the old input buffer. This relies on arithmetic on dangling
+pointers which is technically undefined behavior. But it seems like
+the easiest and most efficient fix and a similar approach is used in
+xmlParserInputGrow.
+
+This changes the error output of several tests, typically making it
+more verbose because we try harder to continue parsing in case of errors.
+
+(Another possible solution is to check not only the "base" pointer
+but the size of the input buffer as well. But this would result in
+even more reparsing.)
+
+Remove some goto labels and deduplicate a bit of code after handling
+namespaces.
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+
+Upstream-Status: Backported
+ - [https://git.gnome.org/browse/libxml2/commit/?id=07b7428b69c368611d215a140fe630b2d1e61349]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=855c19efb7cd30d927d673b3658563c4959ca6f0]
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/parser.c b/parser.c
+index 609a270..74016e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -43,6 +43,7 @@
+ #include <limits.h>
+ #include <string.h>
+ #include <stdarg.h>
++#include <stddef.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/threads.h>
+ #include <libxml/globals.h>
+@@ -9377,8 +9378,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ const xmlChar **atts = ctxt->atts;
+ int maxatts = ctxt->maxatts;
+ int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol, inputNr;
+- const xmlChar *base;
++ int i, j, nbNs, attval;
+ unsigned long cur;
+ int nsNr = ctxt->nsNr;
+
+@@ -9392,13 +9392,8 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ * The Shrinking is only possible once the full set of attribute
+ * callbacks have been done.
+ */
+-reparse:
+ SHRINK;
+- base = ctxt->input->base;
+ cur = ctxt->input->cur - ctxt->input->base;
+- inputNr = ctxt->inputNr;
+- oldline = ctxt->input->line;
+- oldcol = ctxt->input->col;
+ nbatts = 0;
+ nratts = 0;
+ nbdef = 0;
+@@ -9422,8 +9417,6 @@ reparse:
+ */
+ SKIP_BLANKS;
+ GROW;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+
+ while (((RAW != '>') &&
+ ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9434,203 +9427,174 @@ reparse:
+
+ attname = xmlParseAttribute2(ctxt, prefix, localname,
+ &aprefix, &attvalue, &len, &alloc);
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+- if ((attvalue != NULL) && (alloc != 0))
+- xmlFree(attvalue);
+- attvalue = NULL;
+- goto base_changed;
+- }
+- if ((attname != NULL) && (attvalue != NULL)) {
+- if (len < 0) len = xmlStrlen(attvalue);
+- if ((attname == ctxt->str_xmlns) && (aprefix == NULL)) {
+- const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
+- xmlURIPtr uri;
+-
+- if (URL == NULL) {
+- xmlErrMemory(ctxt, "dictionary allocation failure");
+- if ((attvalue != NULL) && (alloc != 0))
+- xmlFree(attvalue);
+- return(NULL);
+- }
+- if (*URL != 0) {
+- uri = xmlParseURI((const char *) URL);
+- if (uri == NULL) {
+- xmlNsErr(ctxt, XML_WAR_NS_URI,
+- "xmlns: '%s' is not a valid URI\n",
+- URL, NULL, NULL);
+- } else {
+- if (uri->scheme == NULL) {
+- xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
+- "xmlns: URI %s is not absolute\n",
+- URL, NULL, NULL);
+- }
+- xmlFreeURI(uri);
+- }
+- if (URL == ctxt->str_xml_ns) {
+- if (attname != ctxt->str_xml) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xml namespace URI cannot be the default namespace\n",
+- NULL, NULL, NULL);
+- }
+- goto skip_default_ns;
+- }
+- if ((len == 29) &&
+- (xmlStrEqual(URL,
+- BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "reuse of the xmlns namespace name is forbidden\n",
+- NULL, NULL, NULL);
+- goto skip_default_ns;
+- }
+- }
+- /*
+- * check that it's not a defined namespace
+- */
+- for (j = 1;j <= nbNs;j++)
+- if (ctxt->nsTab[ctxt->nsNr - 2 * j] == NULL)
+- break;
+- if (j <= nbNs)
+- xmlErrAttributeDup(ctxt, NULL, attname);
+- else
+- if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+-skip_default_ns:
+- if ((attvalue != NULL) && (alloc != 0)) {
+- xmlFree(attvalue);
+- attvalue = NULL;
+- }
+- if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+- break;
+- if (!IS_BLANK_CH(RAW)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+- "attributes construct error\n");
+- break;
+- }
+- SKIP_BLANKS;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+- continue;
+- }
+- if (aprefix == ctxt->str_xmlns) {
+- const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
+- xmlURIPtr uri;
+-
+- if (attname == ctxt->str_xml) {
+- if (URL != ctxt->str_xml_ns) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xml namespace prefix mapped to wrong URI\n",
+- NULL, NULL, NULL);
+- }
+- /*
+- * Do not keep a namespace definition node
+- */
+- goto skip_ns;
+- }
++ if ((attname == NULL) || (attvalue == NULL))
++ goto next_attr;
++ if (len < 0) len = xmlStrlen(attvalue);
++
++ if ((attname == ctxt->str_xmlns) && (aprefix == NULL)) {
++ const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
++ xmlURIPtr uri;
++
++ if (URL == NULL) {
++ xmlErrMemory(ctxt, "dictionary allocation failure");
++ if ((attvalue != NULL) && (alloc != 0))
++ xmlFree(attvalue);
++ return(NULL);
++ }
++ if (*URL != 0) {
++ uri = xmlParseURI((const char *) URL);
++ if (uri == NULL) {
++ xmlNsErr(ctxt, XML_WAR_NS_URI,
++ "xmlns: '%s' is not a valid URI\n",
++ URL, NULL, NULL);
++ } else {
++ if (uri->scheme == NULL) {
++ xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
++ "xmlns: URI %s is not absolute\n",
++ URL, NULL, NULL);
++ }
++ xmlFreeURI(uri);
++ }
+ if (URL == ctxt->str_xml_ns) {
+- if (attname != ctxt->str_xml) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xml namespace URI mapped to wrong prefix\n",
+- NULL, NULL, NULL);
+- }
+- goto skip_ns;
+- }
+- if (attname == ctxt->str_xmlns) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "redefinition of the xmlns prefix is forbidden\n",
+- NULL, NULL, NULL);
+- goto skip_ns;
+- }
+- if ((len == 29) &&
+- (xmlStrEqual(URL,
+- BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "reuse of the xmlns namespace name is forbidden\n",
+- NULL, NULL, NULL);
+- goto skip_ns;
+- }
+- if ((URL == NULL) || (URL[0] == 0)) {
+- xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
+- "xmlns:%s: Empty XML namespace is not allowed\n",
+- attname, NULL, NULL);
+- goto skip_ns;
+- } else {
+- uri = xmlParseURI((const char *) URL);
+- if (uri == NULL) {
+- xmlNsErr(ctxt, XML_WAR_NS_URI,
+- "xmlns:%s: '%s' is not a valid URI\n",
+- attname, URL, NULL);
+- } else {
+- if ((ctxt->pedantic) && (uri->scheme == NULL)) {
+- xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
+- "xmlns:%s: URI %s is not absolute\n",
+- attname, URL, NULL);
+- }
+- xmlFreeURI(uri);
+- }
+- }
+-
+- /*
+- * check that it's not a defined namespace
+- */
+- for (j = 1;j <= nbNs;j++)
+- if (ctxt->nsTab[ctxt->nsNr - 2 * j] == attname)
+- break;
+- if (j <= nbNs)
+- xmlErrAttributeDup(ctxt, aprefix, attname);
+- else
+- if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+-skip_ns:
+- if ((attvalue != NULL) && (alloc != 0)) {
+- xmlFree(attvalue);
+- attvalue = NULL;
+- }
+- if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+- break;
+- if (!IS_BLANK_CH(RAW)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+- "attributes construct error\n");
+- break;
+- }
+- SKIP_BLANKS;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+- continue;
+- }
++ if (attname != ctxt->str_xml) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xml namespace URI cannot be the default namespace\n",
++ NULL, NULL, NULL);
++ }
++ goto next_attr;
++ }
++ if ((len == 29) &&
++ (xmlStrEqual(URL,
++ BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "reuse of the xmlns namespace name is forbidden\n",
++ NULL, NULL, NULL);
++ goto next_attr;
++ }
++ }
++ /*
++ * check that it's not a defined namespace
++ */
++ for (j = 1;j <= nbNs;j++)
++ if (ctxt->nsTab[ctxt->nsNr - 2 * j] == NULL)
++ break;
++ if (j <= nbNs)
++ xmlErrAttributeDup(ctxt, NULL, attname);
++ else
++ if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
++
++ } else if (aprefix == ctxt->str_xmlns) {
++ const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
++ xmlURIPtr uri;
++
++ if (attname == ctxt->str_xml) {
++ if (URL != ctxt->str_xml_ns) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xml namespace prefix mapped to wrong URI\n",
++ NULL, NULL, NULL);
++ }
++ /*
++ * Do not keep a namespace definition node
++ */
++ goto next_attr;
++ }
++ if (URL == ctxt->str_xml_ns) {
++ if (attname != ctxt->str_xml) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xml namespace URI mapped to wrong prefix\n",
++ NULL, NULL, NULL);
++ }
++ goto next_attr;
++ }
++ if (attname == ctxt->str_xmlns) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "redefinition of the xmlns prefix is forbidden\n",
++ NULL, NULL, NULL);
++ goto next_attr;
++ }
++ if ((len == 29) &&
++ (xmlStrEqual(URL,
++ BAD_CAST "http://www.w3.org/2000/xmlns/"))) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "reuse of the xmlns namespace name is forbidden\n",
++ NULL, NULL, NULL);
++ goto next_attr;
++ }
++ if ((URL == NULL) || (URL[0] == 0)) {
++ xmlNsErr(ctxt, XML_NS_ERR_XML_NAMESPACE,
++ "xmlns:%s: Empty XML namespace is not allowed\n",
++ attname, NULL, NULL);
++ goto next_attr;
++ } else {
++ uri = xmlParseURI((const char *) URL);
++ if (uri == NULL) {
++ xmlNsErr(ctxt, XML_WAR_NS_URI,
++ "xmlns:%s: '%s' is not a valid URI\n",
++ attname, URL, NULL);
++ } else {
++ if ((ctxt->pedantic) && (uri->scheme == NULL)) {
++ xmlNsWarn(ctxt, XML_WAR_NS_URI_RELATIVE,
++ "xmlns:%s: URI %s is not absolute\n",
++ attname, URL, NULL);
++ }
++ xmlFreeURI(uri);
++ }
++ }
+
+- /*
+- * Add the pair to atts
+- */
+- if ((atts == NULL) || (nbatts + 5 > maxatts)) {
+- if (xmlCtxtGrowAttrs(ctxt, nbatts + 5) < 0) {
+- if (attvalue[len] == 0)
+- xmlFree(attvalue);
+- goto failed;
+- }
+- maxatts = ctxt->maxatts;
+- atts = ctxt->atts;
+- }
+- ctxt->attallocs[nratts++] = alloc;
+- atts[nbatts++] = attname;
+- atts[nbatts++] = aprefix;
+- atts[nbatts++] = NULL; /* the URI will be fetched later */
+- atts[nbatts++] = attvalue;
+- attvalue += len;
+- atts[nbatts++] = attvalue;
+- /*
+- * tag if some deallocation is needed
+- */
+- if (alloc != 0) attval = 1;
+- } else {
+- if ((attvalue != NULL) && (attvalue[len] == 0))
+- xmlFree(attvalue);
+- }
++ /*
++ * check that it's not a defined namespace
++ */
++ for (j = 1;j <= nbNs;j++)
++ if (ctxt->nsTab[ctxt->nsNr - 2 * j] == attname)
++ break;
++ if (j <= nbNs)
++ xmlErrAttributeDup(ctxt, aprefix, attname);
++ else
++ if (nsPush(ctxt, attname, URL) > 0) nbNs++;
++
++ } else {
++ /*
++ * Add the pair to atts
++ */
++ if ((atts == NULL) || (nbatts + 5 > maxatts)) {
++ if (xmlCtxtGrowAttrs(ctxt, nbatts + 5) < 0) {
++ goto next_attr;
++ }
++ maxatts = ctxt->maxatts;
++ atts = ctxt->atts;
++ }
++ ctxt->attallocs[nratts++] = alloc;
++ atts[nbatts++] = attname;
++ atts[nbatts++] = aprefix;
++ /*
++ * The namespace URI field is used temporarily to point at the
++ * base of the current input buffer for non-alloced attributes.
++ * When the input buffer is reallocated, all the pointers become
++ * invalid, but they can be reconstructed later.
++ */
++ if (alloc)
++ atts[nbatts++] = NULL;
++ else
++ atts[nbatts++] = ctxt->input->base;
++ atts[nbatts++] = attvalue;
++ attvalue += len;
++ atts[nbatts++] = attvalue;
++ /*
++ * tag if some deallocation is needed
++ */
++ if (alloc != 0) attval = 1;
++ attvalue = NULL; /* moved into atts */
++ }
+
+-failed:
++next_attr:
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+
+ GROW
+ if (ctxt->instate == XML_PARSER_EOF)
+ break;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9646,8 +9610,20 @@ failed:
+ break;
+ }
+ GROW;
+- if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+- goto base_changed;
++ }
++
++ /* Reconstruct attribute value pointers. */
++ for (i = 0, j = 0; j < nratts; i += 5, j++) {
++ if (atts[i+2] != NULL) {
++ /*
++ * Arithmetic on dangling pointers is technically undefined
++ * behavior, but well...
++ */
++ ptrdiff_t offset = ctxt->input->base - atts[i+2];
++ atts[i+2] = NULL; /* Reset repurposed namespace URI */
++ atts[i+3] += offset; /* value */
++ atts[i+4] += offset; /* valuend */
++ }
+ }
+
+ /*
+@@ -9804,34 +9780,6 @@ failed:
+ }
+
+ return(localname);
+-
+-base_changed:
+- /*
+- * the attribute strings are valid iif the base didn't changed
+- */
+- if (attval != 0) {
+- for (i = 3,j = 0; j < nratts;i += 5,j++)
+- if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+- xmlFree((xmlChar *) atts[i]);
+- }
+-
+- /*
+- * We can't switch from one entity to another in the middle
+- * of a start tag
+- */
+- if (inputNr != ctxt->inputNr) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+- "Start tag doesn't start and stop in the same entity\n");
+- return(NULL);
+- }
+-
+- ctxt->input->cur = ctxt->input->base + cur;
+- ctxt->input->line = oldline;
+- ctxt->input->col = oldcol;
+- if (ctxt->wellFormed == 1) {
+- goto reparse;
+- }
+- return(NULL);
+ }
+
+ /**
+diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err
+index e08d9bf..f6036a3 100644
+--- a/result/errors/759398.xml.err
++++ b/result/errors/759398.xml.err
+@@ -1,9 +1,12 @@
+ ./test/errors/759398.xml:210: parser error : StartTag: invalid element name
+ need to worry about parsers whi<! don't expand PErefs finding
+ ^
+-./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: spec line 50 and termdef
++./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–!
â„–â„–â„–
â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â!
„–â„–â„–â
„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„!
–â„–â„–â„
–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–â„–m line 308 and termdef
+ and provide access to their content and structure.</termdef> <termdef
+ ^
+-./test/errors/759398.xml:309: parser error : Extra content at the end of the document
+-and provide access to their content and structure.</termdef> <termdef
+- ^
++./test/errors/759398.xml:314: parser error : Opening and ending tag mismatch: spec line 50 and p
++data and the information it must provide to the application.</p>
++ ^
++./test/errors/759398.xml:316: parser error : Extra content at the end of the document
++<div2 id='sec-origin-goals'>
++^
+diff --git a/result/errors/attr1.xml.err b/result/errors/attr1.xml.err
+index 4f08538..c4c4fc8 100644
+--- a/result/errors/attr1.xml.err
++++ b/result/errors/attr1.xml.err
+@@ -1,6 +1,9 @@
+ ./test/errors/attr1.xml:2: parser error : AttValue: ' expected
+
+ ^
+-./test/errors/attr1.xml:1: parser error : Extra content at the end of the document
+-<foo foo="oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+- ^
++./test/errors/attr1.xml:2: parser error : attributes construct error
++
++^
++./test/errors/attr1.xml:2: parser error : Couldn't find end of Start Tag foo line 1
++
++^
+diff --git a/result/errors/attr2.xml.err b/result/errors/attr2.xml.err
+index c8a9c7d..77e342e 100644
+--- a/result/errors/attr2.xml.err
++++ b/result/errors/attr2.xml.err
+@@ -1,6 +1,9 @@
+ ./test/errors/attr2.xml:2: parser error : AttValue: ' expected
+
+ ^
+-./test/errors/attr2.xml:1: parser error : Extra content at the end of the document
+-<foo foo=">ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+- ^
++./test/errors/attr2.xml:2: parser error : attributes construct error
++
++^
++./test/errors/attr2.xml:2: parser error : Couldn't find end of Start Tag foo line 1
++
++^
+diff --git a/result/errors/name2.xml.err b/result/errors/name2.xml.err
+index a6649a1..8a6acee 100644
+--- a/result/errors/name2.xml.err
++++ b/result/errors/name2.xml.err
+@@ -1,6 +1,9 @@
+ ./test/errors/name2.xml:2: parser error : Specification mandate value for attribute foooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!
ooooooooo
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+
+ ^
+-./test/errors/name2.xml:1: parser error : Extra content at the end of the document
+-<foo foooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
+- ^
++./test/errors/name2.xml:2: parser error : attributes construct error
++
++^
++./test/errors/name2.xml:2: parser error : Couldn't find end of Start Tag foo line 1
++
++^
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 4f60781..0577ad6 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2016-5131.patch \
file://libxml2-CVE-2016-4658.patch \
file://libxml2-fix_NULL_pointer_derefs.patch \
+ file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH v2 3/7] libxml2: Fix CVE-2017-9047 and CVE-2017-9048
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (10 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 2/7] libxml2: Avoid reparsing and simplify control flow in xmlParseStartTag2 Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 6:34 ` [PATCH v2 4/7] libxml2: Fix CVE-2017-9049 and CVE-2017-9050 Andrej Valek
` (3 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 and bug 781701
CVE: CVE-2017-9047 CVE-2017-9048
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml2-CVE-2017-9047_CVE-2017-9048.patch | 103 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 104 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
new file mode 100644
index 0000000..a045acf
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9047_CVE-2017-9048.patch
@@ -0,0 +1,103 @@
+libxml2-2.9.4: Fix CVE-2017-9047 and CVE-2017-9048
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=781333
+ -- https://bugzilla.gnome.org/show_bug.cgi?id=781701
+
+valid: Fix buffer size checks in xmlSnprintfElementContent
+
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+
+Fixes bug 781333 and bug 781701
+
+Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74]
+CVE: CVE-2017-9047 CVE-2017-9048
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/result/valid/781333.xml b/result/valid/781333.xml
+new file mode 100644
+index 0000000..01baf11
+--- /dev/null
++++ b/result/valid/781333.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE a [
++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
lllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
+new file mode 100644
+index 0000000..2176200
+--- /dev/null
++++ b/result/valid/781333.xml.err
+@@ -0,0 +1,3 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
+new file mode 100644
+index 0000000..1195a04
+--- /dev/null
++++ b/result/valid/781333.xml.err.rdr
+@@ -0,0 +1,6 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
++<a/>
++ ^
++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
++
++^
+diff --git a/test/valid/781333.xml b/test/valid/781333.xml
+new file mode 100644
+index 0000000..bceac9c
+--- /dev/null
++++ b/test/valid/781333.xml
+@@ -0,0 +1,4 @@
++<!DOCTYPE a [
++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp!
ppppppppp
pppppppppppppppppppppppppppppp:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll!
lllllllll
lllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/valid.c b/valid.c
+index 19f84b8..aaa30f6 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 0577ad6..dd2e034 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2016-4658.patch \
file://libxml2-fix_NULL_pointer_derefs.patch \
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
+ file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH v2 4/7] libxml2: Fix CVE-2017-9049 and CVE-2017-9050
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (11 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 3/7] libxml2: Fix CVE-2017-9047 and CVE-2017-9048 Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 6:34 ` [PATCH v2 5/7] libxml2: Fix CVE-2017-5969 Andrej Valek
` (2 subsequent siblings)
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
Fix handling of parameter-entity references
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Fixes bug 781205 and bug 781361
CVE: CVE-2017-9049 CVE-2017-9050
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml2-CVE-2017-9049_CVE-2017-9050.patch | 291 +++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 292 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
new file mode 100644
index 0000000..3d7ebc4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch
@@ -0,0 +1,291 @@
+libxml2-2.9.4: Fix CVE-2017-9049 and CVE-2017-9050
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=781205
+ -- https://bugzilla.gnome.org/show_bug.cgi?id=781361
+
+parser: Fix handling of parameter-entity references
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+
+The percent sign is not allowed in names, which are grammatical tokens.
+
+- xmlParseEntityValue
+
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+
+- xmlParseSystemLiteral
+
+Parameter-entity references are ignored in the system literal.
+
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+
+Parameter-entity references are ignored outside the DTD.
+
+- xmlLoadEntityContent
+
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+
+This bug could also be triggered with an internal subset and double
+entity expansion.
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+Fixes bug 781205 and bug 781361
+
+Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74]
+CVE: CVE-2017-9049 CVE-2017-9050
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/Makefile.am b/Makefile.am
+index 9f988b0..dab15a4 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
+ if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
+ rm result.$$name error.$$name ; \
+ fi ; fi ; done)
++ @echo "## Error cases regression tests (old 1.0)"
++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
++ name=`basename $$i`; \
++ if [ ! -d $$i ] ; then \
++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
++ echo New test file $$name ; \
++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
++ 2> $(srcdir)/result/errors10/$$name.err \
++ > $(srcdir)/result/errors10/$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ else \
++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
++ diff $(srcdir)/result/errors10/$$name result.$$name ; \
++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
++ rm result.$$name error.$$name ; \
++ fi ; fi ; done)
+ @echo "## Error cases stream regression tests"
+ -@(for i in $(srcdir)/test/errors/*.xml ; do \
+ name=`basename $$i`; \
+diff --git a/parser.c b/parser.c
+index 609a270..8e11c12 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 0000000..da15c3f
+--- /dev/null
++++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %a;
++ ^
++Entity: line 1:
++<:0000
++^
++namespace error : Failed to parse QName ':0000'
++ %a;
++ ^
++<:0000
++ ^
++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
++
++^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 0000000..655f41a
+--- /dev/null
++++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
++
++^
++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++
++^
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
++
++^
++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
++
++^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 0000000..34b1dae
+--- /dev/null
++++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 0000000..7760346
+--- /dev/null
++++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent;
++ ^
++Entity: line 1:
++value
++^
++./test/valid/766956.xml : failed to parse
+diff --git a/runtest.c b/runtest.c
+index bb74d2a..63e8c20 100644
+--- a/runtest.c
++++ b/runtest.c
+@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
+ { "Error cases regression tests",
+ errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
+ 0 },
++ { "Error cases regression tests (old 1.0)",
++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
++ XML_PARSE_OLD10 },
+ #ifdef LIBXML_READER_ENABLED
+ { "Error cases stream regression tests",
+ streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 0000000..d9e9e83
+--- /dev/null
++++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE D [
++ <!ENTITY % a "<:0000">
++ %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 0000000..67476bc
+--- /dev/null
++++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE doc [
++ <!ENTITY % elem "<!ELEMENT e0000000000">
++ %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 0000000..19a95a0
+--- /dev/null
++++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
++<!DOCTYPE test SYSTEM "dtds/766956.dtd">
++<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 0000000..dddde68
+--- /dev/null
++++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
++<!ENTITY % ent "value">
++%ä%ent;
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index dd2e034..3f78c2d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -25,6 +25,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-fix_NULL_pointer_derefs.patch \
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
+ file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH v2 5/7] libxml2: Fix CVE-2017-5969
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (12 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 4/7] libxml2: Fix CVE-2017-9049 and CVE-2017-9050 Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 6:34 ` [PATCH v2 6/7] libxml2: Fix CVE-2017-0663 Andrej Valek
2017-06-15 6:34 ` [PATCH v2 7/7] libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local" Andrej Valek
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
Fix NULL pointer deref in xmlDumpElementContent
Can only be triggered in recovery mode.
Fixes bug 758422
CVE: CVE-2017-5969
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml/libxml2/libxml2-CVE-2017-5969.patch | 62 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
new file mode 100644
index 0000000..a484821
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
@@ -0,0 +1,62 @@
+libxml2-2.9.4: Fix CVE-2017-5969
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
+
+valid: Fix NULL pointer deref in xmlDumpElementContent
+
+Can only be triggered in recovery mode.
+
+Fixes bug 758422
+
+Upstream-Status: Backported - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
+CVE: CVE-2017-5969
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/valid.c b/valid.c
+index 19f84b8..0a8e58a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+ xmlBufferWriteCHAR(buf, content->name);
+ break;
+ case XML_ELEMENT_CONTENT_SEQ:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " , ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
+ break;
+ case XML_ELEMENT_CONTENT_OR:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " | ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 3f78c2d..2996809 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
+ file://libxml2-CVE-2017-5969.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH v2 6/7] libxml2: Fix CVE-2017-0663
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (13 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 5/7] libxml2: Fix CVE-2017-5969 Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
2017-06-15 6:34 ` [PATCH v2 7/7] libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local" Andrej Valek
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
on namespace declarations make no practical sense anyway.
Fixes bug 780228
CVE: CVE-2017-0663
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml/libxml2/libxml2-CVE-2017-0663.patch | 40 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
new file mode 100644
index 0000000..a0e4255
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,40 @@
+libxml2: Fix CVE-2017-0663
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=780228
+
+valid: Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
+on namespace declarations make no practical sense anyway.
+
+Fixes bug 780228
+
+Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
+CVE: CVE-2017-0663
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/valid.c b/valid.c
+index 19f84b8..e03d35e 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4621,6 +4621,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4632,6 +4638,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 2996809..677d8c9 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
file://libxml2-CVE-2017-5969.patch \
+ file://libxml2-CVE-2017-0663.patch \
file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread* [PATCH v2 7/7] libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local"
2017-06-14 15:26 [PATCH 0/7] Fix multiple CVEs Andrej Valek
` (14 preceding siblings ...)
2017-06-15 6:34 ` [PATCH v2 6/7] libxml2: Fix CVE-2017-0663 Andrej Valek
@ 2017-06-15 6:34 ` Andrej Valek
15 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2017-06-15 6:34 UTC (permalink / raw)
To: openembedded-core
The new flag doesn't work and the change even broke the XML_PARSE_NONET option.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../libxml/libxml2/CVE-2016-9318.patch | 207 ---------------------
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 -
2 files changed, 208 deletions(-)
delete mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
deleted file mode 100644
index 3581ab8..0000000
--- a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
-From: Doran Moppert <dmoppert@redhat.com>
-Date: Fri, 7 Apr 2017 16:45:56 +0200
-Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
- even local
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=772726
-
-* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
-* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
-* include/libxml/xmlerror.h: new error raised
-* xmllint.c: adds --noxxe flag to activate the option
-
-Upstream-Status: Backport
-CVE: CVE-2016-9318
-
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
- elfgcchack.h | 10 ++++++++++
- include/libxml/parser.h | 3 ++-
- include/libxml/xmlIO.h | 8 ++++++++
- include/libxml/xmlerror.h | 1 +
- parser.c | 4 ++++
- xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
- xmllint.c | 5 +++++
- 7 files changed, 65 insertions(+), 6 deletions(-)
-
-diff --git a/elfgcchack.h b/elfgcchack.h
-index 8c52884..1b81dcd 100644
---- a/elfgcchack.h
-+++ b/elfgcchack.h
-@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
- #endif
- #endif
-
-+#ifdef bottom_xmlIO
-+#undef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
-+#else
-+#ifndef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
-+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
-+#endif
-+#endif
-+
- #ifdef bottom_tree
- #undef xmlNodeAddContent
- extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
-diff --git a/include/libxml/parser.h b/include/libxml/parser.h
-index 47fbec0..63ca1b9 100644
---- a/include/libxml/parser.h
-+++ b/include/libxml/parser.h
-@@ -1111,7 +1111,8 @@ typedef enum {
- XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
- XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
- XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
-- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
-+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
-+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
- } xmlParserOption;
-
- XMLPUBFUN void XMLCALL
-diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
-index 3e41744..8d3fdef 100644
---- a/include/libxml/xmlIO.h
-+++ b/include/libxml/xmlIO.h
-@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
- xmlParserCtxtPtr ctxt);
-
- /*
-+ * A predefined entity loader external entity expansion
-+ */
-+XMLPUBFUN xmlParserInputPtr XMLCALL
-+ xmlNoXxeExternalEntityLoader (const char *URL,
-+ const char *ID,
-+ xmlParserCtxtPtr ctxt);
-+
-+/*
- * xmlNormalizeWindowsPath is obsolete, don't use it.
- * Check xmlCanonicPath in uri.h for a better alternative.
- */
-diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
-index 037c16d..3036062 100644
---- a/include/libxml/xmlerror.h
-+++ b/include/libxml/xmlerror.h
-@@ -470,6 +470,7 @@ typedef enum {
- XML_IO_EADDRINUSE, /* 1554 */
- XML_IO_EALREADY, /* 1555 */
- XML_IO_EAFNOSUPPORT, /* 1556 */
-+ XML_IO_ILLEGAL_XXE, /* 1557 */
- XML_XINCLUDE_RECURSION=1600,
- XML_XINCLUDE_PARSE_VALUE, /* 1601 */
- XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
-diff --git a/parser.c b/parser.c
-index 53a6b7f..609a270 100644
---- a/parser.c
-+++ b/parser.c
-@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
- ctxt->options |= XML_PARSE_NONET;
- options -= XML_PARSE_NONET;
- }
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options |= XML_PARSE_NOXXE;
-+ options -= XML_PARSE_NOXXE;
-+ }
- if (options & XML_PARSE_COMPACT) {
- ctxt->options |= XML_PARSE_COMPACT;
- options -= XML_PARSE_COMPACT;
-diff --git a/xmlIO.c b/xmlIO.c
-index 1a79c09..304f822 100644
---- a/xmlIO.c
-+++ b/xmlIO.c
-@@ -210,6 +210,7 @@ static const char *IOerr[] = {
- "adddress in use", /* EADDRINUSE */
- "already in use", /* EALREADY */
- "unknown address familly", /* EAFNOSUPPORT */
-+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
- };
-
- #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
-@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
- xmlGenericError(xmlGenericErrorContext,
- "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
- #endif
-- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
-+ if (ctxt != NULL) {
- int options = ctxt->options;
-
-- ctxt->options -= XML_PARSE_NONET;
-- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-- ctxt->options = options;
-- return(ret);
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options -= XML_PARSE_NOXXE;
-+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
-+
-+ if (options & XML_PARSE_NONET) {
-+ ctxt->options -= XML_PARSE_NONET;
-+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
- }
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
-@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- xmlParserInputPtr input = NULL;
- xmlChar *resource = NULL;
-
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
- #endif
-@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- return(input);
- }
-
-+xmlParserInputPtr
-+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
-+ xmlParserCtxtPtr ctxt) {
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
-+ return(NULL);
-+}
-+
- #define bottom_xmlIO
- #include "elfgcchack.h"
-diff --git a/xmllint.c b/xmllint.c
-index 67f7adb..d9368c1 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
- printf("\t--path 'paths': provide a set of paths for resources\n");
- printf("\t--load-trace : print trace of all external entities loaded\n");
- printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
-+ printf("\t--noxxe : forbid any external entity loading\n");
- printf("\t--nocompact : do not generate compact text nodes\n");
- printf("\t--htmlout : output results as HTML\n");
- printf("\t--nowrap : do not put HTML doc wrapper\n");
-@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
- (!strcmp(argv[i], "--nonet"))) {
- options |= XML_PARSE_NONET;
- xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
-+ } else if ((!strcmp(argv[i], "-noxxe")) ||
-+ (!strcmp(argv[i], "--noxxe"))) {
-+ options |= XML_PARSE_NOXXE;
-+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
- } else if ((!strcmp(argv[i], "-nocompact")) ||
- (!strcmp(argv[i], "--nocompact"))) {
- options &= ~XML_PARSE_COMPACT;
---
-2.10.2
-
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 677d8c9..f67c47d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -28,7 +28,6 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
file://libxml2-CVE-2017-5969.patch \
file://libxml2-CVE-2017-0663.patch \
- file://CVE-2016-9318.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 22+ messages in thread