Openembedded Core Discussions
 help / color / mirror / Atom feed
From: Robert Yang <liezhi.yang@windriver.com>
To: Andre McCurdy <armccurdy@gmail.com>, Armin Kuster <akuster@mvista.com>
Cc: OE Core mailing list <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
Date: Thu, 3 Dec 2015 10:43:53 +0800	[thread overview]
Message-ID: <565FAC69.3010805@windriver.com> (raw)
In-Reply-To: <CAJ86T=VLDQGwTGvq4+9nPoWOW2D=kf90MeNbAeQ4EeY0QkjGCQ@mail.gmail.com>


Hi Armin,

On 12/02/2015 06:48 AM, Andre McCurdy wrote:
> On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote:
>> From: Armin Kuster <akuster@mvista.com>
>>
>> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
>> CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
>
> It looks like CVE-2015-7942 requires two separate patches, only one of
> which made it to oe-core master, plus there were a lot of the other
> CVE fixes committed upstream in October and November.

Do you have any comments on CVE-2015-7942, please ?

// Robert

>
>    http://www.xmlsoft.org/news.html
>    https://git.gnome.org/browse/libxml2/log/?h=v2.9.3
>
>
>> [YOCTO #8641]
>>
>> (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>> ---
>>   meta/recipes-core/libxml/libxml2.inc               |    2 +
>>   .../libxml/libxml2/CVE-2015-7942.patch             |   55 ++++++++++++++++++++
>>   .../libxml/libxml2/CVE-2015-8035.patch             |   41 +++++++++++++++
>>   3 files changed, 98 insertions(+)
>>   create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>>   create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>>
>> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
>> index 1c3c37d..6ada401 100644
>> --- a/meta/recipes-core/libxml/libxml2.inc
>> +++ b/meta/recipes-core/libxml/libxml2.inc
>> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
>>              file://libxml-m4-use-pkgconfig.patch \
>>              file://configure.ac-fix-cross-compiling-warning.patch \
>>              file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
>> +           file://CVE-2015-7942.patch \
>> +           file://CVE-2015-8035.patch \
>>             "
>>
>>   BINCONFIG = "${bindir}/xml2-config"
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> new file mode 100644
>> index 0000000..a5930ed
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> @@ -0,0 +1,55 @@
>> +libxml2: CVE-2015-7942
>> +
>> +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Mon, 23 Feb 2015 11:29:20 +0800
>> +Subject: Cleanup conditional section error handling
>> +
>> +For https://bugzilla.gnome.org/show_bug.cgi?id=744980
>> +
>> +The error handling of Conditional Section also need to be
>> +straightened as the structure of the document can't be
>> +guessed on a failure there and it's better to stop parsing
>> +as further errors are likely to be irrelevant.
>> +
>> +Upstream-Status: Backport
>> +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
>> +
>> +[YOCTO #8641]
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + parser.c | 6 ++++++
>> + 1 file changed, 6 insertions(+)
>> +
>> +Index: libxml2-2.9.2/parser.c
>> +===================================================================
>> +--- libxml2-2.9.2.orig/parser.c
>> ++++ libxml2-2.9.2/parser.c
>> +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +       SKIP_BLANKS;
>> +       if (RAW != '[') {
>> +           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
>> ++          xmlStopParser(ctxt);
>> ++          return;
>> +       } else {
>> +           if (ctxt->input->id != id) {
>> +               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
>> +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +       SKIP_BLANKS;
>> +       if (RAW != '[') {
>> +           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
>> ++          xmlStopParser(ctxt);
>> ++          return;
>> +       } else {
>> +           if (ctxt->input->id != id) {
>> +               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
>> +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +
>> +     } else {
>> +       xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
>> ++      xmlStopParser(ctxt);
>> ++      return;
>> +     }
>> +
>> +     if (RAW == 0)
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>> new file mode 100644
>> index 0000000..d175f74
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>> @@ -0,0 +1,41 @@
>> +libxml2: CVE-2015-8035
>> +
>> +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Tue, 3 Nov 2015 15:31:25 +0800
>> +Subject: CVE-2015-8035 Fix XZ compression support loop
>> +
>> +For https://bugzilla.gnome.org/show_bug.cgi?id=757466
>> +DoS when parsing specially crafted XML document if XZ support
>> +is compiled in (which wasn't the case for 2.9.2 and master since
>> +Nov 2013, fixed in next commit !)
>> +
>> +Upstream-Status: Backport
>> +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
>> +
>> +[YOCTO #8641]
>> +
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + xzlib.c | 4 ++++
>> + 1 file changed, 4 insertions(+)
>> +
>> +diff --git a/xzlib.c b/xzlib.c
>> +index 0dcb9f4..1fab546 100644
>> +--- a/xzlib.c
>> ++++ b/xzlib.c
>> +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
>> +             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
>> +             return -1;
>> +         }
>> ++        if (ret == LZMA_PROG_ERROR) {
>> ++            xz_error(state, LZMA_PROG_ERROR, "compression error");
>> ++            return -1;
>> ++        }
>> +     } while (strm->avail_out && ret != LZMA_STREAM_END);
>> +
>> +     /* update available output and crc check value */
>> +--
>> +cgit v0.11.2
>> +
>> --
>> 1.7.9.5
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>


  reply	other threads:[~2015-12-03  2:43 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
2015-12-01  9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
2015-12-01  9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang
2015-12-01  9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang
2015-12-01  9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang
2015-12-01  9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang
2015-12-01  9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang
2015-12-01  9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
2015-12-01 22:48   ` Andre McCurdy
2015-12-03  2:43     ` Robert Yang [this message]
2015-12-01  9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=565FAC69.3010805@windriver.com \
    --to=liezhi.yang@windriver.com \
    --cc=akuster@mvista.com \
    --cc=armccurdy@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox