diff options
Diffstat (limited to 'yocto-poky/meta/recipes-core/libxml')
24 files changed, 23 insertions, 1311 deletions
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch deleted file mode 100644 index 96d58f9dd..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch +++ /dev/null @@ -1,181 +0,0 @@ -From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 14 Apr 2015 17:41:48 +0800 -Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory - -One of the operation on the reader could resolve entities -leading to the classic expansion issue. Make sure the -buffer used for xmlreader operation is bounded. -Introduce a new allocation type for the buffers for this effect. - -Upstream-Status: Backport - -Signed-off-by: Yue Tao <Yue.Tao@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> ---- - buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- - include/libxml/tree.h | 3 ++- - xmlreader.c | 20 +++++++++++++++++++- - 3 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/buf.c b/buf.c -index 6efc7b6..07922ff 100644 ---- a/buf.c -+++ b/buf.c -@@ -27,6 +27,7 @@ - #include <libxml/tree.h> - #include <libxml/globals.h> - #include <libxml/tree.h> -+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ - #include "buf.h" - - #define WITH_BUFFER_COMPAT -@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, - if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || - (scheme == XML_BUFFER_ALLOC_EXACT) || - (scheme == XML_BUFFER_ALLOC_HYBRID) || -- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { -+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || -+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { - buf->alloc = scheme; - if (buf->buffer) - buf->buffer->alloc = scheme; -@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - size = buf->use + len + 100; - #endif - -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || -+ (buf->size >= XML_MAX_TEXT_LENGTH)) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ if (size >= XML_MAX_TEXT_LENGTH) -+ size = XML_MAX_TEXT_LENGTH; -+ } - if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { - size_t start_buf = buf->content - buf->contentIO; - -@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) - CHECK_COMPAT(buf) - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (size >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ } - - /* Don't resize if we don't have to */ - if (size < buf->size) -@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { - - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { - } - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -diff --git a/include/libxml/tree.h b/include/libxml/tree.h -index 2f90717..4a9b3bc 100644 ---- a/include/libxml/tree.h -+++ b/include/libxml/tree.h -@@ -76,7 +76,8 @@ typedef enum { - XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ - XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ - XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ -- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ - } xmlBufferAllocationScheme; - - /** -diff --git a/xmlreader.c b/xmlreader.c -index f19e123..471e7e2 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { - "xmlNewTextReader : malloc failed\n"); - return(NULL); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(ret->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (ret->sax == NULL) { - xmlBufFree(ret->buffer); -@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - return(((xmlNsPtr) node)->href); - case XML_ATTRIBUTE_NODE:{ - xmlAttrPtr attr = (xmlAttrPtr) node; -+ const xmlChar *ret; - - if ((attr->children != NULL) && - (attr->children->type == XML_TEXT_NODE) && -@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - "xmlTextReaderSetup : malloc failed\n"); - return (NULL); - } -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - } else - xmlBufEmpty(reader->buffer); - xmlBufGetNodeContent(reader->buffer, node); -- return(xmlBufContent(reader->buffer)); -+ ret = xmlBufContent(reader->buffer); -+ if (ret == NULL) { -+ /* error on the buffer best to reallocate */ -+ xmlBufFree(reader->buffer); -+ reader->buffer = xmlBufCreateSize(100); -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); -+ ret = BAD_CAST ""; -+ } -+ return(ret); - } - break; - } -@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, - "xmlTextReaderSetup : malloc failed\n"); - return (-1); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - if (reader->sax == NULL) - reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (reader->sax == NULL) { --- -1.7.9.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch deleted file mode 100644 index 979618d2c..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001 -From: David Drysdale <drysdale@google.com> -Date: Fri, 20 Nov 2015 11:13:45 +0800 -Subject: [PATCH] CVE-2015-5312 Another entity expansion issue - -For https://bugzilla.gnome.org/show_bug.cgi?id=756733 -It is one case where the code in place to detect entities expansions -failed to exit when the situation was detected, leading to DoS -Problem reported by Kostya Serebryany @ Google -Patch provided by David Drysdale @ Google - -Upstream-Status: Backport - -CVE-2015-5312 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/parser.c b/parser.c -index b7b6668..da6e729 100644 ---- a/parser.c -+++ b/parser.c -@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - 0, 0, 0); - ctxt->depth--; - -+ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || -+ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) -+ goto int_error; -+ - if (rep != NULL) { - current = rep; - while (*current != 0) { /* non input consuming loop */ --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch deleted file mode 100644 index 955c96195..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 -From: David Drysdale <drysdale@google.com> -Date: Fri, 20 Nov 2015 10:47:12 +0800 -Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in - xmlDictComputeFastQKey - -For https://bugzilla.gnome.org/show_bug.cgi?id=756528 -It was possible to hit a negative offset in the name indexing -used to randomize the dictionary key generation -Reported and fix provided by David Drysdale @ Google - -Upstream-Status: Backport - -CVE-2015-7497 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - dict.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/dict.c b/dict.c -index 5f71d55..8c8f931 100644 ---- a/dict.c -+++ b/dict.c -@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, - value += 30 * (*prefix); - - if (len > 10) { -- value += name[len - (plen + 1 + 1)]; -+ int offset = len - (plen + 1 + 1); -+ if (offset < 0) -+ offset = len - (10 + 1); -+ value += name[offset]; - len = 10; - if (plen > 10) - plen = 10; --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch deleted file mode 100644 index b4860791b..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch +++ /dev/null @@ -1,131 +0,0 @@ -From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 20 Nov 2015 16:06:59 +0800 -Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect - entities boundaries - -For https://bugzilla.gnome.org/show_bug.cgi?id=756525 -handle properly the case where we popped out of the current entity -while processing a start tag -Reported by Kostya Serebryany @ Google - -This slightly modifies the output of 754946 in regression tests - -Upstream-Status: Backport - -CVE-2015-7500 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 28 ++++++++++++++++++++++------ - result/errors/754946.xml.err | 7 +++++-- - 2 files changed, 27 insertions(+), 8 deletions(-) - -diff --git a/parser.c b/parser.c -index c7e4574..c5741e3 100644 ---- a/parser.c -+++ b/parser.c -@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, - const xmlChar **atts = ctxt->atts; - int maxatts = ctxt->maxatts; - int nratts, nbatts, nbdef; -- int i, j, nbNs, attval, oldline, oldcol; -+ int i, j, nbNs, attval, oldline, oldcol, inputNr; - const xmlChar *base; - unsigned long cur; - int nsNr = ctxt->nsNr; -@@ -9367,6 +9367,7 @@ reparse: - SHRINK; - base = ctxt->input->base; - cur = ctxt->input->cur - ctxt->input->base; -+ inputNr = ctxt->inputNr; - oldline = ctxt->input->line; - oldcol = ctxt->input->col; - nbatts = 0; -@@ -9392,7 +9393,8 @@ reparse: - */ - SKIP_BLANKS; - GROW; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - - while (((RAW != '>') && - ((RAW != '/') || (NXT(1) != '>')) && -@@ -9403,7 +9405,7 @@ reparse: - - attname = xmlParseAttribute2(ctxt, prefix, localname, - &aprefix, &attvalue, &len, &alloc); -- if (ctxt->input->base != base) { -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { - if ((attvalue != NULL) && (alloc != 0)) - xmlFree(attvalue); - attvalue = NULL; -@@ -9552,7 +9554,8 @@ skip_ns: - break; - } - SKIP_BLANKS; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - continue; - } - -@@ -9589,7 +9592,8 @@ failed: - GROW - if (ctxt->instate == XML_PARSER_EOF) - break; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) - break; - if (!IS_BLANK_CH(RAW)) { -@@ -9605,7 +9609,8 @@ failed: - break; - } - GROW; -- if (ctxt->input->base != base) goto base_changed; -+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) -+ goto base_changed; - } - - /* -@@ -9772,6 +9777,17 @@ base_changed: - if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) - xmlFree((xmlChar *) atts[i]); - } -+ -+ /* -+ * We can't switch from one entity to another in the middle -+ * of a start tag -+ */ -+ if (inputNr != ctxt->inputNr) { -+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, -+ "Start tag doesn't start and stop in the same entity\n"); -+ return(NULL); -+ } -+ - ctxt->input->cur = ctxt->input->base + cur; - ctxt->input->line = oldline; - ctxt->input->col = oldcol; -diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err -index 423dff5..a75088b 100644 ---- a/result/errors/754946.xml.err -+++ b/result/errors/754946.xml.err -@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated - Entity: line 1: - A<lbbbbbbbbbbbbbbbbbbb_ - ^ -+./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity -+>%SYSTEM;<![ -+ ^ - ./test/errors/754946.xml:1: parser error : Extra content at the end of the document --<!DOCTYPEA[<!ENTITY % -- ^ -+>%SYSTEM;<![ -+ ^ --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch deleted file mode 100644 index 710735570..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 3 Nov 2015 15:31:25 +0800 -Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop - -For https://bugzilla.gnome.org/show_bug.cgi?id=757466 -DoS when parsing specially crafted XML document if XZ support -is compiled in (which wasn't the case for 2.9.2 and master since -Nov 2013, fixed in next commit !) - -Upstream-Status: Backport - -CVE-2015-8035 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - xzlib.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/xzlib.c b/xzlib.c -index 0dcb9f4..1fab546 100644 ---- a/xzlib.c -+++ b/xzlib.c -@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) - xz_error(state, LZMA_DATA_ERROR, "compressed data error"); - return -1; - } -+ if (ret == LZMA_PROG_ERROR) { -+ xz_error(state, LZMA_PROG_ERROR, "compression error"); -+ return -1; -+ } - } while (strm->avail_out && ret != LZMA_STREAM_END); - - /* update available output and crc check value */ --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch deleted file mode 100644 index 73531b3c1..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 -From: Hugh Davenport <hugh@allthethings.co.nz> -Date: Fri, 20 Nov 2015 17:16:06 +0800 -Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode - -For https://bugzilla.gnome.org/show_bug.cgi?id=756372 -Error in the code pointing to the codepoint in the stack for the -current char value instead of the pointer in the input that the SAX -callback expects -Reported and fixed by Hugh Davenport - -Upstream-Status: Backport - -CVE-2015-8242 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - HTMLparser.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index bdf7807..b729197 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { - if (ctxt->keepBlanks) { - if (ctxt->sax->characters != NULL) - ctxt->sax->characters( -- ctxt->userData, &cur, 1); -+ ctxt->userData, &in->cur[0], 1); - } else { - if (ctxt->sax->ignorableWhitespace != NULL) - ctxt->sax->ignorableWhitespace( -- ctxt->userData, &cur, 1); -+ ctxt->userData, &in->cur[0], 1); - } - } else { - htmlCheckParagraph(ctxt); - if (ctxt->sax->characters != NULL) - ctxt->sax->characters( -- ctxt->userData, &cur, 1); -+ ctxt->userData, &in->cur[0], 1); - } - } - ctxt->token = 0; --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch deleted file mode 100644 index a86b9ee86..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch +++ /dev/null @@ -1,138 +0,0 @@ -From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 15 Sep 2015 16:50:32 +0800 -Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer - -For https://bugzilla.gnome.org/show_bug.cgi?id=754946 - -When hitting the end of the current input buffer while parsing -a name we could end up loosing the beginning of the name, which -led to various issues. - -Upstream-Status: backport - -Depend patch for CVE-2015-7500 - -Signed-off-by: Armin Kuster <akuster@mvista.com> ---- - parser.c | 29 ++++++++++++++++++++--------- - result/errors/754946.xml | 0 - result/errors/754946.xml.err | 16 ++++++++++++++++ - result/errors/754946.xml.str | 4 ++++ - test/errors/754946.xml | 1 + - 5 files changed, 41 insertions(+), 9 deletions(-) - create mode 100644 result/errors/754946.xml - create mode 100644 result/errors/754946.xml.err - create mode 100644 result/errors/754946.xml.str - create mode 100644 test/errors/754946.xml - -diff --git a/parser.c b/parser.c -index 0edd53b..fd29a39 100644 ---- a/parser.c -+++ b/parser.c -@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - c = CUR_CHAR(l); - if (c == 0) { - count = 0; -+ /* -+ * when shrinking to extend the buffer we really need to preserve -+ * the part of the name we already parsed. Hence rolling back -+ * by current lenght. -+ */ -+ ctxt->input->cur -= l; - GROW; -+ ctxt->input->cur += l; - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - end = ctxt->input->cur; -@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - - static const xmlChar * - xmlParseNCName(xmlParserCtxtPtr ctxt) { -- const xmlChar *in; -+ const xmlChar *in, *e; - const xmlChar *ret; - int count = 0; - -@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { - * Accelerator for simple ASCII names - */ - in = ctxt->input->cur; -- if (((*in >= 0x61) && (*in <= 0x7A)) || -- ((*in >= 0x41) && (*in <= 0x5A)) || -- (*in == '_')) { -+ e = ctxt->input->end; -+ if ((((*in >= 0x61) && (*in <= 0x7A)) || -+ ((*in >= 0x41) && (*in <= 0x5A)) || -+ (*in == '_')) && (in < e)) { - in++; -- while (((*in >= 0x61) && (*in <= 0x7A)) || -- ((*in >= 0x41) && (*in <= 0x5A)) || -- ((*in >= 0x30) && (*in <= 0x39)) || -- (*in == '_') || (*in == '-') || -- (*in == '.')) -+ while ((((*in >= 0x61) && (*in <= 0x7A)) || -+ ((*in >= 0x41) && (*in <= 0x5A)) || -+ ((*in >= 0x30) && (*in <= 0x39)) || -+ (*in == '_') || (*in == '-') || -+ (*in == '.')) && (in < e)) - in++; -+ if (in >= e) -+ goto complex; - if ((*in > 0) && (*in < 0x80)) { - count = in - ctxt->input->cur; - if ((count > XML_MAX_NAME_LENGTH) && -@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { - return(ret); - } - } -+complex: - return(xmlParseNCNameComplex(ctxt)); - } - -diff --git a/result/errors/754946.xml b/result/errors/754946.xml -new file mode 100644 -index 0000000..e69de29 -diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err -new file mode 100644 -index 0000000..423dff5 ---- /dev/null -+++ b/result/errors/754946.xml.err -@@ -0,0 +1,16 @@ -+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration -+ -+ %SYSTEM; -+ ^ -+Entity: line 1: -+A<lbbbbbbbbbbbbbbbbbbb_ -+^ -+Entity: line 1: parser error : DOCTYPE improperly terminated -+ %SYSTEM; -+ ^ -+Entity: line 1: -+A<lbbbbbbbbbbbbbbbbbbb_ -+^ -+./test/errors/754946.xml:1: parser error : Extra content at the end of the document -+<!DOCTYPEA[<!ENTITY % -+ ^ -diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str -new file mode 100644 -index 0000000..3b748cc ---- /dev/null -+++ b/result/errors/754946.xml.str -@@ -0,0 +1,4 @@ -+./test/errors/754946.xml:1: parser error : Extra content at the end of the document -+<!DOCTYPEA[<!ENTITY % -+ ^ -+./test/errors/754946.xml : failed to parse -diff --git a/test/errors/754946.xml b/test/errors/754946.xml -new file mode 100644 -index 0000000..6b5f9b0 ---- /dev/null -+++ b/test/errors/754946.xml -@@ -0,0 +1 @@ -+<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![ -\ No newline at end of file --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-threads-Define-pthread-definitions-for-glibc-complia.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-threads-Define-pthread-definitions-for-glibc-complia.patch deleted file mode 100644 index c653a81af..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-threads-Define-pthread-definitions-for-glibc-complia.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 6750cc564a17c812555cca587660240ccffaaed3 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sat, 4 Apr 2015 08:50:40 -0700 -Subject: [PATCH] threads: Define pthread* definitions for glibc compliant libs - -This code is assuming glibc but not explicitly saying it -so lets make it so. Fixes following on musl - -threads.c:80:27: error: macro "pthread_equal" requires 2 arguments, but -only 1 given -| extern int pthread_equal () - -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Upstream-Status: Pending ---- - threads.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: libxml2-2.9.2/threads.c -=================================================================== ---- libxml2-2.9.2.orig/threads.c -+++ libxml2-2.9.2/threads.c -@@ -47,7 +47,7 @@ - #ifdef HAVE_PTHREAD_H - - static int libxml_is_threaded = -1; --#ifdef __GNUC__ -+#if defined(__GNUC__) && defined(__GLIBC__) - #ifdef linux - #if (__GNUC__ == 3 && __GNUC_MINOR__ >= 3) || (__GNUC__ > 3) - extern int pthread_once (pthread_once_t *__once_control, diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch deleted file mode 100644 index 10a8112b5..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Thu, 23 Oct 2014 11:35:36 +0800 -Subject: Fix missing entities after CVE-2014-3660 fix - -For https://bugzilla.gnome.org/show_bug.cgi?id=738805 - -The fix for CVE-2014-3660 introduced a regression in some case -where entity substitution is required and the entity is used -first in anotther entity referenced from an attribute value - -Upstream-Status: Backport - -diff --git a/parser.c b/parser.c -index 67c9dfd..a8d1b67 100644 ---- a/parser.c -+++ b/parser.c -@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { - * far more secure as the parser will only process data coming from - * the document entity by default. - */ -- if ((ent->checked == 0) && -+ if (((ent->checked == 0) || -+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && - ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || - (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { - unsigned long oldnbent = ctxt->nbentities; --- -cgit v0.10.1 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch deleted file mode 100644 index 47ba8970e..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch +++ /dev/null @@ -1,89 +0,0 @@ -From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 9 Nov 2015 18:07:18 +0800 -Subject: [PATCH] Avoid processing entities after encoding conversion failures - -For https://bugzilla.gnome.org/show_bug.cgi?id=756527 -and was also raised by Chromium team in the past - -When we hit a convwersion failure when switching encoding -it is bestter to stop parsing there, this was treated as a -fatal error but the parser was continuing to process to extract -more errors, unfortunately that makes little sense as the data -is obviously corrupt and can potentially lead to unexpected behaviour. - -Upstream-Status: Backport - -CVE-2015-7498 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 7 +++++-- - parserInternals.c | 11 ++++++++++- - 2 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/parser.c b/parser.c -index 134afe7..c79b4e8 100644 ---- a/parser.c -+++ b/parser.c -@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) { - xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); - } - xmlParseEncodingDecl(ctxt); -- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { -+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || -+ (ctxt->instate == XML_PARSER_EOF)) { - /* - * The XML REC instructs us to stop parsing right here - */ -@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { - - if (CUR == 0) { - xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); -+ return(-1); - } - - /* -@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { - * Note that we will switch encoding on the fly. - */ - xmlParseXMLDecl(ctxt); -- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { -+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || -+ (ctxt->instate == XML_PARSER_EOF)) { - /* - * The XML REC instructs us to stop parsing right here - */ -diff --git a/parserInternals.c b/parserInternals.c -index df204fd..c8230c1 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) - { - xmlCharEncodingHandlerPtr handler; - int len = -1; -+ int ret; - - if (ctxt == NULL) return(-1); - switch (enc) { -@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) - if (handler == NULL) - return(-1); - ctxt->charset = XML_CHAR_ENCODING_UTF8; -- return(xmlSwitchToEncodingInt(ctxt, handler, len)); -+ ret = xmlSwitchToEncodingInt(ctxt, handler, len); -+ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { -+ /* -+ * on encoding conversion errors, stop the parser -+ */ -+ xmlStopParser(ctxt); -+ ctxt->errNo = XML_I18N_CONV_FAILED; -+ } -+ return(ret); - } - - /** --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch deleted file mode 100644 index e39ec65cd..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 20 Nov 2015 14:55:30 +0800 -Subject: [PATCH] Add xmlHaltParser() to stop the parser - -The problem is doing it in a consistent and safe fashion -It's more complex than just setting ctxt->instate = XML_PARSER_EOF -Update the public function to reuse that new internal routine - -Upstream-Status: Backport - -CVE-2015-7499-1 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 34 +++++++++++++++++++++++++++++----- - 1 file changed, 29 insertions(+), 5 deletions(-) - -diff --git a/parser.c b/parser.c -index da6e729..b6e99b1 100644 ---- a/parser.c -+++ b/parser.c -@@ -94,6 +94,8 @@ static xmlParserCtxtPtr - xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, - const xmlChar *base, xmlParserCtxtPtr pctx); - -+static void xmlHaltParser(xmlParserCtxtPtr ctxt); -+ - /************************************************************************ - * * - * Arbitrary limits set in the parser. See XML_PARSE_HUGE * -@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, - #endif /* LIBXML_PUSH_ENABLED */ - - /** -- * xmlStopParser: -+ * xmlHaltParser: - * @ctxt: an XML parser context - * -- * Blocks further parser processing -+ * Blocks further parser processing don't override error -+ * for internal use - */ --void --xmlStopParser(xmlParserCtxtPtr ctxt) { -+static void -+xmlHaltParser(xmlParserCtxtPtr ctxt) { - if (ctxt == NULL) - return; - ctxt->instate = XML_PARSER_EOF; -- ctxt->errNo = XML_ERR_USER_STOP; - ctxt->disableSAX = 1; - if (ctxt->input != NULL) { -+ /* -+ * in case there was a specific allocation deallocate before -+ * overriding base -+ */ -+ if (ctxt->input->free != NULL) { -+ ctxt->input->free((xmlChar *) ctxt->input->base); -+ ctxt->input->free = NULL; -+ } - ctxt->input->cur = BAD_CAST""; - ctxt->input->base = ctxt->input->cur; - } - } - - /** -+ * xmlStopParser: -+ * @ctxt: an XML parser context -+ * -+ * Blocks further parser processing -+ */ -+void -+xmlStopParser(xmlParserCtxtPtr ctxt) { -+ if (ctxt == NULL) -+ return; -+ xmlHaltParser(ctxt); -+ ctxt->errNo = XML_ERR_USER_STOP; -+} -+ -+/** - * xmlCreateIOParserCtxt: - * @sax: a SAX handler - * @user_data: The user data returned on SAX callbacks --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch deleted file mode 100644 index aff392095..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 20 Nov 2015 15:04:09 +0800 -Subject: [PATCH] Detect incoherency on GROW - -the current pointer to the input has to be between the base and end -if not stop everything we have an internal state error. - -Upstream-Status: Backport - -CVE-2015-7499-2 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 1810f99..ab007aa 100644 ---- a/parser.c -+++ b/parser.c -@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { - ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); -- ctxt->instate = XML_PARSER_EOF; -+ xmlHaltParser(ctxt); -+ return; - } - xmlParserInputGrow(ctxt->input, INPUT_CHUNK); -+ if ((ctxt->input->cur > ctxt->input->end) || -+ (ctxt->input->cur < ctxt->input->base)) { -+ xmlHaltParser(ctxt); -+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); -+ return; -+ } - if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && - (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) - xmlPopInput(ctxt); --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch deleted file mode 100644 index 11da9f9bd..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch +++ /dev/null @@ -1,39 +0,0 @@ -From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 23 Feb 2015 11:17:35 +0800 -Subject: [PATCH] Stop parsing on entities boundaries errors - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -There are times, like on unterminated entities that it's preferable to -stop parsing, even if that means less error reporting. Entities are -feeding the parser on further processing, and if they are ill defined -then it's possible to get the parser to bug. Also do the same on -Conditional Sections if the input is broken, as the structure of -the document can't be guessed. - -Upstream-Status: Backport - -CVE-2015-7941-1 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parser.c b/parser.c -index a8d1b67..bbe97eb 100644 ---- a/parser.c -+++ b/parser.c -@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { - if (RAW != '>') { - xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, - "xmlParseEntityDecl: entity %s not terminated\n", name); -+ xmlStopParser(ctxt); - } else { - if (input != ctxt->input) { - xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch deleted file mode 100644 index b7bd96053..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 23 Feb 2015 11:29:20 +0800 -Subject: [PATCH] Cleanup conditional section error handling - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -The error handling of Conditional Section also need to be -straightened as the structure of the document can't be -guessed on a failure there and it's better to stop parsing -as further errors are likely to be irrelevant. - -Upstream-Status: Backport - -CVE-2015-7941-2 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/parser.c b/parser.c -index bbe97eb..fe603ac 100644 ---- a/parser.c -+++ b/parser.c -@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - - } else { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); -+ xmlStopParser(ctxt); -+ return; - } - - if (RAW == 0) --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch deleted file mode 100644 index 34b60362c..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 27 Oct 2015 10:53:44 +0800 -Subject: [PATCH] Fix an error in previous Conditional section patch - -an off by one mistake in the change, led to error on correct -document where the end of the included entity was exactly -the end of the conditional section, leading to regtest failure - -Upstream-Status: Backport - -CVE-2015-7942-2 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index b9217ff..d67b300 100644 ---- a/parser.c -+++ b/parser.c -@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - NULL, NULL); - } - if ((ctxt-> instate != XML_PARSER_EOF) && -- ((ctxt->input->cur + 3) < ctxt->input->end)) -+ ((ctxt->input->cur + 3) <= ctxt->input->end)) - SKIP(3); - } - } --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch deleted file mode 100644 index 40082ec07..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch +++ /dev/null @@ -1,39 +0,0 @@ -From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 23 Oct 2015 19:02:28 +0800 -Subject: [PATCH] Another variation of overflow in Conditional sections - -Which happen after the previous fix to -https://bugzilla.gnome.org/show_bug.cgi?id=756456 - -But stopping the parser and exiting we didn't pop the intermediary entities -and doing the SKIP there applies on an input which may be too small - -Upstream-Status: Backport - -CVE-2015-7942 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index a65e4cc..b9217ff 100644 ---- a/parser.c -+++ b/parser.c -@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - "All markup of the conditional section is not in the same entity\n", - NULL, NULL); - } -- SKIP(3); -+ if ((ctxt-> instate != XML_PARSER_EOF) && -+ ((ctxt->input->cur + 3) < ctxt->input->end)) -+ SKIP(3); - } - } - --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch deleted file mode 100644 index 89a46ad17..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch +++ /dev/null @@ -1,40 +0,0 @@ -From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001 -From: Hugh Davenport <hugh@allthethings.co.nz> -Date: Tue, 3 Nov 2015 20:40:49 +0800 -Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF - -For https://bugzilla.gnome.org/show_bug.cgi?id=756263 - -One place where ctxt->instate == XML_PARSER_EOF whic was set up -by entity detection issues doesn't get noticed, and even overrided - -Upstream-status: Backport - -https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe - -CVE: CVE-2015-8241 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -Index: libxml2-2.9.2/parser.c -=================================================================== ---- libxml2-2.9.2.orig/parser.c -+++ libxml2-2.9.2/parser.c -@@ -6999,6 +6999,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt - xmlParsePI(ctxt); - } - } -+ -+ /* -+ * detect requirement to exit there and act accordingly -+ * and avoid having instate overriden later on -+ */ -+ if (ctxt->instate == XML_PARSER_EOF) -+ return; -+ - /* - * This is only for internal subset. On external entities, - * the replacement is done before parsing stage diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch deleted file mode 100644 index 59425cbfc..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 29 Jun 2015 16:10:26 +0800 -Subject: [PATCH] Fail parsing early on if encoding conversion failed - -For https://bugzilla.gnome.org/show_bug.cgi?id=751631 - -If we fail conversing the current input stream while -processing the encoding declaration of the XMLDecl -then it's safer to just abort there and not try to -report further errors. - -Upstream-Status: Backport - -CVE-2015-8317 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - parser.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index a3a9568..0edd53b 100644 ---- a/parser.c -+++ b/parser.c -@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { - - handler = xmlFindCharEncodingHandler((const char *) encoding); - if (handler != NULL) { -- xmlSwitchToEncoding(ctxt, handler); -+ if (xmlSwitchToEncoding(ctxt, handler) < 0) { -+ /* failed to convert */ -+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; -+ return(NULL); -+ } - } else { - xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, - "Unsupported encoding %s\n", encoding); --- -2.3.5 - diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch deleted file mode 100644 index be06cc22c..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch +++ /dev/null @@ -1,71 +0,0 @@ -From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Fri, 30 Oct 2015 21:14:55 +0800 -Subject: [PATCH] Fix parsing short unclosed comment uninitialized access - -For https://bugzilla.gnome.org/show_bug.cgi?id=746048 -The HTML parser was too optimistic when processing comments and -didn't check for the end of the stream on the first 2 characters - -Upstream-Status: Backport - -https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c - -CVE: CVE-2015-8710 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - HTMLparser.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -Index: libxml2-2.9.2/HTMLparser.c -=================================================================== ---- libxml2-2.9.2.orig/HTMLparser.c -+++ libxml2-2.9.2/HTMLparser.c -@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) - ctxt->instate = state; - return; - } -+ len = 0; -+ buf[len] = 0; - q = CUR_CHAR(ql); -+ if (!IS_CHAR(q)) -+ goto unfinished; - NEXTL(ql); - r = CUR_CHAR(rl); -+ if (!IS_CHAR(r)) -+ goto unfinished; - NEXTL(rl); - cur = CUR_CHAR(l); -- len = 0; - while (IS_CHAR(cur) && - ((cur != '>') || - (r != '-') || (q != '-'))) { -@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) - } - } - buf[len] = 0; -- if (!IS_CHAR(cur)) { -- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -- "Comment not terminated \n<!--%.50s\n", buf, NULL); -- xmlFree(buf); -- } else { -+ if (IS_CHAR(cur)) { - NEXT; - if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) && - (!ctxt->disableSAX)) - ctxt->sax->comment(ctxt->userData, buf); - xmlFree(buf); -+ ctxt->instate = state; -+ return; - } -- ctxt->instate = state; -+ -+unfinished: -+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -+ "Comment not terminated \n<!--%.50s\n", buf, NULL); -+ xmlFree(buf); - } - - /** diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/ansidecl.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/ansidecl.patch index 2452d780d..1085c680b 100644 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/ansidecl.patch +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/ansidecl.patch @@ -9,17 +9,17 @@ RP 2012/7/10 Upstream-Status: Inappropriate [its really a cmake bug] -Index: libxml2-2.8.0/include/libxml/xmlversion.h.in -=================================================================== ---- libxml2-2.8.0.orig/include/libxml/xmlversion.h.in 2012-07-10 11:51:52.460750573 +0000 -+++ libxml2-2.8.0/include/libxml/xmlversion.h.in 2012-07-10 11:52:41.436749397 +0000 -@@ -401,9 +401,6 @@ - #endif - - #ifdef __GNUC__ +diff --git a/configure.ac b/configure.ac +index 0260281..fdb58e9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -484 +483,0 @@ AC_CHECK_HEADERS([time.h]) +-AC_CHECK_HEADERS([ansidecl.h]) +diff --git a/include/libxml/xmlversion.h.in b/include/libxml/xmlversion.h.in +index b173be9..d10f975 100644 +--- a/include/libxml/xmlversion.h.in ++++ b/include/libxml/xmlversion.h.in +@@ -413,3 +412,0 @@ XMLPUBFUN void XMLCALL xmlCheckVersion(int version); -#ifdef HAVE_ANSIDECL_H -#include <ansidecl.h> -#endif - - /** - * ATTRIBUTE_UNUSED: diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch index 0fc84070e..327716561 100644 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch @@ -190,7 +190,7 @@ index 68cd824..5fa0a9b 100644 - LIBS="$ac_save_LIBS" - fi - fi -+ verdep=ifelse([$1], [], [], [>= $1]) ++ verdep=ifelse([$1], [], [], [">= $1"]) + PKG_CHECK_MODULES(XML, [libxml-2.0 $verdep], [$2], [$3]) - XML_CPPFLAGS="" diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch deleted file mode 100644 index 1c05ae649..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 22 Apr 2014 15:30:56 +0800 -Subject: Do not fetch external parameter entities - -Unless explicitely asked for when validating or replacing entities -with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> - -Upstream-Status: Backport -Reference: https://access.redhat.com/security/cve/CVE-2014-0191 - -Signed-off-by: Daniel Veillard <veillard@redhat.com> -Signed-off-by: Maxin B. John <maxin.john@enea.com> ---- -diff -Naur libxml2-2.9.1-orig/parser.c libxml2-2.9.1/parser.c ---- libxml2-2.9.1-orig/parser.c 2013-04-16 15:39:18.000000000 +0200 -+++ libxml2-2.9.1/parser.c 2014-05-07 13:35:46.883687946 +0200 -@@ -2595,6 +2595,20 @@ - xmlCharEncoding enc; - - /* -+ * Note: external parsed entities will not be loaded, it is -+ * not required for a non-validating parser, unless the -+ * option of validating, or substituting entities were -+ * given. Doing so is far more secure as the parser will -+ * only process data coming from the document entity by -+ * default. -+ */ -+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && -+ ((ctxt->options & XML_PARSE_NOENT) == 0) && -+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && -+ (ctxt->validate == 0)) -+ return; -+ -+ /* - * handle the extra spaces added before and after - * c.f. http://www.w3.org/TR/REC-xml#as-PE - * this is done independently. diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2_2.9.2.bb b/yocto-poky/meta/recipes-core/libxml/libxml2_2.9.2.bb deleted file mode 100644 index 79a395cea..000000000 --- a/yocto-poky/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ /dev/null @@ -1,11 +0,0 @@ -require libxml2.inc - -SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \ - file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch \ - file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \ - " - -SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" -SRC_URI[libtar.sha256sum] = "5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc" -SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a" -SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7" diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2.inc b/yocto-poky/meta/recipes-core/libxml/libxml2_2.9.3.bb index 310d5bbc5..9c9873fbd 100644 --- a/yocto-poky/meta/recipes-core/libxml/libxml2.inc +++ b/yocto-poky/meta/recipes-core/libxml/libxml2_2.9.3.bb @@ -9,36 +9,24 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \ file://list.c;beginline=4;endline=13;md5=cdbfa3dee51c099edb04e39f762ee907 \ file://trio.c;beginline=5;endline=14;md5=6c025753c86d958722ec76e94cae932e" -DEPENDS =+ "zlib" +DEPENDS = "zlib" SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ + http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \ file://libxml-64bit.patch \ file://ansidecl.patch \ file://runtest.patch \ file://run-ptest \ - file://libxml2-CVE-2014-0191-fix.patch \ file://python-sitepackages-dir.patch \ file://libxml-m4-use-pkgconfig.patch \ file://configure.ac-fix-cross-compiling-warning.patch \ - file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ - file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \ - file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \ - file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \ - file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \ - file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \ - file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ - file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \ - file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \ - file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \ - file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \ - file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \ - file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \ - file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \ - file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \ - file://CVE-2015-8241.patch \ - file://CVE-2015-8710.patch \ " +SRC_URI[libtar.md5sum] = "daece17e045f1c107610e137ab50c179" +SRC_URI[libtar.sha256sum] = "4de9e31f46b44d34871c22f54bfc54398ef124d6f7cafb1f4a5958fbcd3ba12d" +SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a" +SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7" + BINCONFIG = "${bindir}/xml2-config" inherit autotools pkgconfig binconfig-disabled pythonnative ptest @@ -47,32 +35,25 @@ RDEPENDS_${PN}-ptest += "python-core" RDEPENDS_${PN}-python += "python-core" -RDEPENDS_${PN}-ptest_append_libc-glibc += "glibc-gconv-ebcdic-us glibc-gconv-ibm1141" - -# We don't DEPEND on binutils for ansidecl.h so ensure we don't use the header -do_configure_prepend () { - sed -i -e '/.*ansidecl.h.*/d' ${S}/configure.ac -} +RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-gconv-ebcdic-us glibc-gconv-ibm1141" export PYTHON_SITE_PACKAGES="${PYTHON_SITEPACKAGES_DIR}" PACKAGECONFIG ??= "python" - PACKAGECONFIG[python] = "--with-python=${PYTHON},--without-python,python" + # WARNING: zlib is require for RPM use EXTRA_OECONF = "--without-debug --without-legacy --with-catalog --without-docbook --with-c14n --without-lzma --with-fexceptions" EXTRA_OECONF_class-native = "--without-legacy --without-docbook --with-c14n --without-lzma --with-zlib" EXTRA_OECONF_class-nativesdk = "--without-legacy --without-docbook --with-c14n --without-lzma --with-zlib" EXTRA_OECONF_linuxstdbase = "--with-debug --with-legacy --with-docbook --with-c14n --without-lzma --with-zlib" -# required for pythong binding +# required for python binding export HOST_SYS export BUILD_SYS export STAGING_LIBDIR export STAGING_INCDIR -export LDFLAGS += "-ldl" - python populate_packages_prepend () { # autonamer would call this libxml2-2, but we don't want that if d.getVar('DEBIAN_NAMES', True): @@ -81,14 +62,13 @@ python populate_packages_prepend () { PACKAGES += "${PN}-utils ${PN}-python" -FILES_${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug" FILES_${PN}-staticdev += "${PYTHON_SITEPACKAGES_DIR}/*.a" FILES_${PN}-dev += "${libdir}/xml2Conf.sh ${libdir}/cmake/*" FILES_${PN}-utils += "${bindir}/*" FILES_${PN}-python += "${PYTHON_SITEPACKAGES_DIR}" do_install_ptest () { - cp -r ${WORKDIR}/xmlconf ${D}${PTEST_PATH} + cp -r ${WORKDIR}/xmlconf ${D}${PTEST_PATH} } BBCLASSEXTEND = "native nativesdk" |