poky/meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch
Armin Kuster ad7cab35ff libxml2: Security fix for CVE-2016-4447
Affects libxml2 < 2.9.4

(From OE-Core rev: b817c98017cb64f902cdae514fb162b3199a0a14)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-07-27 08:29:59 +01:00



From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Tue, 26 Jan 2016 16:57:03 -0800
Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
For https://bugzilla.gnome.org/show_bug.cgi?id=759573
* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix
non-minimized test case (759573-2.xml). Otherwise the parser
gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid
input that would otherwise cause xmlParserHandlePEReference()
to recurse unexpectedly. This fixes the minimized test case
(759573.xml).
* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.
Upstream-Status: Backport
CVE: CVE-2016-4447
Signed-off-by: Armin Kuster <akuster@mvist.com>
---
parser.c | 2 ++
result/errors/759573-2.xml | 0
result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
result/errors/759573-2.xml.str | 4 +++
result/errors/759573.xml | 0
result/errors/759573.xml.err | 31 ++++++++++++++++++++++
result/errors/759573.xml.str | 4 +++
test/errors/759573-2.xml | 9 +++++++
test/errors/759573.xml | 1 +
9 files changed, 109 insertions(+)
create mode 100644 result/errors/759573-2.xml
create mode 100644 result/errors/759573-2.xml.err
create mode 100644 result/errors/759573-2.xml.str
create mode 100644 result/errors/759573.xml
create mode 100644 result/errors/759573.xml.err
create mode 100644 result/errors/759573.xml.str
create mode 100644 test/errors/759573-2.xml
create mode 100644 test/errors/759573.xml
Index: libxml2-2.9.2/parser.c
===================================================================
--- libxml2-2.9.2.orig/parser.c
+++ libxml2-2.9.2/parser.c
@@ -6723,6 +6723,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctx
if (!IS_BLANK_CH(CUR)) {
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
"Space required after 'ELEMENT'\n");
+ return(-1);
}
SKIP_BLANKS;
name = xmlParseName(ctxt);
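Review bot: The early `return(-1)` added after the "Space required after 'ELEMENT'" error carries no comment, so the reason for bailing out lives only in the commit message; a one-liner on that line would keep it with the code, e.g. `/* Bail out: without the blank the name cannot be parsed, and falling through would reach SKIP(3) at the end with the input in a bad state (bug 759573). */`. The -1 is consistent with the error value this function already returns elsewhere, but the callers that interpret it are outside the hunk, so confirm they treat -1 as "declaration not consumed" rather than retrying at the same position. xmlParseElementDecl begins and ends outside this hunk.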
@@ -6874,6 +6875,7 @@ xmlParseConditionalSections(xmlParserCtx
if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
+ xmlHaltParser(ctxt);
break;
}
}
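Review bot: `xmlHaltParser(ctxt)` is introduced on the new side, yet the patch headers target `libxml2-2.9.2/parser.c`, and as far as I recall that helper only appeared in a later 2.9.x release; confirm the tree this is applied to actually defines it, otherwise the backport fails to compile instead of closing the bug. A comment on the new line would record why halting rather than `break` is required, e.g. `/* Halt, do not just break: continuing lets xmlParserHandlePEReference() recurse on the same unconsumed input (bug 759573). */`. xmlParseConditionalSections begins outside the hunk, and the hunk header promises seven new-side lines while six are shown, so the trailing context line appears to have been dropped by the rendering.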
Index: libxml2-2.9.2/result/errors/759573-2.xml.err
===================================================================
--- /dev/null
+++ libxml2-2.9.2/result/errors/759573-2.xml.err
@@ -0,0 +1,58 @@
+Entity: line 1: parser error : Space required after '<!ENTITY'
+ %zz;
+ ^
+Entity: line 1:
+<!ENTITY<?xDOCTYPEm~?>
+ ^
+Entity: line 1: parser error : xmlParseEntityDecl: no name
+ %zz;
+ ^
+Entity: line 1:
+<!ENTITY<?xDOCTYPEm~?>
+ ^
+Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
+ %zz;
+ ^
+Entity: line 1:
+<!ENTITY<?xDOCTYPEm~?>
+ ^
+Entity: line 1: parser error : Space required after '<!ENTITY'
+ %zz;
+ ^
+Entity: line 1:
+<!ENTITY<?xDOCTYPEm~?>
+ ^
+Entity: line 1: parser error : xmlParseEntityDecl: no name
+ %zz;
+ ^
+Entity: line 1:
+<!ENTITY<?xDOCTYPEm~?>
+ ^
+Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
+ %zz;
+ ^
+Entity: line 1:
+<!ENTITY<?xDOCTYPEm~?>
+ ^
+Entity: line 1: parser error : Space required after 'ELEMENT'
+ %xx;
+ ^
+Entity: line 3:
+%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
+ ^
+Entity: line 1: parser error : Content error in the external subset
+ %xx;
+ ^
+Entity: line 3:
+%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
+ ^
+./test/errors/759573-2.xml:6: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
+ ^
+./test/errors/759573-2.xml:6: parser error : DOCTYPE improperly terminated
+%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
+ ^
+./test/errors/759573-2.xml:6: parser error : Start tag expected, '<' not found
+%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
+ ^
Index: libxml2-2.9.2/result/errors/759573-2.xml.str
===================================================================
--- /dev/null
+++ libxml2-2.9.2/result/errors/759573-2.xml.str
@@ -0,0 +1,4 @@
+./test/errors/759573-2.xml:2: parser error : Extra content at the end of the document
+<!DOCTYPE test [
+ ^
+./test/errors/759573-2.xml : failed to parse
Index: libxml2-2.9.2/result/errors/759573.xml.err
===================================================================
--- /dev/null
+++ libxml2-2.9.2/result/errors/759573.xml.err
@@ -0,0 +1,31 @@
+./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
+ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITY
+ ^
+./test/errors/759573.xml:1: parser error : Space required after the entity name
+LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
+ ^
+./test/errors/759573.xml:1: parser error : Entity value required
+LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
+ ^
+Entity: line 1: parser error : PEReference: no name
+ %xx;
+ ^
+Entity: line 1:
+%<![INCLUDE[000%ஸ000%z;
+ ^
+Entity: line 1: parser error : Content error in the external subset
+ %xx;
+ ^
+Entity: line 1:
+%<![INCLUDE[000%ஸ000%z;
+ ^
+./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+ ^
+./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
+T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+ ^
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
+T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
+ ^
Index: libxml2-2.9.2/result/errors/759573.xml.str
===================================================================
--- /dev/null
+++ libxml2-2.9.2/result/errors/759573.xml.str
@@ -0,0 +1,4 @@
+./test/errors/759573.xml:1: parser error : Extra content at the end of the document
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+ ^
+./test/errors/759573.xml : failed to parse
Index: libxml2-2.9.2/test/errors/759573-2.xml
===================================================================
--- /dev/null
+++ libxml2-2.9.2/test/errors/759573-2.xml
@@ -0,0 +1,9 @@
+<?xmh ven="1.0"?>
+<!DOCTYPE test [
+<!ELEMENT test (#PCDATA) >
+<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<!ELEMENTD(&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
+<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
+%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
+<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
+<!ENTent ref="b<>:b>r.B"/>
+e </
\ No newline at end of file
Index: libxml2-2.9.2/test/errors/759573.xml
===================================================================
--- /dev/null
+++ libxml2-2.9.2/test/errors/759573.xml
@@ -0,0 +1 @@
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
\ No newline at end of file