libxml2: Fix CVEs

CVE: CVE-2017-16932 CVE-2017-5130 CVE-2017-7375 CVE-2017-7376 Libxml2 in the upstream pyro is 2.9.4 CVE-2017-7376: For the stable distribution (stretch), these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u1 CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2 Reference: CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-09-11 10:09:27 +0200
committer: Dan Andresan <Dan.Andresan@enea.com> 2018-10-25 13:54:59 +0200
commit: 2057b91933875959294f823b12938d6cba6ea62b (patch)
tree: 357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
parent: 5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download: meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz
1 files changed, 106 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
new file mode 100644
index 0000000..9a94344
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+Thanks to Wei Lei for the first of many reports.
+Fixes bug 759579.
+CVE: CVE-2017-16932  
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c                     | 11 ++++++++++-
+ result/errors/759579.xml     |  0
+ result/errors/759579.xml.err |  6 ++++++
+ result/errors/759579.xml.str |  7 +++++++
+ test/errors/759579.xml       | 11 +++++++++++
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+diff --git a/parser.c b/parser.c
+index 6286cad..51452a2 100644
+--- a/parser.c
+++ b/parser.c
+@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+        xmlGenericError(xmlGenericErrorContext,
+                "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+     }
+    if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
+        (ctxt->inputNr > 1024)) {
+        xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+        while (ctxt->inputNr > 1)
+            xmlFreeInputStream(inputPop(ctxt));
+       return(-1);
+    }
+     ret = inputPush(ctxt, input);
+     if (ctxt->instate == XML_PARSER_EOF)
+         return(-1);
+@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             * c.f. http://www.w3.org/TR/REC-xml#as-PE
+             */
+            input = xmlNewEntityInputStream(ctxt, entity);
+-           if (xmlPushInput(ctxt, input) < 0)
+           if (xmlPushInput(ctxt, input) < 0) {
+                xmlFreeInputStream(input);
+                return;
+            } 
+            if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+                (IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
+++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
+Entity: line 2: parser error : Detected an entity reference loop
+        %z; %z; %z; %z; %z;
+           ^
+Entity: line 2: 
+        %z; %z; %z; %z; %z;
+           ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
+++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
+Entity: line 2: parser error : Detected an entity reference loop
+        %z; %z; %z; %z; %z;
+           ^
+Entity: line 2: 
+        %z; %z; %z; %z; %z;
+           ^
+./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
+++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
+<!DOCTYPE doc [
+    <!ENTITY % z '
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
+    '>
+    %z;
+]>
+<doc/>
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-09-11 10:09:27 +0200
committer	Dan Andresan <Dan.Andresan@enea.com>	2018-10-25 13:54:59 +0200
commit	2057b91933875959294f823b12938d6cba6ea62b (patch)
tree	357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
parent	5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download	meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch new file mode 100644 index 0000000..9a94344 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
	1	From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Tue, 25 Jul 2017 14:59:49 +0200
	4	Subject: [PATCH] Detect infinite recursion in parameter entities
	5
	6	When expanding a parameter entity in a DTD, infinite recursion could
	7	lead to an infinite loop or memory exhaustion.
	8
	9	Thanks to Wei Lei for the first of many reports.
	10
	11	Fixes bug 759579.
	12
	13	CVE: CVE-2017-16932
	14	Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
	15
	16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	17	---
	18	parser.c \| 11 ++++++++++-
	19	result/errors/759579.xml \| 0
	20	result/errors/759579.xml.err \| 6 ++++++
	21	result/errors/759579.xml.str \| 7 +++++++
	22	test/errors/759579.xml \| 11 +++++++++++
	23	5 files changed, 34 insertions(+), 1 deletion(-)
	24	create mode 100644 result/errors/759579.xml
	25	create mode 100644 result/errors/759579.xml.err
	26	create mode 100644 result/errors/759579.xml.str
	27	create mode 100644 test/errors/759579.xml
	28
	29	diff --git a/parser.c b/parser.c
	30	index 6286cad..51452a2 100644
	31	--- a/parser.c
	32	+++ b/parser.c
	33	@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
	34	xmlGenericError(xmlGenericErrorContext,
	35	"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
	36	}
	37	+ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) \|\|
	38	+ (ctxt->inputNr > 1024)) {
	39	+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
	40	+ while (ctxt->inputNr > 1)
	41	+ xmlFreeInputStream(inputPop(ctxt));
	42	+ return(-1);
	43	+ }
	44	ret = inputPush(ctxt, input);
	45	if (ctxt->instate == XML_PARSER_EOF)
	46	return(-1);
	47	@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
	48	* c.f. http://www.w3.org/TR/REC-xml#as-PE
	49	*/
	50	input = xmlNewEntityInputStream(ctxt, entity);
	51	- if (xmlPushInput(ctxt, input) < 0)
	52	+ if (xmlPushInput(ctxt, input) < 0) {
	53	+ xmlFreeInputStream(input);
	54	return;
	55	+ }
	56	if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
	57	(CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
	58	(IS_BLANK_CH(NXT(5)))) {
	59	diff --git a/result/errors/759579.xml b/result/errors/759579.xml
	60	new file mode 100644
	61	index 0000000..e69de29
	62	diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
	63	new file mode 100644
	64	index 0000000..288026e
	65	--- /dev/null
	66	+++ b/result/errors/759579.xml.err
	67	@@ -0,0 +1,6 @@
	68	+Entity: line 2: parser error : Detected an entity reference loop
	69	+ %z; %z; %z; %z; %z;
	70	+ ^
	71	+Entity: line 2:
	72	+ %z; %z; %z; %z; %z;
	73	+ ^
	74	diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
	75	new file mode 100644
	76	index 0000000..09408f5
	77	--- /dev/null
	78	+++ b/result/errors/759579.xml.str
	79	@@ -0,0 +1,7 @@
	80	+Entity: line 2: parser error : Detected an entity reference loop
	81	+ %z; %z; %z; %z; %z;
	82	+ ^
	83	+Entity: line 2:
	84	+ %z; %z; %z; %z; %z;
	85	+ ^
	86	+./test/errors/759579.xml : failed to parse
	87	diff --git a/test/errors/759579.xml b/test/errors/759579.xml
	88	new file mode 100644
	89	index 0000000..7fadd70
	90	--- /dev/null
	91	+++ b/test/errors/759579.xml
	92	@@ -0,0 +1,11 @@
	93	+<!DOCTYPE doc [
	94	+ <!ENTITY % z '
	95	+ %z; %z; %z; %z; %z;
	96	+ %z; %z; %z; %z; %z;
	97	+ %z; %z; %z; %z; %z;
	98	+ %z; %z; %z; %z; %z;
	99	+ %z; %z; %z; %z; %z;
	100	+ '>
	101	+ %z;
	102	+]>
	103	+<doc/>
	104	--
	105	2.7.4
	106