From 2057b91933875959294f823b12938d6cba6ea62b Mon Sep 17 00:00:00 2001
From: Andreas Wellving <andreas.wellving@enea.com>
Date: Tue, 11 Sep 2018 10:09:27 +0200
Subject: libxml2: Fix CVEs

CVE: CVE-2017-16932 CVE-2017-5130 CVE-2017-7375 CVE-2017-7376

Libxml2 in the upstream pyro is 2.9.4
CVE-2017-7376: For the stable distribution (stretch), these problems
have been fixed in version 2.9.4+dfsg1-2.2+deb9u1
CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2

Reference:
CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed
CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e
CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e

Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
---
 ...-infinite-recursion-in-parameter-entities.patch | 106 +++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch

(limited to 'recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch')

diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
new file mode 100644
index 0000000..9a94344
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+
+Thanks to Wei Lei for the first of many reports.
+
+Fixes bug 759579.
+
+CVE: CVE-2017-16932  
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c                     | 11 ++++++++++-
+ result/errors/759579.xml     |  0
+ result/errors/759579.xml.err |  6 ++++++
+ result/errors/759579.xml.str |  7 +++++++
+ test/errors/759579.xml       | 11 +++++++++++
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+
+diff --git a/parser.c b/parser.c
+index 6286cad..51452a2 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+ 	xmlGenericError(xmlGenericErrorContext,
+ 		"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+     }
++    if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++        (ctxt->inputNr > 1024)) {
++        xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++        while (ctxt->inputNr > 1)
++            xmlFreeInputStream(inputPop(ctxt));
++	return(-1);
++    }
+     ret = inputPush(ctxt, input);
+     if (ctxt->instate == XML_PARSER_EOF)
+         return(-1);
+@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+	     * c.f. http://www.w3.org/TR/REC-xml#as-PE
+	     */
+ 	    input = xmlNewEntityInputStream(ctxt, entity);
+-	    if (xmlPushInput(ctxt, input) < 0)
++	    if (xmlPushInput(ctxt, input) < 0) {
++                xmlFreeInputStream(input);
+ 		return;
++            } 
+	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+		(CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+		(IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
++++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
++Entity: line 2: parser error : Detected an entity reference loop
++        %z; %z; %z; %z; %z;
++           ^
++Entity: line 2: 
++        %z; %z; %z; %z; %z;
++           ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
++++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
++Entity: line 2: parser error : Detected an entity reference loop
++        %z; %z; %z; %z; %z;
++           ^
++Entity: line 2: 
++        %z; %z; %z; %z; %z;
++           ^
++./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
++++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
++<!DOCTYPE doc [
++    <!ENTITY % z '
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++    '>
++    %z;
++]>
++<doc/>
+-- 
+2.7.4
+
-- 
cgit v1.2.3-54-g00ecf