NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libxml2: security bump to version 2.9.3

Browse Source 
- Fixes:
  - CVE-2015-5312 - Another entity expansion issue
  - CVE-2015-7497 - Avoid an heap buffer overflow in xmlDictComputeFastQKey
  - CVE-2015-7500 - Fix memory access error due to incorrect entities boundaries
  - CVE-2015-8242 - Buffer overead with HTML parser in push mode

- Incorporates upstreamed patches as well, which also fixed:
  - CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause
    a denial of service (memory consumption) via crafted XML data, related
    to an XML Entity Expansion (XEE) attack.
  - CVE-2015-7941 - out-of-bounds memory access.
  - CVE-2015-7942 - heap-buffer-overflow in xmlParseConditionalSections.
  - CVE-2015-8035 - DoS via crafted xz file.

Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is contained in:
Danomi Manchego 2015-11-21 20:38:28 -05:00 committed by Thomas Petazzoni
parent b18e4b5849
commit 08e08586b5
10 changed files with 2 additions and 442 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
package/libxml2/0001-libxml2-config.cmake.in-update-include-directories.patch
View File

@ -1,28 +0,0 @@
From dd6125f4b58fe7bc270e51bc3fcf41cd228d22fc Mon Sep 17 00:00:00 2001
From: Samuel Martin <s.martin49@gmail.com>
Date: Mon, 29 Dec 2014 20:40:18 +0100
Subject: [PATCH] libxml2-config.cmake.in: update include directories
Align the include directories on those from the pkg-config module.
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
---
libxml2-config.cmake.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libxml2-config.cmake.in b/libxml2-config.cmake.in
index ac29329..6b16fc2 100644
--- a/libxml2-config.cmake.in
+++ b/libxml2-config.cmake.in
@@ -21,7 +21,7 @@ set(LIBXML2_VERSION_MINOR @LIBXML_MINOR_VERSION@)
set(LIBXML2_VERSION_MICRO @LIBXML_MICRO_VERSION@)
set(LIBXML2_VERSION_STRING "@VERSION@")
set(LIBXML2_INSTALL_PREFIX ${_libxml2_rootdir})
-set(LIBXML2_INCLUDE_DIRS ${_libxml2_rootdir}/include)
+set(LIBXML2_INCLUDE_DIRS ${_libxml2_rootdir}/include ${_libxml2_rootdir}/include/libxml2)
set(LIBXML2_LIBRARY_DIR ${_libxml2_rootdir}/lib)
set(LIBXML2_LIBRARIES -L${LIBXML2_LIBRARY_DIR} -lxml2)
--
2.2.1

52
package/libxml2/0002-threads-use-forward-declarations-only-for-glibc.patch
View File

@ -1,52 +0,0 @@
Fix musl compile
Downloaded from upstream commit
https://git.gnome.org/browse/libxml2/commit/?id=fff8a6b87e05200a0ad0af6f86c2e859c7de9172
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
From fff8a6b87e05200a0ad0af6f86c2e859c7de9172 Mon Sep 17 00:00:00 2001
From: Michael Heimpold <mhei@heimpold.de>
Date: Mon, 22 Dec 2014 11:12:12 +0800
Subject: threads: use forward declarations only for glibc
Fixes bug #704908
The declarations of pthread functions, used to generate weak references
to them, fail to suppress macros. Thus, if any pthread function has
been provided as a macro, compiling threads.c will fail.
This breaks on musl libc, which defines pthread_equal as a macro (in
addition to providing the function, as required).
Prevent the declarations for e.g. musl libc by refining the condition.
The idea for this solution was borrowed from the alpine linux guys, see
http://git.alpinelinux.org/cgit/aports/tree/main/libxml2/libxml2-pthread.patch
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
diff --git a/threads.c b/threads.c
index 8921204..78006a2 100644
--- a/threads.c
+++ b/threads.c
@@ -47,7 +47,7 @@
#ifdef HAVE_PTHREAD_H
static int libxml_is_threaded = -1;
-#ifdef __GNUC__
+#if defined(__GNUC__) && defined(__GLIBC__)
#ifdef linux
#if (__GNUC__ == 3 && __GNUC_MINOR__ >= 3) || (__GNUC__ > 3)
extern int pthread_once (pthread_once_t *__once_control,
@@ -89,7 +89,7 @@ extern int pthread_cond_signal ()
__attribute((weak));
#endif
#endif /* linux */
-#endif /* __GNUC__ */
+#endif /* defined(__GNUC__) && defined(__GLIBC__) */
#endif /* HAVE_PTHREAD_H */
/*
--
cgit v0.10.2

178
package/libxml2/0003-fix-CVE-2015-1819.patch
View File

@ -1,178 +0,0 @@
From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 14 Apr 2015 17:41:48 +0800
Subject: CVE-2015-1819 Enforce the reader to run in constant memory
One of the operation on the reader could resolve entities
leading to the classic expansion issue. Make sure the
buffer used for xmlreader operation is bounded.
Introduce a new allocation type for the buffers for this effect.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
include/libxml/tree.h | 3 ++-
xmlreader.c | 20 +++++++++++++++++++-
3 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/buf.c b/buf.c
index 6efc7b6..07922ff 100644
--- a/buf.c
+++ b/buf.c
@@ -27,6 +27,7 @@
#include <libxml/tree.h>
#include <libxml/globals.h>
#include <libxml/tree.h>
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
#include "buf.h"
#define WITH_BUFFER_COMPAT
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
(scheme == XML_BUFFER_ALLOC_EXACT) ||
(scheme == XML_BUFFER_ALLOC_HYBRID) ||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
buf->alloc = scheme;
if (buf->buffer)
buf->buffer->alloc = scheme;
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
size = buf->use + len + 100;
#endif
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ if (size >= XML_MAX_TEXT_LENGTH)
+ size = XML_MAX_TEXT_LENGTH;
+ }
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
size_t start_buf = buf->content - buf->contentIO;
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
CHECK_COMPAT(buf)
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (size >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ }
/* Don't resize if we don't have to */
if (size < buf->size)
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
needSize = buf->use + len + 2;
if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
if (!xmlBufResize(buf, needSize)){
xmlBufMemoryError(buf, "growing buffer");
return XML_ERR_NO_MEMORY;
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
}
needSize = buf->use + len + 2;
if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
if (!xmlBufResize(buf, needSize)){
xmlBufMemoryError(buf, "growing buffer");
return XML_ERR_NO_MEMORY;
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
index 2f90717..4a9b3bc 100644
--- a/include/libxml/tree.h
+++ b/include/libxml/tree.h
@@ -76,7 +76,8 @@ typedef enum {
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
} xmlBufferAllocationScheme;
/**
diff --git a/xmlreader.c b/xmlreader.c
index f19e123..471e7e2 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
"xmlNewTextReader : malloc failed\n");
return(NULL);
}
+ /* no operation on a reader should require a huge buffer */
+ xmlBufSetAllocationScheme(ret->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
if (ret->sax == NULL) {
xmlBufFree(ret->buffer);
@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
return(((xmlNsPtr) node)->href);
case XML_ATTRIBUTE_NODE:{
xmlAttrPtr attr = (xmlAttrPtr) node;
+ const xmlChar *ret;
if ((attr->children != NULL) &&
(attr->children->type == XML_TEXT_NODE) &&
@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
"xmlTextReaderSetup : malloc failed\n");
return (NULL);
}
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
} else
xmlBufEmpty(reader->buffer);
xmlBufGetNodeContent(reader->buffer, node);
- return(xmlBufContent(reader->buffer));
+ ret = xmlBufContent(reader->buffer);
+ if (ret == NULL) {
+ /* error on the buffer best to reallocate */
+ xmlBufFree(reader->buffer);
+ reader->buffer = xmlBufCreateSize(100);
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
+ ret = BAD_CAST "";
+ }
+ return(ret);
}
break;
}
@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
"xmlTextReaderSetup : malloc failed\n");
return (-1);
}
+ /* no operation on a reader should require a huge buffer */
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
if (reader->sax == NULL)
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
if (reader->sax == NULL) {
--
cgit v0.11.2

34
package/libxml2/0004-fix-CVE-2015-7941-1.patch
View File

@ -1,34 +0,0 @@
From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:17:35 +0800
Subject: Stop parsing on entities boundaries errors
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
There are times, like on unterminated entities that it's preferable to
stop parsing, even if that means less error reporting. Entities are
feeding the parser on further processing, and if they are ill defined
then it's possible to get the parser to bug. Also do the same on
Conditional Sections if the input is broken, as the structure of
the document can't be guessed.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
parser.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/parser.c b/parser.c
index a8d1b67..bbe97eb 100644
--- a/parser.c
+++ b/parser.c
@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
if (RAW != '>') {
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
"xmlParseEntityDecl: entity %s not terminated\n", name);
+ xmlStopParser(ctxt);
} else {
if (input != ctxt->input) {
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
--
cgit v0.11.2

51
package/libxml2/0005-fix-CVE-2015-7941-2.patch
View File

@ -1,51 +0,0 @@
From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:29:20 +0800
Subject: Cleanup conditional section error handling
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
The error handling of Conditional Section also need to be
straightened as the structure of the document can't be
guessed on a failure there and it's better to stop parsing
as further errors are likely to be irrelevant.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
parser.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/parser.c b/parser.c
index bbe97eb..fe603ac 100644
--- a/parser.c
+++ b/parser.c
@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
+ return;
} else {
if (ctxt->input->id != id) {
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
+ return;
} else {
if (ctxt->input->id != id) {
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
} else {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+ xmlStopParser(ctxt);
+ return;
}
if (RAW == 0)
--
cgit v0.11.2

34
package/libxml2/0006-fix-CVE-2015-7942-1.patch
View File

@ -1,34 +0,0 @@
From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 23 Oct 2015 19:02:28 +0800
Subject: Another variation of overflow in Conditional sections
Which happen after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456
But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
parser.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index a65e4cc..b9217ff 100644
--- a/parser.c
+++ b/parser.c
@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
"All markup of the conditional section is not in the same entity\n",
NULL, NULL);
}
- SKIP(3);
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
+ ((ctxt->input->cur + 3) < ctxt->input->end))
+ SKIP(3);
}
}
--
cgit v0.11.2

30
package/libxml2/0007-fix-CVE-2015-7942-2.patch
View File

@ -1,30 +0,0 @@
From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 27 Oct 2015 10:53:44 +0800
Subject: Fix an error in previous Conditional section patch
an off by one mistake in the change, led to error on correct
document where the end of the included entity was exactly
the end of the conditional section, leading to regtest failure
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index b9217ff..d67b300 100644
--- a/parser.c
+++ b/parser.c
@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
NULL, NULL);
}
if ((ctxt-> instate != XML_PARSER_EOF) &&
- ((ctxt->input->cur + 3) < ctxt->input->end))
+ ((ctxt->input->cur + 3) <= ctxt->input->end))
SKIP(3);
}
}
--
cgit v0.11.2

33
package/libxml2/0008-fix-CVE-2015-8035.patch
View File

@ -1,33 +0,0 @@
From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 3 Nov 2015 15:31:25 +0800
Subject: CVE-2015-8035 Fix XZ compression support loop
For https://bugzilla.gnome.org/show_bug.cgi?id=757466
DoS when parsing specially crafted XML document if XZ support
is compiled in (which wasn't the case for 2.9.2 and master since
Nov 2013, fixed in next commit !)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
xzlib.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xzlib.c b/xzlib.c
index 0dcb9f4..1fab546 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
xz_error(state, LZMA_DATA_ERROR, "compressed data error");
return -1;
}
+ if (ret == LZMA_PROG_ERROR) {
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
} while (strm->avail_out && ret != LZMA_STREAM_END);
/* update available output and crc check value */
--
cgit v0.11.2

2
package/libxml2/libxml2.hash
View File

@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc libxml2-2.9.2.tar.gz
sha256 4de9e31f46b44d34871c22f54bfc54398ef124d6f7cafb1f4a5958fbcd3ba12d libxml2-2.9.3.tar.gz

2
package/libxml2/libxml2.mk
View File

@ -4,7 +4,7 @@
#
################################################################################
LIBXML2_VERSION = 2.9.2
LIBXML2_VERSION = 2.9.3
LIBXML2_SITE = ftp://xmlsoft.org/libxml2
LIBXML2_INSTALL_STAGING = YES
LIBXML2_AUTORECONF = YES