From 08e08586b579d8a339ed6f1e3da01676fa3a7010 Mon Sep 17 00:00:00 2001 From: Danomi Manchego Date: Sat, 21 Nov 2015 20:38:28 -0500 Subject: [PATCH] libxml2: security bump to version 2.9.3 - Fixes: - CVE-2015-5312 - Another entity expansion issue - CVE-2015-7497 - Avoid an heap buffer overflow in xmlDictComputeFastQKey - CVE-2015-7500 - Fix memory access error due to incorrect entities boundaries - CVE-2015-8242 - Buffer overead with HTML parser in push mode - Incorporates upstreamed patches as well, which also fixed: - CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. - CVE-2015-7941 - out-of-bounds memory access. - CVE-2015-7942 - heap-buffer-overflow in xmlParseConditionalSections. - CVE-2015-8035 - DoS via crafted xz file. Signed-off-by: Danomi Manchego Signed-off-by: Thomas Petazzoni --- ....cmake.in-update-include-directories.patch | 28 --- ...-forward-declarations-only-for-glibc.patch | 52 ----- package/libxml2/0003-fix-CVE-2015-1819.patch | 178 ------------------ .../libxml2/0004-fix-CVE-2015-7941-1.patch | 34 ---- .../libxml2/0005-fix-CVE-2015-7941-2.patch | 51 ----- .../libxml2/0006-fix-CVE-2015-7942-1.patch | 34 ---- .../libxml2/0007-fix-CVE-2015-7942-2.patch | 30 --- package/libxml2/0008-fix-CVE-2015-8035.patch | 33 ---- package/libxml2/libxml2.hash | 2 +- package/libxml2/libxml2.mk | 2 +- 10 files changed, 2 insertions(+), 442 deletions(-) delete mode 100644 package/libxml2/0001-libxml2-config.cmake.in-update-include-directories.patch delete mode 100644 package/libxml2/0002-threads-use-forward-declarations-only-for-glibc.patch delete mode 100644 package/libxml2/0003-fix-CVE-2015-1819.patch delete mode 100644 package/libxml2/0004-fix-CVE-2015-7941-1.patch delete mode 100644 package/libxml2/0005-fix-CVE-2015-7941-2.patch delete mode 100644 package/libxml2/0006-fix-CVE-2015-7942-1.patch delete mode 100644 package/libxml2/0007-fix-CVE-2015-7942-2.patch delete mode 100644 package/libxml2/0008-fix-CVE-2015-8035.patch diff --git a/package/libxml2/0001-libxml2-config.cmake.in-update-include-directories.patch b/package/libxml2/0001-libxml2-config.cmake.in-update-include-directories.patch deleted file mode 100644 index 589c8d601e..0000000000 --- a/package/libxml2/0001-libxml2-config.cmake.in-update-include-directories.patch +++ /dev/null @@ -1,28 +0,0 @@ -From dd6125f4b58fe7bc270e51bc3fcf41cd228d22fc Mon Sep 17 00:00:00 2001 -From: Samuel Martin -Date: Mon, 29 Dec 2014 20:40:18 +0100 -Subject: [PATCH] libxml2-config.cmake.in: update include directories - -Align the include directories on those from the pkg-config module. - -Signed-off-by: Samuel Martin ---- - libxml2-config.cmake.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libxml2-config.cmake.in b/libxml2-config.cmake.in -index ac29329..6b16fc2 100644 ---- a/libxml2-config.cmake.in -+++ b/libxml2-config.cmake.in -@@ -21,7 +21,7 @@ set(LIBXML2_VERSION_MINOR @LIBXML_MINOR_VERSION@) - set(LIBXML2_VERSION_MICRO @LIBXML_MICRO_VERSION@) - set(LIBXML2_VERSION_STRING "@VERSION@") - set(LIBXML2_INSTALL_PREFIX ${_libxml2_rootdir}) --set(LIBXML2_INCLUDE_DIRS ${_libxml2_rootdir}/include) -+set(LIBXML2_INCLUDE_DIRS ${_libxml2_rootdir}/include ${_libxml2_rootdir}/include/libxml2) - set(LIBXML2_LIBRARY_DIR ${_libxml2_rootdir}/lib) - set(LIBXML2_LIBRARIES -L${LIBXML2_LIBRARY_DIR} -lxml2) - --- -2.2.1 - diff --git a/package/libxml2/0002-threads-use-forward-declarations-only-for-glibc.patch b/package/libxml2/0002-threads-use-forward-declarations-only-for-glibc.patch deleted file mode 100644 index 4123306fb8..0000000000 --- a/package/libxml2/0002-threads-use-forward-declarations-only-for-glibc.patch +++ /dev/null @@ -1,52 +0,0 @@ -Fix musl compile - -Downloaded from upstream commit -https://git.gnome.org/browse/libxml2/commit/?id=fff8a6b87e05200a0ad0af6f86c2e859c7de9172 - -Signed-off-by: Bernd Kuhls ---- -From fff8a6b87e05200a0ad0af6f86c2e859c7de9172 Mon Sep 17 00:00:00 2001 -From: Michael Heimpold -Date: Mon, 22 Dec 2014 11:12:12 +0800 -Subject: threads: use forward declarations only for glibc - -Fixes bug #704908 - -The declarations of pthread functions, used to generate weak references -to them, fail to suppress macros. Thus, if any pthread function has -been provided as a macro, compiling threads.c will fail. -This breaks on musl libc, which defines pthread_equal as a macro (in -addition to providing the function, as required). - -Prevent the declarations for e.g. musl libc by refining the condition. - -The idea for this solution was borrowed from the alpine linux guys, see -http://git.alpinelinux.org/cgit/aports/tree/main/libxml2/libxml2-pthread.patch - -Signed-off-by: Michael Heimpold - -diff --git a/threads.c b/threads.c -index 8921204..78006a2 100644 ---- a/threads.c -+++ b/threads.c -@@ -47,7 +47,7 @@ - #ifdef HAVE_PTHREAD_H - - static int libxml_is_threaded = -1; --#ifdef __GNUC__ -+#if defined(__GNUC__) && defined(__GLIBC__) - #ifdef linux - #if (__GNUC__ == 3 && __GNUC_MINOR__ >= 3) || (__GNUC__ > 3) - extern int pthread_once (pthread_once_t *__once_control, -@@ -89,7 +89,7 @@ extern int pthread_cond_signal () - __attribute((weak)); - #endif - #endif /* linux */ --#endif /* __GNUC__ */ -+#endif /* defined(__GNUC__) && defined(__GLIBC__) */ - #endif /* HAVE_PTHREAD_H */ - - /* --- -cgit v0.10.2 - diff --git a/package/libxml2/0003-fix-CVE-2015-1819.patch b/package/libxml2/0003-fix-CVE-2015-1819.patch deleted file mode 100644 index 12569c419b..0000000000 --- a/package/libxml2/0003-fix-CVE-2015-1819.patch +++ /dev/null @@ -1,178 +0,0 @@ -From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Tue, 14 Apr 2015 17:41:48 +0800 -Subject: CVE-2015-1819 Enforce the reader to run in constant memory - -One of the operation on the reader could resolve entities -leading to the classic expansion issue. Make sure the -buffer used for xmlreader operation is bounded. -Introduce a new allocation type for the buffers for this effect. - -Signed-off-by: Gustavo Zacarias ---- - buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- - include/libxml/tree.h | 3 ++- - xmlreader.c | 20 +++++++++++++++++++- - 3 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/buf.c b/buf.c -index 6efc7b6..07922ff 100644 ---- a/buf.c -+++ b/buf.c -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include /* for XML_MAX_TEXT_LENGTH */ - #include "buf.h" - - #define WITH_BUFFER_COMPAT -@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, - if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || - (scheme == XML_BUFFER_ALLOC_EXACT) || - (scheme == XML_BUFFER_ALLOC_HYBRID) || -- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { -+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || -+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { - buf->alloc = scheme; - if (buf->buffer) - buf->buffer->alloc = scheme; -@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - size = buf->use + len + 100; - #endif - -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || -+ (buf->size >= XML_MAX_TEXT_LENGTH)) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ if (size >= XML_MAX_TEXT_LENGTH) -+ size = XML_MAX_TEXT_LENGTH; -+ } - if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { - size_t start_buf = buf->content - buf->contentIO; - -@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) - CHECK_COMPAT(buf) - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (size >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ } - - /* Don't resize if we don't have to */ - if (size < buf->size) -@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { - - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { - } - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -diff --git a/include/libxml/tree.h b/include/libxml/tree.h -index 2f90717..4a9b3bc 100644 ---- a/include/libxml/tree.h -+++ b/include/libxml/tree.h -@@ -76,7 +76,8 @@ typedef enum { - XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ - XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ - XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ -- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ - } xmlBufferAllocationScheme; - - /** -diff --git a/xmlreader.c b/xmlreader.c -index f19e123..471e7e2 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { - "xmlNewTextReader : malloc failed\n"); - return(NULL); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(ret->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (ret->sax == NULL) { - xmlBufFree(ret->buffer); -@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - return(((xmlNsPtr) node)->href); - case XML_ATTRIBUTE_NODE:{ - xmlAttrPtr attr = (xmlAttrPtr) node; -+ const xmlChar *ret; - - if ((attr->children != NULL) && - (attr->children->type == XML_TEXT_NODE) && -@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - "xmlTextReaderSetup : malloc failed\n"); - return (NULL); - } -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - } else - xmlBufEmpty(reader->buffer); - xmlBufGetNodeContent(reader->buffer, node); -- return(xmlBufContent(reader->buffer)); -+ ret = xmlBufContent(reader->buffer); -+ if (ret == NULL) { -+ /* error on the buffer best to reallocate */ -+ xmlBufFree(reader->buffer); -+ reader->buffer = xmlBufCreateSize(100); -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); -+ ret = BAD_CAST ""; -+ } -+ return(ret); - } - break; - } -@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, - "xmlTextReaderSetup : malloc failed\n"); - return (-1); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - if (reader->sax == NULL) - reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (reader->sax == NULL) { --- -cgit v0.11.2 - diff --git a/package/libxml2/0004-fix-CVE-2015-7941-1.patch b/package/libxml2/0004-fix-CVE-2015-7941-1.patch deleted file mode 100644 index db41082606..0000000000 --- a/package/libxml2/0004-fix-CVE-2015-7941-1.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Mon, 23 Feb 2015 11:17:35 +0800 -Subject: Stop parsing on entities boundaries errors - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -There are times, like on unterminated entities that it's preferable to -stop parsing, even if that means less error reporting. Entities are -feeding the parser on further processing, and if they are ill defined -then it's possible to get the parser to bug. Also do the same on -Conditional Sections if the input is broken, as the structure of -the document can't be guessed. - -Signed-off-by: Gustavo Zacarias ---- - parser.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parser.c b/parser.c -index a8d1b67..bbe97eb 100644 ---- a/parser.c -+++ b/parser.c -@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { - if (RAW != '>') { - xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, - "xmlParseEntityDecl: entity %s not terminated\n", name); -+ xmlStopParser(ctxt); - } else { - if (input != ctxt->input) { - xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, --- -cgit v0.11.2 - diff --git a/package/libxml2/0005-fix-CVE-2015-7941-2.patch b/package/libxml2/0005-fix-CVE-2015-7941-2.patch deleted file mode 100644 index 9556277110..0000000000 --- a/package/libxml2/0005-fix-CVE-2015-7941-2.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Mon, 23 Feb 2015 11:29:20 +0800 -Subject: Cleanup conditional section error handling - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -The error handling of Conditional Section also need to be -straightened as the structure of the document can't be -guessed on a failure there and it's better to stop parsing -as further errors are likely to be irrelevant. - -Signed-off-by: Gustavo Zacarias ---- - parser.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/parser.c b/parser.c -index bbe97eb..fe603ac 100644 ---- a/parser.c -+++ b/parser.c -@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - - } else { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); -+ xmlStopParser(ctxt); -+ return; - } - - if (RAW == 0) --- -cgit v0.11.2 - diff --git a/package/libxml2/0006-fix-CVE-2015-7942-1.patch b/package/libxml2/0006-fix-CVE-2015-7942-1.patch deleted file mode 100644 index 9dbc6238bd..0000000000 --- a/package/libxml2/0006-fix-CVE-2015-7942-1.patch +++ /dev/null @@ -1,34 +0,0 @@ -From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Fri, 23 Oct 2015 19:02:28 +0800 -Subject: Another variation of overflow in Conditional sections - -Which happen after the previous fix to -https://bugzilla.gnome.org/show_bug.cgi?id=756456 - -But stopping the parser and exiting we didn't pop the intermediary entities -and doing the SKIP there applies on an input which may be too small - -Signed-off-by: Gustavo Zacarias ---- - parser.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index a65e4cc..b9217ff 100644 ---- a/parser.c -+++ b/parser.c -@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - "All markup of the conditional section is not in the same entity\n", - NULL, NULL); - } -- SKIP(3); -+ if ((ctxt-> instate != XML_PARSER_EOF) && -+ ((ctxt->input->cur + 3) < ctxt->input->end)) -+ SKIP(3); - } - } - --- -cgit v0.11.2 - diff --git a/package/libxml2/0007-fix-CVE-2015-7942-2.patch b/package/libxml2/0007-fix-CVE-2015-7942-2.patch deleted file mode 100644 index 59bf89e73e..0000000000 --- a/package/libxml2/0007-fix-CVE-2015-7942-2.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Tue, 27 Oct 2015 10:53:44 +0800 -Subject: Fix an error in previous Conditional section patch - -an off by one mistake in the change, led to error on correct -document where the end of the included entity was exactly -the end of the conditional section, leading to regtest failure - -Signed-off-by: Gustavo Zacarias ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index b9217ff..d67b300 100644 ---- a/parser.c -+++ b/parser.c -@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - NULL, NULL); - } - if ((ctxt-> instate != XML_PARSER_EOF) && -- ((ctxt->input->cur + 3) < ctxt->input->end)) -+ ((ctxt->input->cur + 3) <= ctxt->input->end)) - SKIP(3); - } - } --- -cgit v0.11.2 - diff --git a/package/libxml2/0008-fix-CVE-2015-8035.patch b/package/libxml2/0008-fix-CVE-2015-8035.patch deleted file mode 100644 index 6673f3e2fe..0000000000 --- a/package/libxml2/0008-fix-CVE-2015-8035.patch +++ /dev/null @@ -1,33 +0,0 @@ -From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard -Date: Tue, 3 Nov 2015 15:31:25 +0800 -Subject: CVE-2015-8035 Fix XZ compression support loop - -For https://bugzilla.gnome.org/show_bug.cgi?id=757466 -DoS when parsing specially crafted XML document if XZ support -is compiled in (which wasn't the case for 2.9.2 and master since -Nov 2013, fixed in next commit !) - -Signed-off-by: Gustavo Zacarias ---- - xzlib.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/xzlib.c b/xzlib.c -index 0dcb9f4..1fab546 100644 ---- a/xzlib.c -+++ b/xzlib.c -@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) - xz_error(state, LZMA_DATA_ERROR, "compressed data error"); - return -1; - } -+ if (ret == LZMA_PROG_ERROR) { -+ xz_error(state, LZMA_PROG_ERROR, "compression error"); -+ return -1; -+ } - } while (strm->avail_out && ret != LZMA_STREAM_END); - - /* update available output and crc check value */ --- -cgit v0.11.2 - diff --git a/package/libxml2/libxml2.hash b/package/libxml2/libxml2.hash index 69f4fdc509..00fbf4372b 100644 --- a/package/libxml2/libxml2.hash +++ b/package/libxml2/libxml2.hash @@ -1,2 +1,2 @@ # Locally calculated after checking pgp signature -sha256 5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc libxml2-2.9.2.tar.gz +sha256 4de9e31f46b44d34871c22f54bfc54398ef124d6f7cafb1f4a5958fbcd3ba12d libxml2-2.9.3.tar.gz diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk index e5832b2fc7..acfe59f4b8 100644 --- a/package/libxml2/libxml2.mk +++ b/package/libxml2/libxml2.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBXML2_VERSION = 2.9.2 +LIBXML2_VERSION = 2.9.3 LIBXML2_SITE = ftp://xmlsoft.org/libxml2 LIBXML2_INSTALL_STAGING = YES LIBXML2_AUTORECONF = YES -- 2.39.2