libxml2: add several security patches
authorGustavo Zacarias <gustavo@zacarias.com.ar>
Tue, 17 Nov 2015 23:08:45 +0000 (20:08 -0300)
committerThomas Petazzoni <thomas.petazzoni@free-electrons.com>
Wed, 18 Nov 2015 21:21:31 +0000 (22:21 +0100)
Fixes:
CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause
a denial of service (memory consumption) via crafted XML data, related
to an XML Entity Expansion (XEE) attack.
CVE-2015-7941 - out-of-bounds memory access.
CVE-2015-7942 - heap-buffer-overflow in xmlParseConditionalSections.
CVE-2015-8035 - DoS via crafted xz file.

All patches upstream.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
package/libxml2/0003-fix-CVE-2015-1819.patch [new file with mode: 0644]
package/libxml2/0004-fix-CVE-2015-7941-1.patch [new file with mode: 0644]
package/libxml2/0005-fix-CVE-2015-7941-2.patch [new file with mode: 0644]
package/libxml2/0006-fix-CVE-2015-7942-1.patch [new file with mode: 0644]
package/libxml2/0007-fix-CVE-2015-7942-2.patch [new file with mode: 0644]
package/libxml2/0008-fix-CVE-2015-8035.patch [new file with mode: 0644]

diff --git a/package/libxml2/0003-fix-CVE-2015-1819.patch b/package/libxml2/0003-fix-CVE-2015-1819.patch
new file mode 100644 (file)
index 0000000..12569c4
--- /dev/null
@@ -0,0 +1,178 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h |  3 ++-
+ xmlreader.c           | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+         (scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++      (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+       buf->alloc = scheme;
+         if (buf->buffer)
+             buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+     size = buf->use + len + 100;
+ #endif
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++       * Used to provide parsing limits
++       */
++        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++          (buf->size >= XML_MAX_TEXT_LENGTH)) {
++          xmlBufMemoryError(buf, "buffer error: text too long\n");
++          return(0);
++      }
++      if (size >= XML_MAX_TEXT_LENGTH)
++          size = XML_MAX_TEXT_LENGTH;
++    }
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+     CHECK_COMPAT(buf)
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++       * Used to provide parsing limits
++       */
++        if (size >= XML_MAX_TEXT_LENGTH) {
++          xmlBufMemoryError(buf, "buffer error: text too long\n");
++          return(0);
++      }
++    }
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++      if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++          /*
++           * Used to provide parsing limits
++           */
++          if (needSize >= XML_MAX_TEXT_LENGTH) {
++              xmlBufMemoryError(buf, "buffer error: text too long\n");
++              return(-1);
++          }
++      }
+         if (!xmlBufResize(buf, needSize)){
+           xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++      if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++          /*
++           * Used to provide parsing limits
++           */
++          if (needSize >= XML_MAX_TEXT_LENGTH) {
++              xmlBufMemoryError(buf, "buffer error: text too long\n");
++              return(-1);
++          }
++      }
+         if (!xmlBufResize(buf, needSize)){
+           xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+     XML_BUFFER_ALLOC_EXACT,   /* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,      /* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID   /* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_HYBRID,  /* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_BOUNDED  /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+               "xmlNewTextReader : malloc failed\n");
+       return(NULL);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(ret->buffer,
++                            XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+       xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+           return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+           xmlAttrPtr attr = (xmlAttrPtr) node;
++          const xmlChar *ret;
+           if ((attr->children != NULL) &&
+               (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+                                         "xmlTextReaderSetup : malloc failed\n");
+                         return (NULL);
+                     }
++                  xmlBufSetAllocationScheme(reader->buffer,
++                                            XML_BUFFER_ALLOC_BOUNDED);
+                 } else
+                     xmlBufEmpty(reader->buffer);
+               xmlBufGetNodeContent(reader->buffer, node);
+-              return(xmlBufContent(reader->buffer));
++              ret = xmlBufContent(reader->buffer);
++              if (ret == NULL) {
++                  /* error on the buffer best to reallocate */
++                  xmlBufFree(reader->buffer);
++                  reader->buffer = xmlBufCreateSize(100);
++                  xmlBufSetAllocationScheme(reader->buffer,
++                                            XML_BUFFER_ALLOC_BOUNDED);
++                  ret = BAD_CAST "";
++              }
++              return(ret);
+           }
+           break;
+       }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(reader->buffer,
++                            XML_BUFFER_ALLOC_BOUNDED);
+     if (reader->sax == NULL)
+       reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (reader->sax == NULL) {
+-- 
+cgit v0.11.2
+
diff --git a/package/libxml2/0004-fix-CVE-2015-7941-1.patch b/package/libxml2/0004-fix-CVE-2015-7941-1.patch
new file mode 100644 (file)
index 0000000..db41082
--- /dev/null
@@ -0,0 +1,34 @@
+From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+       if (RAW != '>') {
+           xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+                   "xmlParseEntityDecl: entity %s not terminated\n", name);
++          xmlStopParser(ctxt);
+       } else {
+           if (input != ctxt->input) {
+               xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+-- 
+cgit v0.11.2
+
diff --git a/package/libxml2/0005-fix-CVE-2015-7941-2.patch b/package/libxml2/0005-fix-CVE-2015-7941-2.patch
new file mode 100644 (file)
index 0000000..9556277
--- /dev/null
@@ -0,0 +1,51 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+       SKIP_BLANKS;
+       if (RAW != '[') {
+           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++          xmlStopParser(ctxt);
++          return;
+       } else {
+           if (ctxt->input->id != id) {
+               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+       SKIP_BLANKS;
+       if (RAW != '[') {
+           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++          xmlStopParser(ctxt);
++          return;
+       } else {
+           if (ctxt->input->id != id) {
+               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+     } else {
+       xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++      xmlStopParser(ctxt);
++      return;
+     }
+     if (RAW == 0)
+-- 
+cgit v0.11.2
+
diff --git a/package/libxml2/0006-fix-CVE-2015-7942-1.patch b/package/libxml2/0006-fix-CVE-2015-7942-1.patch
new file mode 100644 (file)
index 0000000..9dbc623
--- /dev/null
@@ -0,0 +1,34 @@
+From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: Another variation of overflow in Conditional sections
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a65e4cc..b9217ff 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+       "All markup of the conditional section is not in the same entity\n",
+                                NULL, NULL);
+       }
+-        SKIP(3);
++      if ((ctxt-> instate != XML_PARSER_EOF) &&
++          ((ctxt->input->cur + 3) < ctxt->input->end))
++          SKIP(3);
+     }
+ }
+-- 
+cgit v0.11.2
+
diff --git a/package/libxml2/0007-fix-CVE-2015-7942-2.patch b/package/libxml2/0007-fix-CVE-2015-7942-2.patch
new file mode 100644 (file)
index 0000000..59bf89e
--- /dev/null
@@ -0,0 +1,30 @@
+From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: Fix an error in previous Conditional section patch
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9217ff..d67b300 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+                                NULL, NULL);
+       }
+       if ((ctxt-> instate != XML_PARSER_EOF) &&
+-          ((ctxt->input->cur + 3) < ctxt->input->end))
++          ((ctxt->input->cur + 3) <= ctxt->input->end))
+           SKIP(3);
+     }
+ }
+-- 
+cgit v0.11.2
+
diff --git a/package/libxml2/0008-fix-CVE-2015-8035.patch b/package/libxml2/0008-fix-CVE-2015-8035.patch
new file mode 100644 (file)
index 0000000..6673f3e
--- /dev/null
@@ -0,0 +1,33 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+     /* update available output and crc check value */
+-- 
+cgit v0.11.2
+