From 97abbf210a9fbbddaec534faef7c6e86f0545bef Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Tue, 17 Nov 2015 20:08:45 -0300 Subject: [PATCH] libxml2: add several security patches Fixes: CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. CVE-2015-7941 - out-of-bounds memory access. CVE-2015-7942 - heap-buffer-overflow in xmlParseConditionalSections. CVE-2015-8035 - DoS via crafted xz file. All patches upstream. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni --- package/libxml2/0003-fix-CVE-2015-1819.patch | 178 ++++++++++++++++++ .../libxml2/0004-fix-CVE-2015-7941-1.patch | 34 ++++ .../libxml2/0005-fix-CVE-2015-7941-2.patch | 51 +++++ .../libxml2/0006-fix-CVE-2015-7942-1.patch | 34 ++++ .../libxml2/0007-fix-CVE-2015-7942-2.patch | 30 +++ package/libxml2/0008-fix-CVE-2015-8035.patch | 33 ++++ 6 files changed, 360 insertions(+) create mode 100644 package/libxml2/0003-fix-CVE-2015-1819.patch create mode 100644 package/libxml2/0004-fix-CVE-2015-7941-1.patch create mode 100644 package/libxml2/0005-fix-CVE-2015-7941-2.patch create mode 100644 package/libxml2/0006-fix-CVE-2015-7942-1.patch create mode 100644 package/libxml2/0007-fix-CVE-2015-7942-2.patch create mode 100644 package/libxml2/0008-fix-CVE-2015-8035.patch diff --git a/package/libxml2/0003-fix-CVE-2015-1819.patch b/package/libxml2/0003-fix-CVE-2015-1819.patch new file mode 100644 index 0000000000..12569c419b --- /dev/null +++ b/package/libxml2/0003-fix-CVE-2015-1819.patch @@ -0,0 +1,178 @@ +From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. + +Signed-off-by: Gustavo Zacarias +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/buf.c b/buf.c +index 6efc7b6..07922ff 100644 +--- a/buf.c ++++ b/buf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +diff --git a/include/libxml/tree.h b/include/libxml/tree.h +index 2f90717..4a9b3bc 100644 +--- a/include/libxml/tree.h ++++ b/include/libxml/tree.h +@@ -76,7 +76,8 @@ typedef enum { + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +diff --git a/xmlreader.c b/xmlreader.c +index f19e123..471e7e2 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { +-- +cgit v0.11.2 + diff --git a/package/libxml2/0004-fix-CVE-2015-7941-1.patch b/package/libxml2/0004-fix-CVE-2015-7941-1.patch new file mode 100644 index 0000000000..db41082606 --- /dev/null +++ b/package/libxml2/0004-fix-CVE-2015-7941-1.patch @@ -0,0 +1,34 @@ +From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:17:35 +0800 +Subject: Stop parsing on entities boundaries errors + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +There are times, like on unterminated entities that it's preferable to +stop parsing, even if that means less error reporting. Entities are +feeding the parser on further processing, and if they are ill defined +then it's possible to get the parser to bug. Also do the same on +Conditional Sections if the input is broken, as the structure of +the document can't be guessed. + +Signed-off-by: Gustavo Zacarias +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index a8d1b67..bbe97eb 100644 +--- a/parser.c ++++ b/parser.c +@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +-- +cgit v0.11.2 + diff --git a/package/libxml2/0005-fix-CVE-2015-7941-2.patch b/package/libxml2/0005-fix-CVE-2015-7941-2.patch new file mode 100644 index 0000000000..9556277110 --- /dev/null +++ b/package/libxml2/0005-fix-CVE-2015-7941-2.patch @@ -0,0 +1,51 @@ +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. + +Signed-off-by: Gustavo Zacarias +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index bbe97eb..fe603ac 100644 +--- a/parser.c ++++ b/parser.c +@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) +-- +cgit v0.11.2 + diff --git a/package/libxml2/0006-fix-CVE-2015-7942-1.patch b/package/libxml2/0006-fix-CVE-2015-7942-1.patch new file mode 100644 index 0000000000..9dbc6238bd --- /dev/null +++ b/package/libxml2/0006-fix-CVE-2015-7942-1.patch @@ -0,0 +1,34 @@ +From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 23 Oct 2015 19:02:28 +0800 +Subject: Another variation of overflow in Conditional sections + +Which happen after the previous fix to +https://bugzilla.gnome.org/show_bug.cgi?id=756456 + +But stopping the parser and exiting we didn't pop the intermediary entities +and doing the SKIP there applies on an input which may be too small + +Signed-off-by: Gustavo Zacarias +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a65e4cc..b9217ff 100644 +--- a/parser.c ++++ b/parser.c +@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) < ctxt->input->end)) ++ SKIP(3); + } + } + +-- +cgit v0.11.2 + diff --git a/package/libxml2/0007-fix-CVE-2015-7942-2.patch b/package/libxml2/0007-fix-CVE-2015-7942-2.patch new file mode 100644 index 0000000000..59bf89e73e --- /dev/null +++ b/package/libxml2/0007-fix-CVE-2015-7942-2.patch @@ -0,0 +1,30 @@ +From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 27 Oct 2015 10:53:44 +0800 +Subject: Fix an error in previous Conditional section patch + +an off by one mistake in the change, led to error on correct +document where the end of the included entity was exactly +the end of the conditional section, leading to regtest failure + +Signed-off-by: Gustavo Zacarias +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b9217ff..d67b300 100644 +--- a/parser.c ++++ b/parser.c +@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + NULL, NULL); + } + if ((ctxt-> instate != XML_PARSER_EOF) && +- ((ctxt->input->cur + 3) < ctxt->input->end)) ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); + } + } +-- +cgit v0.11.2 + diff --git a/package/libxml2/0008-fix-CVE-2015-8035.patch b/package/libxml2/0008-fix-CVE-2015-8035.patch new file mode 100644 index 0000000000..6673f3e2fe --- /dev/null +++ b/package/libxml2/0008-fix-CVE-2015-8035.patch @@ -0,0 +1,33 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) + +Signed-off-by: Gustavo Zacarias +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index 0dcb9f4..1fab546 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +cgit v0.11.2 + -- 2.30.2