libxml2: fix CVE-2014-3660

It was discovered that the patch for CVE-2014-0191 for libxml2 is
incomplete.  It is still possible to have libxml2 incorrectly perform
entity substituton even when the application using libxml2 explicitly
disables the feature.  This can allow a remote denial-of-service attack on
systems with libxml2 prior to 2.9.2.

References:
    http://www.openwall.com/lists/oss-security/2014/10/17/7
    https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

(From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f)

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bcf9a62ded4d33b6af25d2fc51a566db266d0e47..c729c199cff06af38b0399cfd8666b606341c195 100644 (file)
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml2-CVE-2014-0191-fix.patch \
            file://python-sitepackages-dir.patch \
            file://libxml-m4-use-pkgconfig.patch \
+           file://libxml2-CVE-2014-3660.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
new file mode 100644 (file)
index 0000000..b9621c9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch
@@ -0,0 +1,147 @@
+From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 16 Oct 2014 13:59:47 +0800
+Subject: Fix for CVE-2014-3660
+
+Issues related to the billion laugh entity expansion which happened to
+escape the initial set of fixes
+
+Upstream-status: Backport
+Reference: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230&context=3&ignorews=0&ss=0
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+diff --git a/parser.c b/parser.c
+index f51e8d2..1d93967 100644
+--- a/parser.c
++++ b/parser.c
+@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+         return (0);
+     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+         return (1);
++
++    /*
++     * This may look absurd but is needed to detect
++     * entities problems
++     */
++    if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
++      (ent->content != NULL) && (ent->checked == 0)) {
++      unsigned long oldnbent = ctxt->nbentities;
++      xmlChar *rep;
++
++      ent->checked = 1;
++
++      rep = xmlStringDecodeEntities(ctxt, ent->content,
++                                XML_SUBSTITUTE_REF, 0, 0, 0);
++
++      ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++      if (rep != NULL) {
++          if (xmlStrchr(rep, '<'))
++              ent->checked |= 1;
++          xmlFree(rep);
++          rep = NULL;
++      }
++    }
+     if (replacement != 0) {
+       if (replacement < XML_MAX_TEXT_LENGTH)
+           return(0);
+@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+             return (0);
+     } else {
+         /*
+-         * strange we got no data for checking just return
++         * strange we got no data for checking
+          */
+-        return (0);
++      if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
++           (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
++          (ctxt->nbentities <= 10000))
++          return (0);
+     }
+     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+     return (1);
+@@ -2589,6 +2615,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+                                     name, NULL);
+                   ctxt->valid = 0;
+               }
++              xmlParserEntityCheck(ctxt, 0, NULL, 0);
+           } else if (ctxt->input->free != deallocblankswrapper) {
+                   input = xmlNewBlanksWrapperInputStream(ctxt, entity);
+                   if (xmlPushInput(ctxt, input) < 0)
+@@ -2759,6 +2786,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+           if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+               (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+               goto int_error;
++          xmlParserEntityCheck(ctxt, 0, ent, 0);
+           if (ent != NULL)
+               ctxt->nbentities += ent->checked / 2;
+           if ((ent != NULL) &&
+@@ -2810,6 +2838,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+           ent = xmlParseStringPEReference(ctxt, &str);
+           if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+               goto int_error;
++          xmlParserEntityCheck(ctxt, 0, ent, 0);
+           if (ent != NULL)
+               ctxt->nbentities += ent->checked / 2;
+           if (ent != NULL) {
+@@ -7312,6 +7341,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+                  (ret != XML_WAR_UNDECLARED_ENTITY)) {
+           xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
+                    "Entity '%s' failed to parse\n", ent->name);
++          xmlParserEntityCheck(ctxt, 0, ent, 0);
+       } else if (list != NULL) {
+           xmlFreeNodeList(list);
+           list = NULL;
+@@ -7418,7 +7448,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+               /*
+                * We are copying here, make sure there is no abuse
+                */
+-              ctxt->sizeentcopy += ent->length;
++              ctxt->sizeentcopy += ent->length + 5;
+               if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+                   return;
+ 
+@@ -7466,7 +7496,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+               /*
+                * We are copying here, make sure there is no abuse
+                */
+-              ctxt->sizeentcopy += ent->length;
++              ctxt->sizeentcopy += ent->length + 5;
+               if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+                   return;
+ 
+@@ -7652,6 +7682,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
+               ctxt->sax->reference(ctxt->userData, name);
+           }
+       }
++      xmlParserEntityCheck(ctxt, 0, ent, 0);
+       ctxt->valid = 0;
+     }
+ 
+@@ -7845,6 +7876,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
+                         "Entity '%s' not defined\n",
+                         name);
+       }
++      xmlParserEntityCheck(ctxt, 0, ent, 0);
+       /* TODO ? check regressions ctxt->valid = 0; */
+     }
+ 
+@@ -8004,6 +8036,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+                         name, NULL);
+           ctxt->valid = 0;
+       }
++      xmlParserEntityCheck(ctxt, 0, NULL, 0);
+     } else {
+       /*
+        * Internal checking in case the entity quest barfed
+@@ -8243,6 +8276,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
+                         name, NULL);
+           ctxt->valid = 0;
+       }
++      xmlParserEntityCheck(ctxt, 0, NULL, 0);
+     } else {
+       /*
+        * Internal checking in case the entity quest barfed
+-- 
+cgit v0.10.1
+