* [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes
@ 2015-12-05 19:35 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 01/15] libxml2: security fix CVE-2015-7941-1 Armin Kuster
` (16 more replies)
0 siblings, 17 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core
Each CVE is an independant patch so they can be easily merged to other distros
and/or stable branches.
I have included two previous CVE's sent for jethro which can be ignored.
I put the CVE's in order as there where fixed upstream.
Armin Kuster (15):
libxml2: security fix CVE-2015-7941-1
libxml2: security fix CVE-2015-7941-2
libxml2: security fix CVE-2015-8317
libxml2: security fix CVE-2015-7942
libxml2: security fix CVE-2015-7942-2
libxml2: security fix CVE-2015-8317
libxml2: security fix CVE-2015-7498
libxml2: security fix CVE-2015-7497
libxml2: security fix CVE-2015-7499-1
libxml2: security fix CVE-2015-7499-2
libxml2: depend fix security issue CVE-2015-7500
libxml2: security fix CVE-2015-7500
libxml2: security fix CVE-2015-8242
libxml2: security fix CVE-2015-5312
libxml2: multiple security fixes.
meta/recipes-core/libxml/libxml2.inc | 14 +++
...-2015-5312-Another-entity-expansion-issue.patch | 39 ++++++
...97-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 ++++++
...00-Fix-memory-access-error-due-to-incorre.patch | 131 +++++++++++++++++++
...2015-8035-Fix-XZ-compression-support-loop.patch | 38 ++++++
...42-Buffer-overead-with-HTML-parser-in-pus.patch | 49 ++++++++
...n-name-parsing-at-the-end-of-current-inpu.patch | 138 +++++++++++++++++++++
...ssing-entities-after-encoding-conversion-.patch | 89 +++++++++++++
...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 +++++++++++++
...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 +++++++
...top-parsing-on-entities-boundaries-errors.patch | 39 ++++++
...leanup-conditional-section-error-handling.patch | 56 +++++++++
...ror-in-previous-Conditional-section-patch.patch | 35 ++++++
...iation-of-overflow-in-Conditional-section.patch | 39 ++++++
...ng-early-on-if-encoding-conversion-failed.patch | 42 +++++++
15 files changed, 880 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
--
2.3.5
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 01/15] libxml2: security fix CVE-2015-7941-1
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 02/15] libxml2: security fix CVE-2015-7941-2 Armin Kuster
` (15 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...top-parsing-on-entities-boundaries-errors.patch | 39 ++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000..11da9f9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,39 @@
+From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: [PATCH] Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+
+Upstream-Status: Backport
+
+CVE-2015-7941-1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ if (RAW != '>') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ "xmlParseEntityDecl: entity %s not terminated\n", name);
++ xmlStopParser(ctxt);
+ } else {
+ if (input != ctxt->input) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 02/15] libxml2: security fix CVE-2015-7941-2
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 01/15] libxml2: security fix CVE-2015-7941-1 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 03/15] libxml2: security fix CVE-2015-8317 Armin Kuster
` (14 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...leanup-conditional-section-error-handling.patch | 56 ++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 0000000..b7bd960
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,56 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: [PATCH] Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Upstream-Status: Backport
+
+CVE-2015-7941-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++ xmlStopParser(ctxt);
++ return;
+ }
+
+ if (RAW == 0)
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 03/15] libxml2: security fix CVE-2015-8317
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 01/15] libxml2: security fix CVE-2015-7941-1 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 02/15] libxml2: security fix CVE-2015-7941-2 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 04/15] libxml2: security fix CVE-2015-7942 Armin Kuster
` (13 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...ng-early-on-if-encoding-conversion-failed.patch | 42 ++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
new file mode 100644
index 0000000..59425cb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
@@ -0,0 +1,42 @@
+From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 29 Jun 2015 16:10:26 +0800
+Subject: [PATCH] Fail parsing early on if encoding conversion failed
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751631
+
+If we fail conversing the current input stream while
+processing the encoding declaration of the XMLDecl
+then it's safer to just abort there and not try to
+report further errors.
+
+Upstream-Status: Backport
+
+CVE-2015-8317
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a3a9568..0edd53b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+
+ handler = xmlFindCharEncodingHandler((const char *) encoding);
+ if (handler != NULL) {
+- xmlSwitchToEncoding(ctxt, handler);
++ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
++ /* failed to convert */
++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
++ return(NULL);
++ }
+ } else {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
+ "Unsupported encoding %s\n", encoding);
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 04/15] libxml2: security fix CVE-2015-7942
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (2 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 03/15] libxml2: security fix CVE-2015-8317 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 05/15] libxml2: security fix CVE-2015-7942-2 Armin Kuster
` (12 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...iation-of-overflow-in-Conditional-section.patch | 39 ++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
new file mode 100644
index 0000000..40082ec
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
@@ -0,0 +1,39 @@
+From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: [PATCH] Another variation of overflow in Conditional sections
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+
+Upstream-Status: Backport
+
+CVE-2015-7942
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a65e4cc..b9217ff 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ "All markup of the conditional section is not in the same entity\n",
+ NULL, NULL);
+ }
+- SKIP(3);
++ if ((ctxt-> instate != XML_PARSER_EOF) &&
++ ((ctxt->input->cur + 3) < ctxt->input->end))
++ SKIP(3);
+ }
+ }
+
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 05/15] libxml2: security fix CVE-2015-7942-2
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (3 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 04/15] libxml2: security fix CVE-2015-7942 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 06/15] libxml2: security fix CVE-2015-8317 Armin Kuster
` (11 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...ror-in-previous-Conditional-section-patch.patch | 35 ++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
new file mode 100644
index 0000000..34b6036
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
@@ -0,0 +1,35 @@
+From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: [PATCH] Fix an error in previous Conditional section patch
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+
+Upstream-Status: Backport
+
+CVE-2015-7942-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9217ff..d67b300 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ NULL, NULL);
+ }
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
+- ((ctxt->input->cur + 3) < ctxt->input->end))
++ ((ctxt->input->cur + 3) <= ctxt->input->end))
+ SKIP(3);
+ }
+ }
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 06/15] libxml2: security fix CVE-2015-8317
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (4 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 05/15] libxml2: security fix CVE-2015-7942-2 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 07/15] libxml2: security fix CVE-2015-7498 Armin Kuster
` (10 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...2015-8035-Fix-XZ-compression-support-loop.patch | 38 ++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
new file mode 100644
index 0000000..7107355
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
@@ -0,0 +1,38 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+
+CVE-2015-8035
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+ return -1;
+ }
++ if (ret == LZMA_PROG_ERROR) {
++ xz_error(state, LZMA_PROG_ERROR, "compression error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 07/15] libxml2: security fix CVE-2015-7498
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (5 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 06/15] libxml2: security fix CVE-2015-8317 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 08/15] libxml2: security fix CVE-2015-7497 Armin Kuster
` (9 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...ssing-entities-after-encoding-conversion-.patch | 89 ++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
new file mode 100644
index 0000000..47ba897
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
@@ -0,0 +1,89 @@
+From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: [PATCH] Avoid processing entities after encoding conversion failures
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+
+Upstream-Status: Backport
+
+CVE-2015-7498
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 134afe7..c79b4e8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+ }
+ xmlParseEncodingDecl(ctxt);
+- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++ (ctxt->instate == XML_PARSER_EOF)) {
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+
+ if (CUR == 0) {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
++ return(-1);
+ }
+
+ /*
+@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ * Note that we will switch encoding on the fly.
+ */
+ xmlParseXMLDecl(ctxt);
+- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++ (ctxt->instate == XML_PARSER_EOF)) {
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+diff --git a/parserInternals.c b/parserInternals.c
+index df204fd..c8230c1 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+ xmlCharEncodingHandlerPtr handler;
+ int len = -1;
++ int ret;
+
+ if (ctxt == NULL) return(-1);
+ switch (enc) {
+@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ if (handler == NULL)
+ return(-1);
+ ctxt->charset = XML_CHAR_ENCODING_UTF8;
+- return(xmlSwitchToEncodingInt(ctxt, handler, len));
++ ret = xmlSwitchToEncodingInt(ctxt, handler, len);
++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
++ /*
++ * on encoding conversion errors, stop the parser
++ */
++ xmlStopParser(ctxt);
++ ctxt->errNo = XML_I18N_CONV_FAILED;
++ }
++ return(ret);
+ }
+
+ /**
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 08/15] libxml2: security fix CVE-2015-7497
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (6 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 07/15] libxml2: security fix CVE-2015-7498 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 09/15] libxml2: security fix CVE-2015-7499-1 Armin Kuster
` (8 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...97-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 ++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
new file mode 100644
index 0000000..955c961
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
@@ -0,0 +1,40 @@
+From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 10:47:12 +0800
+Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
+ xmlDictComputeFastQKey
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756528
+It was possible to hit a negative offset in the name indexing
+used to randomize the dictionary key generation
+Reported and fix provided by David Drysdale @ Google
+
+Upstream-Status: Backport
+
+CVE-2015-7497
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ dict.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 5f71d55..8c8f931 100644
+--- a/dict.c
++++ b/dict.c
+@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+ value += 30 * (*prefix);
+
+ if (len > 10) {
+- value += name[len - (plen + 1 + 1)];
++ int offset = len - (plen + 1 + 1);
++ if (offset < 0)
++ offset = len - (10 + 1);
++ value += name[offset];
+ len = 10;
+ if (plen > 10)
+ plen = 10;
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 09/15] libxml2: security fix CVE-2015-7499-1
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (7 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 08/15] libxml2: security fix CVE-2015-7497 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 10/15] libxml2: security fix CVE-2015-7499-2 Armin Kuster
` (7 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 ++++++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 0000000..e39ec65
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,88 @@
+From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: [PATCH] Add xmlHaltParser() to stop the parser
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+
+Upstream-Status: Backport
+
+CVE-2015-7499-1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index da6e729..b6e99b1 100644
+--- a/parser.c
++++ b/parser.c
+@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ const xmlChar *base, xmlParserCtxtPtr pctx);
+
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+ * *
+ * Arbitrary limits set in the parser. See XML_PARSE_HUGE *
+@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+ * @ctxt: an XML parser context
+ *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+ */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL)
+ return;
+ ctxt->instate = XML_PARSER_EOF;
+- ctxt->errNo = XML_ERR_USER_STOP;
+ ctxt->disableSAX = 1;
+ if (ctxt->input != NULL) {
++ /*
++ * in case there was a specific allocation deallocate before
++ * overriding base
++ */
++ if (ctxt->input->free != NULL) {
++ ctxt->input->free((xmlChar *) ctxt->input->base);
++ ctxt->input->free = NULL;
++ }
+ ctxt->input->cur = BAD_CAST"";
+ ctxt->input->base = ctxt->input->cur;
+ }
+ }
+
+ /**
++ * xmlStopParser:
++ * @ctxt: an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL)
++ return;
++ xmlHaltParser(ctxt);
++ ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+ * xmlCreateIOParserCtxt:
+ * @sax: a SAX handler
+ * @user_data: The user data returned on SAX callbacks
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 10/15] libxml2: security fix CVE-2015-7499-2
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (8 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 09/15] libxml2: security fix CVE-2015-7499-1 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 11/15] libxml2: depend fix security issue CVE-2015-7500 Armin Kuster
` (6 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 ++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 0000000..aff3920
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,43 @@
+From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: [PATCH] Detect incoherency on GROW
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+
+Upstream-Status: Backport
+
+CVE-2015-7499-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1810f99..ab007aa 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
++ return;
+ }
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++ if ((ctxt->input->cur > ctxt->input->end) ||
++ (ctxt->input->cur < ctxt->input->base)) {
++ xmlHaltParser(ctxt);
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++ return;
++ }
+ if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ xmlPopInput(ctxt);
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 11/15] libxml2: depend fix security issue CVE-2015-7500
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (9 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 10/15] libxml2: security fix CVE-2015-7499-2 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 12/15] libxml2: security fix CVE-2015-7500 Armin Kuster
` (5 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...n-name-parsing-at-the-end-of-current-inpu.patch | 138 +++++++++++++++++++++
1 file changed, 138 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
new file mode 100644
index 0000000..a86b9ee
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+
+Upstream-Status: backport
+
+Depend patch for CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 29 ++++++++++++++++++++---------
+ result/errors/754946.xml | 0
+ result/errors/754946.xml.err | 16 ++++++++++++++++
+ result/errors/754946.xml.str | 4 ++++
+ test/errors/754946.xml | 1 +
+ 5 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 result/errors/754946.xml
+ create mode 100644 result/errors/754946.xml.err
+ create mode 100644 result/errors/754946.xml.str
+ create mode 100644 test/errors/754946.xml
+
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ c = CUR_CHAR(l);
+ if (c == 0) {
+ count = 0;
++ /*
++ * when shrinking to extend the buffer we really need to preserve
++ * the part of the name we already parsed. Hence rolling back
++ * by current lenght.
++ */
++ ctxt->input->cur -= l;
+ GROW;
++ ctxt->input->cur += l;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+
+ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+- const xmlChar *in;
++ const xmlChar *in, *e;
+ const xmlChar *ret;
+ int count = 0;
+
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ * Accelerator for simple ASCII names
+ */
+ in = ctxt->input->cur;
+- if (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- (*in == '_')) {
++ e = ctxt->input->end;
++ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ (*in == '_')) && (in < e)) {
+ in++;
+- while (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- ((*in >= 0x30) && (*in <= 0x39)) ||
+- (*in == '_') || (*in == '-') ||
+- (*in == '.'))
++ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ ((*in >= 0x30) && (*in <= 0x39)) ||
++ (*in == '_') || (*in == '-') ||
++ (*in == '.')) && (in < e))
+ in++;
++ if (in >= e)
++ goto complex;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ return(ret);
+ }
+ }
++complex:
+ return(xmlParseNCNameComplex(ctxt));
+ }
+
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
++++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
++++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
++./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
++++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
++<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![
+\ No newline at end of file
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 12/15] libxml2: security fix CVE-2015-7500
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (10 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 11/15] libxml2: depend fix security issue CVE-2015-7500 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 13/15] libxml2: security fix CVE-2015-8242 Armin Kuster
` (4 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...00-Fix-memory-access-error-due-to-incorre.patch | 131 +++++++++++++++++++++
1 file changed, 131 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 0000000..b486079
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+This slightly modifies the output of 754946 in regression tests
+
+Upstream-Status: Backport
+
+CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 28 ++++++++++++++++++++++------
+ result/errors/754946.xml.err | 7 +++++--
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ const xmlChar **atts = ctxt->atts;
+ int maxatts = ctxt->maxatts;
+ int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol;
++ int i, j, nbNs, attval, oldline, oldcol, inputNr;
+ const xmlChar *base;
+ unsigned long cur;
+ int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+ SHRINK;
+ base = ctxt->input->base;
+ cur = ctxt->input->cur - ctxt->input->base;
++ inputNr = ctxt->inputNr;
+ oldline = ctxt->input->line;
+ oldcol = ctxt->input->col;
+ nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+ */
+ SKIP_BLANKS;
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+
+ while (((RAW != '>') &&
+ ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+
+ attname = xmlParseAttribute2(ctxt, prefix, localname,
+ &aprefix, &attvalue, &len, &alloc);
+- if (ctxt->input->base != base) {
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ if ((attvalue != NULL) && (alloc != 0))
+ xmlFree(attvalue);
+ attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+ break;
+ }
+ SKIP_BLANKS;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+
+@@ -9589,7 +9592,8 @@ failed:
+ GROW
+ if (ctxt->instate == XML_PARSER_EOF)
+ break;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+ break;
+ }
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ }
+
+ /*
+@@ -9772,6 +9777,17 @@ base_changed:
+ if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ xmlFree((xmlChar *) atts[i]);
+ }
++
++ /*
++ * We can't switch from one entity to another in the middle
++ * of a start tag
++ */
++ if (inputNr != ctxt->inputNr) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++ "Start tag doesn't start and stop in the same entity\n");
++ return(NULL);
++ }
++
+ ctxt->input->cur = ctxt->input->base + cur;
+ ctxt->input->line = oldline;
+ ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
++++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+ Entity: line 1:
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
++./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
++>%SYSTEM;<![
++ ^
+ ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+- ^
++>%SYSTEM;<![
++ ^
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 13/15] libxml2: security fix CVE-2015-8242
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (11 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 12/15] libxml2: security fix CVE-2015-7500 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 14/15] libxml2: security fix CVE-2015-5312 Armin Kuster
` (3 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...42-Buffer-overead-with-HTML-parser-in-pus.patch | 49 ++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
new file mode 100644
index 0000000..73531b3
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
@@ -0,0 +1,49 @@
+From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Fri, 20 Nov 2015 17:16:06 +0800
+Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756372
+Error in the code pointing to the codepoint in the stack for the
+current char value instead of the pointer in the input that the SAX
+callback expects
+Reported and fixed by Hugh Davenport
+
+Upstream-Status: Backport
+
+CVE-2015-8242
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index bdf7807..b729197 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ if (ctxt->keepBlanks) {
+ if (ctxt->sax->characters != NULL)
+ ctxt->sax->characters(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ } else {
+ if (ctxt->sax->ignorableWhitespace != NULL)
+ ctxt->sax->ignorableWhitespace(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ }
+ } else {
+ htmlCheckParagraph(ctxt);
+ if (ctxt->sax->characters != NULL)
+ ctxt->sax->characters(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ }
+ }
+ ctxt->token = 0;
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 14/15] libxml2: security fix CVE-2015-5312
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (12 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 13/15] libxml2: security fix CVE-2015-8242 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 15/15] libxml2: multiple security fixes Armin Kuster
` (2 subsequent siblings)
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
...-2015-5312-Another-entity-expansion-issue.patch | 39 ++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
new file mode 100644
index 0000000..979618d
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
@@ -0,0 +1,39 @@
+From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany @ Google
+Patch provided by David Drysdale @ Google
+
+Upstream-Status: Backport
+
+CVE-2015-5312
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b7b6668..da6e729 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 0, 0, 0);
+ ctxt->depth--;
+
++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++ goto int_error;
++
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+--
+2.3.5
+
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH][jethro][fido] 15/15] libxml2: multiple security fixes.
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (13 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 14/15] libxml2: security fix CVE-2015-5312 Armin Kuster
@ 2015-12-05 19:35 ` Armin Kuster
2015-12-08 8:16 ` [PATCH][jethro][fido][ 00/15] Libxml2: " Robert Yang
2015-12-16 21:05 ` Joshua Lock
16 siblings, 0 replies; 19+ messages in thread
From: Armin Kuster @ 2015-12-05 19:35 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
CVE-2015-7941-1
CVE-2015-7941-2
CVE-2015-8317
CVE-2015-7942
CVE-2015-7942-2
CVE-2015-8035
CVE-2015-7498
CVE-2015-7497
CVE-2015-5312
CVE-2015-7499-1
CVE-2015-7499-2
CVE-2015-7500
CVE-2015-8242
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/libxml/libxml2.inc | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 1c3c37d..0a85aaa 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -20,7 +20,21 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://python-sitepackages-dir.patch \
file://libxml-m4-use-pkgconfig.patch \
file://configure.ac-fix-cross-compiling-warning.patch \
+ file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \
+ file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \
file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+ file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \
+ file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
+ file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
+ file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
+ file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
+ file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
+ file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
+ file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
+ file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
+ file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \
+ file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
+ file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
"
BINCONFIG = "${bindir}/xml2-config"
--
2.3.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (14 preceding siblings ...)
2015-12-05 19:35 ` [PATCH][jethro][fido] 15/15] libxml2: multiple security fixes Armin Kuster
@ 2015-12-08 8:16 ` Robert Yang
2015-12-16 21:05 ` Joshua Lock
16 siblings, 0 replies; 19+ messages in thread
From: Robert Yang @ 2015-12-08 8:16 UTC (permalink / raw)
To: Armin Kuster, openembedded-core
Hi Armin,
With these patches, for jethro, I think that the following one is not
needed any more ?
commit d7fa0b41843dd417eba31f1a8dcd60ce08a57d66
Author: Armin Kuster <akuster@mvista.com>
Date: Wed Nov 11 14:21:46 2015 -0800
libxml2: fix CVE-2015-7942 and CVE-2015-8035
// Robert
On 12/06/2015 03:35 AM, Armin Kuster wrote:
> Each CVE is an independant patch so they can be easily merged to other distros
> and/or stable branches.
>
> I have included two previous CVE's sent for jethro which can be ignored.
> I put the CVE's in order as there where fixed upstream.
>
> Armin Kuster (15):
> libxml2: security fix CVE-2015-7941-1
> libxml2: security fix CVE-2015-7941-2
> libxml2: security fix CVE-2015-8317
> libxml2: security fix CVE-2015-7942
> libxml2: security fix CVE-2015-7942-2
> libxml2: security fix CVE-2015-8317
> libxml2: security fix CVE-2015-7498
> libxml2: security fix CVE-2015-7497
> libxml2: security fix CVE-2015-7499-1
> libxml2: security fix CVE-2015-7499-2
> libxml2: depend fix security issue CVE-2015-7500
> libxml2: security fix CVE-2015-7500
> libxml2: security fix CVE-2015-8242
> libxml2: security fix CVE-2015-5312
> libxml2: multiple security fixes.
>
> meta/recipes-core/libxml/libxml2.inc | 14 +++
> ...-2015-5312-Another-entity-expansion-issue.patch | 39 ++++++
> ...97-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 ++++++
> ...00-Fix-memory-access-error-due-to-incorre.patch | 131 +++++++++++++++++++
> ...2015-8035-Fix-XZ-compression-support-loop.patch | 38 ++++++
> ...42-Buffer-overead-with-HTML-parser-in-pus.patch | 49 ++++++++
> ...n-name-parsing-at-the-end-of-current-inpu.patch | 138 +++++++++++++++++++++
> ...ssing-entities-after-encoding-conversion-.patch | 89 +++++++++++++
> ...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 +++++++++++++
> ...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 +++++++
> ...top-parsing-on-entities-boundaries-errors.patch | 39 ++++++
> ...leanup-conditional-section-error-handling.patch | 56 +++++++++
> ...ror-in-previous-Conditional-section-patch.patch | 35 ++++++
> ...iation-of-overflow-in-Conditional-section.patch | 39 ++++++
> ...ng-early-on-if-encoding-conversion-failed.patch | 42 +++++++
> 15 files changed, 880 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
>
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
` (15 preceding siblings ...)
2015-12-08 8:16 ` [PATCH][jethro][fido][ 00/15] Libxml2: " Robert Yang
@ 2015-12-16 21:05 ` Joshua Lock
2015-12-21 16:12 ` akuster808
16 siblings, 1 reply; 19+ messages in thread
From: Joshua Lock @ 2015-12-16 21:05 UTC (permalink / raw)
To: openembedded-core
Hi Armin,
On 05/12/15 19:35, Armin Kuster wrote:
> Each CVE is an independant patch so they can be easily merged to other distros
> and/or stable branches.
As others have mentioned elsewhere I think this would be much nicer if
each patch was added to the SRC_URI in the same commit which introduces
the patch.
In addition, I believe it would also make sense to have 2 patches for
the same CVE applied at once?
Ideally this series would be 11 patches, each of which updated SRC_URI
and added the patch files to fix a single CVE.
What do you think? I am more than happy to take this series and make the
suggested change (11 commits, each editing SRC_URI) myself before
requesting my fido-next branch be merged?
Thanks,
Joshua
> I have included two previous CVE's sent for jethro which can be ignored.
> I put the CVE's in order as there where fixed upstream.
>
> Armin Kuster (15):
> libxml2: security fix CVE-2015-7941-1
> libxml2: security fix CVE-2015-7941-2
> libxml2: security fix CVE-2015-8317
> libxml2: security fix CVE-2015-7942
> libxml2: security fix CVE-2015-7942-2
> libxml2: security fix CVE-2015-8317
> libxml2: security fix CVE-2015-7498
> libxml2: security fix CVE-2015-7497
> libxml2: security fix CVE-2015-7499-1
> libxml2: security fix CVE-2015-7499-2
> libxml2: depend fix security issue CVE-2015-7500
> libxml2: security fix CVE-2015-7500
> libxml2: security fix CVE-2015-8242
> libxml2: security fix CVE-2015-5312
> libxml2: multiple security fixes.
>
> meta/recipes-core/libxml/libxml2.inc | 14 +++
> ...-2015-5312-Another-entity-expansion-issue.patch | 39 ++++++
> ...97-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 ++++++
> ...00-Fix-memory-access-error-due-to-incorre.patch | 131 +++++++++++++++++++
> ...2015-8035-Fix-XZ-compression-support-loop.patch | 38 ++++++
> ...42-Buffer-overead-with-HTML-parser-in-pus.patch | 49 ++++++++
> ...n-name-parsing-at-the-end-of-current-inpu.patch | 138 +++++++++++++++++++++
> ...ssing-entities-after-encoding-conversion-.patch | 89 +++++++++++++
> ...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 +++++++++++++
> ...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 +++++++
> ...top-parsing-on-entities-boundaries-errors.patch | 39 ++++++
> ...leanup-conditional-section-error-handling.patch | 56 +++++++++
> ...ror-in-previous-Conditional-section-patch.patch | 35 ++++++
> ...iation-of-overflow-in-Conditional-section.patch | 39 ++++++
> ...ng-early-on-if-encoding-conversion-failed.patch | 42 +++++++
> 15 files changed, 880 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
>
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes
2015-12-16 21:05 ` Joshua Lock
@ 2015-12-21 16:12 ` akuster808
0 siblings, 0 replies; 19+ messages in thread
From: akuster808 @ 2015-12-21 16:12 UTC (permalink / raw)
To: Joshua Lock, openembedded-core
On 12/16/2015 01:05 PM, Joshua Lock wrote:
> Hi Armin,
>
> On 05/12/15 19:35, Armin Kuster wrote:
>> Each CVE is an independant patch so they can be easily merged to other
>> distros
>> and/or stable branches.
>
> As others have mentioned elsewhere I think this would be much nicer if
> each patch was added to the SRC_URI in the same commit which introduces
> the patch.
>
> In addition, I believe it would also make sense to have 2 patches for
> the same CVE applied at once?
>
> Ideally this series would be 11 patches, each of which updated SRC_URI
> and added the patch files to fix a single CVE.
>
That make sense to me.
> What do you think?
I will have more free time soon so I can rend the series in a few days.
I am more than happy to take this series and make the
> suggested change (11 commits, each editing SRC_URI) myself before
> requesting my fido-next branch be merged?
- armin
>
> Thanks,
>
> Joshua
>
>> I have included two previous CVE's sent for jethro which can be ignored.
>> I put the CVE's in order as there where fixed upstream.
>>
>> Armin Kuster (15):
>> libxml2: security fix CVE-2015-7941-1
>> libxml2: security fix CVE-2015-7941-2
>> libxml2: security fix CVE-2015-8317
>> libxml2: security fix CVE-2015-7942
>> libxml2: security fix CVE-2015-7942-2
>> libxml2: security fix CVE-2015-8317
>> libxml2: security fix CVE-2015-7498
>> libxml2: security fix CVE-2015-7497
>> libxml2: security fix CVE-2015-7499-1
>> libxml2: security fix CVE-2015-7499-2
>> libxml2: depend fix security issue CVE-2015-7500
>> libxml2: security fix CVE-2015-7500
>> libxml2: security fix CVE-2015-8242
>> libxml2: security fix CVE-2015-5312
>> libxml2: multiple security fixes.
>>
>> meta/recipes-core/libxml/libxml2.inc | 14 +++
>> ...-2015-5312-Another-entity-expansion-issue.patch | 39 ++++++
>> ...97-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 ++++++
>> ...00-Fix-memory-access-error-due-to-incorre.patch | 131
>> +++++++++++++++++++
>> ...2015-8035-Fix-XZ-compression-support-loop.patch | 38 ++++++
>> ...42-Buffer-overead-with-HTML-parser-in-pus.patch | 49 ++++++++
>> ...n-name-parsing-at-the-end-of-current-inpu.patch | 138
>> +++++++++++++++++++++
>> ...ssing-entities-after-encoding-conversion-.patch | 89 +++++++++++++
>> ...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 +++++++++++++
>> ...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 +++++++
>> ...top-parsing-on-entities-boundaries-errors.patch | 39 ++++++
>> ...leanup-conditional-section-error-handling.patch | 56 +++++++++
>> ...ror-in-previous-Conditional-section-patch.patch | 35 ++++++
>> ...iation-of-overflow-in-Conditional-section.patch | 39 ++++++
>> ...ng-early-on-if-encoding-conversion-failed.patch | 42 +++++++
>> 15 files changed, 880 insertions(+)
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
>>
>>
>
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2015-12-21 16:12 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-05 19:35 [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 01/15] libxml2: security fix CVE-2015-7941-1 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 02/15] libxml2: security fix CVE-2015-7941-2 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 03/15] libxml2: security fix CVE-2015-8317 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 04/15] libxml2: security fix CVE-2015-7942 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 05/15] libxml2: security fix CVE-2015-7942-2 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 06/15] libxml2: security fix CVE-2015-8317 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 07/15] libxml2: security fix CVE-2015-7498 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 08/15] libxml2: security fix CVE-2015-7497 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 09/15] libxml2: security fix CVE-2015-7499-1 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 10/15] libxml2: security fix CVE-2015-7499-2 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 11/15] libxml2: depend fix security issue CVE-2015-7500 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 12/15] libxml2: security fix CVE-2015-7500 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 13/15] libxml2: security fix CVE-2015-8242 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 14/15] libxml2: security fix CVE-2015-5312 Armin Kuster
2015-12-05 19:35 ` [PATCH][jethro][fido] 15/15] libxml2: multiple security fixes Armin Kuster
2015-12-08 8:16 ` [PATCH][jethro][fido][ 00/15] Libxml2: " Robert Yang
2015-12-16 21:05 ` Joshua Lock
2015-12-21 16:12 ` akuster808
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.