* [PATCH 0/8] [jethro] 8 patches for jethro
@ 2015-12-01  9:44 Robert Yang
  2015-12-01  9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
                   ` (7 more replies)
  0 siblings, 8 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

Hello,

Here are 8 patches for jethro. There are still a few patches that are
requested but not included here because they have not been merged by
master by now.

All these patches have already been merged by master.

// Robert

The following changes since commit e44ed8c18e395b9c055aefee113b90708e8a8a2f:

  build-appliance-image: Update to jethro head revision (2015-11-03 14:02:57 +0000)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib rbt/jethro-next
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=rbt/HEAD

Alejandro del Castillo (1):
  opkg: add cache filename length fixes

Armin Kuster (2):
  libxslt: CVE-2015-7995
  libxml2: fix CVE-2015-7942 and CVE-2015-8035

Mark Hatle (1):
  binutils: Fix octeon3 disassembly patch

Maxin B. John (1):
  libsndfile: fix CVE-2014-9756

Ross Burton (3):
  libarchive: rename patch to reflect CVE
  readline: rename patch to contain CVE reference
  unzip: rename patch to reflect CVE fix

 meta/recipes-core/libxml/libxml2.inc               |    2 +
 .../libxml/libxml2/CVE-2015-7942.patch             |   55 +++++++++
 .../libxml/libxml2/CVE-2015-8035.patch             |   41 +++++++
 ...ne63-003.patch => readline-cve-2014-2524.patch} |    0
 meta/recipes-core/readline/readline_6.3.bb         |    2 +-
 .../binutils/binutils/binutils-octeon3.patch       |    2 +-
 ...ng_util-New-file-with-bin_to_hex-function.patch |  122 ++++++++++++++++++++
 .../opkg/0002-md5-Add-md5_to_string-function.patch |  110 ++++++++++++++++++
 ...0003-sha256-Add-sha256_to_string-function.patch |  110 ++++++++++++++++++
 ...4-opkg_download-Use-short-cache-file-name.patch |   85 ++++++++++++++
 meta/recipes-devtools/opkg/opkg_0.3.0.bb           |    4 +
 ...option.patch => libarchive-CVE-2015-2304.patch} |    0
 .../libarchive/libarchive_3.1.2.bb                 |    2 +-
 ...nzip-6.0_overflow3.diff => cve-2014-9636.patch} |    0
 meta/recipes-extended/unzip/unzip_6.0.bb           |    2 +-
 .../files/libsndfile-fix-CVE-2014-9756.patch       |   24 ++++
 .../libsndfile/libsndfile1_1.0.25.bb               |    1 +
 .../libxslt/libxslt/CVE-2015-7995.patch            |   33 ++++++
 meta/recipes-support/libxslt/libxslt_1.1.28.bb     |    3 +-
 19 files changed, 593 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
 rename meta/recipes-core/readline/readline-6.3/{readline63-003.patch => readline-cve-2014-2524.patch} (100%)
 create mode 100644 meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
 rename meta/recipes-extended/libarchive/libarchive/{0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch => libarchive-CVE-2015-2304.patch} (100%)
 rename meta/recipes-extended/unzip/unzip/{unzip-6.0_overflow3.diff => cve-2014-9636.patch} (100%)
 create mode 100644 meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch

-- 
1.7.9.5




* [PATCH 1/8] opkg: add cache filename length fixes
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01  9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Alejandro del Castillo <alejandro.delcastillo@ni.com>

(From OE-Core master rev: 8e53500a7c05204fc63759f456639545a022e82b)

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 ...ng_util-New-file-with-bin_to_hex-function.patch |  122 ++++++++++++++++++++
 .../opkg/0002-md5-Add-md5_to_string-function.patch |  110 ++++++++++++++++++
 ...0003-sha256-Add-sha256_to_string-function.patch |  110 ++++++++++++++++++
 ...4-opkg_download-Use-short-cache-file-name.patch |   85 ++++++++++++++
 meta/recipes-devtools/opkg/opkg_0.3.0.bb           |    4 +
 5 files changed, 431 insertions(+)
 create mode 100644 meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch

diff --git a/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch b/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
new file mode 100644
index 0000000..fb3ac46
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
@@ -0,0 +1,122 @@
+From 646b80024567a6245c598be3374653fa1fa09a12 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:49 +0000
+Subject: [PATCH 1/4] string_util: New file with bin_to_hex function
+
+This function does very simple conversion from binary data to a hex string.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/Makefile.am   |  4 ++--
+ libopkg/string_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ libopkg/string_util.h | 24 ++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 libopkg/string_util.c
+ create mode 100644 libopkg/string_util.h
+
+diff --git a/libopkg/Makefile.am b/libopkg/Makefile.am
+index ee3fbee..3e62c24 100644
+--- a/libopkg/Makefile.am
++++ b/libopkg/Makefile.am
+@@ -13,7 +13,7 @@ opkg_headers = active_list.h cksum_list.h conffile.h conffile_list.h \
+ 	pkg_depends.h pkg_dest.h pkg_dest_list.h pkg_extract.h pkg_hash.h \
+ 	pkg_parse.h pkg_src.h pkg_src_list.h pkg_vec.h release.h \
+ 	release_parse.h sha256.h sprintf_alloc.h str_list.h void_list.h \
+-	xregex.h xsystem.h xfuncs.h opkg_verify.h
++	xregex.h xsystem.h xfuncs.h opkg_verify.h string_util.h
+ 
+ opkg_sources = opkg_cmd.c opkg_configure.c opkg_download.c \
+ 	opkg_install.c opkg_remove.c opkg_conf.c release.c \
+@@ -23,7 +23,7 @@ opkg_sources = opkg_cmd.c opkg_configure.c opkg_download.c \
+ 	pkg_src.c pkg_src_list.c str_list.c void_list.c active_list.c \
+ 	file_util.c opkg_message.c md5.c parse_util.c cksum_list.c \
+ 	sprintf_alloc.c xregex.c xsystem.c xfuncs.c opkg_archive.c \
+-	opkg_verify.c
++	opkg_verify.c string_util.c
+ 
+ if HAVE_CURL
+ opkg_sources += opkg_download_curl.c
+diff --git a/libopkg/string_util.c b/libopkg/string_util.c
+new file mode 100644
+index 0000000..822cab6
+--- /dev/null
++++ b/libopkg/string_util.c
+@@ -0,0 +1,42 @@
++/* vi: set expandtab sw=4 sts=4: */
++/* string_util.c - convenience routines for common string operations
++
++   Copyright (C) 2015 Paul Barker
++
++   This program is free software; you can redistribute it and/or
++   modify it under the terms of the GNU General Public License as
++   published by the Free Software Foundation; either version 2, or (at
++   your option) any later version.
++
++   This program is distributed in the hope that it will be useful, but
++   WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   General Public License for more details.
++*/
++
++#include "config.h"
++
++#include "string_util.h"
++#include "xfuncs.h"
++
++char *bin_to_hex(const void *bin_data, size_t len)
++{
++    const unsigned char *src = (const unsigned char *)bin_data;
++    char *buf = xmalloc(2 * len + 1);
++    int i;
++
++    static const unsigned char bin2hex[16] = {
++        '0', '1', '2', '3',
++        '4', '5', '6', '7',
++        '8', '9', 'a', 'b',
++        'c', 'd', 'e', 'f'
++    };
++
++    for (i = 0; i < len; i++) {
++        buf[i * 2] = bin2hex[src[i] >> 4];
++        buf[i * 2 + 1] = bin2hex[src[i] & 0xf];
++    }
++
++    buf[len * 2] = '\0';
++    return buf;
++}
+diff --git a/libopkg/string_util.h b/libopkg/string_util.h
+new file mode 100644
+index 0000000..a920e2a
+--- /dev/null
++++ b/libopkg/string_util.h
+@@ -0,0 +1,24 @@
++/* vi: set expandtab sw=4 sts=4: */
++/* string_util.h - convenience routines for common file operations
++
++   Copyright (C) 2015 Paul Barker
++
++   This program is free software; you can redistribute it and/or
++   modify it under the terms of the GNU General Public License as
++   published by the Free Software Foundation; either version 2, or (at
++   your option) any later version.
++
++   This program is distributed in the hope that it will be useful, but
++   WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   General Public License for more details.
++*/
++
++#ifndef STRING_UTIL_H
++#define STRING_UTIL_H
++
++#include <stddef.h>
++
++char *bin_to_hex(const void *bin_data, size_t len);
++
++#endif /* STRING_UTIL_H */
+-- 
+1.9.1
+
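
Review bot: In bin_to_hex() in libopkg/string_util.c the loop counter is declared `int i` but compared against `size_t len`, so the comparison mixes signed and unsigned and `i` would overflow before reaching a len above INT_MAX; declare it `size_t i`. The allocation `xmalloc(2 * len + 1)` also wraps for len above SIZE_MAX/2; the callers in this series pass 16 and 32, so this is hardening rather than a live bug, but a guard or a documented precondition in string_util.h would make the contract explicit. Separately, the header comment in string_util.h reads "convenience routines for common file operations", which looks copied from another header and should say string operations as string_util.c does.
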
diff --git a/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch b/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
new file mode 100644
index 0000000..3b823c6
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
@@ -0,0 +1,110 @@
+From ecad8afab377d8be95eeaafc08afa228c8e030c3 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:50 +0000
+Subject: [PATCH 2/4] md5: Add md5_to_string function
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/file_util.c | 28 +++-------------------------
+ libopkg/md5.c       |  7 +++++++
+ libopkg/md5.h       |  3 +++
+ 3 files changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index 5eff469..cb3dbf0 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -349,27 +349,13 @@ int file_mkdir_hier(const char *path, long mode)
+ 
+ char *file_md5sum_alloc(const char *file_name)
+ {
+-    static const int md5sum_bin_len = 16;
+-    static const int md5sum_hex_len = 32;
+-
+-    static const unsigned char bin2hex[16] = {
+-        '0', '1', '2', '3',
+-        '4', '5', '6', '7',
+-        '8', '9', 'a', 'b',
+-        'c', 'd', 'e', 'f'
+-    };
+-
+-    int i, err;
++    int err;
+     FILE *file;
+-    char *md5sum_hex;
+-    unsigned char md5sum_bin[md5sum_bin_len];
+-
+-    md5sum_hex = xcalloc(1, md5sum_hex_len + 1);
++    unsigned char md5sum_bin[16];
+ 
+     file = fopen(file_name, "r");
+     if (file == NULL) {
+         opkg_perror(ERROR, "Failed to open file %s", file_name);
+-        free(md5sum_hex);
+         return NULL;
+     }
+ 
+@@ -377,20 +363,12 @@ char *file_md5sum_alloc(const char *file_name)
+     if (err) {
+         opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);
+         fclose(file);
+-        free(md5sum_hex);
+         return NULL;
+     }
+ 
+     fclose(file);
+ 
+-    for (i = 0; i < md5sum_bin_len; i++) {
+-        md5sum_hex[i * 2] = bin2hex[md5sum_bin[i] >> 4];
+-        md5sum_hex[i * 2 + 1] = bin2hex[md5sum_bin[i] & 0xf];
+-    }
+-
+-    md5sum_hex[md5sum_hex_len] = '\0';
+-
+-    return md5sum_hex;
++    return md5_to_string(md5sum_bin);
+ }
+ 
+ #ifdef HAVE_SHA256
+diff --git a/libopkg/md5.c b/libopkg/md5.c
+index d476b8b..bc2b229 100644
+--- a/libopkg/md5.c
++++ b/libopkg/md5.c
+@@ -30,6 +30,8 @@
+ #include <string.h>
+ #include <sys/types.h>
+ 
++#include "string_util.h"
++
+ #if USE_UNLOCKED_IO
+ #include "unlocked-io.h"
+ #endif
+@@ -431,3 +433,8 @@ void md5_process_block(const void *buffer, size_t len, struct md5_ctx *ctx)
+     ctx->C = C;
+     ctx->D = D;
+ }
++
++char *md5_to_string(const void *md5sum_bin)
++{
++    return bin_to_hex(md5sum_bin, 16);
++}
+diff --git a/libopkg/md5.h b/libopkg/md5.h
+index 01320f5..2a7274d 100644
+--- a/libopkg/md5.h
++++ b/libopkg/md5.h
+@@ -118,6 +118,9 @@ extern int __md5_stream(FILE * stream, void *resblock) __THROW;
+ extern void *__md5_buffer(const char *buffer, size_t len,
+                           void *resblock) __THROW;
+ 
++/* Convert a binary md5sum value to an ASCII string. */
++char *md5_to_string(const void *md5sum_bin);
++
+ #ifdef __cplusplus
+ }
+ #endif
+-- 
+1.9.1
+
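
Review bot: md5_to_string() in libopkg/md5.c takes `const void *md5sum_bin` and always reads 16 bytes, while the caller in file_util.c now declares `unsigned char md5sum_bin[16]` with a bare literal; the named constant this patch removes (md5sum_bin_len) was the only thing tying the buffer size to the conversion length. Suggest a shared digest-size macro in md5.h used at both sites, and have the md5.h comment state that the input must hold 16 bytes and that the caller frees the returned string.
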
diff --git a/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch b/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
new file mode 100644
index 0000000..16e82d7
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
@@ -0,0 +1,110 @@
+From 92e8378103bba3b91f2dec4e6fda3e1755a7c0fd Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:51 +0000
+Subject: [PATCH 3/4] sha256: Add sha256_to_string function
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/file_util.c | 28 +++-------------------------
+ libopkg/sha256.c    |  7 +++++++
+ libopkg/sha256.h    |  3 +++
+ 3 files changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index cb3dbf0..864aedb 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -374,27 +374,13 @@ char *file_md5sum_alloc(const char *file_name)
+ #ifdef HAVE_SHA256
+ char *file_sha256sum_alloc(const char *file_name)
+ {
+-    static const int sha256sum_bin_len = 32;
+-    static const int sha256sum_hex_len = 64;
+-
+-    static const unsigned char bin2hex[16] = {
+-        '0', '1', '2', '3',
+-        '4', '5', '6', '7',
+-        '8', '9', 'a', 'b',
+-        'c', 'd', 'e', 'f'
+-    };
+-
+-    int i, err;
++    int err;
+     FILE *file;
+-    char *sha256sum_hex;
+-    unsigned char sha256sum_bin[sha256sum_bin_len];
+-
+-    sha256sum_hex = xcalloc(1, sha256sum_hex_len + 1);
++    unsigned char sha256sum_bin[32];
+ 
+     file = fopen(file_name, "r");
+     if (file == NULL) {
+         opkg_perror(ERROR, "Failed to open file %s", file_name);
+-        free(sha256sum_hex);
+         return NULL;
+     }
+ 
+@@ -402,20 +388,12 @@ char *file_sha256sum_alloc(const char *file_name)
+     if (err) {
+         opkg_msg(ERROR, "Could't compute sha256sum for %s.\n", file_name);
+         fclose(file);
+-        free(sha256sum_hex);
+         return NULL;
+     }
+ 
+     fclose(file);
+ 
+-    for (i = 0; i < sha256sum_bin_len; i++) {
+-        sha256sum_hex[i * 2] = bin2hex[sha256sum_bin[i] >> 4];
+-        sha256sum_hex[i * 2 + 1] = bin2hex[sha256sum_bin[i] & 0xf];
+-    }
+-
+-    sha256sum_hex[sha256sum_hex_len] = '\0';
+-
+-    return sha256sum_hex;
++    return sha256_to_string(sha256sum_bin);
+ }
+ 
+ #endif
+diff --git a/libopkg/sha256.c b/libopkg/sha256.c
+index 0816858..bceed72 100644
+--- a/libopkg/sha256.c
++++ b/libopkg/sha256.c
+@@ -29,6 +29,8 @@
+ #include <stddef.h>
+ #include <string.h>
+ 
++#include "string_util.h"
++
+ #if USE_UNLOCKED_IO
+ #include "unlocked-io.h"
+ #endif
+@@ -517,3 +519,8 @@ void sha256_process_block(const void *buffer, size_t len,
+         h = ctx->state[7] += h;
+     }
+ }
++
++char *sha256_to_string(const void *sha256sum_bin)
++{
++    return bin_to_hex(sha256sum_bin, 32);
++}
+diff --git a/libopkg/sha256.h b/libopkg/sha256.h
+index 734ab54..0d1e9e5 100644
+--- a/libopkg/sha256.h
++++ b/libopkg/sha256.h
+@@ -85,6 +85,9 @@ extern int sha224_stream(FILE * stream, void *resblock);
+ extern void *sha256_buffer(const char *buffer, size_t len, void *resblock);
+ extern void *sha224_buffer(const char *buffer, size_t len, void *resblock);
+ 
++/* Convert a binary sha256sum value to an ASCII string. */
++char *sha256_to_string(const void *sha256sum_bin);
++
+ #ifdef __cplusplus
+ }
+ #endif
+-- 
+1.9.1
+
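
Review bot: sha256_to_string() in libopkg/sha256.c unconditionally reads 32 bytes through a `const void *`, and sha256.h declares it directly below sha224_stream() and sha224_buffer(), whose 28-byte digests are shorter; handing a SHA-224 result to this function would read past the end of the digest. Suggest stating in the sha256.h comment that the input must be a 32-byte SHA-256 digest, or taking `const unsigned char *` together with a size constant so that misuse is easier to spot in review.
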
diff --git a/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch b/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
new file mode 100644
index 0000000..7ea661d
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
@@ -0,0 +1,85 @@
+From 61636f15718edc7ea17b91f22f1d97b905eaf951 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:52 +0000
+Subject: [PATCH 4/4] opkg_download: Use short cache file name
+
+Source URIs can be very long. The cache directory itself may already have a very
+long path, especially if we're installing packages into an offline rootfs.
+Therefore it's not a good idea to simply tag the source URI onto the cache
+directory path to create a cache file name.
+
+To create shorter cache file names which are deterministic and very likely to be
+unique, we use the md5sum of the source URI along with the basename of the
+source URI. The basename is length limited to ensure that it the resulting
+filename length is always reasonable.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/opkg_download.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
+index e9b86a5..a37b10d 100644
+--- a/libopkg/opkg_download.c
++++ b/libopkg/opkg_download.c
+@@ -29,10 +29,18 @@
+ #include "opkg_verify.h"
+ #include "opkg_utils.h"
+ 
++#include "md5.h"
+ #include "sprintf_alloc.h"
+ #include "file_util.h"
+ #include "xfuncs.h"
+ 
++/* Limit the short file name used to generate cache file names to 90 characters
++ * so that when added to the md5sum (32 characters) and an underscore, the
++ * resulting length is below 128 characters. The maximum file name length
++ * differs between plaforms but 128 characters should be reasonable.
++ */
++#define MAX_SHORT_FILE_NAME_LENGTH 90
++
+ static int opkg_download_set_env()
+ {
+     int r;
+@@ -135,15 +143,28 @@ int opkg_download_internal(const char *src, const char *dest,
+  */
+ char *get_cache_location(const char *src)
+ {
+-    char *cache_name = xstrdup(src);
+-    char *cache_location, *p;
++    unsigned char md5sum_bin[16];
++    char *md5sum_hex;
++    char *cache_location;
++    char *short_file_name;
++    char *tmp = xstrdup(src);
+ 
+-    for (p = cache_name; *p; p++)
+-        if (*p == '/')
+-            *p = '_';
++    md5_buffer(src, strlen(src), md5sum_bin);
++    md5sum_hex = md5_to_string(md5sum_bin);
+ 
+-    sprintf_alloc(&cache_location, "%s/%s", opkg_config->cache_dir, cache_name);
+-    free(cache_name);
++    /* Generate a short file name which will be used along with an md5sum of the
++     * full src URI in the cache file name. This short file name is limited to
++     * MAX_SHORT_FILE_NAME_LENGTH to ensure that the total cache file name
++     * length is reasonable.
++     */
++    short_file_name = basename(tmp);
++    if (strlen(short_file_name) > MAX_SHORT_FILE_NAME_LENGTH)
++        short_file_name[MAX_SHORT_FILE_NAME_LENGTH] = '\0';
++
++    sprintf_alloc(&cache_location, "%s/%s_%s", opkg_config->cache_dir,
++                  md5sum_hex, short_file_name);
++    free(md5sum_hex);
++    free(tmp);
+     return cache_location;
+ }
+ 
+-- 
+1.9.1
+
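
Review bot: get_cache_location() now calls basename(tmp), but the only include this hunk adds is `#include "md5.h"`, so which basename() is used depends on headers not shown here: the POSIX version from <libgen.h> may modify its argument and returns the last component for a src ending in '/', while the GNU version from <string.h> returns an empty string in that case, leaving a cache name of just the md5sum and an underscore. Please include <libgen.h> explicitly (or state that the GNU variant is intended) so the result is the same on glibc and on other C libraries. The truncation at MAX_SHORT_FILE_NAME_LENGTH counts bytes, so it can cut a multi-byte character in half; uniqueness is unaffected because the md5sum prefix carries it, but the comment could say so. Typos: "plaforms" in the new comment and "ensure that it the resulting" in the commit message.
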
diff --git a/meta/recipes-devtools/opkg/opkg_0.3.0.bb b/meta/recipes-devtools/opkg/opkg_0.3.0.bb
index 588250e..5ad3e92 100644
--- a/meta/recipes-devtools/opkg/opkg_0.3.0.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.3.0.bb
@@ -17,6 +17,10 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz
            file://0001-opkg_archive-add-support-for-empty-compressed-files.patch \
            file://0001-libopkg-include-stdio.h-for-getting-FILE-defined.patch \
            file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
+           file://0001-string_util-New-file-with-bin_to_hex-function.patch \
+           file://0002-md5-Add-md5_to_string-function.patch \
+           file://0003-sha256-Add-sha256_to_string-function.patch \
+           file://0004-opkg_download-Use-short-cache-file-name.patch \
 "
 
 SRC_URI[md5sum] = "3412cdc71d78b98facc84b19331ec64e"
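
Review bot: The four SRC_URI entries are added under a commit message that has no body beyond the master revision reference; a sentence on the problem being fixed (over-long cache file names, as described in 0004-opkg_download-Use-short-cache-file-name.patch) would help anyone reading the jethro log. The 0001 to 0004 order should be kept as listed, since 0002 and 0003 include string_util.h from 0001 and 0004 calls md5_to_string() from 0002.
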
-- 
1.7.9.5




* [PATCH 2/8] binutils: Fix octeon3 disassembly patch
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
  2015-12-01  9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01  9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Mark Hatle <mark.hatle@windriver.com>

The structure has apparently changed, and there was a missing
setting.  This corrects a segfault when disassembling code.

(From OE-Core master rev: 2e8f1ffe3a8d7740b0ac68eefbba3fe28f7ba6d4)

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../binutils/binutils/binutils-octeon3.patch       |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch b/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch
index 6108c0d..4e8c69f 100644
--- a/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch
+++ b/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch
@@ -229,7 +229,7 @@ Index: git/opcodes/mips-dis.c
 +  { "octeon3",   1, bfd_mach_mips_octeon3, CPU_OCTEON3,
 +    ISA_MIPS64R2 | INSN_OCTEON3, ASE_VIRT | ASE_VIRT64,
 +    mips_cp0_names_numeric,
-+    NULL, 0, mips_hwr_names_numeric },
++    NULL, 0, mips_cp1_names_mips3264, mips_hwr_names_numeric },
 +
    { "xlr", 1, bfd_mach_mips_xlr, CPU_XLR,
      ISA_MIPS64 | INSN_XLR, 0,
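
Review bot: The "octeon3" entry is a positional initializer, so on the removed line `NULL, 0, mips_hwr_names_numeric },` the table pointer landed one member early and the last member was left zeroed without any compile error; the commit message only says the structure has "apparently changed". Suggest naming the added member (the cp1 names table) in the commit message and checking every other entry that binutils-octeon3.patch adds for the same field count, since the compiler will not flag a short positional initializer.
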
-- 
1.7.9.5




* [PATCH 3/8] libarchive: rename patch to reflect CVE
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
  2015-12-01  9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
  2015-12-01  9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01  9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross.burton@intel.com>

This patch is a CVE fix, so rename it to help CVE detection tools identify it as
such.

(From OE-Core master rev: 3fd05ce1f709cbbd8fdeb1dbfdffbd39922eca6e)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 ...option.patch => libarchive-CVE-2015-2304.patch} |    0
 .../libarchive/libarchive_3.1.2.bb                 |    2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/libarchive/libarchive/{0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch => libarchive-CVE-2015-2304.patch} (100%)

diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch b/meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2015-2304.patch
similarity index 100%
rename from meta/recipes-extended/libarchive/libarchive/0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
rename to meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2015-2304.patch
diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
index aaa3255..716db9a 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
@@ -32,7 +32,7 @@ PACKAGECONFIG[nettle] = "--with-nettle,--without-nettle,nettle,"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://libarchive-CVE-2013-0211.patch \
            file://pkgconfig.patch \
-           file://0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch \
+           file://libarchive-CVE-2015-2304.patch \
            file://mkdir.patch \
            "
 
-- 
1.7.9.5




* [PATCH 4/8] readline: rename patch to contain CVE reference
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
                   ` (2 preceding siblings ...)
  2015-12-01  9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01  9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross.burton@intel.com>

To help automated scanning of CVEs, put the CVE ID in the filename.

(From OE-Core master rev: 211bce4f23230c7898cccdb73b582420f830f977)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 ...ne63-003.patch => readline-cve-2014-2524.patch} |    0
 meta/recipes-core/readline/readline_6.3.bb         |    2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/readline/readline-6.3/{readline63-003.patch => readline-cve-2014-2524.patch} (100%)

diff --git a/meta/recipes-core/readline/readline-6.3/readline63-003.patch b/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch
similarity index 100%
rename from meta/recipes-core/readline/readline-6.3/readline63-003.patch
rename to meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch
diff --git a/meta/recipes-core/readline/readline_6.3.bb b/meta/recipes-core/readline/readline_6.3.bb
index 6ba1c18..fc362ae 100644
--- a/meta/recipes-core/readline/readline_6.3.bb
+++ b/meta/recipes-core/readline/readline_6.3.bb
@@ -1,6 +1,6 @@
 require readline.inc
 
-SRC_URI += "file://readline63-003.patch;striplevel=0 \
+SRC_URI += "file://readline-cve-2014-2524.patch;striplevel=0 \
             file://readline-dispatch-multikey.patch"
 
 SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a"
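
Review bot: The new file name `readline-cve-2014-2524.patch` spells the identifier in lower case, while the libarchive rename in this series uses `libarchive-CVE-2015-2304.patch` and the unzip rename uses `cve-2014-9636.patch` with no package prefix. Since the stated goal is automated scanning, a scanner that matches on file names has to be case-insensitive and accept all three patterns; suggest settling on one spelling for these renames, or noting in the commit message that matching is expected to be case-insensitive.
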
-- 
1.7.9.5




* [PATCH 5/8] unzip: rename patch to reflect CVE fix
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
                   ` (3 preceding siblings ...)
  2015-12-01  9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01  9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross.burton@intel.com>

(From OE-Core rev: e3d2974348bd830ec2fcf84ea08cbf38abbc0327)

(master rev: 78e05984b1ac48b1f25547ccd9740611cd5890a9)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 ...nzip-6.0_overflow3.diff => cve-2014-9636.patch} |    0
 meta/recipes-extended/unzip/unzip_6.0.bb           |    2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/unzip/unzip/{unzip-6.0_overflow3.diff => cve-2014-9636.patch} (100%)

diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/cve-2014-9636.patch
similarity index 100%
rename from meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
rename to meta/recipes-extended/unzip/unzip/cve-2014-9636.patch
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 9e63d3a..b386323 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -10,7 +10,7 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
 	file://avoid-strip.patch \
 	file://define-ldflags.patch \
 	file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
-	file://unzip-6.0_overflow3.diff \
+	file://cve-2014-9636.patch \
 	file://09-cve-2014-8139-crc-overflow.patch \
 	file://10-cve-2014-8140-test-compr-eb.patch \
 	file://11-cve-2014-8141-getzip64data.patch \
-- 
1.7.9.5




* [PATCH 6/8] libxslt: CVE-2015-7995
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
                   ` (4 preceding siblings ...)
  2015-12-01  9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01  9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
  2015-12-01  9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

This is being given a High rating so please consider it for
all 1.1.28 versions.

A type confusion error within the libxslt "xsltStylePreCompute()"
function in preproc.c can lead to a DoS. Confirmed in version 1.1.28,
other versions may also be affected.

(From OE-Core master rev: 0f89bbab6588a1171259801fa879516740030acb)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../libxslt/libxslt/CVE-2015-7995.patch            |   33 ++++++++++++++++++++
 meta/recipes-support/libxslt/libxslt_1.1.28.bb     |    3 +-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
new file mode 100644
index 0000000..e4d09c2
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
@@ -0,0 +1,33 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxslt-1.1.28/libxslt/preproc.c
+===================================================================
+--- libxslt-1.1.28.orig/libxslt/preproc.c
++++ libxslt-1.1.28/libxslt/preproc.c
+@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
+ 	} else if (IS_XSLT_NAME(inst, "attribute")) {
+ 	    xmlNodePtr parent = inst->parent;
+ 
+-	    if ((parent == NULL) || (parent->ns == NULL) ||
++	    if ((parent == NULL) ||
++	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ 		((parent->ns != inst->ns) &&
+ 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
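Review bot: In the rewritten condition in xsltStylePreCompute(), `inst->ns->href` is still dereferenced whenever `parent->ns != inst->ns`, and nothing in the visible context shows `inst->ns` being checked for NULL; please confirm the enclosing code guarantees that, or note it in the patch header. The new `(parent->type != XML_ELEMENT_NODE)` test is correctly placed before the first use of `parent->ns`, which is the order the upstream message asks for. The added continuation line is indented with a tab plus spaces while its neighbours use tabs only; as this is a verbatim backport, keeping upstream's whitespace is fine.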
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
index 166bcd8..87fabec 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
@@ -10,7 +10,8 @@ DEPENDS = "libxml2"
 
 SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
            file://pkgconfig_fix.patch \
-           file://pkgconfig.patch"
+           file://pkgconfig.patch \
+           file://CVE-2015-7995.patch"
 
 SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
 SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
-- 
1.7.9.5




* [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
                   ` (5 preceding siblings ...)
  2015-12-01  9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  2015-12-01 22:48   ` Andre McCurdy
  2015-12-01  9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang
  7 siblings, 1 reply; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled

[YOCTO #8641]

(From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 meta/recipes-core/libxml/libxml2.inc               |    2 +
 .../libxml/libxml2/CVE-2015-7942.patch             |   55 ++++++++++++++++++++
 .../libxml/libxml2/CVE-2015-8035.patch             |   41 +++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 1c3c37d..6ada401 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://configure.ac-fix-cross-compiling-warning.patch \
            file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+           file://CVE-2015-7942.patch \
+           file://CVE-2015-8035.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000..a5930ed
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,55 @@
+libxml2: CVE-2015-7942
+
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+
+[YOCTO #8641]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++	xmlStopParser(ctxt);
++	return;
+     }
+ 
+     if (RAW == 0)
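Review bot: The header of CVE-2015-7942.patch never ties this change to the heap-based buffer overflow named in the commit message: the upstream subject is "Cleanup conditional section error handling" and the body says the error handling "also need to be straightened", which reads as a follow-up to another change for bug 744980. The three added `xmlStopParser(ctxt); return;` pairs only end parsing on the XML_ERR_CONDSEC_INVALID and XML_ERR_CONDSEC_INVALID_KEYWORD branches, so please state in the header whether a companion upstream commit is required for the CVE, and add it to SRC_URI if it is.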
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000..d175f74
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,41 @@
+libxml2: CVE-2015-8035
+
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
+
+[YOCTO #8641]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+cgit v0.11.2
+
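Review bot: The upstream message carried in this header says XZ support "wasn't the case for 2.9.2", and the sibling patch in this series applies to libxml2-2.9.2, so the header should say whether the xz_decomp() path is built in this recipe at all or whether the fix is carried as a precaution. In the added LZMA_PROG_ERROR branch the string passed to xz_error() is "compression error" although this is the decompression loop; that is upstream's wording and should stay as is for a backport. The trailing "cgit v0.11.2" footer inside the patch file is web-export residue and can be dropped.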
-- 
1.7.9.5




* [PATCH 8/8] libsndfile: fix CVE-2014-9756
  2015-12-01  9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
                   ` (6 preceding siblings ...)
  2015-12-01  9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
@ 2015-12-01  9:44 ` Robert Yang
  7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01  9:44 UTC (permalink / raw)
  To: openembedded-core

From: "Maxin B. John" <maxin.john@intel.com>

Fix divide by zero bug (CVE-2014-9756)

(From OE-Core master rev: f47cf07ab9d00ed7eddc8e867138481f7bd2bb7d)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../files/libsndfile-fix-CVE-2014-9756.patch       |   24 ++++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.25.bb               |    1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch

diff --git a/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
new file mode 100644
index 0000000..b54b3ba
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
@@ -0,0 +1,24 @@
+src/file_io.c : Prevent potential divide-by-zero.
+
+Closes: https://github.com/erikd/libsndfile/issues/92
+
+Upstream-Status: Backport
+
+Fixes CVE-2014-9756
+
+Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+diff -Naur libsndfile-1.0.25-orig/src/file_io.c libsndfile-1.0.25/src/file_io.c
+--- libsndfile-1.0.25-orig/src/file_io.c	2011-01-19 12:12:28.000000000 +0200
++++ libsndfile-1.0.25/src/file_io.c	2015-11-04 15:02:04.337395618 +0200
+@@ -358,6 +358,9 @@
+ {	sf_count_t total = 0 ;
+ 	ssize_t	count ;
+ 
++    if (bytes == 0 || items == 0)
++        return 0 ;
++
+ 	if (psf->virtual_io)
+ 		return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;
+ 
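Review bot: `Upstream-Status: Backport` in the header of libsndfile-fix-CVE-2014-9756.patch gives no upstream commit id or URL, only the issue link, unlike the libxslt and libxml2 backports in this series; please add the commit reference so the backport can be checked against upstream. The added guard `if (bytes == 0 || items == 0)` is indented with spaces where the surrounding lines use tabs. The hunk covers only the one `/ bytes` division visible here, so it is worth confirming that no other function in src/file_io.c divides by `bytes` without the same guard.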
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
index 3e02f4e..be875c2 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
@@ -9,6 +9,7 @@ PR = "r2"
 SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch \
            file://0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch \
+           file://libsndfile-fix-CVE-2014-9756.patch \
 "
 
 SRC_URI[md5sum] = "e2b7bb637e01022c7d20f95f9c3990a2"
-- 
1.7.9.5




* Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
  2015-12-01  9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
@ 2015-12-01 22:48   ` Andre McCurdy
  2015-12-03  2:43     ` Robert Yang
  0 siblings, 1 reply; 11+ messages in thread
From: Andre McCurdy @ 2015-12-01 22:48 UTC (permalink / raw)
  To: Robert Yang; +Cc: OE Core mailing list

On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
> CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled

It looks like CVE-2015-7942 requires two separate patches, only one of
which made it to oe-core master, plus there were a lot of the other
CVE fixes committed upstream in October and November.

  http://www.xmlsoft.org/news.html
  https://git.gnome.org/browse/libxml2/log/?h=v2.9.3


> [YOCTO #8641]
>
> (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
>  meta/recipes-core/libxml/libxml2.inc               |    2 +
>  .../libxml/libxml2/CVE-2015-7942.patch             |   55 ++++++++++++++++++++
>  .../libxml/libxml2/CVE-2015-8035.patch             |   41 +++++++++++++++
>  3 files changed, 98 insertions(+)
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
> index 1c3c37d..6ada401 100644
> --- a/meta/recipes-core/libxml/libxml2.inc
> +++ b/meta/recipes-core/libxml/libxml2.inc
> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
>             file://libxml-m4-use-pkgconfig.patch \
>             file://configure.ac-fix-cross-compiling-warning.patch \
>             file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
> +           file://CVE-2015-7942.patch \
> +           file://CVE-2015-8035.patch \
>            "
>
>  BINCONFIG = "${bindir}/xml2-config"
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> new file mode 100644
> index 0000000..a5930ed
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> @@ -0,0 +1,55 @@
> +libxml2: CVE-2015-7942
> +
> +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Mon, 23 Feb 2015 11:29:20 +0800
> +Subject: Cleanup conditional section error handling
> +
> +For https://bugzilla.gnome.org/show_bug.cgi?id=744980
> +
> +The error handling of Conditional Section also need to be
> +straightened as the structure of the document can't be
> +guessed on a failure there and it's better to stop parsing
> +as further errors are likely to be irrelevant.
> +
> +Upstream-Status: Backport
> +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
> +
> +[YOCTO #8641]
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + parser.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +Index: libxml2-2.9.2/parser.c
> +===================================================================
> +--- libxml2-2.9.2.orig/parser.c
> ++++ libxml2-2.9.2/parser.c
> +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
> +       SKIP_BLANKS;
> +       if (RAW != '[') {
> +           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
> ++          xmlStopParser(ctxt);
> ++          return;
> +       } else {
> +           if (ctxt->input->id != id) {
> +               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
> +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
> +       SKIP_BLANKS;
> +       if (RAW != '[') {
> +           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
> ++          xmlStopParser(ctxt);
> ++          return;
> +       } else {
> +           if (ctxt->input->id != id) {
> +               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
> +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
> +
> +     } else {
> +       xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
> ++      xmlStopParser(ctxt);
> ++      return;
> +     }
> +
> +     if (RAW == 0)
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
> new file mode 100644
> index 0000000..d175f74
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
> @@ -0,0 +1,41 @@
> +libxml2: CVE-2015-8035
> +
> +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Tue, 3 Nov 2015 15:31:25 +0800
> +Subject: CVE-2015-8035 Fix XZ compression support loop
> +
> +For https://bugzilla.gnome.org/show_bug.cgi?id=757466
> +DoS when parsing specially crafted XML document if XZ support
> +is compiled in (which wasn't the case for 2.9.2 and master since
> +Nov 2013, fixed in next commit !)
> +
> +Upstream-Status: Backport
> +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
> +
> +[YOCTO #8641]
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + xzlib.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/xzlib.c b/xzlib.c
> +index 0dcb9f4..1fab546 100644
> +--- a/xzlib.c
> ++++ b/xzlib.c
> +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
> +             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
> +             return -1;
> +         }
> ++        if (ret == LZMA_PROG_ERROR) {
> ++            xz_error(state, LZMA_PROG_ERROR, "compression error");
> ++            return -1;
> ++        }
> +     } while (strm->avail_out && ret != LZMA_STREAM_END);
> +
> +     /* update available output and crc check value */
> +--
> +cgit v0.11.2
> +
> --
> 1.7.9.5
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core



* Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
  2015-12-01 22:48   ` Andre McCurdy
@ 2015-12-03  2:43     ` Robert Yang
  0 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-03  2:43 UTC (permalink / raw)
  To: Andre McCurdy, Armin Kuster; +Cc: OE Core mailing list


Hi Armin,

On 12/02/2015 06:48 AM, Andre McCurdy wrote:
> On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote:
>> From: Armin Kuster <akuster@mvista.com>
>>
>> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
>> CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
>
> It looks like CVE-2015-7942 requires two separate patches, only one of
> which made it to oe-core master, plus there were a lot of the other
> CVE fixes committed upstream in October and November.

Do you have any comments on CVE-2015-7942, please ?

// Robert

>
>    http://www.xmlsoft.org/news.html
>    https://git.gnome.org/browse/libxml2/log/?h=v2.9.3
>
>
>> [YOCTO #8641]
>>
>> (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>> ---
>>   meta/recipes-core/libxml/libxml2.inc               |    2 +
>>   .../libxml/libxml2/CVE-2015-7942.patch             |   55 ++++++++++++++++++++
>>   .../libxml/libxml2/CVE-2015-8035.patch             |   41 +++++++++++++++
>>   3 files changed, 98 insertions(+)
>>   create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>>   create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>>
>> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
>> index 1c3c37d..6ada401 100644
>> --- a/meta/recipes-core/libxml/libxml2.inc
>> +++ b/meta/recipes-core/libxml/libxml2.inc
>> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
>>              file://libxml-m4-use-pkgconfig.patch \
>>              file://configure.ac-fix-cross-compiling-warning.patch \
>>              file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
>> +           file://CVE-2015-7942.patch \
>> +           file://CVE-2015-8035.patch \
>>             "
>>
>>   BINCONFIG = "${bindir}/xml2-config"
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> new file mode 100644
>> index 0000000..a5930ed
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> @@ -0,0 +1,55 @@
>> +libxml2: CVE-2015-7942
>> +
>> +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Mon, 23 Feb 2015 11:29:20 +0800
>> +Subject: Cleanup conditional section error handling
>> +
>> +For https://bugzilla.gnome.org/show_bug.cgi?id=744980
>> +
>> +The error handling of Conditional Section also need to be
>> +straightened as the structure of the document can't be
>> +guessed on a failure there and it's better to stop parsing
>> +as further errors are likely to be irrelevant.
>> +
>> +Upstream-Status: Backport
>> +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
>> +
>> +[YOCTO #8641]
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + parser.c | 6 ++++++
>> + 1 file changed, 6 insertions(+)
>> +
>> +Index: libxml2-2.9.2/parser.c
>> +===================================================================
>> +--- libxml2-2.9.2.orig/parser.c
>> ++++ libxml2-2.9.2/parser.c
>> +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +       SKIP_BLANKS;
>> +       if (RAW != '[') {
>> +           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
>> ++          xmlStopParser(ctxt);
>> ++          return;
>> +       } else {
>> +           if (ctxt->input->id != id) {
>> +               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
>> +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +       SKIP_BLANKS;
>> +       if (RAW != '[') {
>> +           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
>> ++          xmlStopParser(ctxt);
>> ++          return;
>> +       } else {
>> +           if (ctxt->input->id != id) {
>> +               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
>> +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +
>> +     } else {
>> +       xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
>> ++      xmlStopParser(ctxt);
>> ++      return;
>> +     }
>> +
>> +     if (RAW == 0)
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>> new file mode 100644
>> index 0000000..d175f74
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>> @@ -0,0 +1,41 @@
>> +libxml2: CVE-2015-8035
>> +
>> +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Tue, 3 Nov 2015 15:31:25 +0800
>> +Subject: CVE-2015-8035 Fix XZ compression support loop
>> +
>> +For https://bugzilla.gnome.org/show_bug.cgi?id=757466
>> +DoS when parsing specially crafted XML document if XZ support
>> +is compiled in (which wasn't the case for 2.9.2 and master since
>> +Nov 2013, fixed in next commit !)
>> +
>> +Upstream-Status: Backport
>> +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
>> +
>> +[YOCTO #8641]
>> +
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + xzlib.c | 4 ++++
>> + 1 file changed, 4 insertions(+)
>> +
>> +diff --git a/xzlib.c b/xzlib.c
>> +index 0dcb9f4..1fab546 100644
>> +--- a/xzlib.c
>> ++++ b/xzlib.c
>> +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
>> +             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
>> +             return -1;
>> +         }
>> ++        if (ret == LZMA_PROG_ERROR) {
>> ++            xz_error(state, LZMA_PROG_ERROR, "compression error");
>> ++            return -1;
>> ++        }
>> +     } while (strm->avail_out && ret != LZMA_STREAM_END);
>> +
>> +     /* update available output and crc check value */
>> +--
>> +cgit v0.11.2
>> +
>> --
>> 1.7.9.5
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

