Diffstat (limited to 'meta/recipes-core/libxml/libxml2')
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch207
-rw-r--r--meta/recipes-core/libxml/libxml2/ansidecl.patch25
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch204
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch269
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch180
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch46
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch67
-rw-r--r--meta/recipes-core/libxml/libxml2/python-sitepackages-dir.patch30
-rw-r--r--meta/recipes-core/libxml/libxml2/run-ptest3
-rw-r--r--meta/recipes-core/libxml/libxml2/runtest.patch820
10 files changed, 1851 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
new file mode 100644
index 0000000000..3581ab83df
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-9318.patch
@@ -0,0 +1,207 @@
+From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Fri, 7 Apr 2017 16:45:56 +0200
+Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
+ even local
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+
+* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
+* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
+* include/libxml/xmlerror.h: new error raised
+* xmllint.c: adds --noxxe flag to activate the option
+
+Upstream-Status: Backport
+CVE: CVE-2016-9318
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ elfgcchack.h | 10 ++++++++++
+ include/libxml/parser.h | 3 ++-
+ include/libxml/xmlIO.h | 8 ++++++++
+ include/libxml/xmlerror.h | 1 +
+ parser.c | 4 ++++
+ xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
+ xmllint.c | 5 +++++
+ 7 files changed, 65 insertions(+), 6 deletions(-)
+
+diff --git a/elfgcchack.h b/elfgcchack.h
+index 8c52884..1b81dcd 100644
+--- a/elfgcchack.h
++++ b/elfgcchack.h
+@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
+ #endif
+ #endif
+
++#ifdef bottom_xmlIO
++#undef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
++#else
++#ifndef xmlNoXxeExternalEntityLoader
++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
++#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
++#endif
++#endif
++
+ #ifdef bottom_tree
+ #undef xmlNodeAddContent
+ extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index 47fbec0..63ca1b9 100644
+--- a/include/libxml/parser.h
++++ b/include/libxml/parser.h
+@@ -1111,7 +1111,8 @@ typedef enum {
+ XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
+ XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
+ XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
+- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
++ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
++ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
+ } xmlParserOption;
+
+ XMLPUBFUN void XMLCALL
+diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
+index 3e41744..8d3fdef 100644
+--- a/include/libxml/xmlIO.h
++++ b/include/libxml/xmlIO.h
+@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
+ xmlParserCtxtPtr ctxt);
+
+ /*
++ * A predefined entity loader external entity expansion
++ */
++XMLPUBFUN xmlParserInputPtr XMLCALL
++ xmlNoXxeExternalEntityLoader (const char *URL,
++ const char *ID,
++ xmlParserCtxtPtr ctxt);
++
++/*
+ * xmlNormalizeWindowsPath is obsolete, don't use it.
+ * Check xmlCanonicPath in uri.h for a better alternative.
+ */
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 037c16d..3036062 100644
+--- a/include/libxml/xmlerror.h
++++ b/include/libxml/xmlerror.h
+@@ -470,6 +470,7 @@ typedef enum {
+ XML_IO_EADDRINUSE, /* 1554 */
+ XML_IO_EALREADY, /* 1555 */
+ XML_IO_EAFNOSUPPORT, /* 1556 */
++ XML_IO_ILLEGAL_XXE, /* 1557 */
+ XML_XINCLUDE_RECURSION=1600,
+ XML_XINCLUDE_PARSE_VALUE, /* 1601 */
+ XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
+diff --git a/parser.c b/parser.c
+index 53a6b7f..609a270 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ ctxt->options |= XML_PARSE_NONET;
+ options -= XML_PARSE_NONET;
+ }
++ if (options & XML_PARSE_NOXXE) {
++ ctxt->options |= XML_PARSE_NOXXE;
++ options -= XML_PARSE_NOXXE;
++ }
+ if (options & XML_PARSE_COMPACT) {
+ ctxt->options |= XML_PARSE_COMPACT;
+ options -= XML_PARSE_COMPACT;
+diff --git a/xmlIO.c b/xmlIO.c
+index 1a79c09..304f822 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -210,6 +210,7 @@ static const char *IOerr[] = {
+ "adddress in use", /* EADDRINUSE */
+ "already in use", /* EALREADY */
+ "unknown address familly", /* EAFNOSUPPORT */
++ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
+ };
+
+ #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
+@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
+ #endif
+- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
++ if (ctxt != NULL) {
+ int options = ctxt->options;
+
+- ctxt->options -= XML_PARSE_NONET;
+- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+- ctxt->options = options;
+- return(ret);
++ if (options & XML_PARSE_NOXXE) {
++ ctxt->options -= XML_PARSE_NOXXE;
++ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
++ ctxt->options = options;
++ return(ret);
++ }
++
++ if (options & XML_PARSE_NONET) {
++ ctxt->options -= XML_PARSE_NONET;
++ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
++ ctxt->options = options;
++ return(ret);
++ }
+ }
+ #ifdef LIBXML_CATALOG_ENABLED
+ resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+ xmlParserInputPtr input = NULL;
+ xmlChar *resource = NULL;
+
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++
+ #ifdef LIBXML_CATALOG_ENABLED
+ resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
+ #endif
+@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
+ return(input);
+ }
+
++xmlParserInputPtr
++xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
++ xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
++ return(NULL);
++}
++
+ #define bottom_xmlIO
+ #include "elfgcchack.h"
+diff --git a/xmllint.c b/xmllint.c
+index 67f7adb..d9368c1 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
+ printf("\t--path 'paths': provide a set of paths for resources\n");
+ printf("\t--load-trace : print trace of all external entities loaded\n");
+ printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
++ printf("\t--noxxe : forbid any external entity loading\n");
+ printf("\t--nocompact : do not generate compact text nodes\n");
+ printf("\t--htmlout : output results as HTML\n");
+ printf("\t--nowrap : do not put HTML doc wrapper\n");
+@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
+ (!strcmp(argv[i], "--nonet"))) {
+ options |= XML_PARSE_NONET;
+ xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
++ } else if ((!strcmp(argv[i], "-noxxe")) ||
++ (!strcmp(argv[i], "--noxxe"))) {
++ options |= XML_PARSE_NOXXE;
++ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
+ } else if ((!strcmp(argv[i], "-nocompact")) ||
+ (!strcmp(argv[i], "--nocompact"))) {
+ options &= ~XML_PARSE_COMPACT;
+--
+2.10.2
+
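Review bot: The `ctxt->input_id == 1` shortcut and the `ctxt == NULL` return added at the top of xmlNoNetExternalEntityLoader change an existing loader, not only the new one. The first input of a context is now handed to xmlDefaultExternalEntityLoader before the rest of the function runs, and a caller that passes no context gets NULL. The rest of that function lies outside the hunk, so confirm that XML_PARSE_NONET still covers the top-level document. If it must, keep the shortcut only in xmlNoXxeExternalEntityLoader and document it there, e.g. `/* input_id == 1 is taken to be the top-level document, not an external entity -- confirm */`. Separately, the protection is opt-in: nothing in the patch sets XML_PARSE_NOXXE by default, so applications that do not pass the flag, or that install their own loader with xmlSetExternalEntityLoader, parse as before even though the recipe carries `CVE: CVE-2016-9318`; the patch header should say so.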
diff --git a/meta/recipes-core/libxml/libxml2/ansidecl.patch b/meta/recipes-core/libxml/libxml2/ansidecl.patch
new file mode 100644
index 0000000000..1085c680b6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/ansidecl.patch
@@ -0,0 +1,25 @@
+Sadly cmake is broken. If it sees this reference and ansidecl is present, it will add a
+dependency upon it, even if HAVE_ANSIDEC_H is never set.
+
+The easiest solution is to remove these lines, otherwise recipes like libzypp can have a
+dependency on the ansidecl.h header via cmake. This can lead to odd results if the
+header is removed (clean binutils) and then the code is recompiled.
+
+RP 2012/7/10
+
+Upstream-Status: Inappropriate [its really a cmake bug]
+
+diff --git a/configure.ac b/configure.ac
+index 0260281..fdb58e9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -484 +483,0 @@ AC_CHECK_HEADERS([time.h])
+-AC_CHECK_HEADERS([ansidecl.h])
+diff --git a/include/libxml/xmlversion.h.in b/include/libxml/xmlversion.h.in
+index b173be9..d10f975 100644
+--- a/include/libxml/xmlversion.h.in
++++ b/include/libxml/xmlversion.h.in
+@@ -413,3 +412,0 @@ XMLPUBFUN void XMLCALL xmlCheckVersion(int version);
+-#ifdef HAVE_ANSIDECL_H
+-#include <ansidecl.h>
+-#endif
diff --git a/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch b/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch
new file mode 100644
index 0000000000..3277165618
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch
@@ -0,0 +1,204 @@
+AM_PATH_XML2 uses xml-config which we disable through
+binconfig-disabled.bbclass, so port it to use pkg-config instead.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/libxml.m4 b/libxml.m4
+index 68cd824..5fa0a9b 100644
+--- a/libxml.m4
++++ b/libxml.m4
+@@ -1,188 +1,12 @@
+-# Configure paths for LIBXML2
+-# Mike Hommey 2004-06-19
+-# use CPPFLAGS instead of CFLAGS
+-# Toshio Kuratomi 2001-04-21
+-# Adapted from:
+-# Configure paths for GLIB
+-# Owen Taylor 97-11-3
+-
+ dnl AM_PATH_XML2([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND]]])
+ dnl Test for XML, and define XML_CPPFLAGS and XML_LIBS
+ dnl
+-AC_DEFUN([AM_PATH_XML2],[
+-AC_ARG_WITH(xml-prefix,
+- [ --with-xml-prefix=PFX Prefix where libxml is installed (optional)],
+- xml_config_prefix="$withval", xml_config_prefix="")
+-AC_ARG_WITH(xml-exec-prefix,
+- [ --with-xml-exec-prefix=PFX Exec prefix where libxml is installed (optional)],
+- xml_config_exec_prefix="$withval", xml_config_exec_prefix="")
+-AC_ARG_ENABLE(xmltest,
+- [ --disable-xmltest Do not try to compile and run a test LIBXML program],,
+- enable_xmltest=yes)
+-
+- if test x$xml_config_exec_prefix != x ; then
+- xml_config_args="$xml_config_args"
+- if test x${XML2_CONFIG+set} != xset ; then
+- XML2_CONFIG=$xml_config_exec_prefix/bin/xml2-config
+- fi
+- fi
+- if test x$xml_config_prefix != x ; then
+- xml_config_args="$xml_config_args --prefix=$xml_config_prefix"
+- if test x${XML2_CONFIG+set} != xset ; then
+- XML2_CONFIG=$xml_config_prefix/bin/xml2-config
+- fi
+- fi
+-
+- AC_PATH_PROG(XML2_CONFIG, xml2-config, no)
+- min_xml_version=ifelse([$1], ,2.0.0,[$1])
+- AC_MSG_CHECKING(for libxml - version >= $min_xml_version)
+- no_xml=""
+- if test "$XML2_CONFIG" = "no" ; then
+- no_xml=yes
+- else
+- XML_CPPFLAGS=`$XML2_CONFIG $xml_config_args --cflags`
+- XML_LIBS=`$XML2_CONFIG $xml_config_args --libs`
+- xml_config_major_version=`$XML2_CONFIG $xml_config_args --version | \
+- sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\1/'`
+- xml_config_minor_version=`$XML2_CONFIG $xml_config_args --version | \
+- sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\2/'`
+- xml_config_micro_version=`$XML2_CONFIG $xml_config_args --version | \
+- sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\3/'`
+- if test "x$enable_xmltest" = "xyes" ; then
+- ac_save_CPPFLAGS="$CPPFLAGS"
+- ac_save_LIBS="$LIBS"
+- CPPFLAGS="$CPPFLAGS $XML_CPPFLAGS"
+- LIBS="$XML_LIBS $LIBS"
+-dnl
+-dnl Now check if the installed libxml is sufficiently new.
+-dnl (Also sanity checks the results of xml2-config to some extent)
+-dnl
+- rm -f conf.xmltest
+- AC_TRY_RUN([
+-#include <stdlib.h>
+-#include <stdio.h>
+-#include <string.h>
+-#include <libxml/xmlversion.h>
+-
+-int
+-main()
+-{
+- int xml_major_version, xml_minor_version, xml_micro_version;
+- int major, minor, micro;
+- char *tmp_version;
+-
+- system("touch conf.xmltest");
+-
+- /* Capture xml2-config output via autoconf/configure variables */
+- /* HP/UX 9 (%@#!) writes to sscanf strings */
+- tmp_version = (char *)strdup("$min_xml_version");
+- if (sscanf(tmp_version, "%d.%d.%d", &major, &minor, &micro) != 3) {
+- printf("%s, bad version string from xml2-config\n", "$min_xml_version");
+- exit(1);
+- }
+- free(tmp_version);
+-
+- /* Capture the version information from the header files */
+- tmp_version = (char *)strdup(LIBXML_DOTTED_VERSION);
+- if (sscanf(tmp_version, "%d.%d.%d", &xml_major_version, &xml_minor_version, &xml_micro_version) != 3) {
+- printf("%s, bad version string from libxml includes\n", "LIBXML_DOTTED_VERSION");
+- exit(1);
+- }
+- free(tmp_version);
+-
+- /* Compare xml2-config output to the libxml headers */
+- if ((xml_major_version != $xml_config_major_version) ||
+- (xml_minor_version != $xml_config_minor_version) ||
+- (xml_micro_version != $xml_config_micro_version))
+- {
+- printf("*** libxml header files (version %d.%d.%d) do not match\n",
+- xml_major_version, xml_minor_version, xml_micro_version);
+- printf("*** xml2-config (version %d.%d.%d)\n",
+- $xml_config_major_version, $xml_config_minor_version, $xml_config_micro_version);
+- return 1;
+- }
+-/* Compare the headers to the library to make sure we match */
+- /* Less than ideal -- doesn't provide us with return value feedback,
+- * only exits if there's a serious mismatch between header and library.
+- */
+- LIBXML_TEST_VERSION;
+-
+- /* Test that the library is greater than our minimum version */
+- if ((xml_major_version > major) ||
+- ((xml_major_version == major) && (xml_minor_version > minor)) ||
+- ((xml_major_version == major) && (xml_minor_version == minor) &&
+- (xml_micro_version >= micro)))
+- {
+- return 0;
+- }
+- else
+- {
+- printf("\n*** An old version of libxml (%d.%d.%d) was found.\n",
+- xml_major_version, xml_minor_version, xml_micro_version);
+- printf("*** You need a version of libxml newer than %d.%d.%d. The latest version of\n",
+- major, minor, micro);
+- printf("*** libxml is always available from ftp://ftp.xmlsoft.org.\n");
+- printf("***\n");
+- printf("*** If you have already installed a sufficiently new version, this error\n");
+- printf("*** probably means that the wrong copy of the xml2-config shell script is\n");
+- printf("*** being found. The easiest way to fix this is to remove the old version\n");
+- printf("*** of LIBXML, but you can also set the XML2_CONFIG environment to point to the\n");
+- printf("*** correct copy of xml2-config. (In this case, you will have to\n");
+- printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
+- printf("*** so that the correct libraries are found at run-time))\n");
+- }
+- return 1;
+-}
+-],, no_xml=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
+- CPPFLAGS="$ac_save_CPPFLAGS"
+- LIBS="$ac_save_LIBS"
+- fi
+- fi
++AC_DEFUN([AM_PATH_XML2],[
++ AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+
+- if test "x$no_xml" = x ; then
+- AC_MSG_RESULT(yes (version $xml_config_major_version.$xml_config_minor_version.$xml_config_micro_version))
+- ifelse([$2], , :, [$2])
+- else
+- AC_MSG_RESULT(no)
+- if test "$XML2_CONFIG" = "no" ; then
+- echo "*** The xml2-config script installed by LIBXML could not be found"
+- echo "*** If libxml was installed in PREFIX, make sure PREFIX/bin is in"
+- echo "*** your path, or set the XML2_CONFIG environment variable to the"
+- echo "*** full path to xml2-config."
+- else
+- if test -f conf.xmltest ; then
+- :
+- else
+- echo "*** Could not run libxml test program, checking why..."
+- CPPFLAGS="$CPPFLAGS $XML_CPPFLAGS"
+- LIBS="$LIBS $XML_LIBS"
+- AC_TRY_LINK([
+-#include <libxml/xmlversion.h>
+-#include <stdio.h>
+-], [ LIBXML_TEST_VERSION; return 0;],
+- [ echo "*** The test program compiled, but did not run. This usually means"
+- echo "*** that the run-time linker is not finding LIBXML or finding the wrong"
+- echo "*** version of LIBXML. If it is not finding LIBXML, you'll need to set your"
+- echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
+- echo "*** to the installed location Also, make sure you have run ldconfig if that"
+- echo "*** is required on your system"
+- echo "***"
+- echo "*** If you have an old version installed, it is best to remove it, although"
+- echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" ],
+- [ echo "*** The test program failed to compile or link. See the file config.log for the"
+- echo "*** exact error that occured. This usually means LIBXML was incorrectly installed"
+- echo "*** or that you have moved LIBXML since it was installed. In the latter case, you"
+- echo "*** may want to edit the xml2-config script: $XML2_CONFIG" ])
+- CPPFLAGS="$ac_save_CPPFLAGS"
+- LIBS="$ac_save_LIBS"
+- fi
+- fi
++ verdep=ifelse([$1], [], [], [">= $1"])
++ PKG_CHECK_MODULES(XML, [libxml-2.0 $verdep], [$2], [$3])
+
+- XML_CPPFLAGS=""
+- XML_LIBS=""
+- ifelse([$3], , :, [$3])
+- fi
++ XML_CPPFLAGS=$XML_CFLAGS
+ AC_SUBST(XML_CPPFLAGS)
+- AC_SUBST(XML_LIBS)
+- rm -f conf.xmltest
+ ])
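Review bot: `XML_CPPFLAGS=$XML_CFLAGS` is assigned only after PKG_CHECK_MODULES has already expanded the caller's ACTION-IF-FOUND (`$2`), so a caller that reads XML_CPPFLAGS inside that action sees it unset. The removed macro set XML_CPPFLAGS before running `$2`. Moving the assignment into the found branch keeps the old ordering: `PKG_CHECK_MODULES(XML, [libxml-2.0 $verdep], [XML_CPPFLAGS=$XML_CFLAGS; $2], [$3])`. Also note that an empty `$3` used to expand to `:` and let configure continue, whereas PKG_CHECK_MODULES with an empty ACTION-IF-NOT-FOUND aborts configure. A comment in the patch header should record that behaviour change and the loss of `--with-xml-prefix`.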
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch
new file mode 100644
index 0000000000..5412e8c02a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch
@@ -0,0 +1,269 @@
+libxml2-2.9.4: Fix CVE-2016-4658
+
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658
+
+xpointer: Disallow namespace nodes in XPointer points and ranges
+
+Namespace nodes must be copied to avoid use-after-free errors.
+But they don't necessarily have a physical representation in a
+document, so simply disallow them in XPointer ranges.
+
+Upstream-Status: Backported
+ - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d54397a42d645f019c65]
+CVE: CVE-2016-4658
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..911680d 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
+ }
+
+ /**
++ * xmlXPtrNewRangeInternal:
++ * @start: the starting node
++ * @startindex: the start index
++ * @end: the ending point
++ * @endindex: the ending index
++ *
++ * Internal function to create a new xmlXPathObjectPtr of type range
++ *
++ * Returns the newly created object.
++ */
++static xmlXPathObjectPtr
++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
++ xmlNodePtr end, int endindex) {
++ xmlXPathObjectPtr ret;
++
++ /*
++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
++ * Disallow them for now.
++ */
++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
++ return(NULL);
++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
++ return(NULL);
++
++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
++ if (ret == NULL) {
++ xmlXPtrErrMemory("allocating range");
++ return(NULL);
++ }
++ memset(ret, 0, sizeof(xmlXPathObject));
++ ret->type = XPATH_RANGE;
++ ret->user = start;
++ ret->index = startindex;
++ ret->user2 = end;
++ ret->index2 = endindex;
++ return(ret);
++}
++
++/**
+ * xmlXPtrNewRange:
+ * @start: the starting node
+ * @startindex: the start index
+@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
+ if (endindex < 0)
+ return(NULL);
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start;
+- ret->index = startindex;
+- ret->user2 = end;
+- ret->index2 = endindex;
++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
+ xmlXPtrRangeCheckOrder(ret);
+ return(ret);
+ }
+@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
+ if (end->type != XPATH_POINT)
+ return(NULL);
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start->user;
+- ret->index = start->index;
+- ret->user2 = end->user;
+- ret->index2 = end->index;
++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
++ end->index);
+ xmlXPtrRangeCheckOrder(ret);
+ return(ret);
+ }
+@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
+ if (start->type != XPATH_POINT)
+ return(NULL);
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start->user;
+- ret->index = start->index;
+- ret->user2 = end;
+- ret->index2 = -1;
++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
+ xmlXPtrRangeCheckOrder(ret);
+ return(ret);
+ }
+@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
+ if (end->type != XPATH_POINT)
+ return(NULL);
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start;
+- ret->index = -1;
+- ret->user2 = end->user;
+- ret->index2 = end->index;
++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
+ xmlXPtrRangeCheckOrder(ret);
+ return(ret);
+ }
+@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
+ if (end == NULL)
+ return(NULL);
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start;
+- ret->index = -1;
+- ret->user2 = end;
+- ret->index2 = -1;
++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
+ xmlXPtrRangeCheckOrder(ret);
+ return(ret);
+ }
+@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
+ if (start == NULL)
+ return(NULL);
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start;
+- ret->index = -1;
+- ret->user2 = NULL;
+- ret->index2 = -1;
++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
+ return(ret);
+ }
+
+@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
+ */
+ xmlXPathObjectPtr
+ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
++ xmlNodePtr endNode;
++ int endIndex;
+ xmlXPathObjectPtr ret;
+
+ if (start == NULL)
+@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+ return(NULL);
+ switch (end->type) {
+ case XPATH_POINT:
++ endNode = end->user;
++ endIndex = end->index;
++ break;
+ case XPATH_RANGE:
++ endNode = end->user2;
++ endIndex = end->index2;
+ break;
+ case XPATH_NODESET:
+ /*
+@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+ */
+ if (end->nodesetval->nodeNr <= 0)
+ return(NULL);
++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
++ endIndex = -1;
+ break;
+ default:
+ /* TODO */
+ return(NULL);
+ }
+
+- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+- if (ret == NULL) {
+- xmlXPtrErrMemory("allocating range");
+- return(NULL);
+- }
+- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+- ret->type = XPATH_RANGE;
+- ret->user = start;
+- ret->index = -1;
+- switch (end->type) {
+- case XPATH_POINT:
+- ret->user2 = end->user;
+- ret->index2 = end->index;
+- break;
+- case XPATH_RANGE:
+- ret->user2 = end->user2;
+- ret->index2 = end->index2;
+- break;
+- case XPATH_NODESET: {
+- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
+- ret->index2 = -1;
+- break;
+- }
+- default:
+- STRANGE
+- return(NULL);
+- }
++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
+ xmlXPtrRangeCheckOrder(ret);
+ return(ret);
+ }
+@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ case XPATH_RANGE: {
+ xmlNodePtr node = tmp->user;
+ if (node != NULL) {
+- if (node->type == XML_ATTRIBUTE_NODE) {
+- /* TODO: Namespace Nodes ??? */
++ if ((node->type == XML_ATTRIBUTE_NODE) ||
++ (node->type == XML_NAMESPACE_DECL)) {
+ xmlXPathFreeObject(obj);
+ xmlXPtrFreeLocationSet(newset);
+ XP_ERROR(XPTR_SYNTAX_ERROR);
+@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ case XPATH_RANGE: {
+ xmlNodePtr node = tmp->user2;
+ if (node != NULL) {
+- if (node->type == XML_ATTRIBUTE_NODE) {
+- /* TODO: Namespace Nodes ??? */
++ if ((node->type == XML_ATTRIBUTE_NODE) ||
++ (node->type == XML_NAMESPACE_DECL)) {
+ xmlXPathFreeObject(obj);
+ xmlXPtrFreeLocationSet(newset);
+ XP_ERROR(XPTR_SYNTAX_ERROR);
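Review bot: xmlXPtrNewRangeInternal now returns NULL for XML_NAMESPACE_DECL endpoints as well as on allocation failure, and every rewritten caller passes the result straight to `xmlXPtrRangeCheckOrder(ret)`. That function is not part of this patch, so confirm that it accepts NULL, or guard each call with `if (ret != NULL) xmlXPtrRangeCheckOrder(ret);`. The helper's docstring should also cover the new case, for example `Returns the newly created object, or NULL for namespace nodes or on allocation failure.`, because callers of the public xmlXPtrNewRange* functions can now get NULL for inputs that previously produced a range.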
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
new file mode 100644
index 0000000000..9d47d023a9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
@@ -0,0 +1,180 @@
+From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2016 14:22:23 +0200
+Subject: [PATCH] Fix XPointer paths beginning with range-to
+
+The old code would invoke the broken xmlXPtrRangeToFunction. range-to
+isn't really a function but a special kind of location step. Remove
+this function and always handle range-to in the XPath code.
+
+The old xmlXPtrRangeToFunction could also be abused to trigger a
+use-after-free error with the potential for remote code execution.
+
+Found with afl-fuzz.
+
+Fixes CVE-2016-5131.
+
+CVE: CVE-2016-5131
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ result/XPath/xptr/vidbase | 13 ++++++++
+ test/XPath/xptr/vidbase | 1 +
+ xpath.c | 7 ++++-
+ xpointer.c | 76 ++++-------------------------------------------
+ 4 files changed, 26 insertions(+), 71 deletions(-)
+
+diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
+index 8b9e92d..f19193e 100644
+--- a/result/XPath/xptr/vidbase
++++ b/result/XPath/xptr/vidbase
+@@ -17,3 +17,16 @@ Object is a Location Set:
+ To node
+ ELEMENT p
+
++
++========================
++Expression: xpointer(range-to(id('chapter2')))
++Object is a Location Set:
++1 : Object is a range :
++ From node
++ /
++ To node
++ ELEMENT chapter
++ ATTRIBUTE id
++ TEXT
++ content=chapter2
++
+diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
+index b146383..884b106 100644
+--- a/test/XPath/xptr/vidbase
++++ b/test/XPath/xptr/vidbase
+@@ -1,2 +1,3 @@
+ xpointer(id('chapter1')/p)
+ xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
++xpointer(range-to(id('chapter2')))
+diff --git a/xpath.c b/xpath.c
+index d992841..5a01b1b 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
+ lc = 1;
+ break;
+ } else if ((NXT(len) == '(')) {
+- /* Note Type or Function */
++ /* Node Type or Function */
+ if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext,
+ "PathExpr: Type search\n");
+ #endif
+ lc = 1;
++#ifdef LIBXML_XPTR_ENABLED
++ } else if (ctxt->xptr &&
++ xmlStrEqual(name, BAD_CAST "range-to")) {
++ lc = 1;
++#endif
+ } else {
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext,
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..d74174a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
+ ret->here = here;
+ ret->origin = origin;
+
+- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+- xmlXPtrRangeToFunction);
+ xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+ xmlXPtrRangeFunction);
+ xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ * @nargs: the number of args
+ *
+ * Implement the range-to() XPointer function
++ *
++ * Obsolete. range-to is not a real function but a special type of location
++ * step which is handled in xpath.c.
+ */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+- xmlXPathObjectPtr range;
+- const xmlChar *cur;
+- xmlXPathObjectPtr res, obj;
+- xmlXPathObjectPtr tmp;
+- xmlLocationSetPtr newset = NULL;
+- xmlNodeSetPtr oldset;
+- int i;
+-
+- if (ctxt == NULL) return;
+- CHECK_ARITY(1);
+- /*
+- * Save the expression pointer since we will have to evaluate
+- * it multiple times. Initialize the new set.
+- */
+- CHECK_TYPE(XPATH_NODESET);
+- obj = valuePop(ctxt);
+- oldset = obj->nodesetval;
+- ctxt->context->node = NULL;
+-
+- cur = ctxt->cur;
+- newset = xmlXPtrLocationSetCreate(NULL);
+-
+- for (i = 0; i < oldset->nodeNr; i++) {
+- ctxt->cur = cur;
+-
+- /*
+- * Run the evaluation with a node list made of a single item
+- * in the nodeset.
+- */
+- ctxt->context->node = oldset->nodeTab[i];
+- tmp = xmlXPathNewNodeSet(ctxt->context->node);
+- valuePush(ctxt, tmp);
+-
+- xmlXPathEvalExpr(ctxt);
+- CHECK_ERROR;
+-
+- /*
+- * The result of the evaluation need to be tested to
+- * decided whether the filter succeeded or not
+- */
+- res = valuePop(ctxt);
+- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+- if (range != NULL) {
+- xmlXPtrLocationSetAdd(newset, range);
+- }
+-
+- /*
+- * Cleanup
+- */
+- if (res != NULL)
+- xmlXPathFreeObject(res);
+- if (ctxt->value == tmp) {
+- res = valuePop(ctxt);
+- xmlXPathFreeObject(res);
+- }
+-
+- ctxt->context->node = NULL;
+- }
+-
+- /*
+- * The result is used as the new evaluation set.
+- */
+- xmlXPathFreeObject(obj);
+- ctxt->context->node = NULL;
+- ctxt->context->contextSize = -1;
+- ctxt->context->proximityPosition = -1;
+- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++ int nargs ATTRIBUTE_UNUSED) {
++ XP_ERROR(XPATH_EXPR_ERROR);
+ }
+
+ /**
+--
+2.7.4
+
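Review bot: The sign-off in this patch header reads `yi.zhao@windirver.com`, while the sign-off in CVE-2016-9318.patch uses `windriver.com`; this looks like a typo and should be corrected so the backport's provenance trailer is accurate. In the code, the docstring kept above the xmlXPtrRangeToFunction stub still opens with "Implement the range-to() XPointer function" and is then contradicted by the added "Obsolete" paragraph. The first sentence should be replaced, e.g. `Obsolete stub: always raises XPATH_EXPR_ERROR; range-to is handled as a location step in xpath.c.`. The added test line covers only a well-formed `range-to` at the start of a path, so the recipe's ptest run should be confirmed to execute the XPath/xptr cases to keep this fix covered.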
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch
new file mode 100644
index 0000000000..83552ca3ec
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch
@@ -0,0 +1,46 @@
+libxml2-2.9.4: Fix more NULL pointer derefs
+
+xpointer: Fix more NULL pointer derefs
+
+Upstream-Status: Backported [https://git.gnom