libxml2: CVE-2017-5969

Fixes a NULL pointer dereference in libxml2, when using xmllint --recover. A maliciously crafted file, when parsed in recovery mode, could cause the application to crash. Reference https://bugzilla.gnome.org/show_bug.cgi?id=778519 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-08-21 08:43:01 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-08-21 10:55:46 +0200
commit: b86da431eda5794bb1e7df211b1c10a665ff5095 (patch)
tree: 424a749d038a466d62d9952e6ead768ab1d9c205
parent: 7005fb8af628193ae6af840350e4e87cb3be19ec (diff)
download: meta-el-common-b86da431eda5794bb1e7df211b1c10a665ff5095.tar.gz
2 files changed, 74 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5969.patch b/recipes-core/libxml/libxml2/CVE-2017-5969.patch
new file mode 100644
index 0000000..0c5efbe
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5969.patch
@@ -0,0 +1,68 @@
+From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 7 Jun 2017 16:47:36 +0200
+Subject: [PATCH] Fix NULL pointer deref in xmlDumpElementContent
+Can only be triggered in recovery mode.
+Fixes bug 758422 (CVE-2017-5969).
+CVE: CVE-2017-5969
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ valid.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+diff --git a/valid.c b/valid.c
+index 9b2df56..8075d3a 100644
+--- a/valid.c
+++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+            xmlBufferWriteCHAR(buf, content->name);
+            break;
+        case XML_ELEMENT_CONTENT_SEQ:
+-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+                xmlDumpElementContent(buf, content->c1, 1);
+            else
+                xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " , ");
+-           if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+-               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+                xmlDumpElementContent(buf, content->c2, 1);
+            else
+                xmlDumpElementContent(buf, content->c2, 0);
+            break;
+        case XML_ELEMENT_CONTENT_OR:
+-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+                xmlDumpElementContent(buf, content->c1, 1);
+            else
+                xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " | ");
+-           if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+-               ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+                xmlDumpElementContent(buf, content->c2, 1);
+            else
+                xmlDumpElementContent(buf, content->c2, 0);
+-- 
+1.9.1
diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend
new file mode 100644
index 0000000..271f582
--- /dev/null
+++ b/recipes-core/libxml/libxml2_%.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://CVE-2017-5969.patch \
+           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-08-21 08:43:01 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-08-21 10:55:46 +0200
commit	b86da431eda5794bb1e7df211b1c10a665ff5095 (patch)
tree	424a749d038a466d62d9952e6ead768ab1d9c205
parent	7005fb8af628193ae6af840350e4e87cb3be19ec (diff)
download	meta-el-common-b86da431eda5794bb1e7df211b1c10a665ff5095.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-5969.patch b/recipes-core/libxml/libxml2/CVE-2017-5969.patch new file mode 100644 index 0000000..0c5efbe --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5969.patch
@@ -0,0 +1,68 @@
	1	From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
	2	From: Daniel Veillard <veillard@redhat.com>
	3	Date: Wed, 7 Jun 2017 16:47:36 +0200
	4	Subject: [PATCH] Fix NULL pointer deref in xmlDumpElementContent
	5
	6	Can only be triggered in recovery mode.
	7
	8	Fixes bug 758422 (CVE-2017-5969).
	9
	10	CVE: CVE-2017-5969
	11	Upstream-Status: Backport
	12
	13	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	14	---
	15	valid.c \| 24 ++++++++++++++----------
	16	1 file changed, 14 insertions(+), 10 deletions(-)
	17
	18	diff --git a/valid.c b/valid.c
	19	index 9b2df56..8075d3a 100644
	20	--- a/valid.c
	21	+++ b/valid.c
	22	@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
	23	xmlBufferWriteCHAR(buf, content->name);
	24	break;
	25	case XML_ELEMENT_CONTENT_SEQ:
	26	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	27	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
	28	+ if ((content->c1 != NULL) &&
	29	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	30	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
	31	xmlDumpElementContent(buf, content->c1, 1);
	32	else
	33	xmlDumpElementContent(buf, content->c1, 0);
	34	xmlBufferWriteChar(buf, " , ");
	35	- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
	36	- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
	37	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
	38	+ if ((content->c2 != NULL) &&
	39	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
	40	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
	41	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
	42	xmlDumpElementContent(buf, content->c2, 1);
	43	else
	44	xmlDumpElementContent(buf, content->c2, 0);
	45	break;
	46	case XML_ELEMENT_CONTENT_OR:
	47	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	48	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
	49	+ if ((content->c1 != NULL) &&
	50	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	51	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
	52	xmlDumpElementContent(buf, content->c1, 1);
	53	else
	54	xmlDumpElementContent(buf, content->c1, 0);
	55	xmlBufferWriteChar(buf, " \| ");
	56	- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
	57	- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
	58	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
	59	+ if ((content->c2 != NULL) &&
	60	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
	61	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
	62	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
	63	xmlDumpElementContent(buf, content->c2, 1);
	64	else
	65	xmlDumpElementContent(buf, content->c2, 0);
	66	--
	67	1.9.1
	68


diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend new file mode 100644 index 0000000..271f582 --- /dev/null +++ b/recipes-core/libxml/libxml2_%.bbappend
@@ -0,0 +1,6 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += "file://CVE-2017-5969.patch \
	5	"
	6