libxml2: Fix CVEs

CVE: CVE-2017-16932 CVE-2017-5130 CVE-2017-7375 CVE-2017-7376 Libxml2 in the upstream pyro is 2.9.4 CVE-2017-7376: For the stable distribution (stretch), these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u1 CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2 Reference: CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-09-11 10:09:27 +0200
committer: Dan Andresan <Dan.Andresan@enea.com> 2018-10-25 13:54:59 +0200
commit: 2057b91933875959294f823b12938d6cba6ea62b (patch)
tree: 357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
parent: 5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download: meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz
1 files changed, 66 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
new file mode 100644
index 0000000..e072ef1
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
+From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: [PATCH] Check for integer overflow in memory debug code
+Fixes bug 783026.
+Thanks to Pranjal Jumde for the report.
+CVE: CVE-2017-5130
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ xmlmemory.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3..c53141f 100644
+--- a/xmlmemory.c
+++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+ 
+     TEST_POINT
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+ 
+     if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+     xmlMutexUnlock(xmlMemMutex);
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+     if (!tmp) {
+         free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+     if (!xmlMemInitialized) xmlInitMemory();
+     TEST_POINT
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+     if (!p) {
+       goto error;
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-09-11 10:09:27 +0200
committer	Dan Andresan <Dan.Andresan@enea.com>	2018-10-25 13:54:59 +0200
commit	2057b91933875959294f823b12938d6cba6ea62b (patch)
tree	357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
parent	5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download	meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
	1	From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Tue, 6 Jun 2017 13:21:14 +0200
	4	Subject: [PATCH] Check for integer overflow in memory debug code
	5
	6	Fixes bug 783026.
	7
	8	Thanks to Pranjal Jumde for the report.
	9
	10	CVE: CVE-2017-5130
	11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
	12
	13	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	14	---
	15	xmlmemory.c \| 21 +++++++++++++++++++++
	16	1 file changed, 21 insertions(+)
	17
	18	diff --git a/xmlmemory.c b/xmlmemory.c
	19	index f08c8c3..c53141f 100644
	20	--- a/xmlmemory.c
	21	+++ b/xmlmemory.c
	22	@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
	23
	24	TEST_POINT
	25
	26	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	27	+ xmlGenericError(xmlGenericErrorContext,
	28	+ "xmlMallocLoc : Unsigned overflow\n");
	29	+ xmlMemoryDump();
	30	+ return(NULL);
	31	+ }
	32	+
	33	p = (MEMHDR *) malloc(RESERVE_SIZE+size);
	34
	35	if (!p) {
	36	@@ -352,6 +359,13 @@ xmlReallocLoc(void ptr,size_t size, const char file, int line)
	37	#endif
	38	xmlMutexUnlock(xmlMemMutex);
	39
	40	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	41	+ xmlGenericError(xmlGenericErrorContext,
	42	+ "xmlMallocLoc : Unsigned overflow\n");
	43	+ xmlMemoryDump();
	44	+ return(NULL);
	45	+ }
	46	+
	47	tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
	48	if (!tmp) {
	49	free(p);
	50	@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char str, const char file, int line)
	51	if (!xmlMemInitialized) xmlInitMemory();
	52	TEST_POINT
	53
	54	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	55	+ xmlGenericError(xmlGenericErrorContext,
	56	+ "xmlMallocLoc : Unsigned overflow\n");
	57	+ xmlMemoryDump();
	58	+ return(NULL);
	59	+ }
	60	+
	61	p = (MEMHDR *) malloc(RESERVE_SIZE+size);
	62	if (!p) {
	63	goto error;
	64	--
	65	2.7.4
	66