diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-09-11 10:09:27 +0200 |
---|---|---|
committer | Dan Andresan <Dan.Andresan@enea.com> | 2018-10-25 13:54:59 +0200 |
commit | 2057b91933875959294f823b12938d6cba6ea62b (patch) | |
tree | 357f87df7c8b037498a13094d39d6d77d2db35f5 /recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch | |
parent | 5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff) | |
download | meta-el-common-2057b91933875959294f823b12938d6cba6ea62b.tar.gz |
libxml2: Fix CVEs
CVE: CVE-2017-16932 CVE-2017-5130 CVE-2017-7375 CVE-2017-7376
Libxml2 in the upstream pyro is 2.9.4
CVE-2017-7376: For the stable distribution (stretch), these problems
have been fixed in version 2.9.4+dfsg1-2.2+deb9u1
CVE-2017-7375: stretch (security) 2.9.4+dfsg1-2.2+deb9u2
Reference:
CVE-2017-16932 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
CVE-2017-5130 https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed
CVE-2017-7375 https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e
CVE-2017-7376 https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
Change-Id: Icf68eea8e0916be2bc9f3e844f7d38f6fae75300
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
Diffstat (limited to 'recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch')
-rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 6 Jun 2017 13:21:14 +0200 | ||
4 | Subject: [PATCH] Check for integer overflow in memory debug code | ||
5 | |||
6 | Fixes bug 783026. | ||
7 | |||
8 | Thanks to Pranjal Jumde for the report. | ||
9 | |||
10 | CVE: CVE-2017-5130 | ||
11 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed] | ||
12 | |||
13 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
14 | --- | ||
15 | xmlmemory.c | 21 +++++++++++++++++++++ | ||
16 | 1 file changed, 21 insertions(+) | ||
17 | |||
18 | diff --git a/xmlmemory.c b/xmlmemory.c | ||
19 | index f08c8c3..c53141f 100644 | ||
20 | --- a/xmlmemory.c | ||
21 | +++ b/xmlmemory.c | ||
22 | @@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line) | ||
23 | |||
24 | TEST_POINT | ||
25 | |||
26 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
27 | + xmlGenericError(xmlGenericErrorContext, | ||
28 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
29 | + xmlMemoryDump(); | ||
30 | + return(NULL); | ||
31 | + } | ||
32 | + | ||
33 | p = (MEMHDR *) malloc(RESERVE_SIZE+size); | ||
34 | |||
35 | if (!p) { | ||
36 | @@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line) | ||
37 | #endif | ||
38 | xmlMutexUnlock(xmlMemMutex); | ||
39 | |||
40 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
41 | + xmlGenericError(xmlGenericErrorContext, | ||
42 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
43 | + xmlMemoryDump(); | ||
44 | + return(NULL); | ||
45 | + } | ||
46 | + | ||
47 | tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size); | ||
48 | if (!tmp) { | ||
49 | free(p); | ||
50 | @@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line) | ||
51 | if (!xmlMemInitialized) xmlInitMemory(); | ||
52 | TEST_POINT | ||
53 | |||
54 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
55 | + xmlGenericError(xmlGenericErrorContext, | ||
56 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
57 | + xmlMemoryDump(); | ||
58 | + return(NULL); | ||
59 | + } | ||
60 | + | ||
61 | p = (MEMHDR *) malloc(RESERVE_SIZE+size); | ||
62 | if (!p) { | ||
63 | goto error; | ||
64 | -- | ||
65 | 2.7.4 | ||
66 | |||