From b86da431eda5794bb1e7df211b1c10a665ff5095 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 21 Aug 2017 08:43:01 +0200 Subject: libxml2: CVE-2017-5969 Fixes a NULL pointer dereference in libxml2, when using xmllint --recover. A maliciously crafted file, when parsed in recovery mode, could cause the application to crash. Reference https://bugzilla.gnome.org/show_bug.cgi?id=778519 Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- recipes-core/libxml/libxml2/CVE-2017-5969.patch | 68 +++++++++++++++++++++++++ recipes-core/libxml/libxml2_%.bbappend | 6 +++ 2 files changed, 74 insertions(+) create mode 100644 recipes-core/libxml/libxml2/CVE-2017-5969.patch create mode 100644 recipes-core/libxml/libxml2_%.bbappend (limited to 'recipes-core') diff --git a/recipes-core/libxml/libxml2/CVE-2017-5969.patch b/recipes-core/libxml/libxml2/CVE-2017-5969.patch new file mode 100644 index 0000000..0c5efbe --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5969.patch @@ -0,0 +1,68 @@ +From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Wed, 7 Jun 2017 16:47:36 +0200 +Subject: [PATCH] Fix NULL pointer deref in xmlDumpElementContent + +Can only be triggered in recovery mode. + +Fixes bug 758422 (CVE-2017-5969). + +CVE: CVE-2017-5969 +Upstream-Status: Backport + +Signed-off-by: Sona Sarmadi +--- + valid.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/valid.c b/valid.c +index 9b2df56..8075d3a 100644 +--- a/valid.c ++++ b/valid.c +@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) + xmlBufferWriteCHAR(buf, content->name); + break; + case XML_ELEMENT_CONTENT_SEQ: +- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || +- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) ++ if ((content->c1 != NULL) && ++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || ++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) + xmlDumpElementContent(buf, content->c1, 1); + else + xmlDumpElementContent(buf, content->c1, 0); + xmlBufferWriteChar(buf, " , "); +- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || +- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && +- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) ++ if ((content->c2 != NULL) && ++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) || ++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && ++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) + xmlDumpElementContent(buf, content->c2, 1); + else + xmlDumpElementContent(buf, content->c2, 0); + break; + case XML_ELEMENT_CONTENT_OR: +- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || +- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) ++ if ((content->c1 != NULL) && ++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || ++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) + xmlDumpElementContent(buf, content->c1, 1); + else + xmlDumpElementContent(buf, content->c1, 0); + xmlBufferWriteChar(buf, " | "); +- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || +- ((content->c2->type == XML_ELEMENT_CONTENT_OR) && +- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) ++ if ((content->c2 != NULL) && ++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || ++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) && ++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) + xmlDumpElementContent(buf, content->c2, 1); + else + xmlDumpElementContent(buf, content->c2, 0); +-- +1.9.1 + diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend new file mode 100644 index 0000000..271f582 --- /dev/null +++ b/recipes-core/libxml/libxml2_%.bbappend @@ -0,0 +1,6 @@ +# look for files in the layer first +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://CVE-2017-5969.patch \ + " + -- cgit v1.2.3-54-g00ecf