From f51f71b2da372e3eaaa1d47c7e01724b2b8867ed Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 6 Sep 2017 11:01:07 +0200
Subject: libxml2: CVE-2017-0663
A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library.
Reference: https://security-tracker.debian.org/tracker/CVE-2017-0663
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
recipes-core/libxml/libxml2/CVE-2017-0663.patch | 47 +++++++++++++++++++++++++
recipes-core/libxml/libxml2_%.bbappend | 3 +-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 recipes-core/libxml/libxml2/CVE-2017-0663.patch
(limited to 'recipes-core')
diff --git a/recipes-core/libxml/libxml2/CVE-2017-0663.patch b/recipes-core/libxml/libxml2/CVE-2017-0663.patch
new file mode 100644
index 0000000..a4f88b6
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-0663.patch
@@ -0,0 +1,47 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+CVE: CVE-2017-0663
+Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
+
+Signed-off-by: Sona Sarmadi
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a..c51ea29 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+--
+cgit v0.12
+
diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend
index c6e5705..01e59d3 100644
--- a/recipes-core/libxml/libxml2_%.bbappend
+++ b/recipes-core/libxml/libxml2_%.bbappend
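Review bot: The embedded valid.c change leaves a validation gap that the patch header does not record: with the `xmlAddID` and `xmlAddRef` calls in xmlValidateOneNamespace compiled out by `#if 0`/`#endif`, a namespace declaration typed as an ID or reference is no longer registered, and `ret` is no longer cleared on those paths. Consumers that rely on DTD validation to reject such documents will now see them pass, so the header should say so, for example `Note: ID/IDREF validity constraints are no longer enforced on namespace declarations.` The disabled region opens in the first valid.c hunk and closes in the second, so the condition guarding the `xmlAddRef` call lies between the hunks and cannot be checked from here. The function body also continues outside both hunks, so it is worth confirming against the full file that no other `(xmlAttrPtr) ns` cast remains in it.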
@@ -1,7 +1,8 @@ # look for files in the layer first FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -SRC_URI += "file://CVE-2017-5969.patch \ +SRC_URI += "file://CVE-2017-0663.patch \ + file://CVE-2017-5969.patch \ file://CVE-2017-9047_CVE-2017-9048.patch \ file://CVE-2017-9049_CVE-2017-9050.patch \ " -- cgit v1.2.3-54-g00ecf