summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2016-11-28 17:55:40 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-11-30 15:48:08 +0000
commit685ef239df17c6aae8bf20529e3dacc32e18edb4 (patch)
tree3369fbd930cd4530dad6e2e3fb9cb9753a7b00d5
parentb7deb1f046fc4f5ae2c1e1b3be0dce9b131c2f28 (diff)
downloadpoky-685ef239df17c6aae8bf20529e3dacc32e18edb4.tar.gz
libxml2: Security fix CVE-2016-5131
CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131 Patch from: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e (From OE-Core rev: 640bd2b98ff33e49b42f1087650ebe20d92259a4) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch180
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.4.bb1
2 files changed, 181 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
new file mode 100644
index 0000000000..9d47d023a9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch
@@ -0,0 +1,180 @@
1From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 28 Jun 2016 14:22:23 +0200
4Subject: [PATCH] Fix XPointer paths beginning with range-to
5
6The old code would invoke the broken xmlXPtrRangeToFunction. range-to
7isn't really a function but a special kind of location step. Remove
8this function and always handle range-to in the XPath code.
9
10The old xmlXPtrRangeToFunction could also be abused to trigger a
11use-after-free error with the potential for remote code execution.
12
13Found with afl-fuzz.
14
15Fixes CVE-2016-5131.
16
17CVE: CVE-2016-5131
18Upstream-Status: Backport
19https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
20
21Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
22---
23 result/XPath/xptr/vidbase | 13 ++++++++
24 test/XPath/xptr/vidbase | 1 +
25 xpath.c | 7 ++++-
26 xpointer.c | 76 ++++-------------------------------------------
27 4 files changed, 26 insertions(+), 71 deletions(-)
28
29diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
30index 8b9e92d..f19193e 100644
31--- a/result/XPath/xptr/vidbase
32+++ b/result/XPath/xptr/vidbase
33@@ -17,3 +17,16 @@ Object is a Location Set:
34 To node
35 ELEMENT p
36
37+
38+========================
39+Expression: xpointer(range-to(id('chapter2')))
40+Object is a Location Set:
41+1 : Object is a range :
42+ From node
43+ /
44+ To node
45+ ELEMENT chapter
46+ ATTRIBUTE id
47+ TEXT
48+ content=chapter2
49+
50diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
51index b146383..884b106 100644
52--- a/test/XPath/xptr/vidbase
53+++ b/test/XPath/xptr/vidbase
54@@ -1,2 +1,3 @@
55 xpointer(id('chapter1')/p)
56 xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
57+xpointer(range-to(id('chapter2')))
58diff --git a/xpath.c b/xpath.c
59index d992841..5a01b1b 100644
60--- a/xpath.c
61+++ b/xpath.c
62@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
63 lc = 1;
64 break;
65 } else if ((NXT(len) == '(')) {
66- /* Note Type or Function */
67+ /* Node Type or Function */
68 if (xmlXPathIsNodeType(name)) {
69 #ifdef DEBUG_STEP
70 xmlGenericError(xmlGenericErrorContext,
71 "PathExpr: Type search\n");
72 #endif
73 lc = 1;
74+#ifdef LIBXML_XPTR_ENABLED
75+ } else if (ctxt->xptr &&
76+ xmlStrEqual(name, BAD_CAST "range-to")) {
77+ lc = 1;
78+#endif
79 } else {
80 #ifdef DEBUG_STEP
81 xmlGenericError(xmlGenericErrorContext,
82diff --git a/xpointer.c b/xpointer.c
83index 676c510..d74174a 100644
84--- a/xpointer.c
85+++ b/xpointer.c
86@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
87 ret->here = here;
88 ret->origin = origin;
89
90- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
91- xmlXPtrRangeToFunction);
92 xmlXPathRegisterFunc(ret, (xmlChar *)"range",
93 xmlXPtrRangeFunction);
94 xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
95@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
96 * @nargs: the number of args
97 *
98 * Implement the range-to() XPointer function
99+ *
100+ * Obsolete. range-to is not a real function but a special type of location
101+ * step which is handled in xpath.c.
102 */
103 void
104-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
105- xmlXPathObjectPtr range;
106- const xmlChar *cur;
107- xmlXPathObjectPtr res, obj;
108- xmlXPathObjectPtr tmp;
109- xmlLocationSetPtr newset = NULL;
110- xmlNodeSetPtr oldset;
111- int i;
112-
113- if (ctxt == NULL) return;
114- CHECK_ARITY(1);
115- /*
116- * Save the expression pointer since we will have to evaluate
117- * it multiple times. Initialize the new set.
118- */
119- CHECK_TYPE(XPATH_NODESET);
120- obj = valuePop(ctxt);
121- oldset = obj->nodesetval;
122- ctxt->context->node = NULL;
123-
124- cur = ctxt->cur;
125- newset = xmlXPtrLocationSetCreate(NULL);
126-
127- for (i = 0; i < oldset->nodeNr; i++) {
128- ctxt->cur = cur;
129-
130- /*
131- * Run the evaluation with a node list made of a single item
132- * in the nodeset.
133- */
134- ctxt->context->node = oldset->nodeTab[i];
135- tmp = xmlXPathNewNodeSet(ctxt->context->node);
136- valuePush(ctxt, tmp);
137-
138- xmlXPathEvalExpr(ctxt);
139- CHECK_ERROR;
140-
141- /*
142- * The result of the evaluation need to be tested to
143- * decided whether the filter succeeded or not
144- */
145- res = valuePop(ctxt);
146- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
147- if (range != NULL) {
148- xmlXPtrLocationSetAdd(newset, range);
149- }
150-
151- /*
152- * Cleanup
153- */
154- if (res != NULL)
155- xmlXPathFreeObject(res);
156- if (ctxt->value == tmp) {
157- res = valuePop(ctxt);
158- xmlXPathFreeObject(res);
159- }
160-
161- ctxt->context->node = NULL;
162- }
163-
164- /*
165- * The result is used as the new evaluation set.
166- */
167- xmlXPathFreeObject(obj);
168- ctxt->context->node = NULL;
169- ctxt->context->contextSize = -1;
170- ctxt->context->proximityPosition = -1;
171- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
172+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
173+ int nargs ATTRIBUTE_UNUSED) {
174+ XP_ERROR(XPATH_EXPR_ERROR);
175 }
176
177 /**
178--
1792.7.4
180
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 59874bec2c..1fed90b07e 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
19 file://run-ptest \ 19 file://run-ptest \
20 file://python-sitepackages-dir.patch \ 20 file://python-sitepackages-dir.patch \
21 file://libxml-m4-use-pkgconfig.patch \ 21 file://libxml-m4-use-pkgconfig.patch \
22 file://libxml2-CVE-2016-5131.patch \
22 " 23 "
23 24
24SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5" 25SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"