authorAndrej Valek <andrej.valek@siemens.com>2016-12-12 14:20:19 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-12-16 10:23:23 +0000
commitc7f90071327a5a9026de547bbd881d6d608dcc0b (patch)
treea214699539be48b3d8e5366acd55ed529c0b49eb
parent333890953db568118b34692e9beb15c3c8eecdd0 (diff)
downloadpoky-c7f90071327a5a9026de547bbd881d6d608dcc0b.tar.gz
libxml2: Necessary changes before fixing CVE-2016-5131
xpath: - Check for errors after evaluating first operand. - Add sanity check for empty stack. - Include comparison in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes (From OE-Core rev: 96ef568f75dded56a2123b63dcc8b443f796afe0) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch67
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.4.bb1
2 files changed, 68 insertions, 0 deletions
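--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
@@ -0,0 +1,67 @@
+libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
+
+xpath:
+ - Check for errors after evaluating first operand.
+ - Add sanity check for empty stack.
+ - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
+
+Upstream-Status: Backported
+ - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
+CVE: necessary changes for fixing CVE-2016-5131
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
+new file mode 100644
+index 0000000..d589882
+--- /dev/null
++++ b/result/XPath/xptr/viderror
+@@ -0,0 +1,4 @@
++
++========================
++Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
++Object is empty (NULL)
+diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
+new file mode 100644
+index 0000000..da8c53b
+--- /dev/null
++++ b/test/XPath/xptr/viderror
+@@ -0,0 +1 @@
++xpointer(non-existing-fn()/range-to(id('chapter2')))
+diff --git a/xpath.c b/xpath.c
+index 113bce6..d992841 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
+ * compute depth to root
+ */
+ for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node1)
++ if (cur->parent == node1)
+ return(1);
+ depth2++;
+ }
+ root = cur;
+ for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node2)
++ if (cur->parent == node2)
+ return(-1);
+ depth1++;
+ }
+@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ xmlNodeSetPtr oldset;
+ int i, j;
+
+- if (op->ch1 != -1)
++ if (op->ch1 != -1) {
+ total +=
+ xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
++ CHECK_ERROR0;
++ }
++ if (ctxt->value == NULL) {
++ XP_ERROR0(XPATH_INVALID_OPERAND);
++ }
+ if (op->ch2 == -1)
+ return (total);
+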
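Review bot: The patch header on lines 8-11 of the new file uses `Upstream-Status: Backported` and a free-text `CVE:` line; the documented OE-Core value is `Backport`, so I would write `Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]` with the second commit URL in the same bracketed form. If CVE tracking is meant to associate this prerequisite with the fix, the tag would presumably need the bare identifier, `CVE: CVE-2016-5131`, with the "necessary changes" wording kept in the description; that is worth confirming against how the follow-up patch is tagged. The xmlXPathCompOpEval hunk is a crash fix in its own right (the added viderror case exercises the NULL operand path), and the header should say so rather than present it only as preparation. The xmlXPathCmpNodes change has no test in this backport, and it relies on the `node1 == node2` case being handled earlier in the function, outside the hunk.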
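--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
 file://run-ptest \
 file://python-sitepackages-dir.patch \
 file://libxml-m4-use-pkgconfig.patch \
+file://libxml2-fix_node_comparison.patch \
 file://libxml2-CVE-2016-5131.patch \
 "
 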