diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2016-12-12 14:20:19 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-12-16 10:23:23 +0000 |
commit | c7f90071327a5a9026de547bbd881d6d608dcc0b (patch) | |
tree | a214699539be48b3d8e5366acd55ed529c0b49eb | |
parent | 333890953db568118b34692e9beb15c3c8eecdd0 (diff) | |
download | poky-c7f90071327a5a9026de547bbd881d6d608dcc0b.tar.gz |
libxml2: Necessary changes before fixing CVE-2016-5131
xpath:
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.
- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
(From OE-Core rev: 96ef568f75dded56a2123b63dcc8b443f796afe0)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch | 67 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch new file mode 100644 index 0000000000..11718bb2bd --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer | ||
2 | |||
3 | xpath: | ||
4 | - Check for errors after evaluating first operand. | ||
5 | - Add sanity check for empty stack. | ||
6 | - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes | ||
7 | |||
8 | Upstream-Status: Backported | ||
9 | - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b] | ||
10 | - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8] | ||
11 | CVE: necessary changes for fixing CVE-2016-5131 | ||
12 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
13 | Signed-off-by: Pascal Bach <pascal.bach@siemens.com> | ||
14 | |||
15 | diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror | ||
16 | new file mode 100644 | ||
17 | index 0000000..d589882 | ||
18 | --- /dev/null | ||
19 | +++ b/result/XPath/xptr/viderror | ||
20 | @@ -0,0 +1,4 @@ | ||
21 | + | ||
22 | +======================== | ||
23 | +Expression: xpointer(non-existing-fn()/range-to(id('chapter2'))) | ||
24 | +Object is empty (NULL) | ||
25 | diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror | ||
26 | new file mode 100644 | ||
27 | index 0000000..da8c53b | ||
28 | --- /dev/null | ||
29 | +++ b/test/XPath/xptr/viderror | ||
30 | @@ -0,0 +1 @@ | ||
31 | +xpointer(non-existing-fn()/range-to(id('chapter2'))) | ||
32 | diff --git a/xpath.c b/xpath.c | ||
33 | index 113bce6..d992841 100644 | ||
34 | --- a/xpath.c | ||
35 | +++ b/xpath.c | ||
36 | @@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) { | ||
37 | * compute depth to root | ||
38 | */ | ||
39 | for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { | ||
40 | - if (cur == node1) | ||
41 | + if (cur->parent == node1) | ||
42 | return(1); | ||
43 | depth2++; | ||
44 | } | ||
45 | root = cur; | ||
46 | for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { | ||
47 | - if (cur == node2) | ||
48 | + if (cur->parent == node2) | ||
49 | return(-1); | ||
50 | depth1++; | ||
51 | } | ||
52 | @@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) | ||
53 | xmlNodeSetPtr oldset; | ||
54 | int i, j; | ||
55 | |||
56 | - if (op->ch1 != -1) | ||
57 | + if (op->ch1 != -1) { | ||
58 | total += | ||
59 | xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); | ||
60 | + CHECK_ERROR0; | ||
61 | + } | ||
62 | + if (ctxt->value == NULL) { | ||
63 | + XP_ERROR0(XPATH_INVALID_OPERAND); | ||
64 | + } | ||
65 | if (op->ch2 == -1) | ||
66 | return (total); | ||
67 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 1fed90b07e..66a89400e5 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb | |||
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
19 | file://run-ptest \ | 19 | file://run-ptest \ |
20 | file://python-sitepackages-dir.patch \ | 20 | file://python-sitepackages-dir.patch \ |
21 | file://libxml-m4-use-pkgconfig.patch \ | 21 | file://libxml-m4-use-pkgconfig.patch \ |
22 | file://libxml2-fix_node_comparison.patch \ | ||
22 | file://libxml2-CVE-2016-5131.patch \ | 23 | file://libxml2-CVE-2016-5131.patch \ |
23 | " | 24 | " |
24 | 25 | ||