diff options
| author | Andrej Valek <andrej.valek@siemens.com> | 2017-06-14 15:01:35 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-07-27 22:36:44 +0100 |
| commit | 9d59e7d739fe48cf99c894dc3f9dd79a252084f3 (patch) | |
| tree | 1a0c772d52aa83bd9ab77858fdff8b3db71a6289 | |
| parent | 93b0d29184419318cda433bb0a764f8f2a7eeb6a (diff) | |
| download | poky-9d59e7d739fe48cf99c894dc3f9dd79a252084f3.tar.gz | |
libxml2: Fix CVE-2017-5969
Fix NULL pointer deref in xmlDumpElementContent
Can only be triggered in recovery mode.
Fixes bug 758422
CVE: CVE-2017-5969
(From OE-Core rev: 0cae039cbe513b7998e067f4f3958af2ec65ed1a)
(From OE-Core rev: f0017a7b8b3fc4407e6596156b57aa1183937382)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch | 62 | ||||
| -rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 |
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch new file mode 100644 index 0000000000..571b05c087 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch | |||
| @@ -0,0 +1,62 @@ | |||
| 1 | libxml2-2.9.4: Fix CVE-2017-5969 | ||
| 2 | |||
| 3 | [No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422 | ||
| 4 | |||
| 5 | valid: Fix NULL pointer deref in xmlDumpElementContent | ||
| 6 | |||
| 7 | Can only be triggered in recovery mode. | ||
| 8 | |||
| 9 | Fixes bug 758422 | ||
| 10 | |||
| 11 | Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882] | ||
| 12 | CVE: CVE-2017-5969 | ||
| 13 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
| 14 | |||
| 15 | diff --git a/valid.c b/valid.c | ||
| 16 | index 19f84b8..0a8e58a 100644 | ||
| 17 | --- a/valid.c | ||
| 18 | +++ b/valid.c | ||
| 19 | @@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) | ||
| 20 | xmlBufferWriteCHAR(buf, content->name); | ||
| 21 | break; | ||
| 22 | case XML_ELEMENT_CONTENT_SEQ: | ||
| 23 | - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || | ||
| 24 | - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) | ||
| 25 | + if ((content->c1 != NULL) && | ||
| 26 | + ((content->c1->type == XML_ELEMENT_CONTENT_OR) || | ||
| 27 | + (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) | ||
| 28 | xmlDumpElementContent(buf, content->c1, 1); | ||
| 29 | else | ||
| 30 | xmlDumpElementContent(buf, content->c1, 0); | ||
| 31 | xmlBufferWriteChar(buf, " , "); | ||
| 32 | - if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || | ||
| 33 | - ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && | ||
| 34 | - (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) | ||
| 35 | + if ((content->c2 != NULL) && | ||
| 36 | + ((content->c2->type == XML_ELEMENT_CONTENT_OR) || | ||
| 37 | + ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && | ||
| 38 | + (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) | ||
| 39 | xmlDumpElementContent(buf, content->c2, 1); | ||
| 40 | else | ||
| 41 | xmlDumpElementContent(buf, content->c2, 0); | ||
| 42 | break; | ||
| 43 | case XML_ELEMENT_CONTENT_OR: | ||
| 44 | - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || | ||
| 45 | - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) | ||
| 46 | + if ((content->c1 != NULL) && | ||
| 47 | + ((content->c1->type == XML_ELEMENT_CONTENT_OR) || | ||
| 48 | + (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) | ||
| 49 | xmlDumpElementContent(buf, content->c1, 1); | ||
| 50 | else | ||
| 51 | xmlDumpElementContent(buf, content->c1, 0); | ||
| 52 | xmlBufferWriteChar(buf, " | "); | ||
| 53 | - if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || | ||
| 54 | - ((content->c2->type == XML_ELEMENT_CONTENT_OR) && | ||
| 55 | - (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) | ||
| 56 | + if ((content->c2 != NULL) && | ||
| 57 | + ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || | ||
| 58 | + ((content->c2->type == XML_ELEMENT_CONTENT_OR) && | ||
| 59 | + (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) | ||
| 60 | xmlDumpElementContent(buf, content->c2, 1); | ||
| 61 | else | ||
| 62 | xmlDumpElementContent(buf, content->c2, 0); | ||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 09a74451d8..5776f0f8d3 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb | |||
| @@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
| 26 | file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \ | 26 | file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \ |
| 27 | file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \ | 27 | file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \ |
| 28 | file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \ | 28 | file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \ |
| 29 | file://libxml2-CVE-2017-5969.patch \ | ||
| 29 | file://CVE-2016-9318.patch \ | 30 | file://CVE-2016-9318.patch \ |
| 30 | " | 31 | " |
| 31 | 32 | ||