diff options
| author | Armin Kuster <akuster@mvista.com> | 2016-07-09 15:02:26 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-07-27 08:29:59 +0100 |
| commit | 1081306623cdac51b031d433acd6f77c1f83bf2d (patch) | |
| tree | a2f2085ba6277f545a766654c4038e3150fd717c | |
| parent | f96cfb009dce61d5059fc4c6fd4da59d908df30e (diff) | |
| download | poky-1081306623cdac51b031d433acd6f77c1f83bf2d.tar.gz | |
libxml2: Security fix for CVE-2016-1835
Affects libxml2 < 2.9.4
(From OE-Core rev: d008b7023cb703a787c8fcac5cd87628b38a9ecd)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch | 95 | ||||
| -rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch new file mode 100644 index 0000000000..158b0aa5fa --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch | |||
| @@ -0,0 +1,95 @@ | |||
| 1 | From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Pranjal Jumde <pjumde@apple.com> | ||
| 3 | Date: Mon, 7 Mar 2016 14:04:08 -0800 | ||
| 4 | Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs | ||
| 5 | |||
| 6 | For https://bugzilla.gnome.org/show_bug.cgi?id=759020 | ||
| 7 | |||
| 8 | * parser.c: | ||
| 9 | (xmlParseStartTag2): Attribute strings are only valid if the | ||
| 10 | base does not change, so add another check where the base may | ||
| 11 | change. Make sure to set 'attvalue' to NULL after freeing it. | ||
| 12 | * result/errors/759020.xml: Added. | ||
| 13 | * result/errors/759020.xml.err: Added. | ||
| 14 | * result/errors/759020.xml.str: Added. | ||
| 15 | * test/errors/759020.xml: Added test case. | ||
| 16 | |||
| 17 | Upstream-Status: Backport | ||
| 18 | CVE: CVE-2016-1835 | ||
| 19 | |||
| 20 | excluded test/errors/759020.xml: Added test case., they wont apply | ||
| 21 | |||
| 22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 23 | |||
| 24 | --- | ||
| 25 | parser.c | 12 ++++++++++-- | ||
| 26 | result/errors/759020.xml | 0 | ||
| 27 | result/errors/759020.xml.err | 6 ++++++ | ||
| 28 | result/errors/759020.xml.str | 7 +++++++ | ||
| 29 | test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++ | ||
| 30 | 5 files changed, 69 insertions(+), 2 deletions(-) | ||
| 31 | create mode 100644 result/errors/759020.xml | ||
| 32 | create mode 100644 result/errors/759020.xml.err | ||
| 33 | create mode 100644 result/errors/759020.xml.str | ||
| 34 | create mode 100644 test/errors/759020.xml | ||
| 35 | |||
| 36 | Index: libxml2-2.9.2/parser.c | ||
| 37 | =================================================================== | ||
| 38 | --- libxml2-2.9.2.orig/parser.c | ||
| 39 | +++ libxml2-2.9.2/parser.c | ||
| 40 | @@ -9499,7 +9499,10 @@ reparse: | ||
| 41 | else | ||
| 42 | if (nsPush(ctxt, NULL, URL) > 0) nbNs++; | ||
| 43 | skip_default_ns: | ||
| 44 | - if (alloc != 0) xmlFree(attvalue); | ||
| 45 | + if ((attvalue != NULL) && (alloc != 0)) { | ||
| 46 | + xmlFree(attvalue); | ||
| 47 | + attvalue = NULL; | ||
| 48 | + } | ||
| 49 | if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) | ||
| 50 | break; | ||
| 51 | if (!IS_BLANK_CH(RAW)) { | ||
| 52 | @@ -9508,6 +9511,8 @@ skip_default_ns: | ||
| 53 | break; | ||
| 54 | } | ||
| 55 | SKIP_BLANKS; | ||
| 56 | + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) | ||
| 57 | + goto base_changed; | ||
| 58 | continue; | ||
| 59 | } | ||
| 60 | if (aprefix == ctxt->str_xmlns) { | ||
| 61 | @@ -9579,7 +9584,10 @@ skip_default_ns: | ||
| 62 | else | ||
| 63 | if (nsPush(ctxt, attname, URL) > 0) nbNs++; | ||
| 64 | skip_ns: | ||
| 65 | - if (alloc != 0) xmlFree(attvalue); | ||
| 66 | + if ((attvalue != NULL) && (alloc != 0)) { | ||
| 67 | + xmlFree(attvalue); | ||
| 68 | + attvalue = NULL; | ||
| 69 | + } | ||
| 70 | if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) | ||
| 71 | break; | ||
| 72 | if (!IS_BLANK_CH(RAW)) { | ||
| 73 | Index: libxml2-2.9.2/result/errors/759020.xml.err | ||
| 74 | =================================================================== | ||
| 75 | --- /dev/null | ||
| 76 | +++ libxml2-2.9.2/result/errors/759020.xml.err | ||
| 77 | @@ -0,0 +1,6 @@ | ||
| 78 | +./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute | ||
| 79 | +0000000000000000000000000000000000000000000000000000000000000000000000000000000' | ||
| 80 | + ^ | ||
| 81 | +./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 | ||
| 82 | + | ||
| 83 | + ^ | ||
| 84 | Index: libxml2-2.9.2/result/errors/759020.xml.str | ||
| 85 | =================================================================== | ||
| 86 | --- /dev/null | ||
| 87 | +++ libxml2-2.9.2/result/errors/759020.xml.str | ||
| 88 | @@ -0,0 +1,7 @@ | ||
| 89 | +./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute | ||
| 90 | +0000000000000000000000000000000000000000000000000000000000000000000000000000000' | ||
| 91 | + ^ | ||
| 92 | +./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 | ||
| 93 | + | ||
| 94 | + ^ | ||
| 95 | +./test/errors/759020.xml : failed to parse | ||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index eeed6ac170..2bbdb0961d 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb | |||
| @@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2016-1762.patch \ | |||
| 14 | file://CVE-2016-1836.patch \ | 14 | file://CVE-2016-1836.patch \ |
| 15 | file://CVE-2016-4449.patch \ | 15 | file://CVE-2016-4449.patch \ |
| 16 | file://CVE-2016-1837.patch \ | 16 | file://CVE-2016-1837.patch \ |
| 17 | file://CVE-2016-1835.patch \ | ||
| 17 | " | 18 | " |
| 18 | 19 | ||
| 19 | SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" | 20 | SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" |