summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-07-09 15:06:40 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-27 08:29:59 +0100
commit4e260c96f4a3535a6874a8361f7e58a2fa1ca7ed (patch)
tree0f201e0835add43813020e786d6d4bad45c9dee9
parent1ecd2f56aa274ce11c9d72f58289218d824ec995 (diff)
downloadpoky-4e260c96f4a3535a6874a8361f7e58a2fa1ca7ed.tar.gz
libxml2: Security fix for CVE-2016-3627
Affects libxml2 < 2.9.4 (From OE-Core rev: ceabe39237a035efda6a74c746848a9fbab30a08) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch64
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch
new file mode 100644
index 0000000000..2de9c5ecb9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch
@@ -0,0 +1,64 @@
1From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Mon, 23 May 2016 12:27:58 +0800
4Subject: [PATCH] Avoid building recursive entities
5
6For https://bugzilla.gnome.org/show_bug.cgi?id=762100
7
8When we detect a recusive entity we should really not
9build the associated data, moreover if someone bypass
10libxml2 fatal errors and still tries to serialize a broken
11entity make sure we don't risk to get ito a recursion
12
13* parser.c: xmlParserEntityCheck() don't build if entity loop
14 were found and remove the associated text content
15* tree.c: xmlStringGetNodeList() avoid a potential recursion
16
17Upstream-Status: Backport
18CVE: CVE-2016-3627
19Signed-off-by: Armin Kuster <akuster@mvsita.com
20
21---
22 parser.c | 6 +++++-
23 tree.c | 1 +
24 2 files changed, 6 insertions(+), 1 deletion(-)
25
26diff --git a/parser.c b/parser.c
27index ea0e89e..53a6b7f 100644
28--- a/parser.c
29+++ b/parser.c
30@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
31 * entities problems
32 */
33 if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
34- (ent->content != NULL) && (ent->checked == 0)) {
35+ (ent->content != NULL) && (ent->checked == 0) &&
36+ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
37 unsigned long oldnbent = ctxt->nbentities;
38 xmlChar *rep;
39
40@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
41 rep = xmlStringDecodeEntities(ctxt, ent->content,
42 XML_SUBSTITUTE_REF, 0, 0, 0);
43 --ctxt->depth;
44+ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
45+ ent->content[0] = 0;
46+ }
47
48 ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
49 if (rep != NULL) {
50diff --git a/tree.c b/tree.c
51index 7fbca6e..9d330b8 100644
52--- a/tree.c
53+++ b/tree.c
54@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
55 else if ((ent != NULL) && (ent->children == NULL)) {
56 xmlNodePtr temp;
57
58+ ent->children = (xmlNodePtr) -1;
59 ent->children = xmlStringGetNodeList(doc,
60 (const xmlChar*)node->content);
61 ent->owner = 1;
62--
632.3.5
64
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 76efa9ffca..90f7a7ab79 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
16 file://CVE-2016-1837.patch \ 16 file://CVE-2016-1837.patch \
17 file://CVE-2016-1835.patch \ 17 file://CVE-2016-1835.patch \
18 file://CVE-2016-1833.patch \ 18 file://CVE-2016-1833.patch \
19 file://CVE-2016-3627.patch \
19 " 20 "
20 21
21SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" 22SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"