authorArmin Kuster <akuster@mvista.com>2016-07-09 14:28:45 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-27 08:29:58 +0100
commitf01272c3a5b05922519186bf84a9d5765385e259 (patch)
treefe7eaab4a1558c6c9295f38d6e559a9c870eabc6
parentf2688ed2008c591ed5009371d8e25e95a5891505 (diff)
downloadpoky-f01272c3a5b05922519186bf84a9d5765385e259.tar.gz
libxml2: Security fix for CVE-2016-3705
(From OE-Core rev: aa8ad693a977e104797dd623d7efad705e298eb2) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch71
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 72 insertions, 0 deletions
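--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
@@ -0,0 +1,71 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons@suse.com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH] Add missing increments of recursion depth counter to XML
+ parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+
+Upstream-Status: Backport
+CVE: CVE-2016-3705
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3978,8 +3980,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctx
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4104,9 +4108,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4142,8 +4148,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {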
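Review bot: The four added `++ctxt->depth;` / `--ctxt->depth;` pairs bound the recursion only if the callee compares `ctxt->depth` against a limit, and that check sits in xmlStringDecodeEntities(), outside every hunk shown here. A short comment at each call site, for example `/* count this nesting level so xmlStringDecodeEntities() can reject runaway entity recursion */`, would make that dependency visible to the next person editing these calls. The patch description names only xmlParserEntityCheck() and xmlParseAttValueComplex(), while the hunk at parser.c line 3978 also changes xmlParseEntityValue(), so the header understates which call paths were affected. As far as I recall, libxml2 relaxes this depth limit when XML_PARSE_HUGE is set, so consumers that enable it for untrusted input should confirm the remaining bound is acceptable for their stack size. All four enclosing functions begin and end outside their hunks, and no regression document is added, so the fix is worth confirming in the recipe's test run.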
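--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -5,6 +5,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
  file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
  "
 SRC_URI += "file://CVE-2016-1762.patch \
+ file://CVE-2016-3705.patch \
  "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"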