diff options
author | Hongxu Jia <hongxu.jia@windriver.com> | 2017-08-23 04:30:45 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-27 22:30:06 +0100 |
commit | 2f84fb232f972cb1ca2dc9fa3644cc6a509051ae (patch) | |
tree | 79e9d44d615bb1f905756ef363d763773e5f1b26 | |
parent | 9ec4a4629db6b044b8f52f0b6383f3526012693a (diff) | |
download | poky-2f84fb232f972cb1ca2dc9fa3644cc6a509051ae.tar.gz |
libxml2: Fix CVE-2017-8872
fix global-buffer-overflow in htmlParseTryOrFinish (HTMLparser.c:5403)
https://bugzilla.gnome.org/show_bug.cgi?id=775200
Here is the reproduce steps on ubuntu 16.04, use clang with "-fsanitize=address"
...
export CC="clang"
export CFLAGS="-fsanitize=address"
./configure --disable-shared
make clean all -j
wget https://bugzilla.gnome.org/attachment.cgi?id=340871 -O poc
./xmllint --html --push poc
==2785==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000a0de21 at pc 0x0000006a7f6e bp 0x7ffdfe940c10 sp 0x7ffdfe940c08
READ of size 1 at 0x000000a0de21 thread T0 #0 0x6a7f6d
(/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7f6d) #1 0x6a7356
(/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7356) #2 0x4f4504
(/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f4504) #3 0x4f045e
(/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f045e) #4 0x7f81977d682f
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x419ad8
(/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x419ad8)
...
(From OE-Core rev: a615b0825927a09a0aa8312d131c9acbaef8956d)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch | 37 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch new file mode 100644 index 0000000000..26779aa572 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From d2f873a541c72b0f67e15562819bf98b884b30b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hongxu Jia <hongxu.jia@windriver.com> | ||
3 | Date: Wed, 23 Aug 2017 16:04:49 +0800 | ||
4 | Subject: [PATCH] fix CVE-2017-8872 | ||
5 | |||
6 | this makes xmlHaltParser "empty" the buffer, as it resets cur and ava | ||
7 | il too here. | ||
8 | |||
9 | this seems to cure this specific issue, and also passes the testsuite | ||
10 | |||
11 | Signed-off-by: Marcus Meissner <meissner@suse.de> | ||
12 | |||
13 | https://bugzilla.gnome.org/show_bug.cgi?id=775200 | ||
14 | Upstream-Status: Backport [https://bugzilla.gnome.org/attachment.cgi?id=355527&action=diff] | ||
15 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
16 | --- | ||
17 | parser.c | 4 ++++ | ||
18 | 1 file changed, 4 insertions(+) | ||
19 | |||
20 | diff --git a/parser.c b/parser.c | ||
21 | index 9506ead..6c07ffd 100644 | ||
22 | --- a/parser.c | ||
23 | +++ b/parser.c | ||
24 | @@ -12664,6 +12664,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) { | ||
25 | } | ||
26 | ctxt->input->cur = BAD_CAST""; | ||
27 | ctxt->input->base = ctxt->input->cur; | ||
28 | + if (ctxt->input->buf) { | ||
29 | + xmlBufEmpty (ctxt->input->buf->buffer); | ||
30 | + } else | ||
31 | + ctxt->input->length = 0; | ||
32 | } | ||
33 | } | ||
34 | |||
35 | -- | ||
36 | 2.7.4 | ||
37 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index f67c47d29c..107539b50d 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb | |||
@@ -28,6 +28,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
28 | file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \ | 28 | file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \ |
29 | file://libxml2-CVE-2017-5969.patch \ | 29 | file://libxml2-CVE-2017-5969.patch \ |
30 | file://libxml2-CVE-2017-0663.patch \ | 30 | file://libxml2-CVE-2017-0663.patch \ |
31 | file://libxml2-CVE-2017-8872.patch \ | ||
31 | file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \ | 32 | file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \ |
32 | " | 33 | " |
33 | 34 | ||