libxml2: CVE-2016-9318

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318 Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0 (From OE-Core rev: 0dd44c00e3b2fbc3befc3f361624a3a60161d979) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Enache <catalin.enache@windriver.com> 2017-04-14 11:43:32 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-04-29 11:17:23 +0100
commit: d7ec005904b456c62a226efd5c6931e81459052a (patch)
tree: fbbb0318d9e97a4c8d29645bc2822ce8233c5c93 /meta/recipes-core/libxml/libxml2_2.9.4.bb
parent: 5970acb3fe28d4af59834b5cacb2d8d4d3511506 (diff)
download: poky-d7ec005904b456c62a226efd5c6931e81459052a.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 0c3d683623..7d0e121be1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml2-CVE-2016-5131.patch \
           file://libxml2-CVE-2016-4658.patch \
           file://libxml2-fix_NULL_pointer_derefs.patch \
+           file://CVE-2016-9318.patch \
          "
 SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
author	Catalin Enache <catalin.enache@windriver.com>	2017-04-14 11:43:32 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-04-29 11:17:23 +0100
commit	d7ec005904b456c62a226efd5c6931e81459052a (patch)
tree	fbbb0318d9e97a4c8d29645bc2822ce8233c5c93 /meta/recipes-core/libxml/libxml2_2.9.4.bb
parent	5970acb3fe28d4af59834b5cacb2d8d4d3511506 (diff)
download	poky-d7ec005904b456c62a226efd5c6931e81459052a.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 0c3d683623..7d0e121be1 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
23	file://libxml2-CVE-2016-5131.patch \	23	file://libxml2-CVE-2016-5131.patch \
24	file://libxml2-CVE-2016-4658.patch \	24	file://libxml2-CVE-2016-4658.patch \
25	file://libxml2-fix_NULL_pointer_derefs.patch \	25	file://libxml2-fix_NULL_pointer_derefs.patch \
		26	file://CVE-2016-9318.patch \
26	"	27	"
27		28
28	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"	29	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"