diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2016-11-28 17:55:40 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-30 15:48:08 +0000 |
commit | 685ef239df17c6aae8bf20529e3dacc32e18edb4 (patch) | |
tree | 3369fbd930cd4530dad6e2e3fb9cb9753a7b00d5 /meta/recipes-core | |
parent | b7deb1f046fc4f5ae2c1e1b3be0dce9b131c2f28 (diff) | |
download | poky-685ef239df17c6aae8bf20529e3dacc32e18edb4.tar.gz |
libxml2: Security fix CVE-2016-5131
CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through
2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors related to the XPointer range-to function.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131
Patch from:
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
(From OE-Core rev: 640bd2b98ff33e49b42f1087650ebe20d92259a4)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch | 180 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 |
2 files changed, 181 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch new file mode 100644 index 0000000000..9d47d023a9 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch | |||
@@ -0,0 +1,180 @@ | |||
1 | From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 28 Jun 2016 14:22:23 +0200 | ||
4 | Subject: [PATCH] Fix XPointer paths beginning with range-to | ||
5 | |||
6 | The old code would invoke the broken xmlXPtrRangeToFunction. range-to | ||
7 | isn't really a function but a special kind of location step. Remove | ||
8 | this function and always handle range-to in the XPath code. | ||
9 | |||
10 | The old xmlXPtrRangeToFunction could also be abused to trigger a | ||
11 | use-after-free error with the potential for remote code execution. | ||
12 | |||
13 | Found with afl-fuzz. | ||
14 | |||
15 | Fixes CVE-2016-5131. | ||
16 | |||
17 | CVE: CVE-2016-5131 | ||
18 | Upstream-Status: Backport | ||
19 | https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e | ||
20 | |||
21 | Signed-off-by: Yi Zhao <yi.zhao@windirver.com> | ||
22 | --- | ||
23 | result/XPath/xptr/vidbase | 13 ++++++++ | ||
24 | test/XPath/xptr/vidbase | 1 + | ||
25 | xpath.c | 7 ++++- | ||
26 | xpointer.c | 76 ++++------------------------------------------- | ||
27 | 4 files changed, 26 insertions(+), 71 deletions(-) | ||
28 | |||
29 | diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase | ||
30 | index 8b9e92d..f19193e 100644 | ||
31 | --- a/result/XPath/xptr/vidbase | ||
32 | +++ b/result/XPath/xptr/vidbase | ||
33 | @@ -17,3 +17,16 @@ Object is a Location Set: | ||
34 | To node | ||
35 | ELEMENT p | ||
36 | |||
37 | + | ||
38 | +======================== | ||
39 | +Expression: xpointer(range-to(id('chapter2'))) | ||
40 | +Object is a Location Set: | ||
41 | +1 : Object is a range : | ||
42 | + From node | ||
43 | + / | ||
44 | + To node | ||
45 | + ELEMENT chapter | ||
46 | + ATTRIBUTE id | ||
47 | + TEXT | ||
48 | + content=chapter2 | ||
49 | + | ||
50 | diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase | ||
51 | index b146383..884b106 100644 | ||
52 | --- a/test/XPath/xptr/vidbase | ||
53 | +++ b/test/XPath/xptr/vidbase | ||
54 | @@ -1,2 +1,3 @@ | ||
55 | xpointer(id('chapter1')/p) | ||
56 | xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2])) | ||
57 | +xpointer(range-to(id('chapter2'))) | ||
58 | diff --git a/xpath.c b/xpath.c | ||
59 | index d992841..5a01b1b 100644 | ||
60 | --- a/xpath.c | ||
61 | +++ b/xpath.c | ||
62 | @@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { | ||
63 | lc = 1; | ||
64 | break; | ||
65 | } else if ((NXT(len) == '(')) { | ||
66 | - /* Note Type or Function */ | ||
67 | + /* Node Type or Function */ | ||
68 | if (xmlXPathIsNodeType(name)) { | ||
69 | #ifdef DEBUG_STEP | ||
70 | xmlGenericError(xmlGenericErrorContext, | ||
71 | "PathExpr: Type search\n"); | ||
72 | #endif | ||
73 | lc = 1; | ||
74 | +#ifdef LIBXML_XPTR_ENABLED | ||
75 | + } else if (ctxt->xptr && | ||
76 | + xmlStrEqual(name, BAD_CAST "range-to")) { | ||
77 | + lc = 1; | ||
78 | +#endif | ||
79 | } else { | ||
80 | #ifdef DEBUG_STEP | ||
81 | xmlGenericError(xmlGenericErrorContext, | ||
82 | diff --git a/xpointer.c b/xpointer.c | ||
83 | index 676c510..d74174a 100644 | ||
84 | --- a/xpointer.c | ||
85 | +++ b/xpointer.c | ||
86 | @@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { | ||
87 | ret->here = here; | ||
88 | ret->origin = origin; | ||
89 | |||
90 | - xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", | ||
91 | - xmlXPtrRangeToFunction); | ||
92 | xmlXPathRegisterFunc(ret, (xmlChar *)"range", | ||
93 | xmlXPtrRangeFunction); | ||
94 | xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", | ||
95 | @@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { | ||
96 | * @nargs: the number of args | ||
97 | * | ||
98 | * Implement the range-to() XPointer function | ||
99 | + * | ||
100 | + * Obsolete. range-to is not a real function but a special type of location | ||
101 | + * step which is handled in xpath.c. | ||
102 | */ | ||
103 | void | ||
104 | -xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { | ||
105 | - xmlXPathObjectPtr range; | ||
106 | - const xmlChar *cur; | ||
107 | - xmlXPathObjectPtr res, obj; | ||
108 | - xmlXPathObjectPtr tmp; | ||
109 | - xmlLocationSetPtr newset = NULL; | ||
110 | - xmlNodeSetPtr oldset; | ||
111 | - int i; | ||
112 | - | ||
113 | - if (ctxt == NULL) return; | ||
114 | - CHECK_ARITY(1); | ||
115 | - /* | ||
116 | - * Save the expression pointer since we will have to evaluate | ||
117 | - * it multiple times. Initialize the new set. | ||
118 | - */ | ||
119 | - CHECK_TYPE(XPATH_NODESET); | ||
120 | - obj = valuePop(ctxt); | ||
121 | - oldset = obj->nodesetval; | ||
122 | - ctxt->context->node = NULL; | ||
123 | - | ||
124 | - cur = ctxt->cur; | ||
125 | - newset = xmlXPtrLocationSetCreate(NULL); | ||
126 | - | ||
127 | - for (i = 0; i < oldset->nodeNr; i++) { | ||
128 | - ctxt->cur = cur; | ||
129 | - | ||
130 | - /* | ||
131 | - * Run the evaluation with a node list made of a single item | ||
132 | - * in the nodeset. | ||
133 | - */ | ||
134 | - ctxt->context->node = oldset->nodeTab[i]; | ||
135 | - tmp = xmlXPathNewNodeSet(ctxt->context->node); | ||
136 | - valuePush(ctxt, tmp); | ||
137 | - | ||
138 | - xmlXPathEvalExpr(ctxt); | ||
139 | - CHECK_ERROR; | ||
140 | - | ||
141 | - /* | ||
142 | - * The result of the evaluation need to be tested to | ||
143 | - * decided whether the filter succeeded or not | ||
144 | - */ | ||
145 | - res = valuePop(ctxt); | ||
146 | - range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); | ||
147 | - if (range != NULL) { | ||
148 | - xmlXPtrLocationSetAdd(newset, range); | ||
149 | - } | ||
150 | - | ||
151 | - /* | ||
152 | - * Cleanup | ||
153 | - */ | ||
154 | - if (res != NULL) | ||
155 | - xmlXPathFreeObject(res); | ||
156 | - if (ctxt->value == tmp) { | ||
157 | - res = valuePop(ctxt); | ||
158 | - xmlXPathFreeObject(res); | ||
159 | - } | ||
160 | - | ||
161 | - ctxt->context->node = NULL; | ||
162 | - } | ||
163 | - | ||
164 | - /* | ||
165 | - * The result is used as the new evaluation set. | ||
166 | - */ | ||
167 | - xmlXPathFreeObject(obj); | ||
168 | - ctxt->context->node = NULL; | ||
169 | - ctxt->context->contextSize = -1; | ||
170 | - ctxt->context->proximityPosition = -1; | ||
171 | - valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); | ||
172 | +xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, | ||
173 | + int nargs ATTRIBUTE_UNUSED) { | ||
174 | + XP_ERROR(XPATH_EXPR_ERROR); | ||
175 | } | ||
176 | |||
177 | /** | ||
178 | -- | ||
179 | 2.7.4 | ||
180 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 59874bec2c..1fed90b07e 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb | |||
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
19 | file://run-ptest \ | 19 | file://run-ptest \ |
20 | file://python-sitepackages-dir.patch \ | 20 | file://python-sitepackages-dir.patch \ |
21 | file://libxml-m4-use-pkgconfig.patch \ | 21 | file://libxml-m4-use-pkgconfig.patch \ |
22 | file://libxml2-CVE-2016-5131.patch \ | ||
22 | " | 23 | " |
23 | 24 | ||
24 | SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5" | 25 | SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5" |