libxml2: Fix CVE-2017-0663

Fix type confusion in xmlValidateOneNamespace Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on namespace declarations make no practical sense anyway. Fixes bug 780228 CVE: CVE-2017-0663 (From OE-Core rev: a965be7b6a1d730851b4a3bc8fd534b9b2334227) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2017-06-14 15:07:56 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-06-23 11:44:13 +0100
commit: 80aac29b3845cd5e415fe4a30eb7daad10764e90 (patch)
tree: e4a2ff91a6b9930b0367b80f410af7d97ad5058a /meta/recipes-core
parent: e1a7eb810f9648fa4aed4a4df2ea1d646fbb3c62 (diff)
download: poky-80aac29b3845cd5e415fe4a30eb7daad10764e90.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
new file mode 100644
index 0000000000..0108265855
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,40 @@
+libxml2: Fix CVE-2017-0663
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=780228
+valid: Fix type confusion in xmlValidateOneNamespace
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
+on namespace declarations make no practical sense anyway.
+Fixes bug 780228
+Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
+CVE: CVE-2017-0663
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/valid.c b/valid.c
+index 19f84b8..e03d35e 100644
+--- a/valid.c
+++ b/valid.c
+@@ -4621,6 +4621,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+        }
+     }
+ 
+    /*
+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
+     * no practical sense to use ID types anyway.
+     */
+#if 0
+     /* Validity Constraint: ID uniqueness */
+     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4632,6 +4638,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+            ret = 0;
+     }
+#endif
+ 
+     /* Validity Constraint: Notation Attributes */
+     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 2996809e4a..677d8c9bb5 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
           file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
           file://libxml2-CVE-2017-5969.patch \
+           file://libxml2-CVE-2017-0663.patch \
           file://CVE-2016-9318.patch \
           file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
           "
author	Andrej Valek <andrej.valek@siemens.com>	2017-06-14 15:07:56 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-06-23 11:44:13 +0100
commit	80aac29b3845cd5e415fe4a30eb7daad10764e90 (patch)
tree	e4a2ff91a6b9930b0367b80f410af7d97ad5058a /meta/recipes-core
parent	e1a7eb810f9648fa4aed4a4df2ea1d646fbb3c62 (diff)
download	poky-80aac29b3845cd5e415fe4a30eb7daad10764e90.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch new file mode 100644 index 0000000000..0108265855 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,40 @@
		1	libxml2: Fix CVE-2017-0663
		2
		3	[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=780228
		4
		5	valid: Fix type confusion in xmlValidateOneNamespace
		6
		7	Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
		8	on namespace declarations make no practical sense anyway.
		9
		10	Fixes bug 780228
		11
		12	Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
		13	CVE: CVE-2017-0663
		14	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		15
		16	diff --git a/valid.c b/valid.c
		17	index 19f84b8..e03d35e 100644
		18	--- a/valid.c
		19	+++ b/valid.c
		20	@@ -4621,6 +4621,12 @@ xmlNodePtr elem, const xmlChar prefix, xmlNsPtr ns, const xmlChar value) {
		21	}
		22	}
		23
		24	+ /*
		25	+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
		26	+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
		27	+ * no practical sense to use ID types anyway.
		28	+ */
		29	+#if 0
		30	/* Validity Constraint: ID uniqueness */
		31	if (attrDecl->atype == XML_ATTRIBUTE_ID) {
		32	if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
		33	@@ -4632,6 +4638,7 @@ xmlNodePtr elem, const xmlChar prefix, xmlNsPtr ns, const xmlChar value) {
		34	if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
		35	ret = 0;
		36	}
		37	+#endif
		38
		39	/* Validity Constraint: Notation Attributes */
		40	if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {


diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 2996809e4a..677d8c9bb5 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
27	file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \	27	file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
28	file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \	28	file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
29	file://libxml2-CVE-2017-5969.patch \	29	file://libxml2-CVE-2017-5969.patch \
		30	file://libxml2-CVE-2017-0663.patch \
30	file://CVE-2016-9318.patch \	31	file://CVE-2016-9318.patch \
31	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \	32	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
32	"	33	"