libxml2: Fix CVE-2019-19956

see: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549 (From OE-Core rev: 9fd363d21df59fff4488763d62548c936b4d14fb) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-02-04 07:06:01 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-02-04 18:43:08 +0000
commit: 7dc72fde6edeb5d6ac6b3832530998afeea67cbc (patch)
tree: c3cda89ec42eccc5d4aa51fde655c97a8b3f2b70 /meta/recipes-core
parent: 69cfd69410544217c90cf0d6320e9544f6d9fa36 (diff)
download: poky-7dc72fde6edeb5d6ac6b3832530998afeea67cbc.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
new file mode 100644
index 0000000000..1c2dff9d5f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
@@ -0,0 +1,40 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+Found with libFuzzer.
+Closes #82.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549]
+CVE: CVE-2019-19956
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
+++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
+    if(doc != NULL)
+       newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
+-- 
+2.24.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.9.bb b/meta/recipes-core/libxml/libxml2_2.9.9.bb
index c38f883e44..c44a90b1c2 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.9.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.9.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml-m4-use-pkgconfig.patch \
           file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
           file://fix-execution-of-ptests.patch \
+           file://Fix-CVE-2019-19956.patch \
           "
 SRC_URI[libtar.md5sum] = "c04a5a0a042eaa157e8e8c9eabe76bd6"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-02-04 07:06:01 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-02-04 18:43:08 +0000
commit	7dc72fde6edeb5d6ac6b3832530998afeea67cbc (patch)
tree	c3cda89ec42eccc5d4aa51fde655c97a8b3f2b70 /meta/recipes-core
parent	69cfd69410544217c90cf0d6320e9544f6d9fa36 (diff)
download	poky-7dc72fde6edeb5d6ac6b3832530998afeea67cbc.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch new file mode 100644 index 0000000000..1c2dff9d5f --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
@@ -0,0 +1,40 @@
		1	From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
		2	From: Zhipeng Xie <xiezhipeng1@huawei.com>
		3	Date: Wed, 7 Aug 2019 17:39:17 +0800
		4	Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
		5
		6	When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
		7	is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
		8	NULL and free newDoc will cause a memory leak.
		9
		10	Found with libFuzzer.
		11
		12	Closes #82.
		13
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549]
		15	CVE: CVE-2019-19956
		16
		17	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		18
		19	---
		20	parser.c \| 3 ++-
		21	1 file changed, 2 insertions(+), 1 deletion(-)
		22
		23	diff --git a/parser.c b/parser.c
		24	index 1ce1ccf1..26d9f4e3 100644
		25	--- a/parser.c
		26	+++ b/parser.c
		27	@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
		28	xmlFreeParserCtxt(ctxt);
		29	newDoc->intSubset = NULL;
		30	newDoc->extSubset = NULL;
		31	- newDoc->oldNs = NULL;
		32	+ if(doc != NULL)
		33	+ newDoc->oldNs = NULL;
		34	xmlFreeDoc(newDoc);
		35
		36	return(ret);
		37	--
		38	2.24.1
		39
		40


diff --git a/meta/recipes-core/libxml/libxml2_2.9.9.bb b/meta/recipes-core/libxml/libxml2_2.9.9.bb index c38f883e44..c44a90b1c2 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.9.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.9.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
20	file://libxml-m4-use-pkgconfig.patch \	20	file://libxml-m4-use-pkgconfig.patch \
21	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \	21	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
22	file://fix-execution-of-ptests.patch \	22	file://fix-execution-of-ptests.patch \
		23	file://Fix-CVE-2019-19956.patch \
23	"	24	"
24		25
25	SRC_URI[libtar.md5sum] = "c04a5a0a042eaa157e8e8c9eabe76bd6"	26	SRC_URI[libtar.md5sum] = "c04a5a0a042eaa157e8e8c9eabe76bd6"