summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-11-11 14:21:46 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-11-25 08:08:08 +0000
commit8514d21e6a8fef634d6f361bdfd19ef87a3e5567 (patch)
tree20cbd370438bf21329766267072452ac1121c7e1 /meta
parente864f71f4cc2e1cedfd36a8b9ab526fdb76fbb7d (diff)
downloadpoky-8514d21e6a8fef634d6f361bdfd19ef87a3e5567.tar.gz
libxml2: fix CVE-2015-7942 and CVE-2015-8035
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled [YOCTO #8641] (From OE-Core rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/libxml/libxml2.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch55
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch41
3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 1c3c37d509..6ada401385 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
21 file://libxml-m4-use-pkgconfig.patch \ 21 file://libxml-m4-use-pkgconfig.patch \
22 file://configure.ac-fix-cross-compiling-warning.patch \ 22 file://configure.ac-fix-cross-compiling-warning.patch \
23 file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ 23 file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
24 file://CVE-2015-7942.patch \
25 file://CVE-2015-8035.patch \
24 " 26 "
25 27
26BINCONFIG = "${bindir}/xml2-config" 28BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000000..a5930ed29b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,55 @@
1libxml2: CVE-2015-7942
2
3From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
4From: Daniel Veillard <veillard@redhat.com>
5Date: Mon, 23 Feb 2015 11:29:20 +0800
6Subject: Cleanup conditional section error handling
7
8For https://bugzilla.gnome.org/show_bug.cgi?id=744980
9
10The error handling of Conditional Section also need to be
11straightened as the structure of the document can't be
12guessed on a failure there and it's better to stop parsing
13as further errors are likely to be irrelevant.
14
15Upstream-Status: Backport
16https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
17
18[YOCTO #8641]
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 parser.c | 6 ++++++
23 1 file changed, 6 insertions(+)
24
25Index: libxml2-2.9.2/parser.c
26===================================================================
27--- libxml2-2.9.2.orig/parser.c
28+++ libxml2-2.9.2/parser.c
29@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
30 SKIP_BLANKS;
31 if (RAW != '[') {
32 xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
33+ xmlStopParser(ctxt);
34+ return;
35 } else {
36 if (ctxt->input->id != id) {
37 xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
38@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
39 SKIP_BLANKS;
40 if (RAW != '[') {
41 xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
42+ xmlStopParser(ctxt);
43+ return;
44 } else {
45 if (ctxt->input->id != id) {
46 xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
47@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
48
49 } else {
50 xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
51+ xmlStopParser(ctxt);
52+ return;
53 }
54
55 if (RAW == 0)
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000000..d175f7453c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,41 @@
1libxml2: CVE-2015-8035
2
3From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
4From: Daniel Veillard <veillard@redhat.com>
5Date: Tue, 3 Nov 2015 15:31:25 +0800
6Subject: CVE-2015-8035 Fix XZ compression support loop
7
8For https://bugzilla.gnome.org/show_bug.cgi?id=757466
9DoS when parsing specially crafted XML document if XZ support
10is compiled in (which wasn't the case for 2.9.2 and master since
11Nov 2013, fixed in next commit !)
12
13Upstream-Status: Backport
14https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
15
16[YOCTO #8641]
17
18Signed-off-by: Armin Kuster <akuster@mvista.com>
19
20---
21 xzlib.c | 4 ++++
22 1 file changed, 4 insertions(+)
23
24diff --git a/xzlib.c b/xzlib.c
25index 0dcb9f4..1fab546 100644
26--- a/xzlib.c
27+++ b/xzlib.c
28@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
29 xz_error(state, LZMA_DATA_ERROR, "compressed data error");
30 return -1;
31 }
32+ if (ret == LZMA_PROG_ERROR) {
33+ xz_error(state, LZMA_PROG_ERROR, "compression error");
34+ return -1;
35+ }
36 } while (strm->avail_out && ret != LZMA_STREAM_END);
37
38 /* update available output and crc check value */
39--
40cgit v0.11.2
41