diff options
author | Ross Burton <ross.burton@intel.com> | 2018-10-04 10:20:20 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-10-04 23:00:55 +0100 |
commit | 95969ef3dd184c02c1beceb3e34ca6cfef72cd53 (patch) | |
tree | b7f09e3d4d9cb89ab801d13d327e4f5d64872609 /meta | |
parent | 8c3db8cb9ed6c4d2d293d2faddabe6918edab7b9 (diff) | |
download | poky-95969ef3dd184c02c1beceb3e34ca6cfef72cd53.tar.gz |
libxml2: refresh CVE-2017-8872
The patch associated with the CVE-2017-8872 report was never merged into
libxml2, but a slightly different patch for the same problem was. Cherry-pick
that as a backport, which also fixes the failing test suite.
(From OE-Core rev: 512869aea6dde1bb2374601f7c4d793ac9edaa42)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch | 73 |
1 files changed, 50 insertions, 23 deletions
diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch index b34479f318..42a4b0ed60 100644 --- a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch +++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch | |||
@@ -1,38 +1,65 @@ | |||
1 | From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001 | 1 | Upstream-Status: Backport |
2 | From: Salvatore Bonaccorso <carnil@debian.org> | 2 | CVE: CVE-2017-8872 |
3 | Date: Tue, 3 Jul 2018 15:54:03 +0800 | 3 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
4 | Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872) | ||
5 | 4 | ||
6 | https://bugzilla.gnome.org/show_bug.cgi?id=775200 | 5 | From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001 |
7 | Fixes bug 775200. | 6 | From: Nick Wellnhofer <wellnhofer@aevum.de> |
7 | Date: Tue, 11 Sep 2018 14:52:07 +0200 | ||
8 | Subject: [PATCH] Free input buffer in xmlHaltParser | ||
8 | 9 | ||
9 | Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> | 10 | This avoids miscalculation of available bytes. |
10 | 11 | ||
11 | Upstream-Status: Submitted | 12 | Thanks to Yunho Kim for the report. |
12 | https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193 | 13 | |
13 | CVE: CVE-2017-8872 | 14 | Closes: #26 |
14 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
15 | --- | 15 | --- |
16 | parser.c | 6 +++++- | 16 | parser.c | 5 +++++ |
17 | 1 file changed, 5 insertions(+), 1 deletion(-) | 17 | result/errors/759573.xml.err | 17 +++++++---------- |
18 | 2 files changed, 12 insertions(+), 10 deletions(-) | ||
18 | 19 | ||
19 | diff --git a/parser.c b/parser.c | 20 | diff --git a/parser.c b/parser.c |
20 | index ca9fde2..fb4c889 100644 | 21 | index ca9fde2c..5813a664 100644 |
21 | --- a/parser.c | 22 | --- a/parser.c |
22 | +++ b/parser.c | 23 | +++ b/parser.c |
23 | @@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) { | 24 | @@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) { |
25 | ctxt->input->free((xmlChar *) ctxt->input->base); | ||
26 | ctxt->input->free = NULL; | ||
24 | } | 27 | } |
28 | + if (ctxt->input->buf != NULL) { | ||
29 | + xmlFreeParserInputBuffer(ctxt->input->buf); | ||
30 | + ctxt->input->buf = NULL; | ||
31 | + } | ||
25 | ctxt->input->cur = BAD_CAST""; | 32 | ctxt->input->cur = BAD_CAST""; |
33 | + ctxt->input->length = 0; | ||
26 | ctxt->input->base = ctxt->input->cur; | 34 | ctxt->input->base = ctxt->input->cur; |
27 | - ctxt->input->end = ctxt->input->cur; | 35 | ctxt->input->end = ctxt->input->cur; |
28 | + ctxt->input->end = ctxt->input->cur; | ||
29 | + if (ctxt->input->buf) | ||
30 | + xmlBufEmpty (ctxt->input->buf->buffer); | ||
31 | + else | ||
32 | + ctxt->input->length = 0; | ||
33 | } | 36 | } |
34 | } | 37 | diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err |
38 | index 554039f6..38ef5c40 100644 | ||
39 | --- a/result/errors/759573.xml.err | ||
40 | +++ b/result/errors/759573.xml.err | ||
41 | @@ -21,14 +21,11 @@ Entity: line 1: | ||
42 | ^ | ||
43 | ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration | ||
35 | 44 | ||
45 | -<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 | ||
46 | - ^ | ||
47 | + | ||
48 | +^ | ||
49 | ./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated | ||
50 | -<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 | ||
51 | - ^ | ||
52 | -./test/errors/759573.xml:1: parser error : StartTag: invalid element name | ||
53 | -<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 | ||
54 | - ^ | ||
55 | -./test/errors/759573.xml:1: parser error : Extra content at the end of the document | ||
56 | -<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 | ||
57 | - ^ | ||
58 | + | ||
59 | +^ | ||
60 | +./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found | ||
61 | + | ||
62 | +^ | ||
36 | -- | 63 | -- |
37 | 2.7.4 | 64 | 2.11.0 |
38 | 65 | ||