diff options
author | Armin Kuster <akuster@mvista.com> | 2016-07-09 14:31:00 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-07-27 08:29:58 +0100 |
commit | 17480a956d7fcdf8aa01d3825b50595926dd1d4b (patch) | |
tree | 5c26f705d9ced8f1c78e384b2f004d1a413f76f3 /meta | |
parent | b3c799c831a2aed08c967f5083b15109be87f549 (diff) | |
download | poky-17480a956d7fcdf8aa01d3825b50595926dd1d4b.tar.gz |
libxml2: Security fix for CVE-2016-4483.patch
affects libxml2 < 2.9.4
(From OE-Core rev: a28fea55f72284d3f4ed85f19f80b8475e726ee6)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch | 55 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch new file mode 100644 index 0000000000..cf8d6badf3 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Veillard <veillard@redhat.com> | ||
3 | Date: Mon, 23 May 2016 13:39:13 +0800 | ||
4 | Subject: [PATCH] Avoid an out of bound access when serializing malformed | ||
5 | strings | ||
6 | |||
7 | For https://bugzilla.gnome.org/show_bug.cgi?id=766414 | ||
8 | |||
9 | * xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value | ||
10 | is not UTF-8 be more careful when serializing it as we may do an | ||
11 | out of bound access as a result. | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2016-4483 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | xmlsave.c | 8 ++++---- | ||
19 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/xmlsave.c b/xmlsave.c | ||
22 | index 774404b..4a8e3f3 100644 | ||
23 | --- a/xmlsave.c | ||
24 | +++ b/xmlsave.c | ||
25 | @@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, | ||
26 | xmlBufAdd(buf, BAD_CAST "&", 5); | ||
27 | cur++; | ||
28 | base = cur; | ||
29 | - } else if ((*cur >= 0x80) && ((doc == NULL) || | ||
30 | - (doc->encoding == NULL))) { | ||
31 | + } else if ((*cur >= 0x80) && (cur[1] != 0) && | ||
32 | + ((doc == NULL) || (doc->encoding == NULL))) { | ||
33 | /* | ||
34 | * We assume we have UTF-8 content. | ||
35 | */ | ||
36 | @@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, | ||
37 | val <<= 6; | ||
38 | val |= (cur[1]) & 0x3F; | ||
39 | l = 2; | ||
40 | - } else if (*cur < 0xF0) { | ||
41 | + } else if ((*cur < 0xF0) && (cur [2] != 0)) { | ||
42 | val = (cur[0]) & 0x0F; | ||
43 | val <<= 6; | ||
44 | val |= (cur[1]) & 0x3F; | ||
45 | val <<= 6; | ||
46 | val |= (cur[2]) & 0x3F; | ||
47 | l = 3; | ||
48 | - } else if (*cur < 0xF8) { | ||
49 | + } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) { | ||
50 | val = (cur[0]) & 0x07; | ||
51 | val <<= 6; | ||
52 | val |= (cur[1]) & 0x3F; | ||
53 | -- | ||
54 | 2.3.5 | ||
55 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index e2400af62d..41cba644fe 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb | |||
@@ -7,6 +7,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \ | |||
7 | SRC_URI += "file://CVE-2016-1762.patch \ | 7 | SRC_URI += "file://CVE-2016-1762.patch \ |
8 | file://CVE-2016-3705.patch \ | 8 | file://CVE-2016-3705.patch \ |
9 | file://CVE-2016-1834.patch \ | 9 | file://CVE-2016-1834.patch \ |
10 | file://CVE-2016-4483.patch \ | ||
10 | " | 11 | " |
11 | 12 | ||
12 | SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" | 13 | SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" |