summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-01-30 14:39:28 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-04 23:20:16 +0000
commit1bbf18385b76eccb2a413d72088d1ba66acaac02 (patch)
tree1bc25f47e90e17152093a3e1b7abcf5125be793b /meta
parent2ec6d1dcbca7e52f145623483f20ab9c7cf08d99 (diff)
downloadpoky-1bbf18385b76eccb2a413d72088d1ba66acaac02.tar.gz
libxml2: Security fix CVE-2015-8710
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment (From OE-Core rev: 03d481070ebc6f9af799aec5d038871f9c73901c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch71
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bced950fa9..310d5bbc56 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -36,6 +36,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
36 file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \ 36 file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
37 file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \ 37 file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
38 file://CVE-2015-8241.patch \ 38 file://CVE-2015-8241.patch \
39 file://CVE-2015-8710.patch \
39 " 40 "
40 41
41BINCONFIG = "${bindir}/xml2-config" 42BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000000..be06cc22c8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
1From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 30 Oct 2015 21:14:55 +0800
4Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
5
6For https://bugzilla.gnome.org/show_bug.cgi?id=746048
7The HTML parser was too optimistic when processing comments and
8didn't check for the end of the stream on the first 2 characters
9
10Upstream-Status: Backport
11
12https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
13
14CVE: CVE-2015-8710
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18---
19 HTMLparser.c | 21 ++++++++++++++-------
20 1 file changed, 14 insertions(+), 7 deletions(-)
21
22Index: libxml2-2.9.2/HTMLparser.c
23===================================================================
24--- libxml2-2.9.2.orig/HTMLparser.c
25+++ libxml2-2.9.2/HTMLparser.c
26@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
27 ctxt->instate = state;
28 return;
29 }
30+ len = 0;
31+ buf[len] = 0;
32 q = CUR_CHAR(ql);
33+ if (!IS_CHAR(q))
34+ goto unfinished;
35 NEXTL(ql);
36 r = CUR_CHAR(rl);
37+ if (!IS_CHAR(r))
38+ goto unfinished;
39 NEXTL(rl);
40 cur = CUR_CHAR(l);
41- len = 0;
42 while (IS_CHAR(cur) &&
43 ((cur != '>') ||
44 (r != '-') || (q != '-'))) {
45@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
46 }
47 }
48 buf[len] = 0;
49- if (!IS_CHAR(cur)) {
50- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
51- "Comment not terminated \n<!--%.50s\n", buf, NULL);
52- xmlFree(buf);
53- } else {
54+ if (IS_CHAR(cur)) {
55 NEXT;
56 if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
57 (!ctxt->disableSAX))
58 ctxt->sax->comment(ctxt->userData, buf);
59 xmlFree(buf);
60+ ctxt->instate = state;
61+ return;
62 }
63- ctxt->instate = state;
64+
65+unfinished:
66+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
67+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
68+ xmlFree(buf);
69 }
70
71 /**