-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch71
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 72 insertions, 0 deletions
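diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
new file mode 100644
index 0000000000..8587a63498
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
@@ -0,0 +1,71 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons@suse.com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH] Add missing increments of recursion depth counter to XML
+ parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+
+Upstream-Status: Backport
+CVE: CVE-2016-3705
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3978,8 +3980,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctx
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4104,9 +4108,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4142,8 +4148,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {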
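Review bot: The patch header names only xmlParserEntityCheck() and xmlParseAttValueComplex(), yet the inner hunk at `@@ -3978,8 +3980,10 @@` puts the same `++ctxt->depth;` / `--ctxt->depth;` bracket into xmlParseEntityValue(), so the description under-reports what is patched. Since the text is upstream's, a line beneath `Upstream-Status: Backport` such as `Note: also brackets the xmlStringDecodeEntities() call in xmlParseEntityValue().` would record it for anyone auditing CVE coverage. The increments only take effect if xmlStringDecodeEntities() compares `ctxt->depth` against a limit; that check is outside every hunk shown here, as are the start and end of all three enclosing functions, so it should be confirmed against the 2.9.2 sources. The backport carries no regression input, and a test case asserting that the parser reports an error instead of exhausting the stack would show if the fix is lost in a later recipe upgrade.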
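diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 7f2ded76c1..ec6000f794 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -5,6 +5,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
  file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
  "
 SRC_URI += "file://CVE-2016-1762.patch \
+ file://CVE-2016-3705.patch \
  "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"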