diff options
-rw-r--r-- | meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch | 55 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.8.bb | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch new file mode 100644 index 0000000000..16c229574c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 28a9dc642ffd759df1e48be247a114f440a6c16e Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Mon, 30 Jul 2018 13:14:11 +0200 | ||
4 | Subject: [PATCH] Fix infinite loop in LZMA decompression | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Check the liblzma error code more thoroughly to avoid infinite loops. | ||
10 | |||
11 | Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 | ||
12 | Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 | ||
13 | |||
14 | This is CVE-2018-9251 and CVE-2018-14567. | ||
15 | |||
16 | Thanks to Dongliang Mu and Simon Wörner for the reports. | ||
17 | |||
18 | CVE: CVE-2018-9251 | ||
19 | CVE: CVE-2018-14567 | ||
20 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74] | ||
21 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
22 | --- | ||
23 | xzlib.c | 9 +++++++++ | ||
24 | 1 file changed, 9 insertions(+) | ||
25 | |||
26 | diff --git a/xzlib.c b/xzlib.c | ||
27 | index a839169..0ba88cf 100644 | ||
28 | --- a/xzlib.c | ||
29 | +++ b/xzlib.c | ||
30 | @@ -562,6 +562,10 @@ xz_decomp(xz_statep state) | ||
31 | "internal error: inflate stream corrupt"); | ||
32 | return -1; | ||
33 | } | ||
34 | + /* | ||
35 | + * FIXME: Remapping a couple of error codes and falling through | ||
36 | + * to the LZMA error handling looks fragile. | ||
37 | + */ | ||
38 | if (ret == Z_MEM_ERROR) | ||
39 | ret = LZMA_MEM_ERROR; | ||
40 | if (ret == Z_DATA_ERROR) | ||
41 | @@ -587,6 +591,11 @@ xz_decomp(xz_statep state) | ||
42 | xz_error(state, LZMA_PROG_ERROR, "compression error"); | ||
43 | return -1; | ||
44 | } | ||
45 | + if ((state->how != GZIP) && | ||
46 | + (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { | ||
47 | + xz_error(state, ret, "lzma error"); | ||
48 | + return -1; | ||
49 | + } | ||
50 | } while (strm->avail_out && ret != LZMA_STREAM_END); | ||
51 | |||
52 | /* update available output and crc check value */ | ||
53 | -- | ||
54 | 2.7.4 | ||
55 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb index 4ebd2ef383..f01cb2cd34 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.8.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb | |||
@@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ | |||
22 | file://fix-execution-of-ptests.patch \ | 22 | file://fix-execution-of-ptests.patch \ |
23 | file://fix-CVE-2017-8872.patch \ | 23 | file://fix-CVE-2017-8872.patch \ |
24 | file://fix-CVE-2018-14404.patch \ | 24 | file://fix-CVE-2018-14404.patch \ |
25 | file://0001-Fix-infinite-loop-in-LZMA-decompression.patch \ | ||
25 | " | 26 | " |
26 | 27 | ||
27 | SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d" | 28 | SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d" |