summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-core/libxml/libxml2.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch35
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch39
3 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 180dd66bce..56a99e8b6d 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -26,6 +26,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
26 file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \ 26 file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \
27 file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \ 27 file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \
28 file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \ 28 file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \
29 file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
30 file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
29 " 31 "
30 32
31BINCONFIG = "${bindir}/xml2-config" 33BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
new file mode 100644
index 0000000000..34b60362c3
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
@@ -0,0 +1,35 @@
1From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Tue, 27 Oct 2015 10:53:44 +0800
4Subject: [PATCH] Fix an error in previous Conditional section patch
5
6an off by one mistake in the change, led to error on correct
7document where the end of the included entity was exactly
8the end of the conditional section, leading to regtest failure
9
10Upstream-Status: Backport
11
12CVE-2015-7942-2
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 parser.c | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/parser.c b/parser.c
21index b9217ff..d67b300 100644
22--- a/parser.c
23+++ b/parser.c
24@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
25 NULL, NULL);
26 }
27 if ((ctxt-> instate != XML_PARSER_EOF) &&
28- ((ctxt->input->cur + 3) < ctxt->input->end))
29+ ((ctxt->input->cur + 3) <= ctxt->input->end))
30 SKIP(3);
31 }
32 }
33--
342.3.5
35
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
new file mode 100644
index 0000000000..40082ec07f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
@@ -0,0 +1,39 @@
1From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 23 Oct 2015 19:02:28 +0800
4Subject: [PATCH] Another variation of overflow in Conditional sections
5
6Which happen after the previous fix to
7https://bugzilla.gnome.org/show_bug.cgi?id=756456
8
9But stopping the parser and exiting we didn't pop the intermediary entities
10and doing the SKIP there applies on an input which may be too small
11
12Upstream-Status: Backport
13
14CVE-2015-7942
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18---
19 parser.c | 4 +++-
20 1 file changed, 3 insertions(+), 1 deletion(-)
21
22diff --git a/parser.c b/parser.c
23index a65e4cc..b9217ff 100644
24--- a/parser.c
25+++ b/parser.c
26@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
27 "All markup of the conditional section is not in the same entity\n",
28 NULL, NULL);
29 }
30- SKIP(3);
31+ if ((ctxt-> instate != XML_PARSER_EOF) &&
32+ ((ctxt->input->cur + 3) < ctxt->input->end))
33+ SKIP(3);
34 }
35 }
36
37--
382.3.5
39