1 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
new file mode 100644
index 0000000000..158b0aa5fa
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
@@ -0,0 +1,95 @@
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change.  Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+Upstream-Status: Backport
+CVE: CVE-2016-1835
+excluded  test/errors/759020.xml: Added test case., they wont apply 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c                     | 12 ++++++++++--
+ result/errors/759020.xml     |  0
+ result/errors/759020.xml.err |  6 ++++++
+ result/errors/759020.xml.str |  7 +++++++
+ test/errors/759020.xml       | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
+++ libxml2-2.9.2/parser.c
+@@ -9499,7 +9499,10 @@ reparse:
+                else
+                    if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+-               if (alloc != 0) xmlFree(attvalue);
+               if ((attvalue != NULL) && (alloc != 0)) {
+                   xmlFree(attvalue);
+                   attvalue = NULL;
+               }
+                if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+                    break;
+                if (!IS_BLANK_CH(RAW)) {
+@@ -9508,6 +9511,8 @@ skip_default_ns:
+                    break;
+                }
+                SKIP_BLANKS;
+               if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+                   goto base_changed;
+                continue;
+            }
+             if (aprefix == ctxt->str_xmlns) {
+@@ -9579,7 +9584,10 @@ skip_default_ns:
+                else
+                    if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+-               if (alloc != 0) xmlFree(attvalue);
+               if ((attvalue != NULL) && (alloc != 0)) {
+                   xmlFree(attvalue);
+                   attvalue = NULL;
+               }
+                if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+                    break;
+                if (!IS_BLANK_CH(RAW)) {
+Index: libxml2-2.9.2/result/errors/759020.xml.err
+===================================================================
+--- /dev/null
+++ libxml2-2.9.2/result/errors/759020.xml.err
+@@ -0,0 +1,6 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+                                                                               ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
+
+                                                                   ^
+Index: libxml2-2.9.2/result/errors/759020.xml.str
+===================================================================
+--- /dev/null
+++ libxml2-2.9.2/result/errors/759020.xml.str
+@@ -0,0 +1,7 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+                                                                               ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
+
+                                                                   ^
+./test/errors/759020.xml : failed to parse

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch new file mode 100644 index 0000000000..158b0aa5fa --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
@@ -0,0 +1,95 @@
	1	From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
	2	From: Pranjal Jumde <pjumde@apple.com>
	3	Date: Mon, 7 Mar 2016 14:04:08 -0800
	4	Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
	5
	6	For https://bugzilla.gnome.org/show_bug.cgi?id=759020
	7
	8	* parser.c:
	9	(xmlParseStartTag2): Attribute strings are only valid if the
	10	base does not change, so add another check where the base may
	11	change. Make sure to set 'attvalue' to NULL after freeing it.
	12	* result/errors/759020.xml: Added.
	13	* result/errors/759020.xml.err: Added.
	14	* result/errors/759020.xml.str: Added.
	15	* test/errors/759020.xml: Added test case.
	16
	17	Upstream-Status: Backport
	18	CVE: CVE-2016-1835
	19
	20	excluded test/errors/759020.xml: Added test case., they wont apply
	21
	22	Signed-off-by: Armin Kuster <akuster@mvista.com>
	23
	24	---
	25	parser.c \| 12 ++++++++++--
	26	result/errors/759020.xml \| 0
	27	result/errors/759020.xml.err \| 6 ++++++
	28	result/errors/759020.xml.str \| 7 +++++++
	29	test/errors/759020.xml \| 46 ++++++++++++++++++++++++++++++++++++++++++++
	30	5 files changed, 69 insertions(+), 2 deletions(-)
	31	create mode 100644 result/errors/759020.xml
	32	create mode 100644 result/errors/759020.xml.err
	33	create mode 100644 result/errors/759020.xml.str
	34	create mode 100644 test/errors/759020.xml
	35
	36	Index: libxml2-2.9.2/parser.c
	37	===================================================================
	38	--- libxml2-2.9.2.orig/parser.c
	39	+++ libxml2-2.9.2/parser.c
	40	@@ -9499,7 +9499,10 @@ reparse:
	41	else
	42	if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
	43	skip_default_ns:
	44	- if (alloc != 0) xmlFree(attvalue);
	45	+ if ((attvalue != NULL) && (alloc != 0)) {
	46	+ xmlFree(attvalue);
	47	+ attvalue = NULL;
	48	+ }
	49	if ((RAW == '>') \|\| (((RAW == '/') && (NXT(1) == '>'))))
	50	break;
	51	if (!IS_BLANK_CH(RAW)) {
	52	@@ -9508,6 +9511,8 @@ skip_default_ns:
	53	break;
	54	}
	55	SKIP_BLANKS;
	56	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
	57	+ goto base_changed;
	58	continue;
	59	}
	60	if (aprefix == ctxt->str_xmlns) {
	61	@@ -9579,7 +9584,10 @@ skip_default_ns:
	62	else
	63	if (nsPush(ctxt, attname, URL) > 0) nbNs++;
	64	skip_ns:
	65	- if (alloc != 0) xmlFree(attvalue);
	66	+ if ((attvalue != NULL) && (alloc != 0)) {
	67	+ xmlFree(attvalue);
	68	+ attvalue = NULL;
	69	+ }
	70	if ((RAW == '>') \|\| (((RAW == '/') && (NXT(1) == '>'))))
	71	break;
	72	if (!IS_BLANK_CH(RAW)) {
	73	Index: libxml2-2.9.2/result/errors/759020.xml.err
	74	===================================================================
	75	--- /dev/null
	76	+++ libxml2-2.9.2/result/errors/759020.xml.err
	77	@@ -0,0 +1,6 @@
	78	+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
	79	+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
	80	+ ^
	81	+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
	82	+
	83	+ ^
	84	Index: libxml2-2.9.2/result/errors/759020.xml.str
	85	===================================================================
	86	--- /dev/null
	87	+++ libxml2-2.9.2/result/errors/759020.xml.str
	88	@@ -0,0 +1,7 @@
	89	+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
	90	+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
	91	+ ^
	92	+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
	93	+
	94	+ ^
	95	+./test/errors/759020.xml : failed to parse