diff options
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-1834.patch | 55 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1834.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1834.patch new file mode 100644 index 0000000000..9fc15f3f20 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1834.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001 | ||
2 | From: Pranjal Jumde <pjumde@apple.com> | ||
3 | Date: Tue, 8 Mar 2016 17:29:00 -0800 | ||
4 | Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat | ||
5 | <https://bugzilla.gnome.org/show_bug.cgi?id=763071> | ||
6 | |||
7 | * xmlstring.c: | ||
8 | (xmlStrncat): Return NULL if xmlStrlen returns a negative length. | ||
9 | (xmlStrncatNew): Ditto. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2016-1834 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | |||
15 | --- | ||
16 | xmlstring.c | 9 ++++++++- | ||
17 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/xmlstring.c b/xmlstring.c | ||
20 | index b89c9e9..00287d4 100644 | ||
21 | --- a/xmlstring.c | ||
22 | +++ b/xmlstring.c | ||
23 | @@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { | ||
24 | return(xmlStrndup(add, len)); | ||
25 | |||
26 | size = xmlStrlen(cur); | ||
27 | + if (size < 0) | ||
28 | + return(NULL); | ||
29 | ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); | ||
30 | if (ret == NULL) { | ||
31 | xmlErrMemory(NULL, NULL); | ||
32 | @@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { | ||
33 | int size; | ||
34 | xmlChar *ret; | ||
35 | |||
36 | - if (len < 0) | ||
37 | + if (len < 0) { | ||
38 | len = xmlStrlen(str2); | ||
39 | + if (len < 0) | ||
40 | + return(NULL); | ||
41 | + } | ||
42 | if ((str2 == NULL) || (len == 0)) | ||
43 | return(xmlStrdup(str1)); | ||
44 | if (str1 == NULL) | ||
45 | return(xmlStrndup(str2, len)); | ||
46 | |||
47 | size = xmlStrlen(str1); | ||
48 | + if (size < 0) | ||
49 | + return(NULL); | ||
50 | ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); | ||
51 | if (ret == NULL) { | ||
52 | xmlErrMemory(NULL, NULL); | ||
53 | -- | ||
54 | 2.3.5 | ||
55 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index ec6000f794..e2400af62d 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb | |||
@@ -6,6 +6,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \ | |||
6 | " | 6 | " |
7 | SRC_URI += "file://CVE-2016-1762.patch \ | 7 | SRC_URI += "file://CVE-2016-1762.patch \ |
8 | file://CVE-2016-3705.patch \ | 8 | file://CVE-2016-3705.patch \ |
9 | file://CVE-2016-1834.patch \ | ||
9 | " | 10 | " |
10 | 11 | ||
11 | SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" | 12 | SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" |