2 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
new file mode 100644
index 0000000000..0ed527ad20
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
@@ -0,0 +1,143 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+Upstream-status: Backport
+CVE: CVE-2016-1837.patch
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
+++ libxml2-2.9.2/HTMLparser.c
+@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+ 
+ #define CUR_PTR ctxt->input->cur
+#define BASE_PTR ctxt->input->base
+ 
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+                   (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
+ 
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+-    const xmlChar *q;
+    size_t len = 0, startPosition = 0;
+     xmlChar *ret = NULL;
+ 
+     if (CUR == '"') {
+         NEXT;
+-       q = CUR_PTR;
+-       while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+       while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+            NEXT;
+           len++;
+       }
+        if (!IS_CHAR_CH(CUR)) {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished SystemLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR+startPosition), len);
+            NEXT;
+         }
+     } else if (CUR == '\'') {
+         NEXT;
+-       q = CUR_PTR;
+-       while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+       while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+            NEXT;
+           len++;
+       }
+        if (!IS_CHAR_CH(CUR)) {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished SystemLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR+startPosition), len);
+            NEXT;
+         }
+     } else {
+@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
+ 
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+-    const xmlChar *q;
+    size_t len = 0, startPosition = 0;
+     xmlChar *ret = NULL;
+     /*
+      * Name ::= (Letter | '_') (NameChar)*
+      */
+     if (CUR == '"') {
+         NEXT;
+-       q = CUR_PTR;
+-       while (IS_PUBIDCHAR_CH(CUR)) NEXT;
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+        while (IS_PUBIDCHAR_CH(CUR)) {
+            len++;
+            NEXT;
+        }
+
+        if (CUR != '"') {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished PubidLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR + startPosition), len);
+            NEXT;
+        }
+     } else if (CUR == '\'') {
+         NEXT;
+-       q = CUR_PTR;
+-       while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+-           NEXT;
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+        while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
+            len++;
+            NEXT;
+        }
+
+        if (CUR != '\'') {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished PubidLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR + startPosition), len);
+            NEXT;
+        }
+     } else {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 10e4b563f3..eeed6ac170 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
            file://CVE-2016-1839.patch \
            file://CVE-2016-1836.patch \
            file://CVE-2016-4449.patch \
+            file://CVE-2016-1837.patch \
    "
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch new file mode 100644 index 0000000000..0ed527ad20 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
@@ -0,0 +1,143 @@
		1	From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
		2	From: Pranjal Jumde <pjumde@apple.com>
		3	Date: Wed, 2 Mar 2016 15:52:24 -0800
		4	Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
		5	htmlParseSystemiteral
		6
		7	For https://bugzilla.gnome.org/show_bug.cgi?id=760263
		8
		9	* HTMLparser.c: Add BASE_PTR convenience macro.
		10	(htmlParseSystemLiteral): Store length and start position instead
		11	of a pointer while iterating through the public identifier since
		12	the underlying buffer may change, resulting in a stale pointer
		13	being used.
		14	(htmlParsePubidLiteral): Ditto.
		15
		16	Upstream-status: Backport
		17	CVE: CVE-2016-1837.patch
		18
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	HTMLparser.c \| 58 +++++++++++++++++++++++++++++++++++++++++++---------------
		23	1 file changed, 43 insertions(+), 15 deletions(-)
		24
		25	Index: libxml2-2.9.2/HTMLparser.c
		26	===================================================================
		27	--- libxml2-2.9.2.orig/HTMLparser.c
		28	+++ libxml2-2.9.2/HTMLparser.c
		29	@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
		30	#define UPP(val) (toupper(ctxt->input->cur[(val)]))
		31
		32	#define CUR_PTR ctxt->input->cur
		33	+#define BASE_PTR ctxt->input->base
		34
		35	#define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
		36	(ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
		37	@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
		38
		39	static xmlChar *
		40	htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
		41	- const xmlChar *q;
		42	+ size_t len = 0, startPosition = 0;
		43	xmlChar *ret = NULL;
		44
		45	if (CUR == '"') {
		46	NEXT;
		47	- q = CUR_PTR;
		48	- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
		49	+
		50	+ if (CUR_PTR < BASE_PTR)
		51	+ return(ret);
		52	+ startPosition = CUR_PTR - BASE_PTR;
		53	+
		54	+ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
		55	NEXT;
		56	+ len++;
		57	+ }
		58	if (!IS_CHAR_CH(CUR)) {
		59	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
		60	"Unfinished SystemLiteral\n", NULL, NULL);
		61	} else {
		62	- ret = xmlStrndup(q, CUR_PTR - q);
		63	+ ret = xmlStrndup((BASE_PTR+startPosition), len);
		64	NEXT;
		65	}
		66	} else if (CUR == '\'') {
		67	NEXT;
		68	- q = CUR_PTR;
		69	- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
		70	+
		71	+ if (CUR_PTR < BASE_PTR)
		72	+ return(ret);
		73	+ startPosition = CUR_PTR - BASE_PTR;
		74	+
		75	+ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
		76	NEXT;
		77	+ len++;
		78	+ }
		79	if (!IS_CHAR_CH(CUR)) {
		80	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
		81	"Unfinished SystemLiteral\n", NULL, NULL);
		82	} else {
		83	- ret = xmlStrndup(q, CUR_PTR - q);
		84	+ ret = xmlStrndup((BASE_PTR+startPosition), len);
		85	NEXT;
		86	}
		87	} else {
		88	@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
		89
		90	static xmlChar *
		91	htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
		92	- const xmlChar *q;
		93	+ size_t len = 0, startPosition = 0;
		94	xmlChar *ret = NULL;
		95	/*
		96	* Name ::= (Letter \| '_') (NameChar)*
		97	*/
		98	if (CUR == '"') {
		99	NEXT;
		100	- q = CUR_PTR;
		101	- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
		102	+
		103	+ if (CUR_PTR < BASE_PTR)
		104	+ return(ret);
		105	+ startPosition = CUR_PTR - BASE_PTR;
		106	+
		107	+ while (IS_PUBIDCHAR_CH(CUR)) {
		108	+ len++;
		109	+ NEXT;
		110	+ }
		111	+
		112	if (CUR != '"') {
		113	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
		114	"Unfinished PubidLiteral\n", NULL, NULL);
		115	} else {
		116	- ret = xmlStrndup(q, CUR_PTR - q);
		117	+ ret = xmlStrndup((BASE_PTR + startPosition), len);
		118	NEXT;
		119	}
		120	} else if (CUR == '\'') {
		121	NEXT;
		122	- q = CUR_PTR;
		123	- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
		124	- NEXT;
		125	+
		126	+ if (CUR_PTR < BASE_PTR)
		127	+ return(ret);
		128	+ startPosition = CUR_PTR - BASE_PTR;
		129	+
		130	+ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
		131	+ len++;
		132	+ NEXT;
		133	+ }
		134	+
		135	if (CUR != '\'') {
		136	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
		137	"Unfinished PubidLiteral\n", NULL, NULL);
		138	} else {
		139	- ret = xmlStrndup(q, CUR_PTR - q);
		140	+ ret = xmlStrndup((BASE_PTR + startPosition), len);
		141	NEXT;
		142	}
		143	} else {


diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index 10e4b563f3..eeed6ac170 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
13	file://CVE-2016-1839.patch \	13	file://CVE-2016-1839.patch \
14	file://CVE-2016-1836.patch \	14	file://CVE-2016-1836.patch \
15	file://CVE-2016-4449.patch \	15	file://CVE-2016-4449.patch \
		16	file://CVE-2016-1837.patch \
16	"	17	"
17		18
18	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"	19	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"