2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
new file mode 100644
index 0000000000..571b05c087
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
@@ -0,0 +1,62 @@
+libxml2-2.9.4: Fix CVE-2017-5969
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
+valid: Fix NULL pointer deref in xmlDumpElementContent
+Can only be triggered in recovery mode.
+Fixes bug 758422
+Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
+CVE: CVE-2017-5969
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/valid.c b/valid.c
+index 19f84b8..0a8e58a 100644
+--- a/valid.c
+++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+            xmlBufferWriteCHAR(buf, content->name);
+            break;
+        case XML_ELEMENT_CONTENT_SEQ:
+-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+                xmlDumpElementContent(buf, content->c1, 1);
+            else
+                xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " , ");
+-           if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+-               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+                xmlDumpElementContent(buf, content->c2, 1);
+            else
+                xmlDumpElementContent(buf, content->c2, 0);
+            break;
+        case XML_ELEMENT_CONTENT_OR:
+-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+                xmlDumpElementContent(buf, content->c1, 1);
+            else
+                xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " | ");
+-           if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+-               ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+                xmlDumpElementContent(buf, content->c2, 1);
+            else
+                xmlDumpElementContent(buf, content->c2, 0);
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 3f78c2de63..2996809e4a 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
           file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
           file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
+           file://libxml2-CVE-2017-5969.patch \
           file://CVE-2016-9318.patch \
           file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
           "

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch new file mode 100644 index 0000000000..571b05c087 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
@@ -0,0 +1,62 @@
		1	libxml2-2.9.4: Fix CVE-2017-5969
		2
		3	[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
		4
		5	valid: Fix NULL pointer deref in xmlDumpElementContent
		6
		7	Can only be triggered in recovery mode.
		8
		9	Fixes bug 758422
		10
		11	Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
		12	CVE: CVE-2017-5969
		13	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		14
		15	diff --git a/valid.c b/valid.c
		16	index 19f84b8..0a8e58a 100644
		17	--- a/valid.c
		18	+++ b/valid.c
		19	@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
		20	xmlBufferWriteCHAR(buf, content->name);
		21	break;
		22	case XML_ELEMENT_CONTENT_SEQ:
		23	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		24	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
		25	+ if ((content->c1 != NULL) &&
		26	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		27	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
		28	xmlDumpElementContent(buf, content->c1, 1);
		29	else
		30	xmlDumpElementContent(buf, content->c1, 0);
		31	xmlBufferWriteChar(buf, " , ");
		32	- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
		33	- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
		34	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
		35	+ if ((content->c2 != NULL) &&
		36	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
		37	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
		38	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
		39	xmlDumpElementContent(buf, content->c2, 1);
		40	else
		41	xmlDumpElementContent(buf, content->c2, 0);
		42	break;
		43	case XML_ELEMENT_CONTENT_OR:
		44	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		45	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
		46	+ if ((content->c1 != NULL) &&
		47	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		48	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
		49	xmlDumpElementContent(buf, content->c1, 1);
		50	else
		51	xmlDumpElementContent(buf, content->c1, 0);
		52	xmlBufferWriteChar(buf, " \| ");
		53	- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
		54	- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
		55	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
		56	+ if ((content->c2 != NULL) &&
		57	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
		58	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
		59	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
		60	xmlDumpElementContent(buf, content->c2, 1);
		61	else
		62	xmlDumpElementContent(buf, content->c2, 0);


diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 3f78c2de63..2996809e4a 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
26	file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \	26	file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
27	file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \	27	file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
28	file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \	28	file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
		29	file://libxml2-CVE-2017-5969.patch \
29	file://CVE-2016-9318.patch \	30	file://CVE-2016-9318.patch \
30	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \	31	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
31	"	32	"