From 1081306623cdac51b031d433acd6f77c1f83bf2d Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sat, 9 Jul 2016 15:02:26 -0700
Subject: libxml2: Security fix for CVE-2016-1835
Affects libxml2 < 2.9.4
(From OE-Core rev: d008b7023cb703a787c8fcac5cd87628b38a9ecd)
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
.../libxml/libxml2/CVE-2016-1835.patch | 95 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 +
2 files changed, 96 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
new file mode 100644
index 0000000000..158b0aa5fa
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
@@ -0,0 +1,95 @@
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change. Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1835
+
+excluded test/errors/759020.xml: Added test case., they wont apply
+
+Signed-off-by: Armin Kuster
+
+---
+ parser.c | 12 ++++++++++--
+ result/errors/759020.xml | 0
+ result/errors/759020.xml.err | 6 ++++++
+ result/errors/759020.xml.str | 7 +++++++
+ test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -9499,7 +9499,10 @@ reparse:
+ else
+ if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9508,6 +9511,8 @@ skip_default_ns:
+ break;
+ }
+ SKIP_BLANKS;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+ if (aprefix == ctxt->str_xmlns) {
+@@ -9579,7 +9584,10 @@ skip_default_ns:
+ else
+ if 
(nsPush(ctxt, attname, URL) > 0) nbNs++; + skip_ns: +- if (alloc != 0) xmlFree(attvalue); ++ if ((attvalue != NULL) && (alloc != 0)) { ++ xmlFree(attvalue); ++ attvalue = NULL; ++ } + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +Index: libxml2-2.9.2/result/errors/759020.xml.err +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/result/errors/759020.xml.err +@@ -0,0 +1,6 @@ ++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute ++0000000000000000000000000000000000000000000000000000000000000000000000000000000' ++ ^ ++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 ++ ++ ^ +Index: libxml2-2.9.2/result/errors/759020.xml.str +=================================================================== +--- /dev/null ++++ libxml2-2.9.2/result/errors/759020.xml.str +@@ -0,0 +1,7 @@ ++./test/errors/759020.xml:3: namespace warning : xmlns: URI 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute ++0000000000000000000000000000000000000000000000000000000000000000000000000000000' ++ ^ ++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 ++ ++ ^ ++./test/errors/759020.xml : failed to parse diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index eeed6ac170..2bbdb0961d 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb @@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2016-1762.patch \ file://CVE-2016-1836.patch \ file://CVE-2016-4449.patch \ file://CVE-2016-1837.patch \ + file://CVE-2016-1835.patch \ " SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" -- cgit v1.2.3-54-g00ecf
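Review bot: The backport keeps result/errors/759020.xml.err and .str but drops test/errors/759020.xml (the embedded header says "they wont apply"), so nothing in the tree exercises the fixed path and the two result files are orphans; the embedded diffstat still advertises `test/errors/759020.xml | 46 ++++` and `create mode 100644 test/errors/759020.xml`, which the patch body no longer contains. Either carry the test input as well or drop the two result files and trim the diffstat so the recipe's patch header describes what it actually applies. Separately, the new base-change guard after `SKIP_BLANKS` is added only in the `skip_default_ns` path; the matching `skip_ns` path continues outside the hunk, so confirm that it already carries an equivalent `if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) goto base_changed;` in 2.9.2, otherwise the same stale-pointer window remains there. xmlParseStartTag2 starts and ends outside the hunk.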