summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-06 23:15:01 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-07 17:23:06 (GMT)
commit092903a2ef92627e93cd26dda4583db7bc0288a3 (patch)
tree98103f41c4fa1c870140665cb11a4e8ea4aba0a5
parentc2f4fe8d0c7e5d0c5720aaee20c5f7a8f6ea068c (diff)
downloadpoky-092903a2ef92627e93cd26dda4583db7bc0288a3.tar.gz
libxml2: Security fix CVE-2015-8710
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment (From OE-Core rev: 03d481070ebc6f9af799aec5d038871f9c73901c) (From OE-Core rev: d5db25213613cb862255047c0e995fd5489d9765) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch71
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 01d6bbe..2748b4f 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -38,6 +38,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
38 file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \ 38 file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
39 file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \ 39 file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
40 file://CVE-2015-8241.patch \ 40 file://CVE-2015-8241.patch \
41 file://CVE-2015-8710.patch \
41 " 42 "
42 43
43BINCONFIG = "${bindir}/xml2-config" 44BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000..be06cc2
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
1From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 30 Oct 2015 21:14:55 +0800
4Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
5
6For https://bugzilla.gnome.org/show_bug.cgi?id=746048
7The HTML parser was too optimistic when processing comments and
8didn't check for the end of the stream on the first 2 characters
9
10Upstream-Status: Backport
11
12https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
13
14CVE: CVE-2015-8710
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18---
19 HTMLparser.c | 21 ++++++++++++++-------
20 1 file changed, 14 insertions(+), 7 deletions(-)
21
22Index: libxml2-2.9.2/HTMLparser.c
23===================================================================
24--- libxml2-2.9.2.orig/HTMLparser.c
25+++ libxml2-2.9.2/HTMLparser.c
26@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
27 ctxt->instate = state;
28 return;
29 }
30+ len = 0;
31+ buf[len] = 0;
32 q = CUR_CHAR(ql);
33+ if (!IS_CHAR(q))
34+ goto unfinished;
35 NEXTL(ql);
36 r = CUR_CHAR(rl);
37+ if (!IS_CHAR(r))
38+ goto unfinished;
39 NEXTL(rl);
40 cur = CUR_CHAR(l);
41- len = 0;
42 while (IS_CHAR(cur) &&
43 ((cur != '>') ||
44 (r != '-') || (q != '-'))) {
45@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
46 }
47 }
48 buf[len] = 0;
49- if (!IS_CHAR(cur)) {
50- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
51- "Comment not terminated \n<!--%.50s\n", buf, NULL);
52- xmlFree(buf);
53- } else {
54+ if (IS_CHAR(cur)) {
55 NEXT;
56 if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
57 (!ctxt->disableSAX))
58 ctxt->sax->comment(ctxt->userData, buf);
59 xmlFree(buf);
60+ ctxt->instate = state;
61+ return;
62 }
63- ctxt->instate = state;
64+
65+unfinished:
66+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
67+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
68+ xmlFree(buf);
69 }
70
71 /**