summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-04-05 10:34:36 (GMT)
committerNora Björklund <nora.bjorklund@enea.com>2016-04-07 07:13:54 (GMT)
commit9f53426654e9a75a085901ca33fe1ea8173e7b7f (patch)
tree77455eb6239476f6cb713dcd9153ba99246813a8
parent8aa66d3b1a976786c4f794e76f8386dc7f2667e5 (diff)
downloadpoky-9f53426654e9a75a085901ca33fe1ea8173e7b7f.tar.gz
libxml2: CVE-2015-8710
out-of-bounds memory access when parsing an unclosed HTML comment Link to the libxml2's bugtracker: https://bugzilla.gnome.org/show_bug.cgi?id=746048 Patch is backported from: http://git.yoctoproject.org/cgit/cgit.cgi/poky/ patch/?id=1bbf18385b76eccb2a413d72088d1ba66acaac02 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch71
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 08d7961..afb193c 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -30,6 +30,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
30 file://CVE-2015-8242-Buffer-overead-with-HTML-parser.patch \ 30 file://CVE-2015-8242-Buffer-overead-with-HTML-parser.patch \
31 file://Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch \ 31 file://Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch \
32 file://CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \ 32 file://CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
33 file://CVE-2015-8710.patch \
33 " 34 "
34 35
35BINCONFIG = "${bindir}/xml2-config" 36BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000..71609c4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
1From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
2From: Daniel Veillard <veillard@redhat.com>
3Date: Fri, 30 Oct 2015 21:14:55 +0800
4Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
5
6For https://bugzilla.gnome.org/show_bug.cgi?id=746048
7The HTML parser was too optimistic when processing comments and
8didn't check for the end of the stream on the first 2 characters
9
10Upstream-Status: Backport
11
12https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
13
14CVE: CVE-2015-8710
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17igned-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
18---
19 HTMLparser.c | 21 ++++++++++++++-------
20 1 file changed, 14 insertions(+), 7 deletions(-)
21
22Index: libxml2-2.9.2/HTMLparser.c
23===================================================================
24--- libxml2-2.9.2.orig/HTMLparser.c
25+++ libxml2-2.9.2/HTMLparser.c
26@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
27 ctxt->instate = state;
28 return;
29 }
30+ len = 0;
31+ buf[len] = 0;
32 q = CUR_CHAR(ql);
33+ if (!IS_CHAR(q))
34+ goto unfinished;
35 NEXTL(ql);
36 r = CUR_CHAR(rl);
37+ if (!IS_CHAR(r))
38+ goto unfinished;
39 NEXTL(rl);
40 cur = CUR_CHAR(l);
41- len = 0;
42 while (IS_CHAR(cur) &&
43 ((cur != '>') ||
44 (r != '-') || (q != '-'))) {
45@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
46 }
47 }
48 buf[len] = 0;
49- if (!IS_CHAR(cur)) {
50- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
51- "Comment not terminated \n<!--%.50s\n", buf, NULL);
52- xmlFree(buf);
53- } else {
54+ if (IS_CHAR(cur)) {
55 NEXT;
56 if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
57 (!ctxt->disableSAX))
58 ctxt->sax->comment(ctxt->userData, buf);
59 xmlFree(buf);
60+ ctxt->instate = state;
61+ return;
62 }
63- ctxt->instate = state;
64+
65+unfinished:
66+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
67+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
68+ xmlFree(buf);
69 }
70
71 /**