diff options
| -rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 389f5cdf40..65b262582b 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc | |||
| @@ -28,6 +28,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ | |||
| 28 | file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \ | 28 | file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \ |
| 29 | file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ | 29 | file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ |
| 30 | file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \ | 30 | file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \ |
| 31 | file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \ | ||
| 31 | " | 32 | " |
| 32 | 33 | ||
| 33 | BINCONFIG = "${bindir}/xml2-config" | 34 | BINCONFIG = "${bindir}/xml2-config" |
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch new file mode 100644 index 0000000000..955c961957 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: David Drysdale <drysdale@google.com> | ||
| 3 | Date: Fri, 20 Nov 2015 10:47:12 +0800 | ||
| 4 | Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in | ||
| 5 | xmlDictComputeFastQKey | ||
| 6 | |||
| 7 | For https://bugzilla.gnome.org/show_bug.cgi?id=756528 | ||
| 8 | It was possible to hit a negative offset in the name indexing | ||
| 9 | used to randomize the dictionary key generation | ||
| 10 | Reported and fix provided by David Drysdale @ Google | ||
| 11 | |||
| 12 | Upstream-Status: Backport | ||
| 13 | |||
| 14 | CVE-2015-7497 | ||
| 15 | |||
| 16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 17 | |||
| 18 | --- | ||
| 19 | dict.c | 5 ++++- | ||
| 20 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
| 21 | |||
| 22 | diff --git a/dict.c b/dict.c | ||
| 23 | index 5f71d55..8c8f931 100644 | ||
| 24 | --- a/dict.c | ||
| 25 | +++ b/dict.c | ||
| 26 | @@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, | ||
| 27 | value += 30 * (*prefix); | ||
| 28 | |||
| 29 | if (len > 10) { | ||
| 30 | - value += name[len - (plen + 1 + 1)]; | ||
| 31 | + int offset = len - (plen + 1 + 1); | ||
| 32 | + if (offset < 0) | ||
| 33 | + offset = len - (10 + 1); | ||
| 34 | + value += name[offset]; | ||
| 35 | len = 10; | ||
| 36 | if (plen > 10) | ||
| 37 | plen = 10; | ||
| 38 | -- | ||
| 39 | 2.3.5 | ||
| 40 | |||