[oe-commits] [openembedded-core] 04/17: libxml2: Security fix for CVE-2016-3705
git at git.openembedded.org
git at git.openembedded.org
Wed Jul 27 07:34:09 UTC 2016
rpurdie pushed a commit to branch jethro
in repository openembedded-core.
commit aa8ad693a977e104797dd623d7efad705e298eb2
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Jul 9 14:28:45 2016 -0700
libxml2: Security fix for CVE-2016-3705
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
.../libxml/libxml2/CVE-2016-3705.patch | 71 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 +
2 files changed, 72 insertions(+)
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
new file mode 100644
index 0000000..8587a63
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch
@@ -0,0 +1,71 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons at suse.com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH] Add missing increments of recursion depth counter to XML
+ parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+
+Upstream-Status: Backport
+CVE: CVE-2016-3705
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3978,8 +3980,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctx
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4104,9 +4108,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4142,8 +4148,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 7f2ded7..ec6000f 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -5,6 +5,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
"
SRC_URI += "file://CVE-2016-1762.patch \
+ file://CVE-2016-3705.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list