[oe-commits] [openembedded-core] 07/17: libxml2: Security fix for CVE-2016-1840

git at git.openembedded.org git at git.openembedded.org
Wed Jul 27 07:34:12 UTC 2016 

rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit 9d894179128771c4a2628c103f5c39e2e6ef13c5
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Jul 9 14:54:21 2016 -0700

    libxml2: Security fix for CVE-2016-1840
    
    affects libxml2 < 2.9.4
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libxml/libxml2/CVE-2016-1840.patch             | 37 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |  1 +
 2 files changed, 38 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
new file mode 100644
index 0000000..41de9f8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
@@ -0,0 +1,37 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde at apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error.  Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1840
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.2/xmlregexp.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlregexp.c
++++ libxml2-2.9.2/xmlregexp.c
+@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
+ 	ERROR("Expecting the end of a char range");
+ 	return;
+     }
+-    NEXTL(len);
++
+     /* TODO check that the values are acceptable character ranges for XML */
+     if (end < start) {
+ 	ERROR("End of range is before start of range");
+     } else {
++        NEXTL(len);
+         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ 		           XML_REGEXP_CHARVAL, start, end, NULL);
+     }
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 41cba64..563661b 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-3705.patch \
             file://CVE-2016-1834.patch \
             file://CVE-2016-4483.patch \
+            file://CVE-2016-1840.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list