[oe-commits] [openembedded-core] 08/17: libxml2: Security fix for CVE-2016-1838

git at git.openembedded.org git at git.openembedded.org
Wed Jul 27 07:34:13 UTC 2016


rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit d24b0ac044e02ec34f74e46ad599ac8bdb10432c
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Jul 9 14:55:49 2016 -0700

    libxml2: Security fix for CVE-2016-1838
    
    Affects libxml2 < 2.9.4
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libxml/libxml2/CVE-2016-1838.patch             | 96 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |  1 +
 2 files changed, 97 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1838.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1838.patch
new file mode 100644
index 0000000..1e30d78
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1838.patch
@@ -0,0 +1,96 @@
+From db07dd613e461df93dde7902c6505629bf0734e9 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer at apple.com>
+Date: Fri, 12 Feb 2016 09:58:29 -0800
+Subject: [PATCH] Bug 758588: Heap-based buffer overread in
+ xmlParserPrintFileContextInternal
+ <https://bugzilla.gnome.org/show_bug.cgi?id=758588>
+
+* parser.c:
+(xmlParseEndTag2): Add bounds checks before dereferencing
+ctxt->input->cur past the end of the buffer, or incrementing the
+pointer past the end of the buffer.
+
+* result/errors/758588.xml: Add test result.
+* result/errors/758588.xml.err: Ditto.
+* result/errors/758588.xml.str: Ditto.
+* test/errors/758588.xml: Add regression test.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1838
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ parser.c                     |  8 ++++++--
+ result/errors/758588.xml     |  0
+ result/errors/758588.xml.err |  9 +++++++++
+ result/errors/758588.xml.str | 10 ++++++++++
+ test/errors/758588.xml       |  1 +
+ 5 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/758588.xml
+ create mode 100644 result/errors/758588.xml.err
+ create mode 100644 result/errors/758588.xml.str
+ create mode 100644 test/errors/758588.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -9837,6 +9837,7 @@ static void
+ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
+                 const xmlChar *URI, int line, int nsNr, int tlen) {
+     const xmlChar *name;
++    size_t curLength;
+ 
+     GROW;
+     if ((RAW != '<') || (NXT(1) != '/')) {
+@@ -9845,8 +9846,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, c
+     }
+     SKIP(2);
+ 
+-    if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
+-        if (ctxt->input->cur[tlen] == '>') {
++    curLength = ctxt->input->end - ctxt->input->cur;
++    if ((tlen > 0) && (curLength >= (size_t)tlen) &&
++        (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
++        if ((curLength >= (size_t)(tlen + 1)) &&
++	    (ctxt->input->cur[tlen] == '>')) {
+ 	    ctxt->input->cur += tlen + 1;
+ 	    ctxt->input->col += tlen + 1;
+ 	    goto done;
+Index: libxml2-2.9.2/result/errors/758588.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/758588.xml.err
+@@ -0,0 +1,9 @@
++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794 [...]
++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
++                                                                               ^
++./test/errors/758588.xml:1: parser error : expected '>'
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++                                                                               ^
++./test/errors/758588.xml:1: parser error : Opening and ending tag mismatch: a line 1 and a
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++                                                                               ^
+Index: libxml2-2.9.2/result/errors/758588.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/758588.xml.str
+@@ -0,0 +1,10 @@
++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794 [...]
++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
++                                                                               ^
++./test/errors/758588.xml:1: parser error : expected '>'
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++                                                                               ^
++./test/errors/758588.xml:1: parser error : Opening and ending tag mismatch: a line 1 and a
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++                                                                               ^
++./test/errors/758588.xml : failed to parse
+Index: libxml2-2.9.2/test/errors/758588.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/758588.xml
+@@ -0,0 +1 @@
++<a-34028236692093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468 [...]
+\ No newline at end of file
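Review bot: In the embedded parser.c hunk, `curLength = ctxt->input->end - ctxt->input->cur;` stores a signed pointer difference in a `size_t`, so the two new bounds checks hold only while `cur <= end`; if `cur` were ever past `end` here, the value would wrap to a very large number and both checks would pass. Whether that state is reachable after `SKIP(2)` cannot be seen from this hunk, so I would at least record the invariant with a comment such as `/* assumes input->cur <= input->end; a negative difference would wrap and defeat the checks below */`. Separately, `(size_t)(tlen + 1)` does the addition in `int` before the cast, and `(size_t)tlen + 1` would avoid signed overflow for a very large `tlen`. Because this is a backport, either change is better raised upstream than carried as a local deviation; the body of xmlParseEndTag2 continues outside the hunk.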
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 563661b..a7c2904 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1834.patch \
             file://CVE-2016-4483.patch \
             file://CVE-2016-1840.patch \
+            file://CVE-2016-1838.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"

-- 