[oe-commits] [openembedded-core] 13/17: libxml2: Security fix for CVE-2016-1835

git at git.openembedded.org git at git.openembedded.org
Wed Jul 27 07:34:18 UTC 2016


rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit d008b7023cb703a787c8fcac5cd87628b38a9ecd
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Jul 9 15:02:26 2016 -0700

    libxml2: Security fix for CVE-2016-1835
    
    Affects libxml2 < 2.9.4
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libxml/libxml2/CVE-2016-1835.patch             | 95 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |  1 +
 2 files changed, 96 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
new file mode 100644
index 0000000..158b0aa
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
@@ -0,0 +1,95 @@
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde at apple.com>
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change.  Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1835
+
+excluded  test/errors/759020.xml: Added test case., they wont apply 
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ parser.c                     | 12 ++++++++++--
+ result/errors/759020.xml     |  0
+ result/errors/759020.xml.err |  6 ++++++
+ result/errors/759020.xml.str |  7 +++++++
+ test/errors/759020.xml       | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -9499,7 +9499,10 @@ reparse:
+ 		else
+ 		    if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+-		if (alloc != 0) xmlFree(attvalue);
++		if ((attvalue != NULL) && (alloc != 0)) {
++		    xmlFree(attvalue);
++		    attvalue = NULL;
++		}
+ 		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 		    break;
+ 		if (!IS_BLANK_CH(RAW)) {
+@@ -9508,6 +9511,8 @@ skip_default_ns:
+ 		    break;
+ 		}
+ 		SKIP_BLANKS;
++		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++		    goto base_changed;
+ 		continue;
+ 	    }
+             if (aprefix == ctxt->str_xmlns) {
+@@ -9579,7 +9584,10 @@ skip_default_ns:
+ 		else
+ 		    if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+-		if (alloc != 0) xmlFree(attvalue);
++		if ((attvalue != NULL) && (alloc != 0)) {
++		    xmlFree(attvalue);
++		    attvalue = NULL;
++		}
+ 		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 		    break;
+ 		if (!IS_BLANK_CH(RAW)) {
+Index: libxml2-2.9.2/result/errors/759020.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.err
+@@ -0,0 +1,6 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [...]
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++                                                                               ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
++
++                                                                   ^
+Index: libxml2-2.9.2/result/errors/759020.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.str
+@@ -0,0 +1,7 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [...]
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++                                                                               ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
++
++                                                                   ^
++./test/errors/759020.xml : failed to parse
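Review bot: The new re-check after `SKIP_BLANKS` in the default-namespace branch, `if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))`, reads a local `inputNr` that none of the three parser.c hunks declares or assigns. On the 2.9.2 base this backport therefore presumably relies on that variable already being present, from the tarball or from an earlier patch in SRC_URI; that should be confirmed and noted in the patch header. The `skip_ns:` branch gets only the free-and-NULL change, and its loop tail lies outside the hunk, so confirm that the same base/inputNr re-check guards its `continue`, since stale attribute pointers after a buffer change are what this fix addresses. Separately, the header says `test/errors/759020.xml` was excluded, yet the `.err` and `.str` expectations are still added and the inner diffstat still lists five files, which leaves expected output with no input to drive it. Either drop the result files as well or state in the header that no regression test for the use-after-free is carried.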
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index eeed6ac..2bbdb09 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1836.patch \
             file://CVE-2016-4449.patch \
             file://CVE-2016-1837.patch \
+            file://CVE-2016-1835.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
