[oe-commits] [openembedded-core] 15/17: libxml2: Security fix for CVE-2016-3627

git at git.openembedded.org git at git.openembedded.org
Wed Jul 27 07:34:20 UTC 2016


rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit ceabe39237a035efda6a74c746848a9fbab30a08
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Jul 9 15:06:40 2016 -0700

    libxml2: Security fix for CVE-2016-3627
    
    Affects libxml2 < 2.9.4
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libxml/libxml2/CVE-2016-3627.patch             | 64 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |  1 +
 2 files changed, 65 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch
new file mode 100644
index 0000000..2de9c5e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch
@@ -0,0 +1,64 @@
+From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Mon, 23 May 2016 12:27:58 +0800
+Subject: [PATCH] Avoid building recursive entities
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=762100
+
+When we detect a recusive entity we should really not
+build the associated data, moreover if someone bypass
+libxml2 fatal errors and still tries to serialize a broken
+entity make sure we don't risk to get ito a recursion
+
+* parser.c: xmlParserEntityCheck() don't build if entity loop
+  were found and remove the associated text content
+* tree.c: xmlStringGetNodeList() avoid a potential recursion
+
+Upstream-Status: Backport
+CVE: CVE-2016-3627
+Signed-off-by: Armin Kuster <akuster at mvsita.com
+
+---
+ parser.c | 6 +++++-
+ tree.c   | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ea0e89e..53a6b7f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+      * entities problems
+      */
+     if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+-	(ent->content != NULL) && (ent->checked == 0)) {
++	(ent->content != NULL) && (ent->checked == 0) &&
++	(ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
+ 	unsigned long oldnbent = ctxt->nbentities;
+ 	xmlChar *rep;
+ 
+@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 				  XML_SUBSTITUTE_REF, 0, 0, 0);
+         --ctxt->depth;
++	if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
++	    ent->content[0] = 0;
++	}
+ 
+ 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ 	if (rep != NULL) {
+diff --git a/tree.c b/tree.c
+index 7fbca6e..9d330b8 100644
+--- a/tree.c
++++ b/tree.c
+@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+ 			else if ((ent != NULL) && (ent->children == NULL)) {
+ 			    xmlNodePtr temp;
+ 
++			    ent->children = (xmlNodePtr) -1;
+ 			    ent->children = xmlStringGetNodeList(doc,
+ 				    (const xmlChar*)node->content);
+ 			    ent->owner = 1;
+-- 
+2.3.5
+
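Review bot: The `ent->children = (xmlNodePtr) -1;` line added in the tree.c part of the backported patch stores a non-dereferenceable marker with no comment, so a later reader cannot tell it from a mistake. It appears intended to make the `ent->children == NULL` test fail if the same entity is reached again during the nested `xmlStringGetNodeList` call, and it is overwritten by that call's return value. A comment such as `/* mark entity as being expanded so a self-reference cannot recurse; replaced by the real list below */` would record this, and since most of the function lies outside the hunk it is worth confirming that nothing reachable from the nested call dereferences `ent->children` while the marker is set. In the parser.c part, both new checks depend on `ctxt->errNo` still holding `XML_ERR_ENTITY_LOOP`, and `ent->content[0] = 0` shortens the string with no visible update to the entity's stored length; both match upstream, but should be checked against code that reads the entity afterwards. Separately, the patch's own `Signed-off-by:` trailer is missing its closing `>` and spells the domain `mvsita`, unlike the commit's author line.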
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 76efa9f..90f7a7a 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1837.patch \
             file://CVE-2016-1835.patch \
             file://CVE-2016-1833.patch \
+            file://CVE-2016-3627.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
