[oe-commits] [openembedded-core] 06/43: libxml2: Fix CVE-2017-5969

git at git.openembedded.org git at git.openembedded.org
Thu Jul 27 21:38:01 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch pyro
in repository openembedded-core.

commit f0017a7b8b3fc4407e6596156b57aa1183937382
Author: Andrej Valek <andrej.valek at siemens.com>
AuthorDate: Wed Jun 14 15:01:35 2017 +0200

    libxml2: Fix CVE-2017-5969
    
    Fix NULL pointer deref in xmlDumpElementContent
    
    Can only be triggered in recovery mode.
    
    Fixes bug 758422
    
    CVE: CVE-2017-5969
    (From OE-Core rev: 0cae039cbe513b7998e067f4f3958af2ec65ed1a)
    
    Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../libxml/libxml2/libxml2-CVE-2017-5969.patch     | 62 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.4.bb          |  1 +
 2 files changed, 63 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
new file mode 100644
index 0000000..571b05c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch
@@ -0,0 +1,62 @@
+libxml2-2.9.4: Fix CVE-2017-5969
+
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
+
+valid: Fix NULL pointer deref in xmlDumpElementContent
+
+Can only be triggered in recovery mode.
+
+Fixes bug 758422
+
+Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
+CVE: CVE-2017-5969
+Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
+
+diff --git a/valid.c b/valid.c
+index 19f84b8..0a8e58a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+ 	    xmlBufferWriteCHAR(buf, content->name);
+ 	    break;
+ 	case XML_ELEMENT_CONTENT_SEQ:
+-	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++	    if ((content->c1 != NULL) &&
++	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ 		xmlDumpElementContent(buf, content->c1, 1);
+ 	    else
+ 		xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " , ");
+-	    if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+-	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+-		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++	    if ((content->c2 != NULL) &&
++	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
++	         ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
++		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ 		xmlDumpElementContent(buf, content->c2, 1);
+ 	    else
+ 		xmlDumpElementContent(buf, content->c2, 0);
+ 	    break;
+ 	case XML_ELEMENT_CONTENT_OR:
+-	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++	    if ((content->c1 != NULL) &&
++	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ 		xmlDumpElementContent(buf, content->c1, 1);
+ 	    else
+ 		xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " | ");
+-	    if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+-	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+-		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++	    if ((content->c2 != NULL) &&
++	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
++	         ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
++		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ 		xmlDumpElementContent(buf, content->c2, 1);
+ 	    else
+ 		xmlDumpElementContent(buf, content->c2, 0);
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 09a7445..5776f0f 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
            file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
            file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
+           file://libxml2-CVE-2017-5969.patch \
            file://CVE-2016-9318.patch \
           "
 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list