[OE-core] [PATCH][V2] expat: CVE-2015-1283
Zhixiong Chi
Zhixiong.Chi at windriver.com
Thu Dec 24 09:29:59 UTC 2015
Add CVE-2015-1283 patch for fixing integer overflow bug in expat.
Details are at below link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
Patch comes from:
https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
https://codereview.chromium.org/1224303003
Signed-off-by: Zhixiong Chi <Zhixiong.Chi at windriver.com>
---
.../expat/expat-2.1.0/expat-CVE-2015-1283.patch | 62 ++++++++++++++++++++++
meta/recipes-core/expat/expat.inc | 4 +-
2 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
new file mode 100644
index 0000000..1d0acb6
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
@@ -0,0 +1,62 @@
+Multiple integer overflows in the XML_GetBuffer function in Expat
+through 2.1.0, allow remote attackers to cause a denial of service
+(heap-based buffer overflow) or possibly have unspecified other
+impact via crafted XML data.
+
+CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+
+CVE: CVE-2015-1283
+Upstream-Status: Backport
+
+Signed-off-by: Eric Rahm <erahm at mozilla.com>
+Signed-off-by: Zhixiong Chi <zhixiong.chi at windirver.com>
+
+Index: expat-2.1.0/lib/xmlparse.c
+===================================================================
+--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
++++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
+@@ -1678,6 +1678,12 @@
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+@@ -1689,8 +1695,13 @@
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+@@ -1719,7 +1730,15 @@
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc
index 6dfafe9..4bd60a2 100644
--- a/meta/recipes-core/expat/expat.inc
+++ b/meta/recipes-core/expat/expat.inc
@@ -5,7 +5,9 @@ SECTION = "libs"
LICENSE = "MIT"
SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \
- file://autotools.patch"
+ file://autotools.patch \
+ file://expat-CVE-2015-1283.patch \
+ "
inherit autotools lib_package gzipnative
--
1.9.1
More information about the Openembedded-core
mailing list