[OE-core] [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer

Burton, Ross ross.burton at intel.com
Mon Dec 12 13:44:02 UTC 2016


I see part 1 and 2 but no part 3.

Also, have you asked upstream if they'll be making a point release with
these in?

Ross

On 12 December 2016 at 13:20, Andrej Valek <andrej.valek at siemens.com> wrote:

> xpath:
>  - Check for errors after evaluating first operand.
>  - Add sanity check for empty stack.
>  - Include comparison in changes from xmlXPathCmpNodesExt to
> xmlXPathCmpNodes
>
> Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
> Signed-off-by: Pascal Bach <pascal.bach at siemens.com>
> ---
>  .../libxml2/libxml2-fix_node_comparison.patch      | 67
> ++++++++++++++++++++++
>  meta/recipes-core/libxml/libxml2_2.9.4.bb          |  1 +
>  2 files changed, 68 insertions(+)
>  create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_node_
> comparison.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
> b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
> new file mode 100644
> index 0000000..11718bb
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
> @@ -0,0 +1,67 @@
> +libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL
> pointer deref in XPointer
> +
> +xpath:
> + - Check for errors after evaluating first operand.
> + - Add sanity check for empty stack.
> + - Include comparation in changes from xmlXPathCmpNodesExt to
> xmlXPathCmpNodes
> +
> +Upstream-Status: Backported
> + - [https://git.gnome.org/browse/libxml2/commit/?id=
> c1d1f7121194036608bf555f08d3062a36fd344b]
> + - [https://git.gnome.org/browse/libxml2/commit/?id=
> a005199330b86dada19d162cae15ef9bdcb6baa8]
> +CVE: necessary changes for fixing CVE-2016-5131
> +Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
> +Signed-off-by: Pascal Bach <pascal.bach at siemens.com>
> +
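Review bot: The header of the new patch file uses "Upstream-Status: Backported", but the OE-core tag value for changes taken from upstream commits is "Backport", so please use that spelling. The "CVE:" line carries free text ("necessary changes for fixing CVE-2016-5131") rather than an identifier for something this patch fixes, which is misleading for a prerequisite change. The description also says "comparation" where the title line above it says "comparison". Two upstream commit ids are listed without saying which change comes from which commit.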
> +diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
> +new file mode 100644
> +index 0000000..d589882
> +--- /dev/null
> ++++ b/result/XPath/xptr/viderror
> +@@ -0,0 +1,4 @@
> ++
> ++========================
> ++Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
> ++Object is empty (NULL)
> +diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
> +new file mode 100644
> +index 0000000..da8c53b
> +--- /dev/null
> ++++ b/test/XPath/xptr/viderror
> +@@ -0,0 +1 @@
> ++xpointer(non-existing-fn()/range-to(id('chapter2')))
> +diff --git a/xpath.c b/xpath.c
> +index 113bce6..d992841 100644
> +--- a/xpath.c
> ++++ b/xpath.c
> +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr
> node2) {
> +      * compute depth to root
> +      */
> +     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
> +-      if (cur == node1)
> ++      if (cur->parent == node1)
> +           return(1);
> +       depth2++;
> +     }
> +     root = cur;
> +     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
> +-      if (cur == node2)
> ++      if (cur->parent == node2)
> +           return(-1);
> +       depth1++;
> +     }
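Review bot: In both depth loops of xmlXPathCmpNodes the test moves from cur to cur->parent, so the starting node itself (node2 in the first loop, node1 in the second) is no longer compared against the other argument. With the old form, node1 == node2 on a node that has a parent returned 1 on the first iteration. The new form depends on the equal-node case being handled before these loops, which is not visible in the context here, so please confirm that in the patch description. The only test files added are test/XPath/xptr/viderror and its result, which cover the XPointer error path, so nothing in this patch exercises the comparison change.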
> +@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr
> ctxt, xmlXPathStepOpPtr op)
> +                 xmlNodeSetPtr oldset;
> +                 int i, j;
> +
> +-                if (op->ch1 != -1)
> ++                if (op->ch1 != -1) {
> +                     total +=
> +                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
> ++                    CHECK_ERROR0;
> ++                }
> ++                if (ctxt->value == NULL) {
> ++                    XP_ERROR0(XPATH_INVALID_OPERAND);
> ++                }
> +                 if (op->ch2 == -1)
> +                     return (total);
> +
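Review bot: In xmlXPathCompOpEval the new ctxt->value == NULL check sits after the closing brace of the op->ch1 != -1 block, so it also runs when no first operand was evaluated, and it raises XPATH_INVALID_OPERAND before the op->ch2 == -1 early return is reached. That appears to match "Add sanity check for empty stack", but the description should say so explicitly. It should also say which of the two listed upstream commits this hunk comes from, so the backport can be checked against it line by line.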
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> index 1fed90b..66a8940 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> @@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/
> libxml2-${PV}.tar.gz;name=libtar \
>             file://run-ptest \
>             file://python-sitepackages-dir.patch \
>             file://libxml-m4-use-pkgconfig.patch \
> +           file://libxml2-fix_node_comparison.patch \
>             file://libxml2-CVE-2016-5131.patch \
>            "
>
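Review bot: The new file://libxml2-fix_node_comparison.patch entry is inserted ahead of file://libxml2-CVE-2016-5131.patch, which is already in SRC_URI as unchanged context, so the existing CVE patch is now applied on top of the changes this patch makes. Please confirm that it still applies cleanly in that order. The commit message should also explain why the ordering is needed, since the subject calls these "necessary changes before fixing CVE-2016-5131" while the CVE patch is already listed in the recipe.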
> --
> 2.1.4
>