[OE-core] [PATCH] libxml2: Fix CVE-2017-8872

Jussi Kukkonen jussi.kukkonen at intel.com
Thu Jun 8 11:10:34 UTC 2017


On 7 June 2017 at 11:51, Fan Xin <fan.xin at jp.fujitsu.com> wrote:
>
> CVE: CVE-2017-8872
> The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers
> to cause a denial of service (buffer over-read) or information disclosure.
>
> External References:
> https://bugzilla.gnome.org/show_bug.cgi?id=77520


This should be
https://bugzilla.gnome.org/show_bug.cgi?id=775200

I have the same question that was asked in the upstream bug comment 6 about
two weeks ago: The patch doesn't seem to have any effect (because the goto
will happen anyway since 'avail' is 0), am I missing something?

Jussi


>
>
> Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
> ---
>  .../libxml/libxml2/libxml2-CVE-2017-8872.patch     | 23
++++++++++++++++++++++
>  meta/recipes-core/libxml/libxml2_2.9.4.bb          |  1 +
>  2 files changed, 24 insertions(+)
>  create mode 100644
meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
> new file mode 100644
> index 0000000..df05e06
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
> @@ -0,0 +1,23 @@
> +libxml2-2.9.4: Fix CVE-2017-8872
> +
> +Bug 775200 - (CVE-2017-8872) global-buffer-overflow in
htmlParseTryOrFinish (HTMLparser.c:5403)
> + - [https://bugzilla.gnome.org/show_bug.cgi?id=775200]
> +
> +CVE: CVE-2017-8872
> +Upstream-Status: Submitted
> +
> +Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
> +
> +Index: libxml2-2.9.4/HTMLparser.c
> +===================================================================
> +--- libxml2-2.9.4.orig/HTMLparser.c
> ++++ libxml2-2.9.4/HTMLparser.c
> +@@ -5396,6 +5396,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr c
> +               ctxt->instate = XML_PARSER_EOF;
> +               if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
> +                   ctxt->sax->endDocument(ctxt->userData);
> ++
> ++              goto done;
> +           }
> +       }
> +         if (avail < 1)
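Review bot: Nothing in the embedded patch header explains why the `goto done;` added after the `endDocument` call is needed, given that the trailing context shows `if (avail < 1)` directly after the block it exits. The header carries only the bug title, the bugzilla link and `Upstream-Status: Submitted`. Please add a short description of which input reaches the over-read at HTMLparser.c:5403 and how leaving the block early avoids it, and state whether the reproducer from the bug was run before and after the change. With the status still at Submitted, that description is the only basis for judging the fix.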
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb
b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> index ea0d3b8..0b4cbca 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> @@ -24,6 +24,7 @@ SRC_URI = "
ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
>             file://libxml2-CVE-2016-4658.patch \
>             file://libxml2-fix_NULL_pointer_derefs.patch \
>             file://CVE-2016-9318.patch \
> +          file://libxml2-CVE-2017-8872.patch \
>            "
>
>  SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
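Review bot: The added `file://libxml2-CVE-2017-8872.patch \` entry is indented one column less than the three `file://` entries above it, as the hunk appears here, so it lines up with the closing quote rather than with the rest of the list. Please match the indentation of the existing SRC_URI entries.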
> --
> 1.9.1
>