[OE-core] [PATCH] libxml2: refresh CVE-2017-8872
Ross Burton
ross.burton at intel.com
Thu Oct 4 10:04:52 UTC 2018
The patch associated with the CVE-2017-8872 report was never merged into
libxml2, but a slightly different patch for the same problem was. Cherry-pick
that as a backport, which also fixes the failing test suite.
Signed-off-by: Ross Burton <ross.burton at intel.com>
---
.../libxml/libxml2/fix-CVE-2017-8872.patch | 73 +++++++++++++++-------
1 file changed, 50 insertions(+), 23 deletions(-)
diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
index b34479f318f..42a4b0ed602 100644
--- a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -1,38 +1,65 @@
-From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
-From: Salvatore Bonaccorso <carnil at debian.org>
-Date: Tue, 3 Jul 2018 15:54:03 +0800
-Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+Upstream-Status: Backport
+CVE: CVE-2017-8872
+Signed-off-by: Ross Burton <ross.burton at intel.com>
-https://bugzilla.gnome.org/show_bug.cgi?id=775200
-Fixes bug 775200.
+From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Tue, 11 Sep 2018 14:52:07 +0200
+Subject: [PATCH] Free input buffer in xmlHaltParser
-Signed-off-by: Salvatore Bonaccorso <carnil at debian.org>
+This avoids miscalculation of available bytes.
-Upstream-Status: Submitted
-https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
-CVE: CVE-2017-8872
-Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+Thanks to Yunho Kim for the report.
+
+Closes: #26
---
- parser.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
+ parser.c | 5 +++++
+ result/errors/759573.xml.err | 17 +++++++----------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/parser.c b/parser.c
-index ca9fde2..fb4c889 100644
+index ca9fde2c..5813a664 100644
--- a/parser.c
+++ b/parser.c
-@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ ctxt->input->free((xmlChar *) ctxt->input->base);
+ ctxt->input->free = NULL;
}
++ if (ctxt->input->buf != NULL) {
++ xmlFreeParserInputBuffer(ctxt->input->buf);
++ ctxt->input->buf = NULL;
++ }
ctxt->input->cur = BAD_CAST"";
++ ctxt->input->length = 0;
ctxt->input->base = ctxt->input->cur;
-- ctxt->input->end = ctxt->input->cur;
-+ ctxt->input->end = ctxt->input->cur;
-+ if (ctxt->input->buf)
-+ xmlBufEmpty (ctxt->input->buf->buffer);
-+ else
-+ ctxt->input->length = 0;
+ ctxt->input->end = ctxt->input->cur;
}
- }
+diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
+index 554039f6..38ef5c40 100644
+--- a/result/errors/759573.xml.err
++++ b/result/errors/759573.xml.err
+@@ -21,14 +21,11 @@ Entity: line 1:
+ ^
+ ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
+- ^
++
++^
+ ./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
+- ^
+-./test/errors/759573.xml:1: parser error : StartTag: invalid element name
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
+- ^
+-./test/errors/759573.xml:1: parser error : Extra content at the end of the document
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
+- ^
++
++^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++
++^
--
-2.7.4
+2.11.0
--
2.11.0
More information about the Openembedded-core
mailing list