mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-19 15:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

libxml2: Security fix for CVE-2016-1835

Browse Source 
Affects libxml2 < 2.9.4

(From OE-Core rev: d008b7023cb703a787c8fcac5cd87628b38a9ecd)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2016-07-09 15:02:26 -07:00
committed by Richard Purdie
parent f96cfb009d
commit 1081306623
2 changed files with 96 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch Normal file
View File

@@ -0,0 +1,95 @@
From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 14:04:08 -0800
Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
For https://bugzilla.gnome.org/show_bug.cgi?id=759020
* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change. Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
Upstream-Status: Backport
CVE: CVE-2016-1835
excluded test/errors/759020.xml: Added test case., they wont apply
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
parser.c | 12 ++++++++++--
result/errors/759020.xml | 0
result/errors/759020.xml.err | 6 ++++++
result/errors/759020.xml.str | 7 +++++++
test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 69 insertions(+), 2 deletions(-)
create mode 100644 result/errors/759020.xml
create mode 100644 result/errors/759020.xml.err
create mode 100644 result/errors/759020.xml.str
create mode 100644 test/errors/759020.xml
Index: libxml2-2.9.2/parser.c
===================================================================
--- libxml2-2.9.2.orig/parser.c
+++ libxml2-2.9.2/parser.c
@@ -9499,7 +9499,10 @@ reparse:
else
if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
skip_default_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
break;
if (!IS_BLANK_CH(RAW)) {
@@ -9508,6 +9511,8 @@ skip_default_ns:
break;
}
SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
continue;
}
if (aprefix == ctxt->str_xmlns) {
@@ -9579,7 +9584,10 @@ skip_default_ns:
else
if (nsPush(ctxt, attname, URL) > 0) nbNs++;
skip_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
break;
if (!IS_BLANK_CH(RAW)) {
Index: libxml2-2.9.2/result/errors/759020.xml.err
===================================================================
--- /dev/null
+++ libxml2-2.9.2/result/errors/759020.xml.err
@@ -0,0 +1,6 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
+
+ ^
Index: libxml2-2.9.2/result/errors/759020.xml.str
===================================================================
--- /dev/null
+++ libxml2-2.9.2/result/errors/759020.xml.str
@@ -0,0 +1,7 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
+
+ ^
+./test/errors/759020.xml : failed to parse

1
meta/recipes-core/libxml/libxml2_2.9.2.bb
View File

@@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-1836.patch \
file://CVE-2016-4449.patch \
file://CVE-2016-1837.patch \
file://CVE-2016-1835.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"