mirror of
https://git.yoctoproject.org/poky
synced 2026-04-16 15:32:13 +02:00
libxml2: Security fix for CVE-2016-3627
Affects libxml2 < 2.9.4 (From OE-Core rev: ceabe39237a035efda6a74c746848a9fbab30a08) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
committed by
Richard Purdie
Richard Purdie
parent
1ecd2f56aa
commit
4e260c96f4
64
meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch
Normal file
64
meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch
Normal file
@@ -0,0 +1,64 @@
|
||||
From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Mon, 23 May 2016 12:27:58 +0800
|
||||
Subject: [PATCH] Avoid building recursive entities
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=762100
|
||||
|
||||
When we detect a recusive entity we should really not
|
||||
build the associated data, moreover if someone bypass
|
||||
libxml2 fatal errors and still tries to serialize a broken
|
||||
entity make sure we don't risk to get ito a recursion
|
||||
|
||||
* parser.c: xmlParserEntityCheck() don't build if entity loop
|
||||
were found and remove the associated text content
|
||||
* tree.c: xmlStringGetNodeList() avoid a potential recursion
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2016-3627
|
||||
Signed-off-by: Armin Kuster <akuster@mvsita.com
|
||||
|
||||
---
|
||||
parser.c | 6 +++++-
|
||||
tree.c | 1 +
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index ea0e89e..53a6b7f 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||
* entities problems
|
||||
*/
|
||||
if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
|
||||
- (ent->content != NULL) && (ent->checked == 0)) {
|
||||
+ (ent->content != NULL) && (ent->checked == 0) &&
|
||||
+ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
|
||||
unsigned long oldnbent = ctxt->nbentities;
|
||||
xmlChar *rep;
|
||||
|
||||
@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||
--ctxt->depth;
|
||||
+ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
|
||||
+ ent->content[0] = 0;
|
||||
+ }
|
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
||||
if (rep != NULL) {
|
||||
diff --git a/tree.c b/tree.c
|
||||
index 7fbca6e..9d330b8 100644
|
||||
--- a/tree.c
|
||||
+++ b/tree.c
|
||||
@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||
else if ((ent != NULL) && (ent->children == NULL)) {
|
||||
xmlNodePtr temp;
|
||||
|
||||
+ ent->children = (xmlNodePtr) -1;
|
||||
ent->children = xmlStringGetNodeList(doc,
|
||||
(const xmlChar*)node->content);
|
||||
ent->owner = 1;
|
||||
--
|
||||
2.3.5
|
||||
|
||||
@@ -16,6 +16,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
|
||||
file://CVE-2016-1837.patch \
|
||||
file://CVE-2016-1835.patch \
|
||||
file://CVE-2016-1833.patch \
|
||||
file://CVE-2016-3627.patch \
|
||||
"
|
||||
|
||||
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
|
||||
|
||||
Reference in New Issue
Block a user