aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-07-09 14:57:08 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-27 08:29:36 +0100
commit689145fc5ae377eab088ee524c447223be29707f (patch)
treeb73c4821b2a9bf1638811d54ccd40411ecbb8f47
parentd24b0ac044e02ec34f74e46ad599ac8bdb10432c (diff)
downloadopenembedded-core-contrib-689145fc5ae377eab088ee524c447223be29707f.tar.gz
openembedded-core-contrib-689145fc5ae377eab088ee524c447223be29707f.tar.bz2
openembedded-core-contrib-689145fc5ae377eab088ee524c447223be29707f.zip
libxml2: Security fix for CVE-2016-1839
Affects libxml2 < 2.9.4 Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-1839.patch127
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 128 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1839.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1839.patch
new file mode 100644
index 00000000000..b6cf883da7c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1839.patch
@@ -0,0 +1,127 @@
+From a820dbeac29d330bae4be05d9ecd939ad6b4aa33 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Tue, 1 Mar 2016 11:34:04 -0800
+Subject: [PATCH] Bug 758605: Heap-based buffer overread in xmlDictAddString
+ <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
+
+Reviewed by David Kilzer.
+
+* HTMLparser.c:
+(htmlParseName): Add bounds check.
+(htmlParseNameComplex): Ditto.
+* result/HTML/758605.html: Added.
+* result/HTML/758605.html.err: Added.
+* result/HTML/758605.html.sax: Added.
+* runtest.c:
+(pushParseTest): The input for the new test case was so small
+(4 bytes) that htmlParseChunk() was never called after
+htmlCreatePushParserCtxt(), thereby creating a false positive
+test failure. Fixed by using a do-while loop so we always call
+htmlParseChunk() at least once.
+* test/HTML/758605.html: Added.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1839
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ HTMLparser.c | 8 ++++++++
+ result/HTML/758605.html | 3 +++
+ result/HTML/758605.html.err | 3 +++
+ result/HTML/758605.html.sax | 13 +++++++++++++
+ runtest.c | 4 ++--
+ test/HTML/758605.html | 1 +
+ 6 files changed, 30 insertions(+), 2 deletions(-)
+ create mode 100644 result/HTML/758605.html
+ create mode 100644 result/HTML/758605.html.err
+ create mode 100644 result/HTML/758605.html.sax
+ create mode 100644 test/HTML/758605.html
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
+ (*in == '_') || (*in == '-') ||
+ (*in == ':') || (*in == '.'))
+ in++;
++
++ if (in == ctxt->input->end)
++ return(NULL);
++
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
+@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ct
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
++
++ if (ctxt->input->base > ctxt->input->cur - len)
++ return(NULL);
++
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+ }
+
+Index: libxml2-2.9.2/result/HTML/758605.html
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/HTML/758605.html
+@@ -0,0 +1,3 @@
++<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
++<html><body><p>&amp;
++</p></body></html>
+Index: libxml2-2.9.2/result/HTML/758605.html.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/HTML/758605.html.err
+@@ -0,0 +1,3 @@
++./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
++ê
++ ^
+Index: libxml2-2.9.2/result/HTML/758605.html.sax
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/HTML/758605.html.sax
+@@ -0,0 +1,13 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: htmlParseEntityRef: no name
++SAX.startElement(html)
++SAX.startElement(body)
++SAX.startElement(p)
++SAX.characters(&amp;, 1)
++SAX.ignorableWhitespace(
++, 1)
++SAX.endElement(p)
++SAX.endElement(body)
++SAX.endElement(html)
++SAX.endDocument()
+Index: libxml2-2.9.2/runtest.c
+===================================================================
+--- libxml2-2.9.2.orig/runtest.c
++++ libxml2-2.9.2/runtest.c
+@@ -1827,7 +1827,7 @@ pushParseTest(const char *filename, cons
+ ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
+ xmlCtxtUseOptions(ctxt, options);
+ cur += 4;
+- while (cur < size) {
++ do {
+ if (cur + 1024 >= size) {
+ #ifdef LIBXML_HTML_ENABLED
+ if (options & XML_PARSE_HTML)
+@@ -1845,7 +1845,7 @@ pushParseTest(const char *filename, cons
+ xmlParseChunk(ctxt, base + cur, 1024, 0);
+ cur += 1024;
+ }
+- }
++ } while (cur < size);
+ doc = ctxt->myDoc;
+ #ifdef LIBXML_HTML_ENABLED
+ if (options & XML_PARSE_HTML)
+Index: libxml2-2.9.2/test/HTML/758605.html
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/HTML/758605.html
+@@ -0,0 +1 @@
++&:
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index a7c290434bf..328e2a3dbdf 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-4483.patch \
file://CVE-2016-1840.patch \
file://CVE-2016-1838.patch \
+ file://CVE-2016-1839.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"