authorArmin Kuster <akuster@mvista.com>2016-07-09 15:02:26 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-27 08:29:39 +0100
commitd008b7023cb703a787c8fcac5cd87628b38a9ecd (patch)
treea2abe94f9cb1503df76c967c29b20be62c0469ab /meta/recipes-core/libxml
parentd0e3cc8c9234083a4ad6a0c1befe02b6076b084c (diff)
libxml2: Security fix for CVE-2016-1835
Affects libxml2 < 2.9.4 Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'meta/recipes-core/libxml')
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch95
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
new file mode 100644
index 0000000000..158b0aa5fa
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
@@ -0,0 +1,95 @@
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change. Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1835
+
+excluded test/errors/759020.xml: Added test case., they wont apply
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 12 ++++++++++--
+ result/errors/759020.xml | 0
+ result/errors/759020.xml.err | 6 ++++++
+ result/errors/759020.xml.str | 7 +++++++
+ test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -9499,7 +9499,10 @@ reparse:
+ else
+ if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9508,6 +9511,8 @@ skip_default_ns:
+ break;
+ }
+ SKIP_BLANKS;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+ if (aprefix == ctxt->str_xmlns) {
+@@ -9579,7 +9584,10 @@ skip_default_ns:
+ else
+ if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+Index: libxml2-2.9.2/result/errors/759020.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.err
+@@ -0,0 +1,6 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++ ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
++
++ ^
+Index: libxml2-2.9.2/result/errors/759020.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.str
+@@ -0,0 +1,7 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++ ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
++
++ ^
++./test/errors/759020.xml : failed to parse
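Review bot: The regression input `test/errors/759020.xml` is excluded from this backport (the header notes it would not apply), yet the expected outputs `result/errors/759020.xml.err` and `result/errors/759020.xml.str` are still added, so as far as this patch shows nothing in the patched tree exercises the `xmlParseStartTag2` fix. Either carry the test input in a form that applies or drop the two result files, and refresh the embedded diffstat, which still lists 5 files and 69 insertions. Separately, the added check `if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))` reads a local `inputNr` that no visible hunk declares, so it presumably depends on an earlier patch in `SRC_URI`; a header line naming that prerequisite would make the ordering requirement explicit. The `parser.c` hunks begin and end inside `xmlParseStartTag2`, whose full body is outside this view, so the other exits to `base_changed` could not be checked here.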
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index eeed6ac170..2bbdb0961d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-1836.patch \
file://CVE-2016-4449.patch \
file://CVE-2016-1837.patch \
+ file://CVE-2016-1835.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"