diff options
| author |   Armin Kuster <akuster@mvista.com> | 2016-07-09 14:31:00 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-07-27 08:29:33 +0100 |
| commit | a28fea55f72284d3f4ed85f19f80b8475e726ee6 (patch) | |
| tree | 9bef363ddb7630953a16dd848a88d1c6200aca10 | |
| parent | 233f3b29760c878a3acb3aa0e22b7c252f17e2b3 (diff) | |
| download | openembedded-core-a28fea55f72284d3f4ed85f19f80b8475e726ee6.tar.gz | |
libxml2: Security fix for CVE-2016-4483.patch
affects libxml2 < 2.9.4
Signed-off-by: Armin Kuster <akuster@mvista.com>
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch | 55 | ||||
| -rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch new file mode 100644 index 0000000000..cf8d6badf3 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch @@ -0,0 +1,55 @@ +From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 May 2016 13:39:13 +0800 +Subject: [PATCH] Avoid an out of bound access when serializing malformed + strings + +For https://bugzilla.gnome.org/show_bug.cgi?id=766414 + +* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value + is not UTF-8 be more careful when serializing it as we may do an + out of bound access as a result. + +Upstream-Status: Backport +CVE: CVE-2016-4483 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + xmlsave.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xmlsave.c b/xmlsave.c +index 774404b..4a8e3f3 100644 +--- a/xmlsave.c ++++ b/xmlsave.c +@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, + xmlBufAdd(buf, BAD_CAST "&", 5); + cur++; + base = cur; +- } else if ((*cur >= 0x80) && ((doc == NULL) || +- (doc->encoding == NULL))) { ++ } else if ((*cur >= 0x80) && (cur[1] != 0) && ++ ((doc == NULL) || (doc->encoding == NULL))) { + /* + * We assume we have UTF-8 content. + */ +@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, + val <<= 6; + val |= (cur[1]) & 0x3F; + l = 2; +- } else if (*cur < 0xF0) { ++ } else if ((*cur < 0xF0) && (cur [2] != 0)) { + val = (cur[0]) & 0x0F; + val <<= 6; + val |= (cur[1]) & 0x3F; + val <<= 6; + val |= (cur[2]) & 0x3F; + l = 3; +- } else if (*cur < 0xF8) { ++ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) { + val = (cur[0]) & 0x07; + val <<= 6; + val |= (cur[1]) & 0x3F; +-- +2.3.5 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index e2400af62d..41cba644fe 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb @@ -7,6 +7,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \ SRC_URI += "file://CVE-2016-1762.patch \ file://CVE-2016-3705.patch \ file://CVE-2016-1834.patch \ + file://CVE-2016-4483.patch \ " SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" |