aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-01-30 14:39:28 -0800
committerSaul Wold <sgw@linux.intel.com>2016-02-01 08:23:28 -0800
commit03d481070ebc6f9af799aec5d038871f9c73901c (patch)
tree3b3e2866063c4d466ac40c93f4e1ea1922f6b93a
parentf3c19a39cdec435f26a7f46a3432231ba4daa19c (diff)
downloadopenembedded-core-contrib-03d481070ebc6f9af799aec5d038871f9c73901c.tar.gz
openembedded-core-contrib-03d481070ebc6f9af799aec5d038871f9c73901c.tar.bz2
openembedded-core-contrib-03d481070ebc6f9af799aec5d038871f9c73901c.zip
libxml2: Security fix CVE-2015-8710
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-core/libxml/libxml2.inc1
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch71
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bced950fa9..310d5bbc56 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -36,6 +36,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
file://CVE-2015-8241.patch \
+ file://CVE-2015-8710.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000000..be06cc22c8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
+
+CVE: CVE-2015-8710
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ ctxt->instate = state;
+ return;
+ }
++ len = 0;
++ buf[len] = 0;
+ q = CUR_CHAR(ql);
++ if (!IS_CHAR(q))
++ goto unfinished;
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
++ if (!IS_CHAR(r))
++ goto unfinished;
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+- len = 0;
+ while (IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
+- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment not terminated \n<!--%.50s\n", buf, NULL);
+- xmlFree(buf);
+- } else {
++ if (IS_CHAR(cur)) {
+ NEXT;
+ if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ (!ctxt->disableSAX))
+ ctxt->sax->comment(ctxt->userData, buf);
+ xmlFree(buf);
++ ctxt->instate = state;
++ return;
+ }
+- ctxt->instate = state;
++
++unfinished:
++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment not terminated \n<!--%.50s\n", buf, NULL);
++ xmlFree(buf);
+ }
+
+ /**