diff options
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch | 37 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.2.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch new file mode 100644 index 0000000000..41de9f80d8 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch @@ -0,0 +1,37 @@ +From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde <pjumde@apple.com> +Date: Mon, 7 Mar 2016 06:34:26 -0800 +Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup + <https://bugzilla.gnome.org/show_bug.cgi?id=757711> + +* xmlregexp.c: +(xmlFAParseCharRange): Only advance to the next character if +there is no error. Advancing to the next character in case of +an error while parsing regexp leads to an out of bounds access. + +Upstream-Status: Backport +CVE: CVE-2016-1840 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + xmlregexp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.2/xmlregexp.c +=================================================================== +--- libxml2-2.9.2.orig/xmlregexp.c ++++ libxml2-2.9.2/xmlregexp.c +@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr + ERROR("Expecting the end of a char range"); + return; + } +- NEXTL(len); ++ + /* TODO check that the values are acceptable character ranges for XML */ + if (end < start) { + ERROR("End of range is before start of range"); + } else { ++ NEXTL(len); + xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, + XML_REGEXP_CHARVAL, start, end, NULL); + } diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index 41cba644fe..563661b1fd 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb @@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2016-1762.patch \ file://CVE-2016-3705.patch \ file://CVE-2016-1834.patch \ file://CVE-2016-4483.patch \ + file://CVE-2016-1840.patch \ " SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" |