From 8a59dc853d2870bc33ef3cc5af202e33b3d7c6c2 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster@mvista.com>
Date: Sat, 9 Jul 2016 14:27:44 -0700
Subject: libxml2: Security fix for CVE-2016-1762

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libxml/libxml2/CVE-2016-1762.patch             | 84 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |  2 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-1762.patch

(limited to 'meta/recipes-core')

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1762.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1762.patch
new file mode 100644
index 0000000000..8fff179ce9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1762.patch
@@ -0,0 +1,84 @@
+From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 9 Feb 2016 12:55:29 +0100
+Subject: [PATCH] Heap-based buffer overread in xmlNextChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759671
+
+when the end of the internal subset isn't properly detected
+xmlParseInternalSubset should just return instead of trying
+to process input further.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1762
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c                       |  1 +
+ result/errors/754946.xml.err   | 10 +++++-----
+ result/errors/content1.xml.err |  2 +-
+ result/valid/t8.xml.err        |  2 +-
+ result/valid/t8a.xml.err       |  2 +-
+ 5 files changed, 9 insertions(+), 8 deletions(-)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -8480,6 +8480,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr
+      */
+     if (RAW != '>') {
+ 	xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
++	return;
+     }
+     NEXT;
+ }
+Index: libxml2-2.9.2/result/errors/754946.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/errors/754946.xml.err
++++ libxml2-2.9.2/result/errors/754946.xml.err
+@@ -11,9 +11,9 @@ Entity: line 1: parser error : DOCTYPE i
+ Entity: line 1: 
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
+-./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
+->%SYSTEM;<![
+-         ^
+-./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+->%SYSTEM;<![
++Entity: line 1: parser error : Start tag expected, '<' not found
++ %SYSTEM; 
+          ^
++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_
++^
+Index: libxml2-2.9.2/result/errors/content1.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/errors/content1.xml.err
++++ libxml2-2.9.2/result/errors/content1.xml.err
+@@ -13,4 +13,4 @@
+                          ^
+ ./test/errors/content1.xml:7: parser error : Start tag expected, '<' not found
+ <!ELEMENT aElement (a |b * >
+-                           ^
++                         ^
+Index: libxml2-2.9.2/result/valid/t8.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/valid/t8.xml.err
++++ libxml2-2.9.2/result/valid/t8.xml.err
+@@ -16,4 +16,4 @@ Entity: line 1: parser error : Start tag
+           ^
+ Entity: line 1: 
+ &lt;!ELEMENT root (middle) >
+- ^
++^
+Index: libxml2-2.9.2/result/valid/t8a.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/valid/t8a.xml.err
++++ libxml2-2.9.2/result/valid/t8a.xml.err
+@@ -16,4 +16,4 @@ Entity: line 1: parser error : Start tag
+           ^
+ Entity: line 1: 
+ &lt;!ELEMENT root (middle) >
+- ^
++^
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 79a395cea1..7f2ded76c1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -4,6 +4,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
             file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch \
 	    file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
 	   "
+SRC_URI += "file://CVE-2016-1762.patch \
+    "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
 SRC_URI[libtar.sha256sum] = "5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc"
-- 
cgit 1.2.3-korg