diff options
| author | Armin Kuster <akuster@mvista.com> | 2016-02-06 15:15:01 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-07 17:23:06 +0000 |
| commit | 092903a2ef92627e93cd26dda4583db7bc0288a3 (patch) | |
| tree | 98103f41c4fa1c870140665cb11a4e8ea4aba0a5 | |
| parent | c2f4fe8d0c7e5d0c5720aaee20c5f7a8f6ea068c (diff) | |
| download | ast2050-yocto-poky-092903a2ef92627e93cd26dda4583db7bc0288a3.zip ast2050-yocto-poky-092903a2ef92627e93cd26dda4583db7bc0288a3.tar.gz | |
libxml2: Security fix CVE-2015-8710
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
(From OE-Core rev: 03d481070ebc6f9af799aec5d038871f9c73901c)
(From OE-Core rev: d5db25213613cb862255047c0e995fd5489d9765)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch | 71 |
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 01d6bbe..2748b4f 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc @@ -38,6 +38,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \ file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \ file://CVE-2015-8241.patch \ + file://CVE-2015-8710.patch \ " BINCONFIG = "${bindir}/xml2-config" diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch new file mode 100644 index 0000000..be06cc2 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch @@ -0,0 +1,71 @@ +From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 30 Oct 2015 21:14:55 +0800 +Subject: [PATCH] Fix parsing short unclosed comment uninitialized access + +For https://bugzilla.gnome.org/show_bug.cgi?id=746048 +The HTML parser was too optimistic when processing comments and +didn't check for the end of the stream on the first 2 characters + +Upstream-Status: Backport + +https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c + +CVE: CVE-2015-8710 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + HTMLparser.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +Index: libxml2-2.9.2/HTMLparser.c +=================================================================== +--- libxml2-2.9.2.orig/HTMLparser.c ++++ libxml2-2.9.2/HTMLparser.c +@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) + ctxt->instate = state; + return; + } ++ len = 0; ++ buf[len] = 0; + q = CUR_CHAR(ql); ++ if (!IS_CHAR(q)) ++ goto unfinished; + NEXTL(ql); + r = CUR_CHAR(rl); ++ if (!IS_CHAR(r)) ++ goto unfinished; + NEXTL(rl); + cur = CUR_CHAR(l); +- len = 0; + while (IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { +@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { +- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment not terminated \n<!--%.50s\n", buf, NULL); +- xmlFree(buf); +- } else { ++ if (IS_CHAR(cur)) { + NEXT; + if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) && + (!ctxt->disableSAX)) + ctxt->sax->comment(ctxt->userData, buf); + xmlFree(buf); ++ ctxt->instate = state; ++ return; + } +- ctxt->instate = state; ++ ++unfinished: ++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment not terminated \n<!--%.50s\n", buf, NULL); ++ xmlFree(buf); + } + + /** |
