From 663943a80238572030978df484c73f4e80e06bf1 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sat, 5 Dec 2015 10:54:57 -0800
Subject: libxml2: security fix CVE-2015-7942 includes: CVE-2015-7942 CVE-2015-7942-2
(From OE-Core rev: 4ca806d70cf65a66daab85898bcf5d682bef43d3)
Signed-off-by: Armin Kuster
Signed-off-by: Joshua Lock
Signed-off-by: Richard Purdie
---
 meta/recipes-core/libxml/libxml2.inc | 2 ++
 ...ror-in-previous-Conditional-section-patch.patch | 35 +++++++++++++++++++
 ...iation-of-overflow-in-Conditional-section.patch | 39 ++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 180dd66..56a99e8 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -26,6 +26,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
 file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \
 file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \
 file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \
+ file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
+ file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
 "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
new file mode 100644
index 0000000..34b6036
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
@@ -0,0 +1,35 @@
+From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: [PATCH] Fix an error in previous Conditional section patch
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+
+Upstream-Status: Backport
+
+CVE-2015-7942-2
+
+Signed-off-by: Armin Kuster
+
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9217ff..d67b300 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ NULL, NULL);
+ }
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
+- ((ctxt->input->cur + 3) < ctxt->input->end))
++ ((ctxt->input->cur + 3) <= ctxt->input->end))
+ SKIP(3);
+ }
+ }
+--
+2.3.5
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
new file mode 100644
index 0000000..40082ec
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
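Review bot: The bound check `((ctxt->input->cur + 3) <= ctxt->input->end)` computes `cur + 3` before comparing, so when fewer than two bytes remain it forms a pointer more than one past `end`, which is undefined behaviour in C unless the allocation is known to extend beyond `end`. Comparing the remaining length avoids forming that pointer: `((ctxt->input->end - ctxt->input->cur) >= 3)`. The same expression, with `<`, is introduced by the CVE-2015-7942 patch added in this commit, so the rewrite would apply there as well. xmlParseConditionalSections begins and ends outside the hunk, so whether `cur` and `end` are always valid at this point cannot be confirmed from these lines.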
@@ -0,0 +1,39 @@
+From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: [PATCH] Another variation of overflow in Conditional sections
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+
+Upstream-Status: Backport
+
+CVE-2015-7942
+
+Signed-off-by: Armin Kuster
+
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a65e4cc..b9217ff 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ "All markup of the conditional section is not in the same entity\n",
+ NULL, NULL);
+ }
+- SKIP(3);
++ if ((ctxt-> instate != XML_PARSER_EOF) &&
++ ((ctxt->input->cur + 3) < ctxt->input->end))
++ SKIP(3);
+ }
+ }
+
+--
+2.3.5
+
--
cgit v1.1
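Review bot: When the new guard in front of `SKIP(3)` is false, the three bytes are left unconsumed and nothing in the hunk says why, so a reader cannot tell whether an error has already been recorded on that path. A comment above the `if` would document the intent, for example `/* consume the section terminator only if parsing was not stopped and 3 bytes remain in this input */`. If the short-input case can be reached without a fatal error already being set, it should presumably report one rather than fall through silently. That cannot be checked here because xmlParseConditionalSections starts and ends outside the hunk.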