diff options
| author | Armin Kuster <akuster@mvista.com> | 2015-12-05 10:57:48 -0800 |
|---|---|---|
| committer | Robert Yang <liezhi.yang@windriver.com> | 2016-01-13 22:21:20 -0800 |
| commit | c1d69a59a693dabf4b48619fdc12ce0f148a2386 (patch) | |
| tree | ede9a6d9b705641f084d116f92d62644c93ca83e /meta | |
| parent | cece10f44c9cceddab17adf1a1debc4b14e50a8d (diff) | |
| download | openembedded-core-c1d69a59a693dabf4b48619fdc12ce0f148a2386.tar.gz openembedded-core-c1d69a59a693dabf4b48619fdc12ce0f148a2386.tar.bz2 openembedded-core-c1d69a59a693dabf4b48619fdc12ce0f148a2386.zip | |
libxml2: security fix CVE-2015-7497
Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 389f5cdf40..65b262582b 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc @@ -28,6 +28,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \ file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \ + file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \ " BINCONFIG = "${bindir}/xml2-config" diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch new file mode 100644 index 0000000000..955c961957 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch @@ -0,0 +1,40 @@ +From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 +From: David Drysdale <drysdale@google.com> +Date: Fri, 20 Nov 2015 10:47:12 +0800 +Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in + xmlDictComputeFastQKey + +For https://bugzilla.gnome.org/show_bug.cgi?id=756528 +It was possible to hit a negative offset in the name indexing +used to randomize the dictionary key generation +Reported and fix provided by David Drysdale @ Google + +Upstream-Status: Backport + +CVE-2015-7497 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + dict.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 5f71d55..8c8f931 100644 +--- a/dict.c ++++ b/dict.c +@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, + value += 30 * (*prefix); + + if (len > 10) { +- value += name[len - (plen + 1 + 1)]; ++ int offset = len - (plen + 1 + 1); ++ if (offset < 0) ++ offset = len - (10 + 1); ++ value += name[offset]; + len = 10; + if (plen > 10) + plen = 10; +-- +2.3.5 + |