-rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 1 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch | 71 |
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bced950fa9..310d5bbc56 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -36,6 +36,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
 file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
 file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
 file://CVE-2015-8241.patch \
+ file://CVE-2015-8710.patch \
 "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000000..be06cc22c8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
+
+CVE: CVE-2015-8710
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ ctxt->instate = state;
+ return;
+ }
++ len = 0;
++ buf[len] = 0;
+ q = CUR_CHAR(ql);
++ if (!IS_CHAR(q))
++ goto unfinished;
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
++ if (!IS_CHAR(r))
++ goto unfinished;
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+- len = 0;
+ while (IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
+- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment not terminated \n<!--%.50s\n", buf, NULL);
+- xmlFree(buf);
+- } else {
++ if (IS_CHAR(cur)) {
+ NEXT;
+ if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ (!ctxt->disableSAX))
+ ctxt->sax->comment(ctxt->userData, buf);
+ xmlFree(buf);
++ ctxt->instate = state;
++ return;
+ }
+- ctxt->instate = state;
++
++unfinished:
++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment not terminated \n<!--%.50s\n", buf, NULL);
++ xmlFree(buf);
+ }
+
+ /** |
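Review bot: On the `unfinished:` path of htmlParseComment the parser state is no longer restored: the removed `ctxt->instate = state;` ran after both branches, while the new code sets it only inside `if (IS_CHAR(cur))` before the early `return`. A truncated comment (either `goto unfinished` or a loop that stops on a non-char) therefore leaves `instate` at whatever the function set before these hunks, which is not visible here; if that is not intended, add `ctxt->instate = state;` after the `htmlParseErr(...)` call under the label. Given the `Upstream-Status: Backport` tag this presumably mirrors the upstream commit, so any such change is better carried as a separate follow-up patch than folded into the backport. The early `len = 0; buf[len] = 0;` is what keeps the `%.50s` in the error message from reading an unterminated buffer on the two new early exits, and deserves a comment such as `/* terminate buf now: the unfinished path prints it */`.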