mirror of
https://git.yoctoproject.org/poky
synced 2026-05-31 12:49:46 +00:00
libxml2: Security fix for CVE-2016-3627
Affects libxml2 < 2.9.4 (From OE-Core rev: ceabe39237a035efda6a74c746848a9fbab30a08) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
committed by
Richard Purdie
Richard Purdie
parent
1ecd2f56aa
commit
4e260c96f4
@@ -0,0 +1,64 @@
|
|||||||
|
From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Veillard <veillard@redhat.com>
|
||||||
|
Date: Mon, 23 May 2016 12:27:58 +0800
|
||||||
|
Subject: [PATCH] Avoid building recursive entities
|
||||||
|
|
||||||
|
For https://bugzilla.gnome.org/show_bug.cgi?id=762100
|
||||||
|
|
||||||
|
When we detect a recusive entity we should really not
|
||||||
|
build the associated data, moreover if someone bypass
|
||||||
|
libxml2 fatal errors and still tries to serialize a broken
|
||||||
|
entity make sure we don't risk to get ito a recursion
|
||||||
|
|
||||||
|
* parser.c: xmlParserEntityCheck() don't build if entity loop
|
||||||
|
were found and remove the associated text content
|
||||||
|
* tree.c: xmlStringGetNodeList() avoid a potential recursion
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2016-3627
|
||||||
|
Signed-off-by: Armin Kuster <akuster@mvsita.com
|
||||||
|
|
||||||
|
---
|
||||||
|
parser.c | 6 +++++-
|
||||||
|
tree.c | 1 +
|
||||||
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/parser.c b/parser.c
|
||||||
|
index ea0e89e..53a6b7f 100644
|
||||||
|
--- a/parser.c
|
||||||
|
+++ b/parser.c
|
||||||
|
@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||||
|
* entities problems
|
||||||
|
*/
|
||||||
|
if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
|
||||||
|
- (ent->content != NULL) && (ent->checked == 0)) {
|
||||||
|
+ (ent->content != NULL) && (ent->checked == 0) &&
|
||||||
|
+ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
|
||||||
|
unsigned long oldnbent = ctxt->nbentities;
|
||||||
|
xmlChar *rep;
|
||||||
|
|
||||||
|
@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
|
||||||
|
rep = xmlStringDecodeEntities(ctxt, ent->content,
|
||||||
|
XML_SUBSTITUTE_REF, 0, 0, 0);
|
||||||
|
--ctxt->depth;
|
||||||
|
+ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
|
||||||
|
+ ent->content[0] = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
|
||||||
|
if (rep != NULL) {
|
||||||
|
diff --git a/tree.c b/tree.c
|
||||||
|
index 7fbca6e..9d330b8 100644
|
||||||
|
--- a/tree.c
|
||||||
|
+++ b/tree.c
|
||||||
|
@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||||
|
else if ((ent != NULL) && (ent->children == NULL)) {
|
||||||
|
xmlNodePtr temp;
|
||||||
|
|
||||||
|
+ ent->children = (xmlNodePtr) -1;
|
||||||
|
ent->children = xmlStringGetNodeList(doc,
|
||||||
|
(const xmlChar*)node->content);
|
||||||
|
ent->owner = 1;
|
||||||
|
--
|
||||||
|
2.3.5
|
||||||
|
|
||||||
@@ -16,6 +16,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
|
|||||||
file://CVE-2016-1837.patch \
|
file://CVE-2016-1837.patch \
|
||||||
file://CVE-2016-1835.patch \
|
file://CVE-2016-1835.patch \
|
||||||
file://CVE-2016-1833.patch \
|
file://CVE-2016-1833.patch \
|
||||||
|
file://CVE-2016-3627.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
|
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
|
||||||
|
|||||||
Reference in New Issue
Block a user