summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-07-09 14:31:00 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-27 08:29:33 +0100
commita28fea55f72284d3f4ed85f19f80b8475e726ee6 (patch)
tree9bef363ddb7630953a16dd848a88d1c6200aca10
parent233f3b29760c878a3acb3aa0e22b7c252f17e2b3 (diff)
downloadopenembedded-core-contrib-a28fea55f72284d3f4ed85f19f80b8475e726ee6.tar.gz
openembedded-core-contrib-a28fea55f72284d3f4ed85f19f80b8475e726ee6.tar.bz2
openembedded-core-contrib-a28fea55f72284d3f4ed85f19f80b8475e726ee6.zip
libxml2: Security fix for CVE-2016-4483.patch
affects libxml2 < 2.9.4 Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch55
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch
new file mode 100644
index 0000000000..cf8d6badf3
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch
@@ -0,0 +1,55 @@
+From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 May 2016 13:39:13 +0800
+Subject: [PATCH] Avoid an out of bound access when serializing malformed
+ strings
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=766414
+
+* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
+ is not UTF-8 be more careful when serializing it as we may do an
+ out of bound access as a result.
+
+Upstream-Status: Backport
+CVE: CVE-2016-4483
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlsave.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 774404b..4a8e3f3 100644
+--- a/xmlsave.c
++++ b/xmlsave.c
+@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+ xmlBufAdd(buf, BAD_CAST "&amp;", 5);
+ cur++;
+ base = cur;
+- } else if ((*cur >= 0x80) && ((doc == NULL) ||
+- (doc->encoding == NULL))) {
++ } else if ((*cur >= 0x80) && (cur[1] != 0) &&
++ ((doc == NULL) || (doc->encoding == NULL))) {
+ /*
+ * We assume we have UTF-8 content.
+ */
+@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+ l = 2;
+- } else if (*cur < 0xF0) {
++ } else if ((*cur < 0xF0) && (cur [2] != 0)) {
+ val = (cur[0]) & 0x0F;
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+ val <<= 6;
+ val |= (cur[2]) & 0x3F;
+ l = 3;
+- } else if (*cur < 0xF8) {
++ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) {
+ val = (cur[0]) & 0x07;
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+--
+2.3.5
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index e2400af62d..41cba644fe 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -7,6 +7,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-3705.patch \
file://CVE-2016-1834.patch \
+ file://CVE-2016-4483.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"