[gnome-continuous-yocto/gnomeostree-3.28-rocko: 7404/8267] libxml2: Fix CVE-2017-8872



commit 2f84fb232f972cb1ca2dc9fa3644cc6a509051ae
Author: Hongxu Jia <hongxu jia windriver com>
Date:   Wed Aug 23 04:30:45 2017 -0400

    libxml2: Fix CVE-2017-8872
    
    fix global-buffer-overflow in htmlParseTryOrFinish (HTMLparser.c:5403)
    
    https://bugzilla.gnome.org/show_bug.cgi?id=775200
    
    Here is the reproduce steps on ubuntu 16.04, use clang with "-fsanitize=address"
    ...
    export CC="clang"
    export CFLAGS="-fsanitize=address"
    
    ./configure --disable-shared
    
    make clean all -j
    
    wget https://bugzilla.gnome.org/attachment.cgi?id=340871 -O poc
    
    ./xmllint --html --push poc
    ==2785==ERROR: AddressSanitizer: global-buffer-overflow on address
    0x000000a0de21 at pc 0x0000006a7f6e bp 0x7ffdfe940c10 sp 0x7ffdfe940c08
    READ of size 1 at 0x000000a0de21 thread T0    #0 0x6a7f6d
    (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7f6d)    #1 0x6a7356
    (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7356)    #2 0x4f4504
    (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f4504)    #3 0x4f045e
    (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f045e)    #4 0x7f81977d682f
    (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)    #5 0x419ad8
    (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x419ad8)
    ...
    
    (From OE-Core rev: a615b0825927a09a0aa8312d131c9acbaef8956d)
    
    Signed-off-by: Hongxu Jia <hongxu jia windriver com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../libxml/libxml2/libxml2-CVE-2017-8872.patch     |   37 ++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.4.bb          |    1 +
 2 files changed, 38 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch 
b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
new file mode 100644
index 0000000..26779aa
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
@@ -0,0 +1,37 @@
+From d2f873a541c72b0f67e15562819bf98b884b30b7 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu jia windriver com>
+Date: Wed, 23 Aug 2017 16:04:49 +0800
+Subject: [PATCH] fix CVE-2017-8872
+
+this makes xmlHaltParser "empty" the buffer, as it resets cur and ava
+il too here.
+
+this seems to cure this specific issue, and also passes the testsuite
+
+Signed-off-by: Marcus Meissner <meissner suse de>
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775200
+Upstream-Status: Backport [https://bugzilla.gnome.org/attachment.cgi?id=355527&action=diff]
+Signed-off-by: Hongxu Jia <hongxu jia windriver com>
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 9506ead..6c07ffd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -12664,6 +12664,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+       }
+       ctxt->input->cur = BAD_CAST"";
+       ctxt->input->base = ctxt->input->cur;
++      if (ctxt->input->buf) {
++              xmlBufEmpty (ctxt->input->buf->buffer);
++      } else
++              ctxt->input->length = 0;
+     }
+ }
+ 
+-- 
+2.7.4
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index f67c47d..107539b 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -28,6 +28,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
            file://libxml2-CVE-2017-5969.patch \
            file://libxml2-CVE-2017-0663.patch \
+           file://libxml2-CVE-2017-8872.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            "
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]