libxml2: refresh CVE-2017-8872

Message ID	20181004100452.9713-1-ross.burton@intel.com
State	Accepted
Commit	512869aea6dde1bb2374601f7c4d793ac9edaa42
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; From: Ross Burton <ross.burton@intel.com> To: openembedded-core@lists.openembedded.org Date: Thu, 4 Oct 2018 11:04:52 +0100 Message-Id: <20181004100452.9713-1-ross.burton@intel.com> Subject: [OE-core] [PATCH] libxml2: refresh CVE-2017-8872 Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org
Series	libxml2: refresh CVE-2017-8872 \| expand libxml2: refresh CVE-2017-8872

Message ID

20181004100452.9713-1-ross.burton@intel.com

State

Accepted

Commit

512869aea6dde1bb2374601f7c4d793ac9edaa42

Headers

Received-SPF: pass (google.com: best guess record for domain of
	openembedded-core-bounces@lists.openembedded.org designates
	140.211.169.62 as permitted sender) client-ip=140.211.169.62; 
From: Ross Burton <ross.burton@intel.com>
To: openembedded-core@lists.openembedded.org
Date: Thu,  4 Oct 2018 11:04:52 +0100
Message-Id: <20181004100452.9713-1-ross.burton@intel.com>
Subject: [OE-core] [PATCH] libxml2: refresh CVE-2017-8872
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: openembedded-core-bounces@lists.openembedded.org
Errors-To: openembedded-core-bounces@lists.openembedded.org

Series

libxml2: refresh CVE-2017-8872 | expand

Commit Message

Ross Burton Oct. 4, 2018, 10:04 a.m. UTC

The patch associated with the CVE-2017-8872 report was never merged into
libxml2, but a slightly different patch for the same problem was.  Cherry-pick
that as a backport, which also fixes the failing test suite.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 .../libxml/libxml2/fix-CVE-2017-8872.patch         | 73 +++++++++++++++-------
 1 file changed, 50 insertions(+), 23 deletions(-)

-- 
2.11.0

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
index b34479f318f..42a4b0ed602 100644
--- a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -1,38 +1,65 @@ 
-From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
-From: Salvatore Bonaccorso <carnil@debian.org>
-Date: Tue, 3 Jul 2018 15:54:03 +0800
-Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+Upstream-Status: Backport
+CVE: CVE-2017-8872
+Signed-off-by: Ross Burton <ross.burton@intel.com>
 
-https://bugzilla.gnome.org/show_bug.cgi?id=775200
-Fixes bug 775200.
+From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Sep 2018 14:52:07 +0200
+Subject: [PATCH] Free input buffer in xmlHaltParser
 
-Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+This avoids miscalculation of available bytes.
 
-Upstream-Status: Submitted
-https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
-CVE: CVE-2017-8872
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Thanks to Yunho Kim for the report.
+
+Closes: #26
 ---
- parser.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
+ parser.c                     |  5 +++++
+ result/errors/759573.xml.err | 17 +++++++----------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
 
 diff --git a/parser.c b/parser.c
-index ca9fde2..fb4c889 100644
+index ca9fde2c..5813a664 100644
 --- a/parser.c
 +++ b/parser.c
-@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ 	    ctxt->input->free((xmlChar *) ctxt->input->base);
+ 	    ctxt->input->free = NULL;
  	}
++        if (ctxt->input->buf != NULL) {
++            xmlFreeParserInputBuffer(ctxt->input->buf);
++            ctxt->input->buf = NULL;
++        }
  	ctxt->input->cur = BAD_CAST"";
++        ctxt->input->length = 0;
  	ctxt->input->base = ctxt->input->cur;
--        ctxt->input->end = ctxt->input->cur;
-+	ctxt->input->end = ctxt->input->cur;
-+	if (ctxt->input->buf)
-+	    xmlBufEmpty (ctxt->input->buf->buffer);
-+	else
-+	    ctxt->input->length = 0;
+         ctxt->input->end = ctxt->input->cur;
      }
- }
+diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
+index 554039f6..38ef5c40 100644
+--- a/result/errors/759573.xml.err
++++ b/result/errors/759573.xml.err
+@@ -21,14 +21,11 @@ Entity: line 1:
+             ^
+ ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
  
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-     ^
++
++^
+ ./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-     ^
+-./test/errors/759573.xml:1: parser error : StartTag: invalid element name
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-      ^
+-./test/errors/759573.xml:1: parser error : Extra content at the end of the document
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-      ^
++
++^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++
++^
 -- 
-2.7.4
+2.11.0