[OE-core] [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
Burton, Ross
ross.burton at intel.com
Mon Dec 12 13:44:02 UTC 2016
I see part 1 and 2 but no part 3.
Also, have you asked upstream if they'll be making a point release with
these in?
Ross
On 12 December 2016 at 13:20, Andrej Valek <andrej.valek at siemens.com> wrote:
> xpath:
> - Check for errors after evaluating first operand.
> - Add sanity check for empty stack.
> - Include comparison in changes from xmlXPathCmpNodesExt to
> xmlXPathCmpNodes
>
> Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
> Signed-off-by: Pascal Bach <pascal.bach at siemens.com>
> ---
> .../libxml2/libxml2-fix_node_comparison.patch | 67
> ++++++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
> 2 files changed, 68 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_node_
> comparison.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
> b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
> new file mode 100644
> index 0000000..11718bb
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
> @@ -0,0 +1,67 @@
> +libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL
> pointer deref in XPointer
> +
> +xpath:
> + - Check for errors after evaluating first operand.
> + - Add sanity check for empty stack.
> + - Include comparation in changes from xmlXPathCmpNodesExt to
> xmlXPathCmpNodes
> +
> +Upstream-Status: Backported
> + - [https://git.gnome.org/browse/libxml2/commit/?id=
> c1d1f7121194036608bf555f08d3062a36fd344b]
> + - [https://git.gnome.org/browse/libxml2/commit/?id=
> a005199330b86dada19d162cae15ef9bdcb6baa8]
> +CVE: necessary changes for fixing CVE-2016-5131
> +Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
> +Signed-off-by: Pascal Bach <pascal.bach at siemens.com>
> +
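
Review bot: the patch header uses `Upstream-Status: Backported`, but the tag value OE-core expects is `Backport`, and the `CVE:` line carries free text instead of a bare identifier. Since this patch is preparation and not the fix for CVE-2016-5131 itself, that explanation belongs in the description rather than in the `CVE:` tag. The header also lists two upstream commits folded into one file; one patch file per upstream commit would keep each xpath.c hunk traceable to its origin.
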
> +diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
> +new file mode 100644
> +index 0000000..d589882
> +--- /dev/null
> ++++ b/result/XPath/xptr/viderror
> +@@ -0,0 +1,4 @@
> ++
> ++========================
> ++Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
> ++Object is empty (NULL)
> +diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
> +new file mode 100644
> +index 0000000..da8c53b
> +--- /dev/null
> ++++ b/test/XPath/xptr/viderror
> +@@ -0,0 +1 @@
> ++xpointer(non-existing-fn()/range-to(id('chapter2')))
> +diff --git a/xpath.c b/xpath.c
> +index 113bce6..d992841 100644
> +--- a/xpath.c
> ++++ b/xpath.c
> +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr
> node2) {
> + * compute depth to root
> + */
> + for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
> +- if (cur == node1)
> ++ if (cur->parent == node1)
> + return(1);
> + depth2++;
> + }
> + root = cur;
> + for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
> +- if (cur == node2)
> ++ if (cur->parent == node2)
> + return(-1);
> + depth1++;
> + }
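
Review bot: with the test changed from `cur == node1` to `cur->parent == node1` (and the same for `node2`), the first iteration no longer matches when `node1` and `node2` are the same node, so please confirm that case is handled before these loops. Because both loops stop once `cur->parent` is NULL, the old form could never match a node that is the root; a short comment above the loops stating that would help. The patch adds a regression test only for the XPointer `viderror` case, so a test that compares a node against its root would be worth adding too.
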
> +@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr
> ctxt, xmlXPathStepOpPtr op)
> + xmlNodeSetPtr oldset;
> + int i, j;
> +
> +- if (op->ch1 != -1)
> ++ if (op->ch1 != -1) {
> + total +=
> + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
> ++ CHECK_ERROR0;
> ++ }
> ++ if (ctxt->value == NULL) {
> ++ XP_ERROR0(XPATH_INVALID_OPERAND);
> ++ }
> + if (op->ch2 == -1)
> + return (total);
> +
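
Review bot: the new `if (ctxt->value == NULL)` check sits outside the `if (op->ch1 != -1)` block and ahead of the `op->ch2 == -1` early return, so it also raises `XPATH_INVALID_OPERAND` when there is no first operand at all. If that is intended, a one-line comment saying this step needs a value on the stack regardless of `ch1` would make it clear; otherwise move the check inside the braces after `CHECK_ERROR0;`.
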
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> index 1fed90b..66a8940 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> @@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/
> libxml2-${PV}.tar.gz;name=libtar \
> file://run-ptest \
> file://python-sitepackages-dir.patch \
> file://libxml-m4-use-pkgconfig.patch \
> + file://libxml2-fix_node_comparison.patch \
> file://libxml2-CVE-2016-5131.patch \
> "
>
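
Review bot: please confirm that `libxml2-CVE-2016-5131.patch` still applies without fuzz after the new entry. It appears here as an unchanged context line, so it is already in SRC_URI and will now be applied on top of the xpath.c changes from `libxml2-fix_node_comparison.patch`. If the fix is already in the tree, the subject wording "before fixing CVE-2016-5131" should say so.
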
> --
> 2.1.4
>