[OE-core] [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer

Valek, Andrej andrej.valek at siemens.com
Mon Dec 12 13:53:33 UTC 2016 

Hi Ross,

I think, there was a web-page delay. Patch 3/3 is already there: http://lists.openembedded.org/pipermail/openembedded-core/2016-December/130046.html

Andrej

From: Burton, Ross [mailto:ross.burton at intel.com]
Sent: 12. decembra 2016 14:44
To: Valek, Andrej (CT DD DS EU SK BT)
Cc: OE-core
Subject: Re: [OE-core] [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer

I see part 1 and 2 but no part 3.

Also, have you asked upstream if they'll be making a point release with these in?

Ross

On 12 December 2016 at 13:20, Andrej Valek <andrej.valek at siemens.com<mailto:andrej.valek at siemens.com>> wrote:
xpath:
 - Check for errors after evaluating first operand.
 - Add sanity check for empty stack.
 - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes

Signed-off-by: Andrej Valek <andrej.valek at siemens.com<mailto:andrej.valek at siemens.com>>
Signed-off-by: Pascal Bach <pascal.bach at siemens.com<mailto:pascal.bach at siemens.com>>
---
 .../libxml2/libxml2-fix_node_comparison.patch      | 67 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb>          |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
new file mode 100644
index 0000000..11718bb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
@@ -0,0 +1,67 @@
+libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
+
+xpath:
+ - Check for errors after evaluating first operand.
+ - Add sanity check for empty stack.
+ - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
+
+Upstream-Status: Backported
+ - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
+CVE: necessary changes for fixing CVE-2016-5131
+Signed-off-by: Andrej Valek <andrej.valek at siemens.com<mailto:andrej.valek at siemens.com>>
+Signed-off-by: Pascal Bach <pascal.bach at siemens.com<mailto:pascal.bach at siemens.com>>
+
+diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
+new file mode 100644
+index 0000000..d589882
+--- /dev/null
++++ b/result/XPath/xptr/viderror
+@@ -0,0 +1,4 @@
++
++========================
++Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
++Object is empty (NULL)
+diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
+new file mode 100644
+index 0000000..da8c53b
+--- /dev/null
++++ b/test/XPath/xptr/viderror
+@@ -0,0 +1 @@
++xpointer(non-existing-fn()/range-to(id('chapter2')))
+diff --git a/xpath.c b/xpath.c
+index 113bce6..d992841 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
+      * compute depth to root
+      */
+     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+-      if (cur == node1)
++      if (cur->parent == node1)
+           return(1);
+       depth2++;
+     }
+     root = cur;
+     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+-      if (cur == node2)
++      if (cur->parent == node2)
+           return(-1);
+       depth1++;
+     }
+@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                 xmlNodeSetPtr oldset;
+                 int i, j;
+
+-                if (op->ch1 != -1)
++                if (op->ch1 != -1) {
+                     total +=
+                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
++                    CHECK_ERROR0;
++                }
++                if (ctxt->value == NULL) {
++                    XP_ERROR0(XPATH_INVALID_OPERAND);
++                }
+                 if (op->ch2 == -1)
+                     return (total);
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb> b/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb>
index 1fed90b..66a8940 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb>
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb>
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://run-ptest \
            file://python-sitepackages-dir.patch \
            file://libxml-m4-use-pkgconfig.patch \
+           file://libxml2-fix_node_comparison.patch \
            file://libxml2-CVE-2016-5131.patch \
           "

--
2.1.4

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core at lists.openembedded.org<mailto:Openembedded-core at lists.openembedded.org>
http://lists.openembedded.org/mailman/listinfo/openembedded-core

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20161212/fe617aa3/attachment-0002.html>

More information about the Openembedded-core mailing list