libxml2: Security fix for CVE-2016-1835
authorArmin Kuster <akuster@mvista.com>
Sat, 9 Jul 2016 22:02:26 +0000 (15:02 -0700)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Wed, 27 Jul 2016 07:29:39 +0000 (08:29 +0100)
Affects libxml2 < 2.9.4

Signed-off-by: Armin Kuster <akuster@mvista.com>
meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch [new file with mode: 0644]
meta/recipes-core/libxml/libxml2_2.9.2.bb

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch
new file mode 100644 (file)
index 0000000..158b0aa
--- /dev/null
@@ -0,0 +1,95 @@
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change.  Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1835
+
+excluded  test/errors/759020.xml: Added test case., they wont apply 
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c                     | 12 ++++++++++--
+ result/errors/759020.xml     |  0
+ result/errors/759020.xml.err |  6 ++++++
+ result/errors/759020.xml.str |  7 +++++++
+ test/errors/759020.xml       | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -9499,7 +9499,10 @@ reparse:
+               else
+                   if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+-              if (alloc != 0) xmlFree(attvalue);
++              if ((attvalue != NULL) && (alloc != 0)) {
++                  xmlFree(attvalue);
++                  attvalue = NULL;
++              }
+               if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+                   break;
+               if (!IS_BLANK_CH(RAW)) {
+@@ -9508,6 +9511,8 @@ skip_default_ns:
+                   break;
+               }
+               SKIP_BLANKS;
++              if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++                  goto base_changed;
+               continue;
+           }
+             if (aprefix == ctxt->str_xmlns) {
+@@ -9579,7 +9584,10 @@ skip_default_ns:
+               else
+                   if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+-              if (alloc != 0) xmlFree(attvalue);
++              if ((attvalue != NULL) && (alloc != 0)) {
++                  xmlFree(attvalue);
++                  attvalue = NULL;
++              }
+               if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+                   break;
+               if (!IS_BLANK_CH(RAW)) {
+Index: libxml2-2.9.2/result/errors/759020.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.err
+@@ -0,0 +1,6 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++                                                                               ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
++
++                                                                   ^
+Index: libxml2-2.9.2/result/errors/759020.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.str
+@@ -0,0 +1,7 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++                                                                               ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
++
++                                                                   ^
++./test/errors/759020.xml : failed to parse
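Review bot: The backport carries the expected-output files `result/errors/759020.xml.err` and `result/errors/759020.xml.str` but, per its own header note, not the input `test/errors/759020.xml`, so as far as this patch shows the regression case for the use-after-free is not run against the patched 2.9.2 tree. The embedded diffstat (5 files, 69 insertions) also no longer matches what is applied. I would either drop the two `result/errors` sections or say so in the header, for example `Test input test/errors/759020.xml omitted (does not apply to 2.9.2); fix not covered by the errors test suite here.` In `parser.c`, the added re-check after `SKIP_BLANKS` sits only in the `skip_default_ns` path and relies on `inputNr` and `base_changed`, which are defined outside the hunks; the `skip_ns` path gets only the NULL-after-free, so it is worth confirming in the patched source that it already compares `ctxt->input->base` with `base` before its `continue`.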
index eeed6ac170e4668b34703f95f3f60f647087bf8f..2bbdb0961df7d7f899b0e80f291849417026229d 100644 (file)
@@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1836.patch \
             file://CVE-2016-4449.patch \
             file://CVE-2016-1837.patch \
+            file://CVE-2016-1835.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"