libxml2: Fix CVE-2017-8872
fix global-buffer-overflow in htmlParseTryOrFinish (HTMLparser.c:5403) https://bugzilla.gnome.org/show_bug.cgi?id=775200 Here is the reproduce steps on ubuntu 16.04, use clang with "-fsanitize=address" ... export CC="clang" export CFLAGS="-fsanitize=address" ./configure --disable-shared make clean all -j wget https://bugzilla.gnome.org/attachment.cgi?id=340871 -O poc ./xmllint --html --push poc ==2785==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a0de21 at pc 0x0000006a7f6e bp 0x7ffdfe940c10 sp 0x7ffdfe940c08 READ of size 1 at 0x000000a0de21 thread T0 #0 0x6a7f6d (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7f6d) #1 0x6a7356 (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7356) #2 0x4f4504 (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f4504) #3 0x4f045e (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f045e) #4 0x7f81977d682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x419ad8 (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x419ad8) ... (From OE-Core rev: a615b0825927a09a0aa8312d131c9acbaef8956d) (From OE-Core rev: 1c9d891886f35e6cc4485f244180d7d0ffa82cd3) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
6c657b8441
commit
d2b60efe20
|
@ -0,0 +1,37 @@
|
||||||
|
From d2f873a541c72b0f67e15562819bf98b884b30b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hongxu Jia <hongxu.jia@windriver.com>
|
||||||
|
Date: Wed, 23 Aug 2017 16:04:49 +0800
|
||||||
|
Subject: [PATCH] fix CVE-2017-8872
|
||||||
|
|
||||||
|
this makes xmlHaltParser "empty" the buffer, as it resets cur and ava
|
||||||
|
il too here.
|
||||||
|
|
||||||
|
this seems to cure this specific issue, and also passes the testsuite
|
||||||
|
|
||||||
|
Signed-off-by: Marcus Meissner <meissner@suse.de>
|
||||||
|
|
||||||
|
https://bugzilla.gnome.org/show_bug.cgi?id=775200
|
||||||
|
Upstream-Status: Backport [https://bugzilla.gnome.org/attachment.cgi?id=355527&action=diff]
|
||||||
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
||||||
|
---
|
||||||
|
parser.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/parser.c b/parser.c
|
||||||
|
index 9506ead..6c07ffd 100644
|
||||||
|
--- a/parser.c
|
||||||
|
+++ b/parser.c
|
||||||
|
@@ -12664,6 +12664,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
|
||||||
|
}
|
||||||
|
ctxt->input->cur = BAD_CAST"";
|
||||||
|
ctxt->input->base = ctxt->input->cur;
|
||||||
|
+ if (ctxt->input->buf) {
|
||||||
|
+ xmlBufEmpty (ctxt->input->buf->buffer);
|
||||||
|
+ } else
|
||||||
|
+ ctxt->input->length = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
|
@ -28,6 +28,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
|
||||||
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
|
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
|
||||||
file://libxml2-CVE-2017-5969.patch \
|
file://libxml2-CVE-2017-5969.patch \
|
||||||
file://libxml2-CVE-2017-0663.patch \
|
file://libxml2-CVE-2017-0663.patch \
|
||||||
|
file://libxml2-CVE-2017-8872.patch \
|
||||||
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
|
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue