* [PATCH] libxml2: Fix CVE-2020-24977
@ 2020-09-09 8:11 Ovidiu Panait
2020-09-10 0:07 ` [OE-core] " Khem Raj
0 siblings, 1 reply; 3+ messages in thread
From: Ovidiu Panait @ 2020-09-09 8:11 UTC (permalink / raw)
To: openembedded-core
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
.../libxml/libxml2/CVE-2020-24977.patch | 41 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
new file mode 100644
index 0000000000..8224346660
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
@@ -0,0 +1,41 @@
+From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+
+CVE: CVE-2020-24977
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e463..c647486f 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+ char *result;
+
++ /*
++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++ * an out-of-bounds read.
++ */
++ memset(&buffer[sizeof(buffer)-4], 0, 4);
+ result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+ if (result) {
+ xmlGenericError(xmlGenericErrorContext, "%s", result);
+--
+2.17.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index d11b083e8b..90890ffaed 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://fix-execution-of-ptests.patch \
file://CVE-2020-7595.patch \
file://CVE-2019-20388.patch \
+ file://CVE-2020-24977.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] libxml2: Fix CVE-2020-24977
2020-09-09 8:11 [PATCH] libxml2: Fix CVE-2020-24977 Ovidiu Panait
@ 2020-09-10 0:07 ` Khem Raj
2020-09-10 8:01 ` Ovidiu Panait
0 siblings, 1 reply; 3+ messages in thread
From: Khem Raj @ 2020-09-10 0:07 UTC (permalink / raw)
To: Ovidiu Panait, openembedded-core
On 9/9/20 1:11 AM, Ovidiu Panait wrote:
> GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
> vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
> been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
>
> Reference:
> https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
>
> Upstream patch:
> https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
>
Do we need this on dunfell too ?
> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
> ---
> .../libxml/libxml2/CVE-2020-24977.patch | 41 +++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
> 2 files changed, 42 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
> new file mode 100644
> index 0000000000..8224346660
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
> @@ -0,0 +1,41 @@
> +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
> +From: Nick Wellnhofer <wellnhofer@aevum.de>
> +Date: Fri, 7 Aug 2020 21:54:27 +0200
> +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
> +
> +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
> +array access.
> +
> +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
> +the report.
> +
> +Fixes #178.
> +
> +CVE: CVE-2020-24977
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
> +---
> + xmllint.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/xmllint.c b/xmllint.c
> +index f6a8e463..c647486f 100644
> +--- a/xmllint.c
> ++++ b/xmllint.c
> +@@ -528,6 +528,12 @@ static void
> + xmlHTMLEncodeSend(void) {
> + char *result;
> +
> ++ /*
> ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
> ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
> ++ * an out-of-bounds read.
> ++ */
> ++ memset(&buffer[sizeof(buffer)-4], 0, 4);
> + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
> + if (result) {
> + xmlGenericError(xmlGenericErrorContext, "%s", result);
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> index d11b083e8b..90890ffaed 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> @@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
> file://fix-execution-of-ptests.patch \
> file://CVE-2020-7595.patch \
> file://CVE-2019-20388.patch \
> + file://CVE-2020-24977.patch \
> "
>
> SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
>
>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] libxml2: Fix CVE-2020-24977
2020-09-10 0:07 ` [OE-core] " Khem Raj
@ 2020-09-10 8:01 ` Ovidiu Panait
0 siblings, 0 replies; 3+ messages in thread
From: Ovidiu Panait @ 2020-09-10 8:01 UTC (permalink / raw)
To: Khem Raj, openembedded-core
On 10.09.2020 03:07, Khem Raj wrote:
>
> On 9/9/20 1:11 AM, Ovidiu Panait wrote:
>> GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
>> vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
>> been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
>>
>> Reference:
>> https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
>>
>> Upstream patch:
>> https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
>>
> Do we need this on dunfell too ?
Yes. I will prepare patches for dunfell and zeus as well.
Ovidiu
>> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
>> ---
>> .../libxml/libxml2/CVE-2020-24977.patch | 41 +++++++++++++++++++
>> meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
>> 2 files changed, 42 insertions(+)
>> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
>>
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
>> new file mode 100644
>> index 0000000000..8224346660
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
>> @@ -0,0 +1,41 @@
>> +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
>> +From: Nick Wellnhofer <wellnhofer@aevum.de>
>> +Date: Fri, 7 Aug 2020 21:54:27 +0200
>> +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
>> +
>> +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
>> +array access.
>> +
>> +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
>> +the report.
>> +
>> +Fixes #178.
>> +
>> +CVE: CVE-2020-24977
>> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2]
>> +
>> +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
>> +---
>> + xmllint.c | 6 ++++++
>> + 1 file changed, 6 insertions(+)
>> +
>> +diff --git a/xmllint.c b/xmllint.c
>> +index f6a8e463..c647486f 100644
>> +--- a/xmllint.c
>> ++++ b/xmllint.c
>> +@@ -528,6 +528,12 @@ static void
>> + xmlHTMLEncodeSend(void) {
>> + char *result;
>> +
>> ++ /*
>> ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
>> ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
>> ++ * an out-of-bounds read.
>> ++ */
>> ++ memset(&buffer[sizeof(buffer)-4], 0, 4);
>> + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
>> + if (result) {
>> + xmlGenericError(xmlGenericErrorContext, "%s", result);
>> +--
>> +2.17.1
>> +
>> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
>> index d11b083e8b..90890ffaed 100644
>> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
>> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
>> @@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
>> file://fix-execution-of-ptests.patch \
>> file://CVE-2020-7595.patch \
>> file://CVE-2019-20388.patch \
>> + file://CVE-2020-24977.patch \
>> "
>>
>> SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
>>
>>
>>
>>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-09-10 8:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-09 8:11 [PATCH] libxml2: Fix CVE-2020-24977 Ovidiu Panait
2020-09-10 0:07 ` [OE-core] " Khem Raj
2020-09-10 8:01 ` Ovidiu Panait
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.