* [PATCH] libxml2: fix CVE-2017-8872
From: Hongxu Jia @ 2018-07-03 8:10 UTC
To: openembedded-core, ross.burton
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
allows attackers to cause a denial of service (buffer over-read) or
information disclosure.
https://bugzilla.gnome.org/show_bug.cgi?id=775200
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../libxml/libxml2/fix-CVE-2017-8872.patch | 38 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.8.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
new file mode 100644
index 0000000..e34a48e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -0,0 +1,38 @@
+From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Tue, 3 Jul 2018 15:54:03 +0800
+Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775200
+Fixes bug 775200.
+
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+
+Upstream-Status: Backport
+https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
+CVE: CVE-2017-8872
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ca9fde2..fb4c889 100644
+--- a/parser.c
++++ b/parser.c
+@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ }
+ ctxt->input->cur = BAD_CAST"";
+ ctxt->input->base = ctxt->input->cur;
+- ctxt->input->end = ctxt->input->cur;
++ ctxt->input->end = ctxt->input->cur;
++ if (ctxt->input->buf)
++ xmlBufEmpty (ctxt->input->buf->buffer);
++ else
++ ctxt->input->length = 0;
+ }
+ }
+
+--
+2.7.4
+
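Review bot: the embedded patch's Subject names htmlParseTryOrFinish, yet its only hunk edits xmlHaltParser in parser.c, and neither the patch header nor the commit message says how the two connect. Add a sentence to the header explaining why clearing the input buffer on halt (xmlBufEmpty, or length = 0 when there is no buf) stops the over-read reported against htmlParseTryOrFinish, so a later maintainer can judge whether the patch is still needed after a version bump.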
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index d55e650..1f22bb0 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://libxml-m4-use-pkgconfig.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
file://fix-execution-of-ptests.patch \
+ file://fix-CVE-2017-8872.patch \
"
SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
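Review bot: the commit message describes the flaw as being in libxml2 2.9.4, while this hunk adds the patch to libxml2_2.9.8.bb. State in the commit message that 2.9.8 is still affected and how that was checked; as written, the new SRC_URI entry could be read as carrying a fix for an older release.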
--
2.7.4
* Re: [PATCH] libxml2: fix CVE-2017-8872
From: Burton, Ross @ 2018-07-03 9:42 UTC
To: Hongxu Jia; +Cc: OE-core
This isn't a backport, it's just a patch that is in bugzilla so should
be marked as Submitted.
Ross
On 3 July 2018 at 09:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
> allows attackers to cause a denial of service (buffer over-read) or
> information disclosure.
>
> https://bugzilla.gnome.org/show_bug.cgi?id=775200
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> .../libxml/libxml2/fix-CVE-2017-8872.patch | 38 ++++++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.8.bb | 1 +
> 2 files changed, 39 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
> new file mode 100644
> index 0000000..e34a48e
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
> @@ -0,0 +1,38 @@
> +From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
> +From: Salvatore Bonaccorso <carnil@debian.org>
> +Date: Tue, 3 Jul 2018 15:54:03 +0800
> +Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
> +
> +https://bugzilla.gnome.org/show_bug.cgi?id=775200
> +Fixes bug 775200.
> +
> +Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
> +
> +Upstream-Status: Backport
> +https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
> +CVE: CVE-2017-8872
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + parser.c | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/parser.c b/parser.c
> +index ca9fde2..fb4c889 100644
> +--- a/parser.c
> ++++ b/parser.c
> +@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
> + }
> + ctxt->input->cur = BAD_CAST"";
> + ctxt->input->base = ctxt->input->cur;
> +- ctxt->input->end = ctxt->input->cur;
> ++ ctxt->input->end = ctxt->input->cur;
> ++ if (ctxt->input->buf)
> ++ xmlBufEmpty (ctxt->input->buf->buffer);
> ++ else
> ++ ctxt->input->length = 0;
> + }
> + }
> +
> +--
> +2.7.4
> +
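Review bot: in the xmlHaltParser hunk the `-`/`+` pair for `ctxt->input->end = ctxt->input->cur;` reads the same on both sides as quoted here, so it is a whitespace-only change. Leave that line as context so the embedded patch contains only the four functional lines and rebases more easily when parser.c moves.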
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
> index d55e650..1f22bb0 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
> @@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
> file://libxml-m4-use-pkgconfig.patch \
> file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
> file://fix-execution-of-ptests.patch \
> + file://fix-CVE-2017-8872.patch \
> "
>
> SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
> --
> 2.7.4
>
* [PATCH V2] libxml2: fix CVE-2017-8872
From: Hongxu Jia @ 2018-07-04 1:39 UTC
To: openembedded-core, ross.burton
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
allows attackers to cause a denial of service (buffer over-read) or
information disclosure.
https://bugzilla.gnome.org/show_bug.cgi?id=775200
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../libxml/libxml2/fix-CVE-2017-8872.patch | 38 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.8.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
new file mode 100644
index 0000000..b34479f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -0,0 +1,38 @@
+From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Tue, 3 Jul 2018 15:54:03 +0800
+Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775200
+Fixes bug 775200.
+
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+
+Upstream-Status: Submitted
+https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
+CVE: CVE-2017-8872
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ca9fde2..fb4c889 100644
+--- a/parser.c
++++ b/parser.c
+@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ }
+ ctxt->input->cur = BAD_CAST"";
+ ctxt->input->base = ctxt->input->cur;
+- ctxt->input->end = ctxt->input->cur;
++ ctxt->input->end = ctxt->input->cur;
++ if (ctxt->input->buf)
++ xmlBufEmpty (ctxt->input->buf->buffer);
++ else
++ ctxt->input->length = 0;
+ }
+ }
+
+--
+2.7.4
+
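Review bot: this V2 posting has no changelog under the `---` line. Going by the embedded header, the difference from the first posting is `Upstream-Status: Submitted` in place of `Backport`; add a short "v2:" line below `---` saying so, so reviewers do not have to diff the two mails to find it.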
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index d55e650..1f22bb0 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://libxml-m4-use-pkgconfig.patch \
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
file://fix-execution-of-ptests.patch \
+ file://fix-CVE-2017-8872.patch \
"
SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
--
2.7.4
* Re: [PATCH] libxml2: Fix CVE-2017-8872
From: Jussi Kukkonen @ 2017-06-08 11:10 UTC
To: Fan Xin; +Cc: Patches and discussions about the oe-core layer
On 7 June 2017 at 11:51, Fan Xin <fan.xin@jp.fujitsu.com> wrote:
>
> CVE: CVE-2017-8872
> The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers
> to cause a denial of service (buffer over-read) or information disclosure.
>
> External References:
> https://bugzilla.gnome.org/show_bug.cgi?id=77520
This should be
https://bugzilla.gnome.org/show_bug.cgi?id=775200
I have the same question that was asked in the upstream bug comment 6 about
two weeks ago: The patch doesn't seem to have any effect (because the goto
will happen anyway since 'avail' is 0), am I missing something?
Jussi
>
>
> Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
> ---
> .../libxml/libxml2/libxml2-CVE-2017-8872.patch | 23
++++++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
> 2 files changed, 24 insertions(+)
> create mode 100644
meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
> new file mode 100644
> index 0000000..df05e06
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
> @@ -0,0 +1,23 @@
> +libxml2-2.9.4: Fix CVE-2017-8872
> +
> +Bug 775200 - (CVE-2017-8872) global-buffer-overflow in
htmlParseTryOrFinish (HTMLparser.c:5403)
> + - [https://bugzilla.gnome.org/show_bug.cgi?id=775200]
> +
> +CVE: CVE-2017-8872
> +Upstream-Status: Submitted
> +
> +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
> +
> +Index: libxml2-2.9.4/HTMLparser.c
> +===================================================================
> +--- libxml2-2.9.4.orig/HTMLparser.c
> ++++ libxml2-2.9.4/HTMLparser.c
> +@@ -5396,6 +5396,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr c
> + ctxt->instate = XML_PARSER_EOF;
> + if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
> + ctxt->sax->endDocument(ctxt->userData);
> ++
> ++ goto done;
> + }
> + }
> + if (avail < 1)
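Review bot: `Upstream-Status: Submitted` in the embedded patch header does not say where the patch was submitted; only the bug URL is listed. Use the `Submitted [where]` form and point it at the bugzilla attachment or comment that carries this change, so the status can be re-checked on the next libxml2 upgrade.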
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb
b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> index ea0d3b8..0b4cbca 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> @@ -24,6 +24,7 @@ SRC_URI = "
ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
> file://libxml2-CVE-2016-4658.patch \
> file://libxml2-fix_NULL_pointer_derefs.patch \
> file://CVE-2016-9318.patch \
> + file://libxml2-CVE-2017-8872.patch \
> "
>
> SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
> --
> 1.9.1
>
* [PATCH] libxml2: Fix CVE-2017-8872
From: Fan Xin @ 2017-06-07 8:51 UTC
To: openembedded-core
CVE: CVE-2017-8872
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers
to cause a denial of service (buffer over-read) or information disclosure.
External References:
https://bugzilla.gnome.org/show_bug.cgi?id=77520
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
---
.../libxml/libxml2/libxml2-CVE-2017-8872.patch | 23 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 24 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
new file mode 100644
index 0000000..df05e06
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
@@ -0,0 +1,23 @@
+libxml2-2.9.4: Fix CVE-2017-8872
+
+Bug 775200 - (CVE-2017-8872) global-buffer-overflow in htmlParseTryOrFinish (HTMLparser.c:5403)
+ - [https://bugzilla.gnome.org/show_bug.cgi?id=775200]
+
+CVE: CVE-2017-8872
+Upstream-Status: Submitted
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+Index: libxml2-2.9.4/HTMLparser.c
+===================================================================
+--- libxml2-2.9.4.orig/HTMLparser.c
++++ libxml2-2.9.4/HTMLparser.c
+@@ -5396,6 +5396,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr c
+ ctxt->instate = XML_PARSER_EOF;
+ if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ ctxt->sax->endDocument(ctxt->userData);
++
++ goto done;
+ }
+ }
+ if (avail < 1)
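Review bot: the added `goto done;` lands directly above the existing `if (avail < 1)` check, and the patch header carries only the bug title. Describe in the header which case the early jump changes compared with falling through to that check, and drop the empty `+` line added before it.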
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index ea0d3b8..0b4cbca 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2016-4658.patch \
file://libxml2-fix_NULL_pointer_derefs.patch \
file://CVE-2016-9318.patch \
+ file://libxml2-CVE-2017-8872.patch \
"
SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
--
1.9.1