* [PATCH] libxml2: fix CVE-2017-8872
@ 2018-07-03  8:10 Hongxu Jia
  2018-07-03  9:42 ` Burton, Ross
  0 siblings, 1 reply; 5+ messages in thread
From: Hongxu Jia @ 2018-07-03  8:10 UTC (permalink / raw)
  To: openembedded-core, ross.burton

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
allows attackers to cause a denial of service (buffer over-read) or
information disclosure.

https://bugzilla.gnome.org/show_bug.cgi?id=775200

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../libxml/libxml2/fix-CVE-2017-8872.patch         | 38 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.8.bb          |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch

diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
new file mode 100644
index 0000000..e34a48e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -0,0 +1,38 @@
+From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Tue, 3 Jul 2018 15:54:03 +0800
+Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775200
+Fixes bug 775200.
+
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+
+Upstream-Status: Backport
+https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
+CVE: CVE-2017-8872
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ca9fde2..fb4c889 100644
+--- a/parser.c
++++ b/parser.c
+@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ 	}
+ 	ctxt->input->cur = BAD_CAST"";
+ 	ctxt->input->base = ctxt->input->cur;
+-        ctxt->input->end = ctxt->input->cur;
++	ctxt->input->end = ctxt->input->cur;
++	if (ctxt->input->buf)
++	    xmlBufEmpty (ctxt->input->buf->buffer);
++	else
++	    ctxt->input->length = 0;
+     }
+ }
+ 
+-- 
+2.7.4
+
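Review bot: `Upstream-Status: Backport` in the embedded patch header does not match the reference given directly below it, which is a Bugzilla attachment URL rather than a commit in the upstream tree. If the change has not been merged upstream, mark it `Upstream-Status: Submitted` and keep the attachment URL as the reference.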
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index d55e650..1f22bb0 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            file://fix-execution-of-ptests.patch \
+           file://fix-CVE-2017-8872.patch \
            "
 
 SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
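Review bot: the recipe patched here is `libxml2_2.9.8.bb`, but the commit message only names libxml2 2.9.4 as affected. State in the commit message that 2.9.8 still lacks the fix, so it is clear why the patch is needed for this version and when it can be dropped.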
-- 
2.7.4




* Re: [PATCH] libxml2: fix CVE-2017-8872
  2018-07-03  8:10 [PATCH] libxml2: fix CVE-2017-8872 Hongxu Jia
@ 2018-07-03  9:42 ` Burton, Ross
  2018-07-04  1:39   ` [PATCH V2] " Hongxu Jia
  0 siblings, 1 reply; 5+ messages in thread
From: Burton, Ross @ 2018-07-03  9:42 UTC (permalink / raw)
  To: Hongxu Jia; +Cc: OE-core

This isn't a backport, it's just a patch that is in bugzilla so should
be marked as Submitted.

Ross



On 3 July 2018 at 09:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
> allows attackers to cause a denial of service (buffer over-read) or
> information disclosure.
>
> https://bugzilla.gnome.org/show_bug.cgi?id=775200
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  .../libxml/libxml2/fix-CVE-2017-8872.patch         | 38 ++++++++++++++++++++++
>  meta/recipes-core/libxml/libxml2_2.9.8.bb          |  1 +
>  2 files changed, 39 insertions(+)
>  create mode 100644 meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
> new file mode 100644
> index 0000000..e34a48e
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
> @@ -0,0 +1,38 @@
> +From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
> +From: Salvatore Bonaccorso <carnil@debian.org>
> +Date: Tue, 3 Jul 2018 15:54:03 +0800
> +Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
> +
> +https://bugzilla.gnome.org/show_bug.cgi?id=775200
> +Fixes bug 775200.
> +
> +Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
> +
> +Upstream-Status: Backport
> +https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
> +CVE: CVE-2017-8872
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + parser.c | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/parser.c b/parser.c
> +index ca9fde2..fb4c889 100644
> +--- a/parser.c
> ++++ b/parser.c
> +@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
> +       }
> +       ctxt->input->cur = BAD_CAST"";
> +       ctxt->input->base = ctxt->input->cur;
> +-        ctxt->input->end = ctxt->input->cur;
> ++      ctxt->input->end = ctxt->input->cur;
> ++      if (ctxt->input->buf)
> ++          xmlBufEmpty (ctxt->input->buf->buffer);
> ++      else
> ++          ctxt->input->length = 0;
> +     }
> + }
> +
> +--
> +2.7.4
> +
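Review bot: the `ctxt->input->end = ctxt->input->cur;` line is removed and re-added with only its indentation changed, which mixes a whitespace cleanup into the security fix. Leaving that line untouched would reduce the change to the four added lines and make the patch easier to rebase.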
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
> index d55e650..1f22bb0 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
> @@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
>             file://libxml-m4-use-pkgconfig.patch \
>             file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
>             file://fix-execution-of-ptests.patch \
> +           file://fix-CVE-2017-8872.patch \
>             "
>
>  SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
> --
> 2.7.4
>



* [PATCH V2] libxml2: fix CVE-2017-8872
  2018-07-03  9:42 ` Burton, Ross
@ 2018-07-04  1:39   ` Hongxu Jia
  0 siblings, 0 replies; 5+ messages in thread
From: Hongxu Jia @ 2018-07-04  1:39 UTC (permalink / raw)
  To: openembedded-core, ross.burton

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
allows attackers to cause a denial of service (buffer over-read) or
information disclosure.

https://bugzilla.gnome.org/show_bug.cgi?id=775200

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../libxml/libxml2/fix-CVE-2017-8872.patch         | 38 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.8.bb          |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch

diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
new file mode 100644
index 0000000..b34479f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -0,0 +1,38 @@
+From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Tue, 3 Jul 2018 15:54:03 +0800
+Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775200
+Fixes bug 775200.
+
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+
+Upstream-Status: Submitted
+https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
+CVE: CVE-2017-8872
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ca9fde2..fb4c889 100644
+--- a/parser.c
++++ b/parser.c
+@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ 	}
+ 	ctxt->input->cur = BAD_CAST"";
+ 	ctxt->input->base = ctxt->input->cur;
+-        ctxt->input->end = ctxt->input->cur;
++	ctxt->input->end = ctxt->input->cur;
++	if (ctxt->input->buf)
++	    xmlBufEmpty (ctxt->input->buf->buffer);
++	else
++	    ctxt->input->length = 0;
+     }
+ }
+ 
+-- 
+2.7.4
+
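Review bot: nothing in the patch header explains why a change to `xmlHaltParser` in `parser.c` fixes an out-of-bounds read reported in `htmlParseTryOrFinish`. Add a sentence or two on how emptying the input buffer when the parser is halted prevents the over-read, and why both the `xmlBufEmpty` branch and the `ctxt->input->length = 0` branch are needed.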
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index d55e650..1f22bb0 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            file://fix-execution-of-ptests.patch \
+           file://fix-CVE-2017-8872.patch \
            "
 
 SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"
-- 
2.7.4




* Re: [PATCH] libxml2: Fix CVE-2017-8872
  2017-06-07  8:51 [PATCH] libxml2: Fix CVE-2017-8872 Fan Xin
@ 2017-06-08 11:10 ` Jussi Kukkonen
  0 siblings, 0 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2017-06-08 11:10 UTC (permalink / raw)
  To: Fan Xin; +Cc: Patches and discussions about the oe-core layer


On 7 June 2017 at 11:51, Fan Xin <fan.xin@jp.fujitsu.com> wrote:
>
> CVE: CVE-2017-8872
> The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers
> to cause a denial of service (buffer over-read) or information disclosure.
>
> External References:
> https://bugzilla.gnome.org/show_bug.cgi?id=77520


This should be
https://bugzilla.gnome.org/show_bug.cgi?id=775200

I have the same question that was asked in the upstream bug comment 6 about
two weeks ago: The patch doesn't seem to have any effect (because the goto
will happen anyway since 'avail' is 0), am I missing something?

Jussi


>
>
> Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
> ---
>  .../libxml/libxml2/libxml2-CVE-2017-8872.patch     | 23
++++++++++++++++++++++
>  meta/recipes-core/libxml/libxml2_2.9.4.bb          |  1 +
>  2 files changed, 24 insertions(+)
>  create mode 100644
meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
> new file mode 100644
> index 0000000..df05e06
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
> @@ -0,0 +1,23 @@
> +libxml2-2.9.4: Fix CVE-2017-8872
> +
> +Bug 775200 - (CVE-2017-8872) global-buffer-overflow in
htmlParseTryOrFinish (HTMLparser.c:5403)
> + - [https://bugzilla.gnome.org/show_bug.cgi?id=775200]
> +
> +CVE: CVE-2017-8872
> +Upstream-Status: Submitted
> +
> +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
> +
> +Index: libxml2-2.9.4/HTMLparser.c
> +===================================================================
> +--- libxml2-2.9.4.orig/HTMLparser.c
> ++++ libxml2-2.9.4/HTMLparser.c
> +@@ -5396,6 +5396,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr c
> +               ctxt->instate = XML_PARSER_EOF;
> +               if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
> +                   ctxt->sax->endDocument(ctxt->userData);
> ++
> ++              goto done;
> +           }
> +       }
> +         if (avail < 1)
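Review bot: the added `goto done;` sits inside the block that sets `ctxt->instate = XML_PARSER_EOF`, and the first statement after that block is `if (avail < 1)`, yet the patch header carries only the bug title. Describe which path reaches the reported read at HTMLparser.c:5403 without this jump, and drop the empty `+` line added before it.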
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb
b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> index ea0d3b8..0b4cbca 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
> @@ -24,6 +24,7 @@ SRC_URI = "
ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
>             file://libxml2-CVE-2016-4658.patch \
>             file://libxml2-fix_NULL_pointer_derefs.patch \
>             file://CVE-2016-9318.patch \
> +          file://libxml2-CVE-2017-8872.patch \
>            "
>
>  SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
> --
> 1.9.1
>


* [PATCH] libxml2: Fix CVE-2017-8872
@ 2017-06-07  8:51 Fan Xin
  2017-06-08 11:10 ` Jussi Kukkonen
  0 siblings, 1 reply; 5+ messages in thread
From: Fan Xin @ 2017-06-07  8:51 UTC (permalink / raw)
  To: openembedded-core

CVE: CVE-2017-8872
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers
to cause a denial of service (buffer over-read) or information disclosure.

External References:
https://bugzilla.gnome.org/show_bug.cgi?id=77520

Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
---
 .../libxml/libxml2/libxml2-CVE-2017-8872.patch     | 23 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.4.bb          |  1 +
 2 files changed, 24 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
new file mode 100644
index 0000000..df05e06
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch
@@ -0,0 +1,23 @@
+libxml2-2.9.4: Fix CVE-2017-8872
+
+Bug 775200 - (CVE-2017-8872) global-buffer-overflow in htmlParseTryOrFinish (HTMLparser.c:5403) 
+ - [https://bugzilla.gnome.org/show_bug.cgi?id=775200]
+
+CVE: CVE-2017-8872
+Upstream-Status: Submitted
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+Index: libxml2-2.9.4/HTMLparser.c
+===================================================================
+--- libxml2-2.9.4.orig/HTMLparser.c
++++ libxml2-2.9.4/HTMLparser.c
+@@ -5396,6 +5396,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr c
+ 		ctxt->instate = XML_PARSER_EOF;
+ 		if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ 		    ctxt->sax->endDocument(ctxt->userData);
++
++		goto done;
+ 	    }
+ 	}
+         if (avail < 1)
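Review bot: the bug URL in the patch header ends in `id=775200`, while the External References line of the commit message gives `id=77520`. Make the two agree so the reference resolves to the bug named in the header.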
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index ea0d3b8..0b4cbca 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml2-CVE-2016-4658.patch \
            file://libxml2-fix_NULL_pointer_derefs.patch \
            file://CVE-2016-9318.patch \
+	   file://libxml2-CVE-2017-8872.patch \
           "
 
 SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
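Review bot: the added `file://libxml2-CVE-2017-8872.patch \` line is indented with a tab followed by spaces, while the neighbouring `SRC_URI` entries use spaces only. Re-indent it with spaces to match.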
-- 
1.9.1


