* [Buildroot] [PATCH] xerces: add upstream security fix
@ 2018-03-26 20:23 Baruch Siach
2018-03-27 7:48 ` Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Baruch Siach @ 2018-03-26 20:23 UTC (permalink / raw)
To: buildroot
CVE-2017-12627: dereference of a NULL pointer while processing the path
to the DTD.
xerces 3.2.1 includes this patch. But this version also added
AC_RUN_IFELSE to its configure script, making cross compilation harder.
Switching to cmake is also problematic since the minimum required cmake
version is 3.2.0. The host dependencies check currently allows minimum
cmake version 3.1.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/xerces/0001-fix-CVE-2017-12627.patch | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 package/xerces/0001-fix-CVE-2017-12627.patch
diff --git a/package/xerces/0001-fix-CVE-2017-12627.patch b/package/xerces/0001-fix-CVE-2017-12627.patch
new file mode 100644
index 000000000000..010be7e3d5ad
--- /dev/null
+++ b/package/xerces/0001-fix-CVE-2017-12627.patch
@@ -0,0 +1,22 @@
+XMLString: Don't call catString if relativePath is null
+
+https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+
+Upstream status: svn revision 1819998
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+
+--- trunk/src/xercesc/util/PlatformUtils.cpp 2018/01/03 18:58:30 1819997
++++ trunk/src/xercesc/util/PlatformUtils.cpp 2018/01/03 18:59:30 1819998
+@@ -920,7 +920,10 @@
+
+ XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager);
+ tmpBuf[basePtr - basePath + 1] = 0;
+- XMLString::catString(tmpBuf, relativePath);
++ if (relativePath)
++ {
++ XMLString::catString(tmpBuf, relativePath);
++ }
+
+ removeDotSlash(tmpBuf, manager);
+
--
2.16.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] xerces: add upstream security fix
2018-03-26 20:23 [Buildroot] [PATCH] xerces: add upstream security fix Baruch Siach
@ 2018-03-27 7:48 ` Peter Korsgaard
2018-04-07 15:40 ` Peter Korsgaard
2018-04-11 15:44 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-03-27 7:48 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> CVE-2017-12627: dereference of a NULL pointer while processing the path
> to the DTD.
> xerces 3.2.1 includes this patch. But this version also added
> AC_RUN_IFELSE to its configure script, making cross compilation harder.
> Switching to cmake is also problematic since the minimum required cmake
> version is 3.2.0. The host dependencies check currently allows minimum
> cmake version 3.1.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] xerces: add upstream security fix
2018-03-26 20:23 [Buildroot] [PATCH] xerces: add upstream security fix Baruch Siach
2018-03-27 7:48 ` Peter Korsgaard
@ 2018-04-07 15:40 ` Peter Korsgaard
2018-04-11 15:44 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-04-07 15:40 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> CVE-2017-12627: dereference of a NULL pointer while processing the path
> to the DTD.
> xerces 3.2.1 includes this patch. But this version also added
> AC_RUN_IFELSE to its configure script, making cross compilation harder.
> Switching to cmake is also problematic since the minimum required cmake
> version is 3.2.0. The host dependencies check currently allows minimum
> cmake version 3.1.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2018.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] xerces: add upstream security fix
2018-03-26 20:23 [Buildroot] [PATCH] xerces: add upstream security fix Baruch Siach
2018-03-27 7:48 ` Peter Korsgaard
2018-04-07 15:40 ` Peter Korsgaard
@ 2018-04-11 15:44 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-04-11 15:44 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> CVE-2017-12627: dereference of a NULL pointer while processing the path
> to the DTD.
> xerces 3.2.1 includes this patch. But this version also added
> AC_RUN_IFELSE to its configure script, making cross compilation harder.
> Switching to cmake is also problematic since the minimum required cmake
> version is 3.2.0. The host dependencies check currently allows minimum
> cmake version 3.1.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-04-11 15:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-26 20:23 [Buildroot] [PATCH] xerces: add upstream security fix Baruch Siach
2018-03-27 7:48 ` Peter Korsgaard
2018-04-07 15:40 ` Peter Korsgaard
2018-04-11 15:44 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.