* [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
@ 2016-12-12 13:20 Andrej Valek
2016-12-12 13:20 ` [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges Andrej Valek
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Andrej Valek @ 2016-12-12 13:20 UTC (permalink / raw)
To: openembedded-core
xpath:
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.
- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
---
.../libxml2/libxml2-fix_node_comparison.patch | 67 ++++++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
new file mode 100644
index 0000000..11718bb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch
@@ -0,0 +1,67 @@
+libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
+
+xpath:
+ - Check for errors after evaluating first operand.
+ - Add sanity check for empty stack.
+ - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
+
+Upstream-Status: Backported
+ - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
+CVE: necessary changes for fixing CVE-2016-5131
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
+new file mode 100644
+index 0000000..d589882
+--- /dev/null
++++ b/result/XPath/xptr/viderror
+@@ -0,0 +1,4 @@
++
++========================
++Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
++Object is empty (NULL)
+diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
+new file mode 100644
+index 0000000..da8c53b
+--- /dev/null
++++ b/test/XPath/xptr/viderror
+@@ -0,0 +1 @@
++xpointer(non-existing-fn()/range-to(id('chapter2')))
+diff --git a/xpath.c b/xpath.c
+index 113bce6..d992841 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
+ * compute depth to root
+ */
+ for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node1)
++ if (cur->parent == node1)
+ return(1);
+ depth2++;
+ }
+ root = cur;
+ for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node2)
++ if (cur->parent == node2)
+ return(-1);
+ depth1++;
+ }
+@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ xmlNodeSetPtr oldset;
+ int i, j;
+
+- if (op->ch1 != -1)
++ if (op->ch1 != -1) {
+ total +=
+ xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
++ CHECK_ERROR0;
++ }
++ if (ctxt->value == NULL) {
++ XP_ERROR0(XPATH_INVALID_OPERAND);
++ }
+ if (op->ch2 == -1)
+ return (total);
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 1fed90b..66a8940 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://run-ptest \
file://python-sitepackages-dir.patch \
file://libxml-m4-use-pkgconfig.patch \
+ file://libxml2-fix_node_comparison.patch \
file://libxml2-CVE-2016-5131.patch \
"
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges 2016-12-12 13:20 [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Andrej Valek @ 2016-12-12 13:20 ` Andrej Valek 2016-12-15 19:05 ` Ahsan, Noor 2016-12-12 13:20 ` [PATCH 3/3] libxml2: Fix more NULL pointer derefs Andrej Valek 2016-12-12 13:44 ` [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Burton, Ross 2 siblings, 1 reply; 10+ messages in thread From: Andrej Valek @ 2016-12-12 13:20 UTC (permalink / raw) To: openembedded-core Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> --- .../libxml/libxml2/libxml2-CVE-2016-4658.patch | 269 +++++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 + 2 files changed, 270 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch new file mode 100644 index 0000000..5412e8c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch @@ -0,0 +1,269 @@ +libxml2-2.9.4: Fix CVE-2016-4658 + +[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658 + +xpointer: Disallow namespace nodes in XPointer points and ranges + +Namespace nodes must be copied to avoid use-after-free errors. +But they don't necessarily have a physical representation in a +document, so simply disallow them in XPointer ranges. + +Upstream-Status: Backported + - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b] + - [https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d54397a42d645f019c65] +CVE: CVE-2016-4658 +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> +Signed-off-by: Pascal Bach <pascal.bach@siemens.com> + +diff --git a/xpointer.c b/xpointer.c +index 676c510..911680d 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) { + } + + /** ++ * xmlXPtrNewRangeInternal: ++ * @start: the starting node ++ * @startindex: the start index ++ * @end: the ending point ++ * @endindex: the ending index ++ * ++ * Internal function to create a new xmlXPathObjectPtr of type range ++ * ++ * Returns the newly created object. ++ */ ++static xmlXPathObjectPtr ++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, ++ xmlNodePtr end, int endindex) { ++ xmlXPathObjectPtr ret; ++ ++ /* ++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). ++ * Disallow them for now. ++ */ ++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ ++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); ++ if (ret == NULL) { ++ xmlXPtrErrMemory("allocating range"); ++ return(NULL); ++ } ++ memset(ret, 0, sizeof(xmlXPathObject)); ++ ret->type = XPATH_RANGE; ++ ret->user = start; ++ ret->index = startindex; ++ ret->user2 = end; ++ ret->index2 = endindex; ++ return(ret); ++} ++ ++/** + * xmlXPtrNewRange: + * @start: the starting node + * @startindex: the start index +@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, + if (endindex < 0) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = startindex; +- ret->user2 = end; +- ret->index2 = endindex; ++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, ++ end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { + if (start->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { + if (end == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + if (start == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = NULL; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); + return(ret); + } + +@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + */ + xmlXPathObjectPtr + xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { ++ xmlNodePtr endNode; ++ int endIndex; + xmlXPathObjectPtr ret; + + if (start == NULL) +@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + return(NULL); + switch (end->type) { + case XPATH_POINT: ++ endNode = end->user; ++ endIndex = end->index; ++ break; + case XPATH_RANGE: ++ endNode = end->user2; ++ endIndex = end->index2; + break; + case XPATH_NODESET: + /* +@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + */ + if (end->nodesetval->nodeNr <= 0) + return(NULL); ++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; ++ endIndex = -1; + break; + default: + /* TODO */ + return(NULL); + } + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- switch (end->type) { +- case XPATH_POINT: +- ret->user2 = end->user; +- ret->index2 = end->index; +- break; +- case XPATH_RANGE: +- ret->user2 = end->user2; +- ret->index2 = end->index2; +- break; +- case XPATH_NODESET: { +- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; +- ret->index2 = -1; +- break; +- } +- default: +- STRANGE +- return(NULL); +- } ++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + case XPATH_RANGE: { + xmlNodePtr node = tmp->user; + if (node != NULL) { +- if (node->type == XML_ATTRIBUTE_NODE) { +- /* TODO: Namespace Nodes ??? */ ++ if ((node->type == XML_ATTRIBUTE_NODE) || ++ (node->type == XML_NAMESPACE_DECL)) { + xmlXPathFreeObject(obj); + xmlXPtrFreeLocationSet(newset); + XP_ERROR(XPTR_SYNTAX_ERROR); +@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + case XPATH_RANGE: { + xmlNodePtr node = tmp->user2; + if (node != NULL) { +- if (node->type == XML_ATTRIBUTE_NODE) { +- /* TODO: Namespace Nodes ??? */ ++ if ((node->type == XML_ATTRIBUTE_NODE) || ++ (node->type == XML_NAMESPACE_DECL)) { + xmlXPathFreeObject(obj); + xmlXPtrFreeLocationSet(newset); + XP_ERROR(XPTR_SYNTAX_ERROR); diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 66a8940..a1d1e9e 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb @@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://libxml-m4-use-pkgconfig.patch \ file://libxml2-fix_node_comparison.patch \ file://libxml2-CVE-2016-5131.patch \ + file://libxml2-CVE-2016-4658.patch \ " SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5" -- 2.1.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges 2016-12-12 13:20 ` [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges Andrej Valek @ 2016-12-15 19:05 ` Ahsan, Noor 2016-12-15 19:33 ` Burton, Ross 0 siblings, 1 reply; 10+ messages in thread From: Ahsan, Noor @ 2016-12-15 19:05 UTC (permalink / raw) To: Andrej Valek, openembedded-core@lists.openembedded.org Can we merge this on morty branch as well? Noor -----Original Message----- From: openembedded-core-bounces@lists.openembedded.org [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Andrej Valek Sent: Monday, December 12, 2016 6:20 PM To: openembedded-core@lists.openembedded.org Subject: [OE-core] [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> --- .../libxml/libxml2/libxml2-CVE-2016-4658.patch | 269 +++++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 + 2 files changed, 270 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch new file mode 100644 index 0000000..5412e8c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch @@ -0,0 +1,269 @@ +libxml2-2.9.4: Fix CVE-2016-4658 + +[No upstream tracking] -- +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658 + +xpointer: Disallow namespace nodes in XPointer points and ranges + +Namespace nodes must be copied to avoid use-after-free errors. +But they don't necessarily have a physical representation in a +document, so simply disallow them in XPointer ranges. + +Upstream-Status: Backported + - +[https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf55 +5f08d3062a36fd344b] + - +[https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d5 +4397a42d645f019c65] +CVE: CVE-2016-4658 +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> +Signed-off-by: Pascal Bach <pascal.bach@siemens.com> + +diff --git a/xpointer.c b/xpointer.c +index 676c510..911680d 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, +xmlXPathObjectPtr range2) { } + + /** ++ * xmlXPtrNewRangeInternal: ++ * @start: the starting node ++ * @startindex: the start index ++ * @end: the ending point ++ * @endindex: the ending index ++ * ++ * Internal function to create a new xmlXPathObjectPtr of type range ++ * ++ * Returns the newly created object. ++ */ ++static xmlXPathObjectPtr ++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, ++ xmlNodePtr end, int endindex) { ++ xmlXPathObjectPtr ret; ++ ++ /* ++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). ++ * Disallow them for now. ++ */ ++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ ++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); ++ if (ret == NULL) { ++ xmlXPtrErrMemory("allocating range"); ++ return(NULL); ++ } ++ memset(ret, 0, sizeof(xmlXPathObject)); ++ ret->type = XPATH_RANGE; ++ ret->user = start; ++ ret->index = startindex; ++ ret->user2 = end; ++ ret->index2 = endindex; ++ return(ret); ++} ++ ++/** + * xmlXPtrNewRange: + * @start: the starting node + * @startindex: the start index +@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, + if (endindex < 0) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = startindex; +- ret->user2 = end; +- ret->index2 = endindex; ++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, ++ end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { + if (start->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { + if (end == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + if (start == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = NULL; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); + return(ret); + } + +@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + */ + xmlXPathObjectPtr + xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { ++ xmlNodePtr endNode; ++ int endIndex; + xmlXPathObjectPtr ret; + + if (start == NULL) +@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + return(NULL); + switch (end->type) { + case XPATH_POINT: ++ endNode = end->user; ++ endIndex = end->index; ++ break; + case XPATH_RANGE: ++ endNode = end->user2; ++ endIndex = end->index2; + break; + case XPATH_NODESET: + /* +@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + */ + if (end->nodesetval->nodeNr <= 0) + return(NULL); ++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; ++ endIndex = -1; + break; + default: + /* TODO */ + return(NULL); + } + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- switch (end->type) { +- case XPATH_POINT: +- ret->user2 = end->user; +- ret->index2 = end->index; +- break; +- case XPATH_RANGE: +- ret->user2 = end->user2; +- ret->index2 = end->index2; +- break; +- case XPATH_NODESET: { +- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; +- ret->index2 = -1; +- break; +- } +- default: +- STRANGE +- return(NULL); +- } ++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + case XPATH_RANGE: { + xmlNodePtr node = tmp->user; + if (node != NULL) { +- if (node->type == XML_ATTRIBUTE_NODE) { +- /* TODO: Namespace Nodes ??? */ ++ if ((node->type == XML_ATTRIBUTE_NODE) || ++ (node->type == XML_NAMESPACE_DECL)) { + xmlXPathFreeObject(obj); + xmlXPtrFreeLocationSet(newset); + XP_ERROR(XPTR_SYNTAX_ERROR); +@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + case XPATH_RANGE: { + xmlNodePtr node = tmp->user2; + if (node != NULL) { +- if (node->type == XML_ATTRIBUTE_NODE) { +- /* TODO: Namespace Nodes ??? */ ++ if ((node->type == XML_ATTRIBUTE_NODE) || ++ (node->type == XML_NAMESPACE_DECL)) { + xmlXPathFreeObject(obj); + xmlXPtrFreeLocationSet(newset); + XP_ERROR(XPTR_SYNTAX_ERROR); diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 66a8940..a1d1e9e 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb @@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://libxml-m4-use-pkgconfig.patch \ file://libxml2-fix_node_comparison.patch \ file://libxml2-CVE-2016-5131.patch \ + file://libxml2-CVE-2016-4658.patch \ " SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5" -- 2.1.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges 2016-12-15 19:05 ` Ahsan, Noor @ 2016-12-15 19:33 ` Burton, Ross 2016-12-20 9:06 ` Ahsan, Noor 0 siblings, 1 reply; 10+ messages in thread From: Burton, Ross @ 2016-12-15 19:33 UTC (permalink / raw) To: Ahsan, Noor; +Cc: openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 175 bytes --] On 15 December 2016 at 19:05, Ahsan, Noor <Noor_Ahsan@mentor.com> wrote: > Can we merge this on morty branch as well? > Yes, if you ping the morty maintainer. Ross [-- Attachment #2: Type: text/html, Size: 583 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges 2016-12-15 19:33 ` Burton, Ross @ 2016-12-20 9:06 ` Ahsan, Noor 2016-12-21 1:38 ` akuster808 0 siblings, 1 reply; 10+ messages in thread From: Ahsan, Noor @ 2016-12-20 9:06 UTC (permalink / raw) To: Burton, Ross Cc: Andrej Valek, Larson, Chris, openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 603 bytes --] Armin Kuster, Can you merge this on morty branch? Noor From: Burton, Ross [mailto:ross.burton@intel.com] Sent: Friday, December 16, 2016 12:33 AM To: Ahsan, Noor <Noor_Ahsan@mentor.com> Cc: Andrej Valek <andrej.valek@siemens.com>; openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges On 15 December 2016 at 19:05, Ahsan, Noor <Noor_Ahsan@mentor.com<mailto:Noor_Ahsan@mentor.com>> wrote: Can we merge this on morty branch as well? Yes, if you ping the morty maintainer. Ross [-- Attachment #2: Type: text/html, Size: 3771 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges 2016-12-20 9:06 ` Ahsan, Noor @ 2016-12-21 1:38 ` akuster808 0 siblings, 0 replies; 10+ messages in thread From: akuster808 @ 2016-12-21 1:38 UTC (permalink / raw) To: Ahsan, Noor, Burton, Ross Cc: Andrej Valek, Larson, Chris, openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 904 bytes --] On 12/20/2016 01:06 AM, Ahsan, Noor wrote: > > Armin Kuster, > > Can you merge this on morty branch? > yep. its sitting in my stagging. http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=akuster/morty-next&id=ef5b3d9a69b6a807abb6b3e997128d484728e9ed -armin > Noor > > *From:*Burton, Ross [mailto:ross.burton@intel.com] > *Sent:* Friday, December 16, 2016 12:33 AM > *To:* Ahsan, Noor <Noor_Ahsan@mentor.com> > *Cc:* Andrej Valek <andrej.valek@siemens.com>; > openembedded-core@lists.openembedded.org > *Subject:* Re: [OE-core] [PATCH 2/3] libxml2: fix CVE-2016-4658 > Disallow namespace nodes in XPointer points and ranges > > On 15 December 2016 at 19:05, Ahsan, Noor <Noor_Ahsan@mentor.com > <mailto:Noor_Ahsan@mentor.com>> wrote: > > Can we merge this on morty branch as well? > > > Yes, if you ping the morty maintainer. > > Ross > > > [-- Attachment #2: Type: text/html, Size: 5688 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 3/3] libxml2: Fix more NULL pointer derefs 2016-12-12 13:20 [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Andrej Valek 2016-12-12 13:20 ` [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges Andrej Valek @ 2016-12-12 13:20 ` Andrej Valek 2016-12-12 13:44 ` [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Burton, Ross 2 siblings, 0 replies; 10+ messages in thread From: Andrej Valek @ 2016-12-12 13:20 UTC (permalink / raw) To: openembedded-core The NULL pointer dereferencing could produced some security problems. This is a preventive security fix. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> --- .../libxml2/libxml2-fix_NULL_pointer_derefs.patch | 46 ++++++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch new file mode 100644 index 0000000..83552ca --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch @@ -0,0 +1,46 @@ +libxml2-2.9.4: Fix more NULL pointer derefs + +xpointer: Fix more NULL pointer derefs + +Upstream-Status: Backported [https://git.gnome.org/browse/libxml2/commit/?id=e905f08123e4a6e7731549e6f09dadff4cab65bd] +CVE: - +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> +Signed-off-by: Pascal Bach <pascal.bach@siemens.com> + +diff --git a/xpointer.c b/xpointer.c +index 676c510..074db24 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -555,7 +555,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + /* + * Empty set ... + */ +- if (end->nodesetval->nodeNr <= 0) ++ if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0)) + return(NULL); + break; + default: +@@ -1400,7 +1400,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) { + */ + xmlNodeSetPtr set; + set = tmp->nodesetval; +- if ((set->nodeNr != 1) || ++ if ((set == NULL) || (set->nodeNr != 1) || + (set->nodeTab[0] != (xmlNodePtr) ctx->doc)) + stack++; + } else +@@ -2073,9 +2073,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + xmlXPathFreeObject(set); + XP_ERROR(XPATH_MEMORY_ERROR); + } +- for (i = 0;i < oldset->locNr;i++) { +- xmlXPtrLocationSetAdd(newset, +- xmlXPtrCoveringRange(ctxt, oldset->locTab[i])); ++ if (oldset != NULL) { ++ for (i = 0;i < oldset->locNr;i++) { ++ xmlXPtrLocationSetAdd(newset, ++ xmlXPtrCoveringRange(ctxt, oldset->locTab[i])); ++ } + } + + /* diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index a1d1e9e..ba08c9c 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb @@ -22,6 +22,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://libxml2-fix_node_comparison.patch \ file://libxml2-CVE-2016-5131.patch \ file://libxml2-CVE-2016-4658.patch \ + file://libxml2-fix_NULL_pointer_derefs.patch \ " SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5" -- 2.1.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer 2016-12-12 13:20 [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Andrej Valek 2016-12-12 13:20 ` [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges Andrej Valek 2016-12-12 13:20 ` [PATCH 3/3] libxml2: Fix more NULL pointer derefs Andrej Valek @ 2016-12-12 13:44 ` Burton, Ross 2016-12-12 13:53 ` Valek, Andrej 2 siblings, 1 reply; 10+ messages in thread From: Burton, Ross @ 2016-12-12 13:44 UTC (permalink / raw) To: Andrej Valek; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 4583 bytes --] I see part 1 and 2 but no part 3. Also, have you asked upstream if they'll be making a point release with these in? Ross On 12 December 2016 at 13:20, Andrej Valek <andrej.valek@siemens.com> wrote: > xpath: > - Check for errors after evaluating first operand. > - Add sanity check for empty stack. > - Include comparation in changes from xmlXPathCmpNodesExt to > xmlXPathCmpNodes > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > Signed-off-by: Pascal Bach <pascal.bach@siemens.com> > --- > .../libxml2/libxml2-fix_node_comparison.patch | 67 > ++++++++++++++++++++++ > meta/recipes-core/libxml/libxml2_2.9.4.bb | 1 + > 2 files changed, 68 insertions(+) > create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_node_ > comparison.patch > > diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch > b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch > new file mode 100644 > index 0000000..11718bb > --- /dev/null > +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch > @@ -0,0 +1,67 @@ > +libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL > pointer deref in XPointer > + > +xpath: > + - Check for errors after evaluating first operand. > + - Add sanity check for empty stack. > + - Include comparation in changes from xmlXPathCmpNodesExt to > xmlXPathCmpNodes > + > +Upstream-Status: Backported > + - [https://git.gnome.org/browse/libxml2/commit/?id= > c1d1f7121194036608bf555f08d3062a36fd344b] > + - [https://git.gnome.org/browse/libxml2/commit/?id= > a005199330b86dada19d162cae15ef9bdcb6baa8] > +CVE: necessary changes for fixing CVE-2016-5131 > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > +Signed-off-by: Pascal Bach <pascal.bach@siemens.com> > + > +diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror > +new file mode 100644 > +index 0000000..d589882 > +--- /dev/null > ++++ b/result/XPath/xptr/viderror > +@@ -0,0 +1,4 @@ > ++ > ++======================== > ++Expression: xpointer(non-existing-fn()/range-to(id('chapter2'))) > ++Object is empty (NULL) > +diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror > +new file mode 100644 > +index 0000000..da8c53b > +--- /dev/null > ++++ b/test/XPath/xptr/viderror > +@@ -0,0 +1 @@ > ++xpointer(non-existing-fn()/range-to(id('chapter2'))) > +diff --git a/xpath.c b/xpath.c > +index 113bce6..d992841 100644 > +--- a/xpath.c > ++++ b/xpath.c > +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr > node2) { > + * compute depth to root > + */ > + for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { > +- if (cur == node1) > ++ if (cur->parent == node1) > + return(1); > + depth2++; > + } > + root = cur; > + for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { > +- if (cur == node2) > ++ if (cur->parent == node2) > + return(-1); > + depth1++; > + } > +@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr > ctxt, xmlXPathStepOpPtr op) > + xmlNodeSetPtr oldset; > + int i, j; > + > +- if (op->ch1 != -1) > ++ if (op->ch1 != -1) { > + total += > + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); > ++ CHECK_ERROR0; > ++ } > ++ if (ctxt->value == NULL) { > ++ XP_ERROR0(XPATH_INVALID_OPERAND); > ++ } > + if (op->ch2 == -1) > + return (total); > + > diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb > b/meta/recipes-core/libxml/libxml2_2.9.4.bb > index 1fed90b..66a8940 100644 > --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb > +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb > @@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/ > libxml2-${PV}.tar.gz;name=libtar \ > file://run-ptest \ > file://python-sitepackages-dir.patch \ > file://libxml-m4-use-pkgconfig.patch \ > + file://libxml2-fix_node_comparison.patch \ > file://libxml2-CVE-2016-5131.patch \ > " > > -- > 2.1.4 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core > [-- Attachment #2: Type: text/html, Size: 6731 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer 2016-12-12 13:44 ` [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Burton, Ross @ 2016-12-12 13:53 ` Valek, Andrej 2016-12-12 13:55 ` Burton, Ross 0 siblings, 1 reply; 10+ messages in thread From: Valek, Andrej @ 2016-12-12 13:53 UTC (permalink / raw) To: Burton, Ross; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 5156 bytes --] Hi Ross, I think, there was a web-page delay. Patch 3/3 is already there: http://lists.openembedded.org/pipermail/openembedded-core/2016-December/130046.html Andrej From: Burton, Ross [mailto:ross.burton@intel.com] Sent: 12. decembra 2016 14:44 To: Valek, Andrej (CT DD DS EU SK BT) Cc: OE-core Subject: Re: [OE-core] [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer I see part 1 and 2 but no part 3. Also, have you asked upstream if they'll be making a point release with these in? Ross On 12 December 2016 at 13:20, Andrej Valek <andrej.valek@siemens.com<mailto:andrej.valek@siemens.com>> wrote: xpath: - Check for errors after evaluating first operand. - Add sanity check for empty stack. - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes Signed-off-by: Andrej Valek <andrej.valek@siemens.com<mailto:andrej.valek@siemens.com>> Signed-off-by: Pascal Bach <pascal.bach@siemens.com<mailto:pascal.bach@siemens.com>> --- .../libxml2/libxml2-fix_node_comparison.patch | 67 ++++++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb> | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch new file mode 100644 index 0000000..11718bb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch @@ -0,0 +1,67 @@ +libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer + +xpath: + - Check for errors after evaluating first operand. + - Add sanity check for empty stack. + - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes + +Upstream-Status: Backported + - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b] + - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8] +CVE: necessary changes for fixing CVE-2016-5131 +Signed-off-by: Andrej Valek <andrej.valek@siemens.com<mailto:andrej.valek@siemens.com>> +Signed-off-by: Pascal Bach <pascal.bach@siemens.com<mailto:pascal.bach@siemens.com>> + +diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror +new file mode 100644 +index 0000000..d589882 +--- /dev/null ++++ b/result/XPath/xptr/viderror +@@ -0,0 +1,4 @@ ++ ++======================== ++Expression: xpointer(non-existing-fn()/range-to(id('chapter2'))) ++Object is empty (NULL) +diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror +new file mode 100644 +index 0000000..da8c53b +--- /dev/null ++++ b/test/XPath/xptr/viderror +@@ -0,0 +1 @@ ++xpointer(non-existing-fn()/range-to(id('chapter2'))) +diff --git a/xpath.c b/xpath.c +index 113bce6..d992841 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) { + * compute depth to root + */ + for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { +- if (cur == node1) ++ if (cur->parent == node1) + return(1); + depth2++; + } + root = cur; + for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { +- if (cur == node2) ++ if (cur->parent == node2) + return(-1); + depth1++; + } +@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlNodeSetPtr oldset; + int i, j; + +- if (op->ch1 != -1) ++ if (op->ch1 != -1) { + total += + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); ++ CHECK_ERROR0; ++ } ++ if (ctxt->value == NULL) { ++ XP_ERROR0(XPATH_INVALID_OPERAND); ++ } + if (op->ch2 == -1) + return (total); + diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb> b/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb> index 1fed90b..66a8940 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb> +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb<http://libxml2_2.9.4.bb> @@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://run-ptest \ file://python-sitepackages-dir.patch \ file://libxml-m4-use-pkgconfig.patch \ + file://libxml2-fix_node_comparison.patch \ file://libxml2-CVE-2016-5131.patch \ " -- 2.1.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org<mailto:Openembedded-core@lists.openembedded.org> http://lists.openembedded.org/mailman/listinfo/openembedded-core [-- Attachment #2: Type: text/html, Size: 11715 bytes --] ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer 2016-12-12 13:53 ` Valek, Andrej @ 2016-12-12 13:55 ` Burton, Ross 0 siblings, 0 replies; 10+ messages in thread From: Burton, Ross @ 2016-12-12 13:55 UTC (permalink / raw) To: Valek, Andrej; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 310 bytes --] On 12 December 2016 at 13:53, Valek, Andrej <andrej.valek@siemens.com> wrote: > I think, there was a web-page delay. Patch 3/3 is already there: > http://lists.openembedded.org/pipermail/openembedded-core/ > 2016-December/130046.html > > Yeah, obviously posting about it meant it arrived. :) Ross [-- Attachment #2: Type: text/html, Size: 949 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2016-12-21 1:38 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-12-12 13:20 [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Andrej Valek 2016-12-12 13:20 ` [PATCH 2/3] libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges Andrej Valek 2016-12-15 19:05 ` Ahsan, Noor 2016-12-15 19:33 ` Burton, Ross 2016-12-20 9:06 ` Ahsan, Noor 2016-12-21 1:38 ` akuster808 2016-12-12 13:20 ` [PATCH 3/3] libxml2: Fix more NULL pointer derefs Andrej Valek 2016-12-12 13:44 ` [PATCH 1/3] libxml2: Necessary changes before fixing CVE-2016-5131 Fix comaparation with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer Burton, Ross 2016-12-12 13:53 ` Valek, Andrej 2016-12-12 13:55 ` Burton, Ross
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox