* [PATCH 0/2 v2] libxml2 CVE-2012-2807
From: jackie.huang @ 2013-06-21 2:28 UTC
To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

v2 info:
* add Upstream-Status for libxml2-fix-CVE-2012-2807.patch
  and libxml2-CVE-2012-2871.patch

--
The following changes since commit defa05f2085f78d9ec9ada7051c284e1fc72e6c1:

  bdwgc-native: Add missing pkgconfig DEPENDS (2013-06-19 18:03:21 +0100)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib jhuang0/r_bbappend_libxml_0620_2
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=jhuang0/r_bbappend_libxml_0620_2

Jackie Huang (2):
  libxml2 CVE-2012-2807
  Add Upstream-Status for libxml2-CVE-2012-2871.patch

 .../libxml/libxml2/libxml2-CVE-2012-2871.patch     |    2 +
 .../libxml/libxml2/libxml2-fix-CVE-2012-2807.patch |   80 ++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.1.bb          |    1 +
 3 files changed, 83 insertions(+), 0 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix-CVE-2012-2807.patch

--
1.7.4.1
* [PATCH 1/2 v2] libxml2 CVE-2012-2807 2013-06-21 2:28 [PATCH 0/2 v2] libxml2 CVE-2012-2807 jackie.huang @ 2013-06-21 2:28 ` jackie.huang 2013-06-21 10:06 ` Burton, Ross 2013-06-21 2:28 ` [PATCH 2/2 v2] Add Upstream-Status for libxml2-CVE-2012-2871.patch jackie.huang 1 sibling, 1 reply; 5+ messages in thread From: jackie.huang @ 2013-06-21 2:28 UTC (permalink / raw) To: openembedded-core From: Jackie Huang <jackie.huang@windriver.com> Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2807 Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> --- .../libxml/libxml2/libxml2-fix-CVE-2012-2807.patch | 80 ++++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.1.bb | 1 + 2 files changed, 81 insertions(+), 0 deletions(-) create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-fix-CVE-2012-2807.patch diff --git a/meta/recipes-core/libxml/libxml2/libxml2-fix-CVE-2012-2807.patch b/meta/recipes-core/libxml/libxml2/libxml2-fix-CVE-2012-2807.patch new file mode 100644 index 0000000..7fb53c3 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-fix-CVE-2012-2807.patch 
@@ -0,0 +1,80 @@ +Attempt to address libxml crash. + +Upstream-Status: Backport + +BUG=129930 +Review URL: https://chromiumcodereview.appspot.com/10458051 + +https://src.chromium.org/viewvc/chrome?view=rev&revision=142822 + +2012-2807 +Multiple integer overflows in libxml2, as used in Google Chrome +before 20.0.1132.43, on 64-bit Linux platforms allow remote attackers to cause \ +a denial of service or possibly have unspecified other impact via unknown vectors. +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2807 + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + globals.c | 25 ++++++++++++++++++++++--- + 1 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/globals.c b/globals.c +index 69002f0..b369346 100644 +--- a/globals.c ++++ b/globals.c +@@ -86,6 +86,25 @@ xmlMallocFunc xmlMallocAtomic = (xmlMallocFunc) xmlMemMalloc; + xmlReallocFunc xmlRealloc = (xmlReallocFunc) xmlMemRealloc; + xmlStrdupFunc xmlMemStrdup = (xmlStrdupFunc) xmlMemoryStrdup; + #else ++ ++#define MAX_LIBXML_MALLOC (1024*1024*512) ++ ++static void* size_checked_malloc(size_t size) { ++ if (size > MAX_LIBXML_MALLOC) { ++ *(volatile char*)0 = '\0'; ++ return NULL; ++ } ++ return malloc(size); ++} ++ ++static void* size_checked_realloc(void* ptr, size_t size) { ++ if (size > MAX_LIBXML_MALLOC) { ++ *(volatile char*)0 = '\0'; ++ return NULL; ++ } ++ return realloc(ptr, size); ++} ++ + /** + * xmlFree: + * @mem: an already allocated block of memory +@@ -101,7 +120,7 @@ xmlFreeFunc xmlFree = (xmlFreeFunc) free; + * + * Returns a pointer to the newly allocated block or NULL in case of error + */ +-xmlMallocFunc xmlMalloc = (xmlMallocFunc) malloc; ++xmlMallocFunc xmlMalloc = (xmlMallocFunc) size_checked_malloc; + /** + * xmlMallocAtomic: + * @size: the size requested in bytes +@@ -112,7 +131,7 @@ xmlMallocFunc xmlMalloc = (xmlMallocFunc) malloc; + * + * Returns a pointer to the newly allocated block or NULL in case of error + */ +-xmlMallocFunc xmlMallocAtomic = 
(xmlMallocFunc) malloc; ++xmlMallocFunc xmlMallocAtomic = (xmlMallocFunc) size_checked_malloc; + /** + * xmlRealloc: + * @mem: an already allocated block of memory +@@ -122,7 +141,7 @@ xmlMallocFunc xmlMallocAtomic = (xmlMallocFunc) malloc; + * + * Returns a pointer to the newly reallocated block or NULL in case of error + */ +-xmlReallocFunc xmlRealloc = (xmlReallocFunc) realloc; ++xmlReallocFunc xmlRealloc = (xmlReallocFunc) size_checked_realloc; + /** + * xmlMemStrdup: + * @str: a zero terminated string +-- +1.7.0.5 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb index a1093ed..11d8486 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb @@ -1,6 +1,7 @@ require libxml2.inc SRC_URI += "file://libxml2-CVE-2012-2871.patch \ + file://libxml2-fix-CVE-2012-2807.patch \ " SRC_URI[md5sum] = "9c0cfef285d5c4a5c80d00904ddab380" -- 1.7.4.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
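Review bot: In size_checked_malloc and size_checked_realloc (globals.c, hunk at -86,6 +86,25), the store `*(volatile char*)0 = '\0';` comes before `return NULL;`, so any request above MAX_LIBXML_MALLOC is meant to crash the process and the NULL return is reached only if that store does not fault. This replaces the overflow with a deliberate crash on every allocation request over 512 MiB, and nothing in the code says that is the intent. Either drop the null store so callers see the "NULL in case of error" result that the xmlMalloc and xmlRealloc doc comments describe, or add a comment stating that the crash is intentional. The wrappers are also defined only in the #else branch, so a build that takes the xmlMemMalloc/xmlMemRealloc assignments above the #else gets no cap at all.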
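Review bot: The header of libxml2-fix-CVE-2012-2807.patch says "Upstream-Status: Backport", but the only sources it cites are Chromium's (BUG=129930, the chromiumcodereview.appspot.com review and src.chromium.org revision 142822); no libxml2 commit is referenced. Since the recipe hunk adds this patch to libxml2_2.9.1.bb, name the libxml2 upstream commit being backported, or change the status to one that matches where the change actually comes from. The CVE line in the header also reads "2012-2807" without the "CVE-" prefix, which makes it harder to find by searching for the identifier.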
* Re: [PATCH 1/2 v2] libxml2 CVE-2012-2807
From: Burton, Ross @ 2013-06-21 10:06 UTC
To: jackie.huang; +Cc: openembedded-core

On 21 June 2013 03:28, <jackie.huang@windriver.com> wrote:
> +Upstream-Status: Backport

That's not strictly true. Chromium has applied it to their in-tree fork of libxml2, but it doesn't appear to be applied to libxml2 which is what you're patching here.

Ross
* Re: [PATCH 1/2 v2] libxml2 CVE-2012-2807
From: Burton, Ross @ 2013-06-21 12:24 UTC
To: jackie.huang; +Cc: openembedded-core

On 21 June 2013 11:06, Burton, Ross <ross.burton@intel.com> wrote:
> On 21 June 2013 03:28, <jackie.huang@windriver.com> wrote:
>> +Upstream-Status: Backport

I'm now going as far as NACKing this. The fact that a 2012 CVE against a package that is under active development hasn't obviously been merged raised a flag, so I spoke with upstream (crazy, I know!).

Basically libxml 2.9.0 introduced a new buffer system, and the patch in Chromium is actually a simplified version of that code. Thus, if we have libxml 2.9.0 onwards we don't need this patch.

Ross
* [PATCH 2/2 v2] Add Upstream-Status for libxml2-CVE-2012-2871.patch 2013-06-21 2:28 [PATCH 0/2 v2] libxml2 CVE-2012-2807 jackie.huang 2013-06-21 2:28 ` [PATCH 1/2 " jackie.huang @ 2013-06-21 2:28 ` jackie.huang 1 sibling, 0 replies; 5+ messages in thread From: jackie.huang @ 2013-06-21 2:28 UTC (permalink / raw) To: openembedded-core From: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> --- .../libxml/libxml2/libxml2-CVE-2012-2871.patch | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch index 3c66a9c..c425142 100644 --- a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch @@ -1,5 +1,7 @@ libxml2 CVE-2012-2871 +Upstream-Status: Backport + the patch come from: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src \ /include/libxml/tree.h?r1=56276&r2=149930 -- 1.7.4.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
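Review bot: The added "Upstream-Status: Backport" line sits directly above "the patch come from:" and a src.chromium.org third_party/libxml URL, so the only origin the header gives is Chromium's copy of the library rather than a libxml2 commit. Cite the libxml2 upstream commit if one exists, or use a status that reflects the Chromium origin. The commit message has no body beyond the Signed-off-by line; one sentence saying why the tag is being added and what it was checked against would help the next reader.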