On 9/9/20 1:11 AM, Ovidiu Panait wrote:
> GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
> vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue
> has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
>
> Reference:
> https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
>
> Upstream patch:
> https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
>
Do we need this on dunfell too ? > Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > --- > .../libxml/libxml2/CVE-2020-24977.patch | 41 +++++++++++++++++++ > meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 + > 2 files changed, 42 insertions(+) > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch > > diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch > b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch > new file mode 100644 > index 0000000000..8224346660 > --- /dev/null > +++ b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch > @@ -0,0 +1,41 @@ > +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 > +From: Nick Wellnhofer <wellnho...@aevum.de> > +Date: Fri, 7 Aug 2020 21:54:27 +0200 > +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' > + > +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds > +array access. > + > +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for > +the report. > + > +Fixes #178. > + > +CVE: CVE-2020-24977 > +Upstream-Status: Backport > [https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + xmllint.c | 6 ++++++ > + 1 file changed, 6 insertions(+) > + > +diff --git a/xmllint.c b/xmllint.c > +index f6a8e463..c647486f 100644 > +--- a/xmllint.c > ++++ b/xmllint.c > +@@ -528,6 +528,12 @@ static void > + xmlHTMLEncodeSend(void) { > + char *result; > + > ++ /* > ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might > ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid > ++ * an out-of-bounds read. > ++ */ > ++ memset(&buffer[sizeof(buffer)-4], 0, 4); > + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); > + if (result) { > + xmlGenericError(xmlGenericErrorContext, "%s", result); > +-- > +2.17.1 > + 
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb > b/meta/recipes-core/libxml/libxml2_2.9.10.bb > index d11b083e8b..90890ffaed 100644 > --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb > +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb > @@ -22,6 +22,7 @@ SRC_URI = > "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ > file://fix-execution-of-ptests.patch \ > file://CVE-2020-7595.patch \ > file://CVE-2019-20388.patch \ > + file://CVE-2020-24977.patch \ > " > > SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" > > > >
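Review bot: The memset added to xmlHTMLEncodeSend() in the embedded xmllint.c hunk clears the last four bytes of buffer unconditionally on every call, so when the buffer is full, valid text in those bytes is dropped from the output along with any truncated sequence; the added comment itself calls this a hack. The change is also confined to the xmllint tool, while the cover text names xmlEncodeEntitiesInternal in entities.c, and the hunk's own comment says xmlEncodeEntitiesReentrant still assumes valid UTF-8. The header of CVE-2020-24977.patch should state that other callers passing truncated UTF-8 to that function are not covered by this backport.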
View/Reply Online (#142336): https://lists.openembedded.org/g/openembedded-core/message/142336