From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail.thorsis.com ([92.198.35.195]) by metis.ext.pengutronix.de with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jEYjF-0001hQ-IQ for ptxdist@pengutronix.de; Wed, 18 Mar 2020 14:27:26 +0100 Received: from localhost (localhost [127.0.0.1]) by mail.thorsis.com (Postfix) with ESMTP id C84624ECF for ; Wed, 18 Mar 2020 14:27:24 +0100 (CET) Received: from mail.thorsis.com ([127.0.0.1]) by localhost (mail.thorsis.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_Elmth6MMvt for ; Wed, 18 Mar 2020 14:27:24 +0100 (CET) Received: from adahl by ada.ifak-system.com with local (Exim 4.89) (envelope-from ) id 1jEYj6-0002mG-FX for ptxdist@pengutronix.de; Wed, 18 Mar 2020 14:27:16 +0100 From: Alexander Dahl Date: Wed, 18 Mar 2020 14:27:15 +0100 Message-Id: <20200318132716.10624-4-ada@thorsis.com> In-Reply-To: <20200318132716.10624-1-ada@thorsis.com> References: <20200318132716.10624-1-ada@thorsis.com> Subject: [ptxdist] [PATCH 3/4] libxml2: Add upstream patch fixing CVE-2020-7595 List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Signed-off-by: Alexander Dahl --- ...e-loop-in-xmlStringLenDecodeEntities.patch | 28 +++++++++++++++++++ patches/libxml2-2.9.10/series | 4 ++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 patches/libxml2-2.9.10/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch diff --git a/patches/libxml2-2.9.10/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch b/patches/libxml2-2.9.10/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch new file mode 100644 index 000000000..59c864731 --- /dev/null 
+++ b/patches/libxml2-2.9.10/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch @@ -0,0 +1,28 @@ +From: Zhipeng Xie +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c319631fc9..a34bb6cdd81b 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { diff --git a/patches/libxml2-2.9.10/series b/patches/libxml2-2.9.10/series index 198075fbf..b8e92fb7a 100644 --- a/patches/libxml2-2.9.10/series +++ b/patches/libxml2-2.9.10/series @@ -1,5 +1,7 @@ # generated by git-ptx-patches #tag:base --start-number 1 +#tag:upstream --start-number 1 +0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch #tag:ptx --start-number 200 0200-xml2-config-is-not-SYSROOT-aware.patch -# 9a7de85eef8cb30919e83bc9b2e42cd9 - git-ptx-patches magic +# 0a9081f5db07b8cbb593bc669a7603c7 - git-ptx-patches magic -- 2.20.1 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
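Review bot: the header of the imported 0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch (its From/Date/Subject lines) records neither the upstream commit it was taken from nor the CVE id, which appears only in the mail subject. Since the series hunk files it under `#tag:upstream`, add an origin reference to the patch description and mention CVE-2020-7595 there, so the file can be matched against upstream and dropped when the libxml2 version is bumped. The ptxdist commit message is also empty apart from the Signed-off-by; one sentence saying that the added `(ctxt->instate != XML_PARSER_EOF)` condition ends the loop in xmlStringLenDecodeEntities once the parser has reached EOF would make the change auditable without opening the patch.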