From 615b7c4af59229a14a52f789ce4692dea1828ba3 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 4 Feb 2020 16:41:47 +0100 Subject: [PATCH] package/libxml2: add upstream security fix for CVE-2020-7595 Fixes CVE-2020-7595: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni --- ...e-loop-in-xmlStringLenDecodeEntities.patch | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 package/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch diff --git a/package/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch b/package/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch new file mode 100644 index 0000000000..a79adc3f85 --- /dev/null +++ b/package/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch @@ -0,0 +1,36 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Fixes CVE-2020-7595: xmlStringLenDecodeEntities in parser.c in libxml2 +2.9.10 has an infinite loop in a certain end-of-file situation. + +Signed-off-by: Zhipeng Xie +Signed-off-by: Peter Korsgaard +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.20.1 + -- 2.30.2