[Buildroot] [PATCH 1/1] libxml2: security bump to version 2.9.3

Thomas Petazzoni thomas.petazzoni at free-electrons.com
Sun Nov 22 12:48:25 UTC 2015


Dear Danomi Manchego,

On Sat, 21 Nov 2015 20:38:28 -0500, Danomi Manchego wrote:
> - Fixes:
>   - CVE-2015-5312 - Another entity expansion issue
>   - CVE-2015-7497 - Avoid a heap buffer overflow in xmlDictComputeFastQKey
>   - CVE-2015-7500 - Fix memory access error due to incorrect entities boundaries
>   - CVE-2015-8242 - Buffer overread with HTML parser in push mode
> 
> - Incorporates upstreamed patches as well, which also fixed:
>   - CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause
>     a denial of service (memory consumption) via crafted XML data, related
>     to an XML Entity Expansion (XEE) attack.
>   - CVE-2015-7941 - out-of-bounds memory access.
>   - CVE-2015-7942 - heap-buffer-overflow in xmlParseConditionalSections.
>   - CVE-2015-8035 - DoS via crafted xz file.
> 
> Signed-off-by: Danomi Manchego <danomimanchego123 at gmail.com>
> ---
>  ...onfig.cmake.in-update-include-directories.patch |  28 ----
>  ...s-use-forward-declarations-only-for-glibc.patch |  52 ------
>  package/libxml2/0003-fix-CVE-2015-1819.patch       | 178 ---------------------
>  package/libxml2/0004-fix-CVE-2015-7941-1.patch     |  34 ----
>  package/libxml2/0005-fix-CVE-2015-7941-2.patch     |  51 ------
>  package/libxml2/0006-fix-CVE-2015-7942-1.patch     |  34 ----
>  package/libxml2/0007-fix-CVE-2015-7942-2.patch     |  30 ----
>  package/libxml2/0008-fix-CVE-2015-8035.patch       |  33 ----
>  package/libxml2/libxml2.hash                       |   2 +-
>  package/libxml2/libxml2.mk                         |   2 +-
>  10 files changed, 2 insertions(+), 442 deletions(-)
>  delete mode 100644 package/libxml2/0001-libxml2-config.cmake.in-update-include-directories.patch
>  delete mode 100644 package/libxml2/0002-threads-use-forward-declarations-only-for-glibc.patch
>  delete mode 100644 package/libxml2/0003-fix-CVE-2015-1819.patch
>  delete mode 100644 package/libxml2/0004-fix-CVE-2015-7941-1.patch
>  delete mode 100644 package/libxml2/0005-fix-CVE-2015-7941-2.patch
>  delete mode 100644 package/libxml2/0006-fix-CVE-2015-7942-1.patch
>  delete mode 100644 package/libxml2/0007-fix-CVE-2015-7942-2.patch
>  delete mode 100644 package/libxml2/0008-fix-CVE-2015-8035.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com