xerces: add upstream security fix

CVE-2017-12627: dereference of a NULL pointer while processing the path to the DTD. xerces 3.2.1 includes this patch. But this version also added AC_RUN_IFELSE to its configure script, making cross compilation harder. Switching to cmake is also problematic since the minimum required cmake version is 3.2.0. The host dependencies check currently allows minimum cmake version 3.1. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-26 23:23:02 +03:00 · 2018-03-26 23:23:02 +03:00 · 142c8cc8d5
commit 142c8cc8d5
parent 46680c9dc1
1 changed files with 22 additions and 0 deletions
--- a/package/xerces/0001-fix-CVE-2017-12627.patch
+++ b/package/xerces/0001-fix-CVE-2017-12627.patch
@ -0,0 +1,22 @@
+XMLString: Don't call catString if relativePath is null
+
+https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+
+Upstream status: svn revision 1819998
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+
+--- trunk/src/xercesc/util/PlatformUtils.cpp	2018/01/03 18:58:30	1819997
+++ trunk/src/xercesc/util/PlatformUtils.cpp	2018/01/03 18:59:30	1819998
+@@ -920,7 +920,10 @@
+ 
+     XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager);
+     tmpBuf[basePtr - basePath + 1] = 0;
+-    XMLString::catString(tmpBuf, relativePath);
+    if (relativePath)
+    {
+        XMLString::catString(tmpBuf, relativePath);
+    }
+ 
+     removeDotSlash(tmpBuf, manager);
+