author | Jasper Orschulko <jasper@fancydomain.eu> | 2021-06-21 17:33:22 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-07-02 07:44:59 +0100 |
commit | fbb58d5344a17600264529016e75bbe92480b44f (patch) | |
tree | 1d316af80121d36b8c7597ad5520fbb823fe3f55 | |
parent | 8a496e9eb9f0540cb5c319451413812b7c51caf9 (diff) | |
libxml2: Fix CVE-2021-3518
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Upstream-Status: Backport [from fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
(From OE-Core rev: ef2a81a473e7c36a36facb209ca907a7439d36f2)
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch | 112 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 |
2 files changed, 113 insertions, 0 deletions
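--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+xinclude.c | 24 ++++++++++--------------
+1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+* First phase: lookup the elements in the document
+*/
+cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+while ((cur != NULL) && (cur != tree->parent)) {
+/* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+} else {
+if (cur == tree)
+break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+break; /* do */
+if (cur->next != NULL) {
+cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+break; /* do */
+}
+} while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+xinclude.c | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+xmlXIncludePreProcessNode(ctxt, cur);
+} else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+cur = cur->children;
+continue;
+}
+--
+2.32.0
+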
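Review bot: The second embedded patch (`[PATCH 2/2] Fix user-after-free with xmllint --xinclude --dropdtd`) carries a bare `Upstream-Status: Backport` with no reference to the upstream libxml2 commit it was taken from, whereas patch 1/2 records both the Red Hat bug and the upstream id 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 it was adapted from. The `From 3ad5ac1e…` hash at the top of patch 2/2 is presumably a local format-patch id rather than the upstream one (patch 1/2's `From ac82a514…` likewise differs from its stated upstream id), so a reader cannot verify the backport against the fixed upstream tree or confirm that the libxml2 2.9.11 fix for CVE-2021-3518 is fully covered by these two hunks. Change that line to `Upstream-Status: Backport [<upstream-commit-url, placeholder>]` with the real reference filled in. Both xinclude.c hunks are excerpts of xmlXIncludeDoProcess whose traversal loop starts and ends outside them; note that patch 1/2 is explicitly a modified backport (test fallback-file changes dropped), which is the usual reason OE reviewers ask for the upstream pointer to be kept precise.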
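--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
 file://CVE-2020-24977.patch \
 file://CVE-2021-3517.patch \
 file://CVE-2021-3537.patch \
+file://CVE-2021-3518.patch \
 "
 
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"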