diff options
author | Peter Marko <peter.marko@siemens.com> | 2023-05-07 23:40:12 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-16 06:18:21 -1000 |
commit | 97ffdc15190b68cc07f1198e69f239c62f90c8fe (patch) | |
tree | fa769a12c8328fef52e07a9ad429c69c570ae5ef | |
parent | f668b3ab565180698bc9338baa246b3164ccf5af (diff) | |
download | poky-97ffdc15190b68cc07f1198e69f239c62f90c8fe.tar.gz |
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Backports from:
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
(From OE-Core rev: c0cfcd3945257efd40745e0ebb84495441acb590)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch | 79 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch | 42 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 |
3 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch new file mode 100644 index 0000000000..907f2c4d47 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Fri, 7 Apr 2023 11:46:35 +0200 | ||
4 | Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType | ||
5 | |||
6 | Fix a null pointer dereference when parsing (invalid) XML schemas. | ||
7 | |||
8 | Thanks to Robby Simpson for the report! | ||
9 | |||
10 | Fixes #491. | ||
11 | |||
12 | CVE: CVE-2023-28484 | ||
13 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68] | ||
14 | |||
15 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
16 | --- | ||
17 | result/schemas/issue491_0_0.err | 1 + | ||
18 | test/schemas/issue491_0.xml | 1 + | ||
19 | test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ | ||
20 | xmlschemas.c | 2 +- | ||
21 | 4 files changed, 21 insertions(+), 1 deletion(-) | ||
22 | create mode 100644 result/schemas/issue491_0_0.err | ||
23 | create mode 100644 test/schemas/issue491_0.xml | ||
24 | create mode 100644 test/schemas/issue491_0.xsd | ||
25 | |||
26 | diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err | ||
27 | new file mode 100644 | ||
28 | index 00000000..9b2bb969 | ||
29 | --- /dev/null | ||
30 | +++ b/result/schemas/issue491_0_0.err | ||
31 | @@ -0,0 +1 @@ | ||
32 | +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. | ||
33 | diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml | ||
34 | new file mode 100644 | ||
35 | index 00000000..e2b2fc2e | ||
36 | --- /dev/null | ||
37 | +++ b/test/schemas/issue491_0.xml | ||
38 | @@ -0,0 +1 @@ | ||
39 | +<Child xmlns="http://www.test.com">5</Child> | ||
40 | diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd | ||
41 | new file mode 100644 | ||
42 | index 00000000..81702649 | ||
43 | --- /dev/null | ||
44 | +++ b/test/schemas/issue491_0.xsd | ||
45 | @@ -0,0 +1,18 @@ | ||
46 | +<?xml version='1.0' encoding='UTF-8'?> | ||
47 | +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified"> | ||
48 | + <xs:complexType name="BaseType"> | ||
49 | + <xs:simpleContent> | ||
50 | + <xs:extension base="xs:int" /> | ||
51 | + </xs:simpleContent> | ||
52 | + </xs:complexType> | ||
53 | + <xs:complexType name="ChildType"> | ||
54 | + <xs:complexContent> | ||
55 | + <xs:extension base="BaseType"> | ||
56 | + <xs:sequence> | ||
57 | + <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/> | ||
58 | + </xs:sequence> | ||
59 | + </xs:extension> | ||
60 | + </xs:complexContent> | ||
61 | + </xs:complexType> | ||
62 | + <xs:element name="Child" type="ChildType" /> | ||
63 | +</xs:schema> | ||
64 | diff --git a/xmlschemas.c b/xmlschemas.c | ||
65 | index 6a353858..a4eaf591 100644 | ||
66 | --- a/xmlschemas.c | ||
67 | +++ b/xmlschemas.c | ||
68 | @@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, | ||
69 | "allowed to appear inside other model groups", | ||
70 | NULL, NULL); | ||
71 | |||
72 | - } else if (! dummySequence) { | ||
73 | + } else if ((!dummySequence) && (baseType->subtypes != NULL)) { | ||
74 | xmlSchemaTreeItemPtr effectiveContent = | ||
75 | (xmlSchemaTreeItemPtr) type->subtypes; | ||
76 | /* | ||
77 | -- | ||
78 | GitLab | ||
79 | |||
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch new file mode 100644 index 0000000000..1252668577 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Fri, 7 Apr 2023 11:49:27 +0200 | ||
4 | Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't | ||
5 | deterministic | ||
6 | |||
7 | When hashing empty strings which aren't null-terminated, | ||
8 | xmlDictComputeFastKey could produce inconsistent results. This could | ||
9 | lead to various logic or memory errors, including double frees. | ||
10 | |||
11 | For consistency the seed is also taken into account, but this shouldn't | ||
12 | have an impact on security. | ||
13 | |||
14 | Found by OSS-Fuzz. | ||
15 | |||
16 | Fixes #510. | ||
17 | |||
18 | CVE: CVE-2023-29469 | ||
19 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df] | ||
20 | |||
21 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
22 | --- | ||
23 | dict.c | 3 ++- | ||
24 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
25 | |||
26 | diff --git a/dict.c b/dict.c | ||
27 | index 86c3f6d7..d7fd1a06 100644 | ||
28 | --- a/dict.c | ||
29 | +++ b/dict.c | ||
30 | @@ -451,7 +451,8 @@ static unsigned long | ||
31 | xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { | ||
32 | unsigned long value = seed; | ||
33 | |||
34 | - if (name == NULL) return(0); | ||
35 | + if ((name == NULL) || (namelen <= 0)) | ||
36 | + return(value); | ||
37 | value = *name; | ||
38 | value <<= 5; | ||
39 | if (namelen > 10) { | ||
40 | -- | ||
41 | GitLab | ||
42 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 40e3434ead..034192d64e 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb | |||
@@ -36,6 +36,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te | |||
36 | file://CVE-2016-3709.patch \ | 36 | file://CVE-2016-3709.patch \ |
37 | file://CVE-2022-40303.patch \ | 37 | file://CVE-2022-40303.patch \ |
38 | file://CVE-2022-40304.patch \ | 38 | file://CVE-2022-40304.patch \ |
39 | file://CVE-2023-28484.patch \ | ||
40 | file://CVE-2023-29469.patch \ | ||
39 | " | 41 | " |
40 | 42 | ||
41 | SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813" | 43 | SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813" |