libxml2: Fix CVE-2022-23308

The first patch is the fix in version 2.9.13. The second patch was added later and fixes a regression introduced by the first. (From OE-Core rev: 38e97e67f053cc7b86dd487d8e65b9e68237c73b) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2022-03-24 08:32:57 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-04-03 20:49:03 +0100
commit: eb28aafdc9b5872d4f3a06fd611583a1b4252d84 (patch)
tree: 94db5e378673be70213d26f2f582b4b288feb7c1
parent: d6dfaada89d0ae6200843e5202c25a3e8d6dee5a (diff)
download: poky-eb28aafdc9b5872d4f3a06fd611583a1b4252d84.tar.gz
3 files changed, 310 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
new file mode 100644
index 0000000000..eefecb9adb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,99 @@
+From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 22 Feb 2022 11:51:08 +0100
+Subject: [PATCH] Fix --without-valid build
+Regressed in commit 652dd12a.
+---
+ valid.c | 58 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+---
+From https://github.com/GNOME/libxml2.git
+ commit 646fe48d1c8a74310c409ddf81fe7df6700052af
+CVE: CVE-2022-23308
+Upstream-status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/valid.c b/valid.c
+index 8e596f1d..9684683a 100644
+--- a/valid.c
+++ b/valid.c
+@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+     return (ret);
+ }
+ 
+-/**
+- * xmlValidNormalizeString:
+- * @str: a string
+- *
+- * Normalize a string in-place.
+- */
+-static void
+-xmlValidNormalizeString(xmlChar *str) {
+-    xmlChar *dst;
+-    const xmlChar *src;
+-
+-    if (str == NULL)
+-        return;
+-    src = str;
+-    dst = str;
+-
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-       if (*src == 0x20) {
+-           while (*src == 0x20) src++;
+-           if (*src != 0)
+-               *dst++ = 0x20;
+-       } else {
+-           *dst++ = *src++;
+-       }
+-    }
+-    *dst = 0;
+-}
+-
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+            (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))  \
+            xmlFree((char *)(str));
+ 
+/**
+ * xmlValidNormalizeString:
+ * @str: a string
+ *
+ * Normalize a string in-place.
+ */
+static void
+xmlValidNormalizeString(xmlChar *str) {
+    xmlChar *dst;
+    const xmlChar *src;
+
+    if (str == NULL)
+        return;
+    src = str;
+    dst = str;
+
+    while (*src == 0x20) src++;
+    while (*src != 0) {
+       if (*src == 0x20) {
+           while (*src == 0x20) src++;
+           if (*src != 0)
+               *dst++ = 0x20;
+       } else {
+           *dst++ = *src++;
+       }
+    }
+    *dst = 0;
+}
+
+ static int
+ xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+     xmlParserCtxtPtr pctxt;
+-- 
+2.35.1
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
new file mode 100644
index 0000000000..708a98b45a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,209 @@
+From 652dd12a858989b14eed4e84e453059cd3ba340e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 03:29:24 +0100
+Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
+If a document is parsed with XML_PARSE_DTDVALID and without
+XML_PARSE_NOENT, the value of ID attributes has to be normalized after
+potentially expanding entities in xmlRemoveID. Otherwise, later calls
+to xmlGetID can return a pointer to previously freed memory.
+ID attributes which are empty or contain only whitespace after
+entity expansion are affected in a similar way. This is fixed by
+not storing such attributes in the ID table.
+The test to detect streaming mode when validating against a DTD was
+broken. In connection with the defects above, this could result in a
+use-after-free when using the xmlReader interface with validation.
+Fix detection of streaming mode to avoid similar issues. (This changes
+the expected result of a test case. But as far as I can tell, using the
+XML reader with XIncludes referencing the root document never worked
+properly, anyway.)
+All of these issues can result in denial of service. Using xmlReader
+with validation could result in disclosure of memory via the error
+channel, typically stderr. The security impact of xmlGetID returning
+a pointer to freed memory depends on the application. The typical use
+case of calling xmlGetID on an unmodified document is not affected.
+---
+ result/XInclude/ns1.xml.rdr |  2 +-
+ valid.c                     | 88 +++++++++++++++++++++++--------------
+ 2 files changed, 56 insertions(+), 34 deletions(-)
+ ---
+ 
+From https://github.com/GNOME/libxml2.git
+ commit 652dd12a858989b14eed4e84e453059cd3ba340e
+Remove patch to ns1.xml.rdr which does not exist in version 2.9.10.
+CVE: CVE-2022-23308
+Upstream-status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/valid.c b/valid.c
+index 5ee391c0..8e596f1d 100644
+--- a/valid.c
+++ b/valid.c
+@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+     return (ret);
+ }
+ 
+/**
+ * xmlValidNormalizeString:
+ * @str: a string
+ *
+ * Normalize a string in-place.
+ */
+static void
+xmlValidNormalizeString(xmlChar *str) {
+    xmlChar *dst;
+    const xmlChar *src;
+
+    if (str == NULL)
+        return;
+    src = str;
+    dst = str;
+
+    while (*src == 0x20) src++;
+    while (*src != 0) {
+       if (*src == 0x20) {
+           while (*src == 0x20) src++;
+           if (*src != 0)
+               *dst++ = 0x20;
+       } else {
+           *dst++ = *src++;
+       }
+    }
+    *dst = 0;
+}
+
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+            (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))  \
+            xmlFree((char *)(str));
+ 
+static int
+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+    xmlParserCtxtPtr pctxt;
+
+    if (ctxt == NULL)
+        return(0);
+    /*
+     * These magic values are also abused to detect whether we're validating
+     * while parsing a document. In this case, userData points to the parser
+     * context.
+     */
+    if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
+        (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
+        return(0);
+    pctxt = ctxt->userData;
+    return(pctxt->parseMode == XML_PARSE_READER);
+}
+
+ /**
+  * xmlFreeID:
+  * @not:  A id
+@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+     if (doc == NULL) {
+        return(NULL);
+     }
+-    if (value == NULL) {
+    if ((value == NULL) || (value[0] == 0)) {
+        return(NULL);
+     }
+     if (attr == NULL) {
+@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+      */
+     ret->value = xmlStrdup(value);
+     ret->doc = doc;
+-    if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
+    if (xmlIsStreaming(ctxt)) {
+        /*
+         * Operating in streaming mode, attr is gonna disappear
+         */
+@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+     ID = xmlNodeListGetString(doc, attr->children, 1);
+     if (ID == NULL)
+         return(-1);
+    xmlValidNormalizeString(ID);
+ 
+     id = xmlHashLookup(table, ID);
+     if (id == NULL || id->attr != attr) {
+@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+      * fill the structure.
+      */
+     ret->value = xmlStrdup(value);
+-    if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
+    if (xmlIsStreaming(ctxt)) {
+        /*
+         * Operating in streaming mode, attr is gonna disappear
+         */
+@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+             xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
+-    xmlChar *ret, *dst;
+-    const xmlChar *src;
+    xmlChar *ret;
+     xmlAttributePtr attrDecl = NULL;
+     int extsubset = 0;
+ 
+@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     ret = xmlStrdup(value);
+     if (ret == NULL)
+        return(NULL);
+-    src = value;
+-    dst = ret;
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-       if (*src == 0x20) {
+-           while (*src == 0x20) src++;
+-           if (*src != 0)
+-               *dst++ = 0x20;
+-       } else {
+-           *dst++ = *src++;
+-       }
+-    }
+-    *dst = 0;
+    xmlValidNormalizeString(ret);
+     if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
+        xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
+ "standalone: %s on %s value had to be normalized based on external subset declaration\n",
+@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+                                const xmlChar *name, const xmlChar *value) {
+-    xmlChar *ret, *dst;
+-    const xmlChar *src;
+    xmlChar *ret;
+     xmlAttributePtr attrDecl = NULL;
+ 
+     if (doc == NULL) return(NULL);
+@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+     ret = xmlStrdup(value);
+     if (ret == NULL)
+        return(NULL);
+-    src = value;
+-    dst = ret;
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-       if (*src == 0x20) {
+-           while (*src == 0x20) src++;
+-           if (*src != 0)
+-               *dst++ = 0x20;
+-       } else {
+-           *dst++ = *src++;
+-       }
+-    }
+-    *dst = 0;
+    xmlValidNormalizeString(ret);
+     return(ret);
+ }
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index cabf911816..778312f662 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -30,6 +30,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2021-3518-0002.patch \
           file://CVE-2021-3537.patch \
           file://CVE-2021-3541.patch \
+           file://CVE-2022-23308.patch \
+           file://CVE-2022-23308-fix-regression.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
author	Joe Slater <joe.slater@windriver.com>	2022-03-24 08:32:57 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-04-03 20:49:03 +0100
commit	eb28aafdc9b5872d4f3a06fd611583a1b4252d84 (patch)
tree	94db5e378673be70213d26f2f582b4b288feb7c1
parent	d6dfaada89d0ae6200843e5202c25a3e8d6dee5a (diff)
download	poky-eb28aafdc9b5872d4f3a06fd611583a1b4252d84.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch new file mode 100644 index 0000000000..eefecb9adb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,99 @@
		1	From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 22 Feb 2022 11:51:08 +0100
		4	Subject: [PATCH] Fix --without-valid build
		5
		6	Regressed in commit 652dd12a.
		7	---
		8	valid.c \| 58 ++++++++++++++++++++++++++++-----------------------------
		9	1 file changed, 29 insertions(+), 29 deletions(-)
		10	---
		11
		12	From https://github.com/GNOME/libxml2.git
		13	commit 646fe48d1c8a74310c409ddf81fe7df6700052af
		14
		15	CVE: CVE-2022-23308
		16	Upstream-status: Backport
		17
		18	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		19
		20
		21	diff --git a/valid.c b/valid.c
		22	index 8e596f1d..9684683a 100644
		23	--- a/valid.c
		24	+++ b/valid.c
		25	@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
		26	return (ret);
		27	}
		28
		29	-/**
		30	- * xmlValidNormalizeString:
		31	- * @str: a string
		32	- *
		33	- * Normalize a string in-place.
		34	- */
		35	-static void
		36	-xmlValidNormalizeString(xmlChar *str) {
		37	- xmlChar *dst;
		38	- const xmlChar *src;
		39	-
		40	- if (str == NULL)
		41	- return;
		42	- src = str;
		43	- dst = str;
		44	-
		45	- while (*src == 0x20) src++;
		46	- while (*src != 0) {
		47	- if (*src == 0x20) {
		48	- while (*src == 0x20) src++;
		49	- if (*src != 0)
		50	- *dst++ = 0x20;
		51	- } else {
		52	- dst++ = src++;
		53	- }
		54	- }
		55	- *dst = 0;
		56	-}
		57	-
		58	#ifdef DEBUG_VALID_ALGO
		59	static void
		60	xmlValidPrintNode(xmlNodePtr cur) {
		61	@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
		62	(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
		63	xmlFree((char *)(str));
		64
		65	+/**
		66	+ * xmlValidNormalizeString:
		67	+ * @str: a string
		68	+ *
		69	+ * Normalize a string in-place.
		70	+ */
		71	+static void
		72	+xmlValidNormalizeString(xmlChar *str) {
		73	+ xmlChar *dst;
		74	+ const xmlChar *src;
		75	+
		76	+ if (str == NULL)
		77	+ return;
		78	+ src = str;
		79	+ dst = str;
		80	+
		81	+ while (*src == 0x20) src++;
		82	+ while (*src != 0) {
		83	+ if (*src == 0x20) {
		84	+ while (*src == 0x20) src++;
		85	+ if (*src != 0)
		86	+ *dst++ = 0x20;
		87	+ } else {
		88	+ dst++ = src++;
		89	+ }
		90	+ }
		91	+ *dst = 0;
		92	+}
		93	+
		94	static int
		95	xmlIsStreaming(xmlValidCtxtPtr ctxt) {
		96	xmlParserCtxtPtr pctxt;
		97	--
		98	2.35.1
		99


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch new file mode 100644 index 0000000000..708a98b45a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,209 @@
		1	From 652dd12a858989b14eed4e84e453059cd3ba340e Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 8 Feb 2022 03:29:24 +0100
		4	Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
		5
		6	If a document is parsed with XML_PARSE_DTDVALID and without
		7	XML_PARSE_NOENT, the value of ID attributes has to be normalized after
		8	potentially expanding entities in xmlRemoveID. Otherwise, later calls
		9	to xmlGetID can return a pointer to previously freed memory.
		10
		11	ID attributes which are empty or contain only whitespace after
		12	entity expansion are affected in a similar way. This is fixed by
		13	not storing such attributes in the ID table.
		14
		15	The test to detect streaming mode when validating against a DTD was
		16	broken. In connection with the defects above, this could result in a
		17	use-after-free when using the xmlReader interface with validation.
		18	Fix detection of streaming mode to avoid similar issues. (This changes
		19	the expected result of a test case. But as far as I can tell, using the
		20	XML reader with XIncludes referencing the root document never worked
		21	properly, anyway.)
		22
		23	All of these issues can result in denial of service. Using xmlReader
		24	with validation could result in disclosure of memory via the error
		25	channel, typically stderr. The security impact of xmlGetID returning
		26	a pointer to freed memory depends on the application. The typical use
		27	case of calling xmlGetID on an unmodified document is not affected.
		28	---
		29	result/XInclude/ns1.xml.rdr \| 2 +-
		30	valid.c \| 88 +++++++++++++++++++++++--------------
		31	2 files changed, 56 insertions(+), 34 deletions(-)
		32	---
		33
		34	From https://github.com/GNOME/libxml2.git
		35	commit 652dd12a858989b14eed4e84e453059cd3ba340e
		36
		37	Remove patch to ns1.xml.rdr which does not exist in version 2.9.10.
		38
		39	CVE: CVE-2022-23308
		40	Upstream-status: Backport
		41
		42	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		43
		44
		45	diff --git a/valid.c b/valid.c
		46	index 5ee391c0..8e596f1d 100644
		47	--- a/valid.c
		48	+++ b/valid.c
		49	@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
		50	return (ret);
		51	}
		52
		53	+/**
		54	+ * xmlValidNormalizeString:
		55	+ * @str: a string
		56	+ *
		57	+ * Normalize a string in-place.
		58	+ */
		59	+static void
		60	+xmlValidNormalizeString(xmlChar *str) {
		61	+ xmlChar *dst;
		62	+ const xmlChar *src;
		63	+
		64	+ if (str == NULL)
		65	+ return;
		66	+ src = str;
		67	+ dst = str;
		68	+
		69	+ while (*src == 0x20) src++;
		70	+ while (*src != 0) {
		71	+ if (*src == 0x20) {
		72	+ while (*src == 0x20) src++;
		73	+ if (*src != 0)
		74	+ *dst++ = 0x20;
		75	+ } else {
		76	+ dst++ = src++;
		77	+ }
		78	+ }
		79	+ *dst = 0;
		80	+}
		81	+
		82	#ifdef DEBUG_VALID_ALGO
		83	static void
		84	xmlValidPrintNode(xmlNodePtr cur) {
		85	@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
		86	(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
		87	xmlFree((char *)(str));
		88
		89	+static int
		90	+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
		91	+ xmlParserCtxtPtr pctxt;
		92	+
		93	+ if (ctxt == NULL)
		94	+ return(0);
		95	+ /*
		96	+ * These magic values are also abused to detect whether we're validating
		97	+ * while parsing a document. In this case, userData points to the parser
		98	+ * context.
		99	+ */
		100	+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
		101	+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
		102	+ return(0);
		103	+ pctxt = ctxt->userData;
		104	+ return(pctxt->parseMode == XML_PARSE_READER);
		105	+}
		106	+
		107	/**
		108	* xmlFreeID:
		109	* @not: A id
		110	@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
		111	if (doc == NULL) {
		112	return(NULL);
		113	}
		114	- if (value == NULL) {
		115	+ if ((value == NULL) \|\| (value[0] == 0)) {
		116	return(NULL);
		117	}
		118	if (attr == NULL) {
		119	@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
		120	*/
		121	ret->value = xmlStrdup(value);
		122	ret->doc = doc;
		123	- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
		124	+ if (xmlIsStreaming(ctxt)) {
		125	/*
		126	* Operating in streaming mode, attr is gonna disappear
		127	*/
		128	@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
		129	ID = xmlNodeListGetString(doc, attr->children, 1);
		130	if (ID == NULL)
		131	return(-1);
		132	+ xmlValidNormalizeString(ID);
		133
		134	id = xmlHashLookup(table, ID);
		135	if (id == NULL \|\| id->attr != attr) {
		136	@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
		137	* fill the structure.
		138	*/
		139	ret->value = xmlStrdup(value);
		140	- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
		141	+ if (xmlIsStreaming(ctxt)) {
		142	/*
		143	* Operating in streaming mode, attr is gonna disappear
		144	*/
		145	@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
		146	xmlChar *
		147	xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
		148	xmlNodePtr elem, const xmlChar name, const xmlChar value) {
		149	- xmlChar ret, dst;
		150	- const xmlChar *src;
		151	+ xmlChar *ret;
		152	xmlAttributePtr attrDecl = NULL;
		153	int extsubset = 0;
		154
		155	@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
		156	ret = xmlStrdup(value);
		157	if (ret == NULL)
		158	return(NULL);
		159	- src = value;
		160	- dst = ret;
		161	- while (*src == 0x20) src++;
		162	- while (*src != 0) {
		163	- if (*src == 0x20) {
		164	- while (*src == 0x20) src++;
		165	- if (*src != 0)
		166	- *dst++ = 0x20;
		167	- } else {
		168	- dst++ = src++;
		169	- }
		170	- }
		171	- *dst = 0;
		172	+ xmlValidNormalizeString(ret);
		173	if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
		174	xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
		175	"standalone: %s on %s value had to be normalized based on external subset declaration\n",
		176	@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
		177	xmlChar *
		178	xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
		179	const xmlChar name, const xmlChar value) {
		180	- xmlChar ret, dst;
		181	- const xmlChar *src;
		182	+ xmlChar *ret;
		183	xmlAttributePtr attrDecl = NULL;
		184
		185	if (doc == NULL) return(NULL);
		186	@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
		187	ret = xmlStrdup(value);
		188	if (ret == NULL)
		189	return(NULL);
		190	- src = value;
		191	- dst = ret;
		192	- while (*src == 0x20) src++;
		193	- while (*src != 0) {
		194	- if (*src == 0x20) {
		195	- while (*src == 0x20) src++;
		196	- if (*src != 0)
		197	- *dst++ = 0x20;
		198	- } else {
		199	- dst++ = src++;
		200	- }
		201	- }
		202	- *dst = 0;
		203	+ xmlValidNormalizeString(ret);
		204	return(ret);
		205	}
		206
		207	--
		208	2.25.1
		209


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index cabf911816..778312f662 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -30,6 +30,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
30	file://CVE-2021-3518-0002.patch \	30	file://CVE-2021-3518-0002.patch \
31	file://CVE-2021-3537.patch \	31	file://CVE-2021-3537.patch \
32	file://CVE-2021-3541.patch \	32	file://CVE-2021-3541.patch \
		33	file://CVE-2022-23308.patch \
		34	file://CVE-2022-23308-fix-regression.patch \
33	"	35	"
34		36
35	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	37	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"