libxml2: Fix CVE-2021-3518

This patch fixes CVE-2021-3518. The fix for the CVE is the following 3 lines in 1098c30a: - (cur->children->type != XML_ENTITY_DECL) && - (cur->children->type != XML_XINCLUDE_START) && - (cur->children->type != XML_XINCLUDE_END)) { + ((cur->type == XML_DOCUMENT_NODE) || + (cur->type == XML_ELEMENT_NODE))) { This relies on an updated version of xinclude.c from upstream which also adds several new tests. Those changes are brought in first so that the CVE patch can be applied cleanly. The first patch updates xinclude.c and adds the new tests from upstream, and the second applies the fix for the CVE. CVE: CVE-2021-3518 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7] (From OE-Core rev: 6c59d33ee158129d5c0cca3cce65824f9bc4e7e3) Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Tony Tascioglu <tony.tascioglu@windriver.com> 2021-05-20 17:45:40 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-30 08:19:35 +0100
commit: ad30955575ccfcb07db11e7d42b5500c605aacbc (patch)
tree: 64f296482c4f26cbd60402b04a896636f764014c
parent: fd33741e279702d8498fce47450cb1ea275e5e6b (diff)
download: poky-ad30955575ccfcb07db11e7d42b5500c605aacbc.tar.gz
3 files changed, 263 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
new file mode 100644
index 0000000000..3d4d3a0237
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
@@ -0,0 +1,216 @@
+From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+Found with libFuzzer and ASan.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f9817c75b50a77c6aeb8f36801966fdadad229a]
+CVE: CVE-2021-3518
+This patch brings in the necessary files to allow the 2nd patch that fixes the CVE to be applied.
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ result/XInclude/fallback3.xml     |  8 ++++++++
+ result/XInclude/fallback3.xml.err |  0
+ result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
+ result/XInclude/fallback4.xml     | 10 ++++++++++
+ result/XInclude/fallback4.xml.err |  0
+ result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
+ test/XInclude/docs/fallback3.xml  |  9 +++++++++
+ test/XInclude/docs/fallback4.xml  |  7 +++++++
+ xinclude.c                        | 24 ++++++++++--------------
+ 9 files changed, 98 insertions(+), 14 deletions(-)
+ create mode 100644 result/XInclude/fallback3.xml
+ create mode 100644 result/XInclude/fallback3.xml.err
+ create mode 100644 result/XInclude/fallback3.xml.rdr
+ create mode 100644 result/XInclude/fallback4.xml
+ create mode 100644 result/XInclude/fallback4.xml.err
+ create mode 100644 result/XInclude/fallback4.xml.rdr
+ create mode 100644 test/XInclude/docs/fallback3.xml
+ create mode 100644 test/XInclude/docs/fallback4.xml
+diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
+new file mode 100644
+index 0000000..b423551
+--- /dev/null
+++ b/result/XInclude/fallback3.xml
+@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<a>
+    <doc xml:base="../ents/something.xml">
+<p>something</p>
+<p>really</p>
+<p>simple</p>
+</doc>
+</a>
+diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
+new file mode 100644
+index 0000000..aa2f137
+--- /dev/null
+++ b/result/XInclude/fallback3.xml.rdr
+@@ -0,0 +1,25 @@
+0 1 a 0 0
+1 14 #text 0 1 
+    
+1 1 doc 0 0
+2 14 #text 0 1 
+
+2 1 p 0 0
+3 3 #text 0 1 something
+2 15 p 0 0
+2 14 #text 0 1 
+
+2 1 p 0 0
+3 3 #text 0 1 really
+2 15 p 0 0
+2 14 #text 0 1 
+
+2 1 p 0 0
+3 3 #text 0 1 simple
+2 15 p 0 0
+2 14 #text 0 1 
+
+1 15 doc 0 0
+1 14 #text 0 1 
+
+0 15 a 0 0
+diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
+new file mode 100644
+index 0000000..9883fd5
+--- /dev/null
+++ b/result/XInclude/fallback4.xml
+@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<a>
+    
+            <doc xml:base="../ents/something.xml">
+<p>something</p>
+<p>really</p>
+<p>simple</p>
+</doc>
+        
+</a>
+diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
+new file mode 100644
+index 0000000..628b951
+--- /dev/null
+++ b/result/XInclude/fallback4.xml.rdr
+@@ -0,0 +1,29 @@
+0 1 a 0 0
+1 14 #text 0 1 
+    
+1 14 #text 0 1 
+            
+1 1 doc 0 0
+2 14 #text 0 1 
+
+2 1 p 0 0
+3 3 #text 0 1 something
+2 15 p 0 0
+2 14 #text 0 1 
+
+2 1 p 0 0
+3 3 #text 0 1 really
+2 15 p 0 0
+2 14 #text 0 1 
+
+2 1 p 0 0
+3 3 #text 0 1 simple
+2 15 p 0 0
+2 14 #text 0 1 
+
+1 15 doc 0 0
+1 14 #text 0 1 
+        
+1 14 #text 0 1 
+
+0 15 a 0 0
+diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
+new file mode 100644
+index 0000000..0c8b6c9
+--- /dev/null
+++ b/test/XInclude/docs/fallback3.xml
+@@ -0,0 +1,9 @@
+<a>
+    <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+        <xi:fallback>
+            <xi:include href="c.xml">
+                <xi:fallback>There is no c.xml ... </xi:fallback>
+            </xi:include>
+        </xi:fallback>
+    </xi:include>
+</a>
+diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
+new file mode 100644
+index 0000000..b500a63
+--- /dev/null
+++ b/test/XInclude/docs/fallback4.xml
+@@ -0,0 +1,7 @@
+<a>
+    <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+        <xi:fallback>
+            <xi:include href="../ents/something.xml"/>
+        </xi:fallback>
+    </xi:include>
+</a>
+diff --git a/xinclude.c b/xinclude.c
+index 001e992..6ec5d31 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2382,21 +2382,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+      * First phase: lookup the elements in the document
+      */
+     cur = tree;
+-    if (xmlXIncludeTestNode(ctxt, cur) == 1)
+-       xmlXIncludePreProcessNode(ctxt, cur);
+     while ((cur != NULL) && (cur != tree->parent)) {
+        /* TODO: need to work on entities -> stack */
+-       if ((cur->children != NULL) &&
+-           (cur->children->type != XML_ENTITY_DECL) &&
+-           (cur->children->type != XML_XINCLUDE_START) &&
+-           (cur->children->type != XML_XINCLUDE_END)) {
+-           cur = cur->children;
+-           if (xmlXIncludeTestNode(ctxt, cur))
+-               xmlXIncludePreProcessNode(ctxt, cur);
+-       } else if (cur->next != NULL) {
+        if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+            xmlXIncludePreProcessNode(ctxt, cur);
+        } else if ((cur->children != NULL) &&
+                   (cur->children->type != XML_ENTITY_DECL) &&
+                   (cur->children->type != XML_XINCLUDE_START) &&
+                   (cur->children->type != XML_XINCLUDE_END)) {
+            cur = cur->children;
+            continue;
+        }
+       if (cur->next != NULL) {
+            cur = cur->next;
+-           if (xmlXIncludeTestNode(ctxt, cur))
+-               xmlXIncludePreProcessNode(ctxt, cur);
+        } else {
+            if (cur == tree)
+                break;
+@@ -2406,8 +2404,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+                    break; /* do */
+                if (cur->next != NULL) {
+                    cur = cur->next;
+-                   if (xmlXIncludeTestNode(ctxt, cur))
+-                       xmlXIncludePreProcessNode(ctxt, cur);
+                    break; /* do */
+                }
+            } while (cur != NULL);
+-- 
+2.23.0
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
new file mode 100644
index 0000000000..de5fc0e8cb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+Fixes #237.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
+CVE: CVE-2021-3518
+[OP: adjusted context]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/xinclude.c b/xinclude.c
+index 6ec5d31..b8eebcc 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+         if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+             xmlXIncludePreProcessNode(ctxt, cur);
+         } else if ((cur->children != NULL) &&
+-                   (cur->children->type != XML_ENTITY_DECL) &&
+-                   (cur->children->type != XML_XINCLUDE_START) &&
+-                   (cur->children->type != XML_XINCLUDE_END)) {
+                   ((cur->type == XML_DOCUMENT_NODE) ||
+                    (cur->type == XML_ELEMENT_NODE))) {
+             cur = cur->children;
+             continue;
+         }
+-- 
+2.23.0
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index b850164285..a9bff74b55 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://fix-python39.patch \
           file://CVE-2021-3517.patch \
           file://CVE-2021-3516.patch \
+           file://CVE-2021-3518-0001.patch \
+           file://CVE-2021-3518-0002.patch \
           file://CVE-2021-3537.patch \
           "
author	Tony Tascioglu <tony.tascioglu@windriver.com>	2021-05-20 17:45:40 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-30 08:19:35 +0100
commit	ad30955575ccfcb07db11e7d42b5500c605aacbc (patch)
tree	64f296482c4f26cbd60402b04a896636f764014c
parent	fd33741e279702d8498fce47450cb1ea275e5e6b (diff)
download	poky-ad30955575ccfcb07db11e7d42b5500c605aacbc.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch new file mode 100644 index 0000000000..3d4d3a0237 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
@@ -0,0 +1,216 @@
		1	From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 10 Jun 2020 16:34:52 +0200
		4	Subject: [PATCH 1/2] Don't recurse into xi:include children in
		5	xmlXIncludeDoProcess
		6
		7	Otherwise, nested xi:include nodes might result in a use-after-free
		8	if XML_PARSE_NOXINCNODE is specified.
		9
		10	Found with libFuzzer and ASan.
		11
		12	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f9817c75b50a77c6aeb8f36801966fdadad229a]
		13	CVE: CVE-2021-3518
		14
		15	This patch brings in the necessary files to allow the 2nd patch that fixes the CVE to be applied.
		16
		17	Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
		18	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		19	---
		20	result/XInclude/fallback3.xml \| 8 ++++++++
		21	result/XInclude/fallback3.xml.err \| 0
		22	result/XInclude/fallback3.xml.rdr \| 25 +++++++++++++++++++++++++
		23	result/XInclude/fallback4.xml \| 10 ++++++++++
		24	result/XInclude/fallback4.xml.err \| 0
		25	result/XInclude/fallback4.xml.rdr \| 29 +++++++++++++++++++++++++++++
		26	test/XInclude/docs/fallback3.xml \| 9 +++++++++
		27	test/XInclude/docs/fallback4.xml \| 7 +++++++
		28	xinclude.c \| 24 ++++++++++--------------
		29	9 files changed, 98 insertions(+), 14 deletions(-)
		30	create mode 100644 result/XInclude/fallback3.xml
		31	create mode 100644 result/XInclude/fallback3.xml.err
		32	create mode 100644 result/XInclude/fallback3.xml.rdr
		33	create mode 100644 result/XInclude/fallback4.xml
		34	create mode 100644 result/XInclude/fallback4.xml.err
		35	create mode 100644 result/XInclude/fallback4.xml.rdr
		36	create mode 100644 test/XInclude/docs/fallback3.xml
		37	create mode 100644 test/XInclude/docs/fallback4.xml
		38
		39	diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
		40	new file mode 100644
		41	index 0000000..b423551
		42	--- /dev/null
		43	+++ b/result/XInclude/fallback3.xml
		44	@@ -0,0 +1,8 @@
		45	+<?xml version="1.0"?>
		46	+<a>
		47	+ <doc xml:base="../ents/something.xml">
		48	+<p>something</p>
		49	+<p>really</p>
		50	+<p>simple</p>
		51	+</doc>
		52	+</a>
		53	diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
		54	new file mode 100644
		55	index 0000000..e69de29
		56	diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
		57	new file mode 100644
		58	index 0000000..aa2f137
		59	--- /dev/null
		60	+++ b/result/XInclude/fallback3.xml.rdr
		61	@@ -0,0 +1,25 @@
		62	+0 1 a 0 0
		63	+1 14 #text 0 1
		64	+
		65	+1 1 doc 0 0
		66	+2 14 #text 0 1
		67	+
		68	+2 1 p 0 0
		69	+3 3 #text 0 1 something
		70	+2 15 p 0 0
		71	+2 14 #text 0 1
		72	+
		73	+2 1 p 0 0
		74	+3 3 #text 0 1 really
		75	+2 15 p 0 0
		76	+2 14 #text 0 1
		77	+
		78	+2 1 p 0 0
		79	+3 3 #text 0 1 simple
		80	+2 15 p 0 0
		81	+2 14 #text 0 1
		82	+
		83	+1 15 doc 0 0
		84	+1 14 #text 0 1
		85	+
		86	+0 15 a 0 0
		87	diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
		88	new file mode 100644
		89	index 0000000..9883fd5
		90	--- /dev/null
		91	+++ b/result/XInclude/fallback4.xml
		92	@@ -0,0 +1,10 @@
		93	+<?xml version="1.0"?>
		94	+<a>
		95	+
		96	+ <doc xml:base="../ents/something.xml">
		97	+<p>something</p>
		98	+<p>really</p>
		99	+<p>simple</p>
		100	+</doc>
		101	+
		102	+</a>
		103	diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
		104	new file mode 100644
		105	index 0000000..e69de29
		106	diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
		107	new file mode 100644
		108	index 0000000..628b951
		109	--- /dev/null
		110	+++ b/result/XInclude/fallback4.xml.rdr
		111	@@ -0,0 +1,29 @@
		112	+0 1 a 0 0
		113	+1 14 #text 0 1
		114	+
		115	+1 14 #text 0 1
		116	+
		117	+1 1 doc 0 0
		118	+2 14 #text 0 1
		119	+
		120	+2 1 p 0 0
		121	+3 3 #text 0 1 something
		122	+2 15 p 0 0
		123	+2 14 #text 0 1
		124	+
		125	+2 1 p 0 0
		126	+3 3 #text 0 1 really
		127	+2 15 p 0 0
		128	+2 14 #text 0 1
		129	+
		130	+2 1 p 0 0
		131	+3 3 #text 0 1 simple
		132	+2 15 p 0 0
		133	+2 14 #text 0 1
		134	+
		135	+1 15 doc 0 0
		136	+1 14 #text 0 1
		137	+
		138	+1 14 #text 0 1
		139	+
		140	+0 15 a 0 0
		141	diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
		142	new file mode 100644
		143	index 0000000..0c8b6c9
		144	--- /dev/null
		145	+++ b/test/XInclude/docs/fallback3.xml
		146	@@ -0,0 +1,9 @@
		147	+<a>
		148	+ <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
		149	+ <xi:fallback>
		150	+ <xi:include href="c.xml">
		151	+ <xi:fallback>There is no c.xml ... </xi:fallback>
		152	+ </xi:include>
		153	+ </xi:fallback>
		154	+ </xi:include>
		155	+</a>
		156	diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
		157	new file mode 100644
		158	index 0000000..b500a63
		159	--- /dev/null
		160	+++ b/test/XInclude/docs/fallback4.xml
		161	@@ -0,0 +1,7 @@
		162	+<a>
		163	+ <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
		164	+ <xi:fallback>
		165	+ <xi:include href="../ents/something.xml"/>
		166	+ </xi:fallback>
		167	+ </xi:include>
		168	+</a>
		169	diff --git a/xinclude.c b/xinclude.c
		170	index 001e992..6ec5d31 100644
		171	--- a/xinclude.c
		172	+++ b/xinclude.c
		173	@@ -2382,21 +2382,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
		174	* First phase: lookup the elements in the document
		175	*/
		176	cur = tree;
		177	- if (xmlXIncludeTestNode(ctxt, cur) == 1)
		178	- xmlXIncludePreProcessNode(ctxt, cur);
		179	while ((cur != NULL) && (cur != tree->parent)) {
		180	/* TODO: need to work on entities -> stack */
		181	- if ((cur->children != NULL) &&
		182	- (cur->children->type != XML_ENTITY_DECL) &&
		183	- (cur->children->type != XML_XINCLUDE_START) &&
		184	- (cur->children->type != XML_XINCLUDE_END)) {
		185	- cur = cur->children;
		186	- if (xmlXIncludeTestNode(ctxt, cur))
		187	- xmlXIncludePreProcessNode(ctxt, cur);
		188	- } else if (cur->next != NULL) {
		189	+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
		190	+ xmlXIncludePreProcessNode(ctxt, cur);
		191	+ } else if ((cur->children != NULL) &&
		192	+ (cur->children->type != XML_ENTITY_DECL) &&
		193	+ (cur->children->type != XML_XINCLUDE_START) &&
		194	+ (cur->children->type != XML_XINCLUDE_END)) {
		195	+ cur = cur->children;
		196	+ continue;
		197	+ }
		198	+ if (cur->next != NULL) {
		199	cur = cur->next;
		200	- if (xmlXIncludeTestNode(ctxt, cur))
		201	- xmlXIncludePreProcessNode(ctxt, cur);
		202	} else {
		203	if (cur == tree)
		204	break;
		205	@@ -2406,8 +2404,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
		206	break; /* do */
		207	if (cur->next != NULL) {
		208	cur = cur->next;
		209	- if (xmlXIncludeTestNode(ctxt, cur))
		210	- xmlXIncludePreProcessNode(ctxt, cur);
		211	break; /* do */
		212	}
		213	} while (cur != NULL);
		214	--
		215	2.23.0
		216


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch new file mode 100644 index 0000000000..de5fc0e8cb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
		1	From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Thu, 22 Apr 2021 19:26:28 +0200
		4	Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
		5
		6	The --dropdtd option can leave dangling pointers in entity reference
		7	nodes. Make sure to skip these nodes when processing XIncludes.
		8
		9	This also avoids scanning entity declarations and even modifying
		10	them inadvertently during XInclude processing.
		11
		12	Move from a block list to an allow list approach to avoid descending
		13	into other node types that can't contain elements.
		14
		15	Fixes #237.
		16
		17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
		18	CVE: CVE-2021-3518
		19
		20	[OP: adjusted context]
		21	Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
		22	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		23	---
		24	xinclude.c \| 5 ++---
		25	1 file changed, 2 insertions(+), 3 deletions(-)
		26
		27	diff --git a/xinclude.c b/xinclude.c
		28	index 6ec5d31..b8eebcc 100644
		29	--- a/xinclude.c
		30	+++ b/xinclude.c
		31	@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
		32	if (xmlXIncludeTestNode(ctxt, cur) == 1) {
		33	xmlXIncludePreProcessNode(ctxt, cur);
		34	} else if ((cur->children != NULL) &&
		35	- (cur->children->type != XML_ENTITY_DECL) &&
		36	- (cur->children->type != XML_XINCLUDE_START) &&
		37	- (cur->children->type != XML_XINCLUDE_END)) {
		38	+ ((cur->type == XML_DOCUMENT_NODE) \|\|
		39	+ (cur->type == XML_ELEMENT_NODE))) {
		40	cur = cur->children;
		41	continue;
		42	}
		43	--
		44	2.23.0
		45


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index b850164285..a9bff74b55 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
26	file://fix-python39.patch \	26	file://fix-python39.patch \
27	file://CVE-2021-3517.patch \	27	file://CVE-2021-3517.patch \
28	file://CVE-2021-3516.patch \	28	file://CVE-2021-3516.patch \
		29	file://CVE-2021-3518-0001.patch \
		30	file://CVE-2021-3518-0002.patch \
29	file://CVE-2021-3537.patch \	31	file://CVE-2021-3537.patch \
30	"	32	"
31		33