libxml2: fix CVE-2021-3517

Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c CVE: CVE-2021-3517 Upstream-status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] (From OE-Core rev: 16ad173ba0e8f88b23c62aa8357b8afca36c2161) Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Tony Tascioglu <tony.tascioglu@windriver.com> 2021-05-14 09:14:48 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-22 10:03:10 +0100
commit: bbc1b0ebf719ca5352c2a8004d04a15954dea7cc (patch)
tree: 630a3f933b86a751dff37a2941816b0d7834b135
parent: 70ef9ded892eaa7ac230aa8b3c163458b6746d7c (diff)
download: poky-bbc1b0ebf719ca5352c2a8004d04a15954dea7cc.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
new file mode 100644
index 0000000000..b6204f655a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,54 @@
+From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+Adds further checks to partial fix in 50f06b3e.
+Fixes #178
+CVE: CVE-2021-3517
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+diff --git a/entities.c b/entities.c
+index d575e9d1..7cdbc4de 100644
+--- a/entities.c
+++ b/entities.c
+@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+            } else {
+                /*
+                 * We assume we have UTF-8 input.
+                * It must match either:
+                *   110xxxxx 10xxxxxx
+                *   1110xxxx 10xxxxxx 10xxxxxx
+                *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+                * That is:
+                *   cur[0] is 11xxxxxx
+                *   cur[1] is 10xxxxxx
+                *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
+                *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
+                *   cur[0] is not 11111xxx
+                 */
+                char buf[11], *ptr;
+                int val = 0, l = 1;
+ 
+-               if (*cur < 0xC0) {
+               if (((cur[0] & 0xC0) != 0xC0) ||
+                   ((cur[1] & 0xC0) != 0x80) ||
+                   (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
+                   (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
+                   (((cur[0] & 0xF8) == 0xF8))) {
+                    xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+                            "xmlEncodeEntities: input not UTF-8");
+                    if (doc != NULL)
+-- 
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 07ae68610c..ad612379b3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2019-20388.patch \
           file://CVE-2020-24977.patch \
           file://fix-python39.patch \
+           file://CVE-2021-3517.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
author	Tony Tascioglu <tony.tascioglu@windriver.com>	2021-05-14 09:14:48 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-22 10:03:10 +0100
commit	bbc1b0ebf719ca5352c2a8004d04a15954dea7cc (patch)
tree	630a3f933b86a751dff37a2941816b0d7834b135
parent	70ef9ded892eaa7ac230aa8b3c163458b6746d7c (diff)
download	poky-bbc1b0ebf719ca5352c2a8004d04a15954dea7cc.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 0000000000..b6204f655a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,54 @@
		1	From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001
		2	From: Joel Hockey <joel.hockey@gmail.com>
		3	Date: Sun, 16 Aug 2020 17:19:35 -0700
		4	Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities
		5
		6	Code is currently assuming UTF-8 without validating. Truncated UTF-8
		7	input can cause out-of-bounds array access.
		8
		9	Adds further checks to partial fix in 50f06b3e.
		10
		11	Fixes #178
		12
		13	CVE: CVE-2021-3517
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
		15
		16	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		17	---
		18	entities.c \| 16 +++++++++++++++-
		19	1 file changed, 15 insertions(+), 1 deletion(-)
		20
		21	diff --git a/entities.c b/entities.c
		22	index d575e9d1..7cdbc4de 100644
		23	--- a/entities.c
		24	+++ b/entities.c
		25	@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
		26	} else {
		27	/*
		28	* We assume we have UTF-8 input.
		29	+ * It must match either:
		30	+ * 110xxxxx 10xxxxxx
		31	+ * 1110xxxx 10xxxxxx 10xxxxxx
		32	+ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
		33	+ * That is:
		34	+ * cur[0] is 11xxxxxx
		35	+ * cur[1] is 10xxxxxx
		36	+ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
		37	+ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
		38	+ * cur[0] is not 11111xxx
		39	*/
		40	char buf[11], *ptr;
		41	int val = 0, l = 1;
		42
		43	- if (*cur < 0xC0) {
		44	+ if (((cur[0] & 0xC0) != 0xC0) \|\|
		45	+ ((cur[1] & 0xC0) != 0x80) \|\|
		46	+ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) \|\|
		47	+ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) \|\|
		48	+ (((cur[0] & 0xF8) == 0xF8))) {
		49	xmlEntitiesErr(XML_CHECK_NOT_UTF8,
		50	"xmlEncodeEntities: input not UTF-8");
		51	if (doc != NULL)
		52	--
		53	2.25.1
		54


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 07ae68610c..ad612379b3 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
24	file://CVE-2019-20388.patch \	24	file://CVE-2019-20388.patch \
25	file://CVE-2020-24977.patch \	25	file://CVE-2020-24977.patch \
26	file://fix-python39.patch \	26	file://fix-python39.patch \
		27	file://CVE-2021-3517.patch \
27	"	28	"
28		29
29	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	30	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"