libxml2: Fix CVE-2021-3541

Upstream commit: This is related to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless. CVE: CVE-2021-3541 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e] (From OE-Core rev: e1e04de65e24d1596d800d7f8e85f98bb7f72632) Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Tony Tascioglu <tony.tascioglu@windriver.com> 2021-05-20 17:45:42 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-30 08:19:35 +0100
commit: bc872bd77923210831de67cfdc50e753bfa9f1e5 (patch)
tree: 539a31b2ed592551e0a0cca0d5b46fee9ba71b18
parent: ad30955575ccfcb07db11e7d42b5500c605aacbc (diff)
download: poky-bc872bd77923210831de67cfdc50e753bfa9f1e5.tar.gz
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..3b86278ac4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+CVE: CVE-2021-3541
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
+++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+            rep = NULL;
+        }
+     }
+
+    /*
+     * Prevent entity exponential check, not just replacement while
+     * parsing the DTD
+     * The check is potentially costly so do that only once in a thousand
+     */
+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+        (ctxt->nbentities % 1024 == 0)) {
+       for (i = 0;i < ctxt->inputNr;i++) {
+           consumed += ctxt->inputTab[i]->consumed +
+                      (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+       }
+       if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+           xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+           ctxt->instate = XML_PARSER_EOF;
+           return (1);
+       }
+       consumed = 0;
+    }
+
+
+
+     if (replacement != 0) {
+        if (replacement < XML_MAX_TEXT_LENGTH)
+            return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
+           if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+               return;
+
+            if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index a9bff74b55..ce4f9a3340 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2021-3518-0001.patch \
           file://CVE-2021-3518-0002.patch \
           file://CVE-2021-3537.patch \
+           file://CVE-2021-3541.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
author	Tony Tascioglu <tony.tascioglu@windriver.com>	2021-05-20 17:45:42 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-30 08:19:35 +0100
commit	bc872bd77923210831de67cfdc50e753bfa9f1e5 (patch)
tree	539a31b2ed592551e0a0cca0d5b46fee9ba71b18
parent	ad30955575ccfcb07db11e7d42b5500c605aacbc (diff)
download	poky-bc872bd77923210831de67cfdc50e753bfa9f1e5.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch new file mode 100644 index 0000000000..3b86278ac4 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
		1	From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Thu, 13 May 2021 14:55:12 +0200
		4	Subject: [PATCH] Patch for security issue CVE-2021-3541
		5
		6	This is relapted to parameter entities expansion and following
		7	the line of the billion laugh attack. Somehow in that path the
		8	counting of parameters was missed and the normal algorithm based
		9	on entities "density" was useless.
		10
		11	CVE: CVE-2021-3541
		12	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
		13
		14	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		15
		16	---
		17	parser.c \| 26 ++++++++++++++++++++++++++
		18	1 file changed, 26 insertions(+)
		19
		20	diff --git a/parser.c b/parser.c
		21	index f5e5e169..c9312fa4 100644
		22	--- a/parser.c
		23	+++ b/parser.c
		24	@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
		25	xmlEntityPtr ent, size_t replacement)
		26	{
		27	size_t consumed = 0;
		28	+ int i;
		29
		30	if ((ctxt == NULL) \|\| (ctxt->options & XML_PARSE_HUGE))
		31	return (0);
		32	@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
		33	rep = NULL;
		34	}
		35	}
		36	+
		37	+ /*
		38	+ * Prevent entity exponential check, not just replacement while
		39	+ * parsing the DTD
		40	+ * The check is potentially costly so do that only once in a thousand
		41	+ */
		42	+ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
		43	+ (ctxt->nbentities % 1024 == 0)) {
		44	+ for (i = 0;i < ctxt->inputNr;i++) {
		45	+ consumed += ctxt->inputTab[i]->consumed +
		46	+ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
		47	+ }
		48	+ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
		49	+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
		50	+ ctxt->instate = XML_PARSER_EOF;
		51	+ return (1);
		52	+ }
		53	+ consumed = 0;
		54	+ }
		55	+
		56	+
		57	+
		58	if (replacement != 0) {
		59	if (replacement < XML_MAX_TEXT_LENGTH)
		60	return(0);
		61	@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
		62	xmlChar start[4];
		63	xmlCharEncoding enc;
		64
		65	+ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
		66	+ return;
		67	+
		68	if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
		69	((ctxt->options & XML_PARSE_NOENT) == 0) &&
		70	((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
		71	--
		72	2.25.1
		73


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index a9bff74b55..ce4f9a3340 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
29	file://CVE-2021-3518-0001.patch \	29	file://CVE-2021-3518-0001.patch \
30	file://CVE-2021-3518-0002.patch \	30	file://CVE-2021-3518-0002.patch \
31	file://CVE-2021-3537.patch \	31	file://CVE-2021-3537.patch \
		32	file://CVE-2021-3541.patch \
32	"	33	"
33		34
34	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	35	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"