libxml2: fix CVE-2021-3537

Parsing specially crafted Mixed Content while parsing XML data may lead to invalid data structure being created, as errors were not propagated. This could lead to several NULL Pointer Dereference when post-validating documents parsed in recovery mode. CVE: CVE-2021-3537 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61] (From OE-Core rev: 6d69f7453f78dcb19f472dcea183e859648c5243) Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Tony Tascioglu <tony.tascioglu@windriver.com> 2021-05-14 09:14:50 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-22 10:03:10 +0100
commit: fd33741e279702d8498fce47450cb1ea275e5e6b (patch)
tree: 193dc646cf8dfe26e11ff1de46be23ff2454d64d
parent: cb3bc91a03fb6fbf3f849ad449274292270cb403 (diff)
download: poky-fd33741e279702d8498fce47450cb1ea275e5e6b.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
new file mode 100644
index 0000000000..defbe7867b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,49 @@
+From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+Fixes #243.
+CVE: CVE-2021-3537
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/parser.c b/parser.c
+index a34bb6cd..bbcff39f 100644
+--- a/parser.c
+++ b/parser.c
+@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+        SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
+        if (cur == NULL)
+            return(NULL);
+        SKIP_BLANKS;
+        GROW;
+     } else {
+@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+            SKIP_BLANKS;
+            last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
+            if (last == NULL) {
+               if (ret != NULL)
+                   xmlFreeDocElementContent(ctxt->myDoc, ret);
+               return(NULL);
+            }
+            SKIP_BLANKS;
+        } else {
+            elem = xmlParseName(ctxt);
+-- 
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 6f1229c2d0..b850164285 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://fix-python39.patch \
           file://CVE-2021-3517.patch \
           file://CVE-2021-3516.patch \
+           file://CVE-2021-3537.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
author	Tony Tascioglu <tony.tascioglu@windriver.com>	2021-05-14 09:14:50 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-22 10:03:10 +0100
commit	fd33741e279702d8498fce47450cb1ea275e5e6b (patch)
tree	193dc646cf8dfe26e11ff1de46be23ff2454d64d
parent	cb3bc91a03fb6fbf3f849ad449274292270cb403 (diff)
download	poky-fd33741e279702d8498fce47450cb1ea275e5e6b.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 0000000000..defbe7867b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,49 @@
		1	From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Sat, 1 May 2021 16:53:33 +0200
		4	Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv
		5
		6	Check return value of recursive calls to
		7	xmlParseElementChildrenContentDeclPriv and return immediately in case
		8	of errors. Otherwise, struct xmlElementContent could contain unexpected
		9	null pointers, leading to a null deref when post-validating documents
		10	which aren't well-formed and parsed in recovery mode.
		11
		12	Fixes #243.
		13
		14	CVE: CVE-2021-3537
		15	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
		16
		17	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		18	---
		19	parser.c \| 7 +++++++
		20	1 file changed, 7 insertions(+)
		21
		22	diff --git a/parser.c b/parser.c
		23	index a34bb6cd..bbcff39f 100644
		24	--- a/parser.c
		25	+++ b/parser.c
		26	@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
		27	SKIP_BLANKS;
		28	cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
		29	depth + 1);
		30	+ if (cur == NULL)
		31	+ return(NULL);
		32	SKIP_BLANKS;
		33	GROW;
		34	} else {
		35	@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
		36	SKIP_BLANKS;
		37	last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
		38	depth + 1);
		39	+ if (last == NULL) {
		40	+ if (ret != NULL)
		41	+ xmlFreeDocElementContent(ctxt->myDoc, ret);
		42	+ return(NULL);
		43	+ }
		44	SKIP_BLANKS;
		45	} else {
		46	elem = xmlParseName(ctxt);
		47	--
		48	2.25.1
		49


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 6f1229c2d0..b850164285 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
26	file://fix-python39.patch \	26	file://fix-python39.patch \
27	file://CVE-2021-3517.patch \	27	file://CVE-2021-3517.patch \
28	file://CVE-2021-3516.patch \	28	file://CVE-2021-3516.patch \
		29	file://CVE-2021-3537.patch \
29	"	30	"
30		31
31	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	32	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"