author | Pawan Badganchi <badganchipv@gmail.com> | 2022-08-28 15:01:25 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-03 13:10:37 +0100 |
commit | 211a3fd4db3dc82965845d92f993cb18927dd2bf (patch) | |
tree | 0b99cd4c50a22fcc9b248d2d7059e5346d106dcf | |
parent | 964b78a02d7d1629297d37cff74fccc599615a68 (diff) | |
libxml2: Add fix for CVE-2016-3709
Add the patch below to fix CVE-2016-3709:
CVE-2016-3709.patch
Link: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
(From OE-Core rev: b9312041e4c8d565ad1e1102f8634bcc913adfa7)
Signed-off-by: Pawan Badganchi<pawan.badganchi@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch | 89 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 |
2 files changed, 90 insertions, 0 deletions
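--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+HTMLtree.c | 49 +++++++++++-------------------------------------
+1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+(!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+(!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++ xmlChar *escaped;
+xmlChar *tmp = value;
+- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+- xmlBufCCat(buf->buffer, "\"");
+
+while (IS_BLANK_CH(*tmp)) tmp++;
+
+- /* URI Escape everything, except server side includes. */
+- for ( ; ; ) {
+- xmlChar *escaped;
+- xmlChar endChar;
+- xmlChar *end = NULL;
+- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+- if (start != NULL) {
+- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+- if (end != NULL) {
+- *start = '\0';
+- }
+- }
+-
+- /* Escape the whole string, or until start (set to '\0'). */
+- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+- if (escaped != NULL) {
+- xmlBufCat(buf->buffer, escaped);
+- xmlFree(escaped);
+- } else {
+- xmlBufCat(buf->buffer, tmp);
+- }
+-
+- if (end == NULL) { /* Everything has been written. */
+- break;
+- }
+-
+- /* Do not escape anything within server side includes. */
+- *start = '<'; /* Restore the first character of "<!--". */
+- end += 3; /* strlen("-->") */
+- endChar = *end;
+- *end = '\0';
+- xmlBufCat(buf->buffer, start);
+- *end = endChar;
+- tmp = end;
++ /*
++ * the < and > have already been escaped at the entity level
++ * And doing so here breaks server side includes
++ */
++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++ if (escaped != NULL) {
++ xmlBufWriteQuotedString(buf->buffer, escaped);
++ xmlFree(escaped);
++ } else {
++ xmlBufWriteQuotedString(buf->buffer, value);
+}
+-
+- xmlBufCCat(buf->buffer, "\"");
+} else {
+xmlBufWriteQuotedString(buf->buffer, value);
+}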
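Review bot: The restored fallback branch of htmlAttrDumpOutput (lines 82-83 of the embedded patch) writes `value` rather than `tmp` when xmlURIEscapeStr returns NULL, so the failure path keeps the leading blanks that the success path skips and emits the URI attribute with no URI escaping at all. The output still goes through xmlBufWriteQuotedString, so attribute quoting should be preserved, but the fallback is silent and undocumented. Because this is a backport of upstream c1ba6f54, the code is best left identical to upstream; the point belongs in the patch header, for example `Note: on escape failure (presumably allocation) the raw attribute value is written, still quoted`. The same header could also state in one line what the security issue is, since it currently only links to the bug tracker. The body of htmlAttrDumpOutput starts and ends outside the hunk.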
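--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -33,6 +33,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
 file://CVE-2022-29824-dependent.patch \
 file://CVE-2022-29824.patch \
 file://0001-Port-gentest.py-to-Python-3.patch \
+file://CVE-2016-3709.patch \
 "
 
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"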