libxml2: Add fix for CVE-2016-3709

Add below patch to fix CVE-2016-3709 CVE-2016-3709.patch Link: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f (From OE-Core rev: b9312041e4c8d565ad1e1102f8634bcc913adfa7) Signed-off-by: Pawan Badganchi<pawan.badganchi@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Pawan Badganchi <badganchipv@gmail.com> 2022-08-28 15:01:25 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-03 13:10:37 +0100
commit: 211a3fd4db3dc82965845d92f993cb18927dd2bf (patch)
tree: 0b99cd4c50a22fcc9b248d2d7059e5346d106dcf
parent: 964b78a02d7d1629297d37cff74fccc599615a68 (diff)
download: poky-211a3fd4db3dc82965845d92f993cb18927dd2bf.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
new file mode 100644
index 0000000000..5301d05323
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+This commit introduced
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+  https://bugzilla.gnome.org/show_bug.cgi?id=769760
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
+++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+                 (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+                 ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+                  (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
+               xmlChar *escaped;
+                xmlChar *tmp = value;
+-               /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+-               xmlBufCCat(buf->buffer, "\"");
+                while (IS_BLANK_CH(*tmp)) tmp++;
+-               /* URI Escape everything, except server side includes. */
+-               for ( ; ; ) {
+-                   xmlChar *escaped;
+-                   xmlChar endChar;
+-                   xmlChar *end = NULL;
+-                   xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+-                   if (start != NULL) {
+-                       end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+-                       if (end != NULL) {
+-                           *start = '\0';
+-                       }
+-                   }
+-
+-                   /* Escape the whole string, or until start (set to '\0'). */
+-                   escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+-                   if (escaped != NULL) {
+-                       xmlBufCat(buf->buffer, escaped);
+-                       xmlFree(escaped);
+-                   } else {
+-                       xmlBufCat(buf->buffer, tmp);
+-                   }
+-
+-                   if (end == NULL) { /* Everything has been written. */
+-                       break;
+-                   }
+-
+-                   /* Do not escape anything within server side includes. */
+-                   *start = '<'; /* Restore the first character of "<!--". */
+-                   end += 3; /* strlen("-->") */
+-                   endChar = *end;
+-                   *end = '\0';
+-                   xmlBufCat(buf->buffer, start);
+-                   *end = endChar;
+-                   tmp = end;
+               /*
+                * the < and > have already been escaped at the entity level
+                * And doing so here breaks server side includes
+                */
+               escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
+               if (escaped != NULL) {
+                   xmlBufWriteQuotedString(buf->buffer, escaped);
+                   xmlFree(escaped);
+               } else {
+                   xmlBufWriteQuotedString(buf->buffer, value);
+                }
+-
+-               xmlBufCCat(buf->buffer, "\"");
+            } else {
+                xmlBufWriteQuotedString(buf->buffer, value);
+            }
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index d1c1f0884f..dc62991739 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -33,6 +33,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
           file://CVE-2022-29824-dependent.patch \
           file://CVE-2022-29824.patch \
           file://0001-Port-gentest.py-to-Python-3.patch \
+           file://CVE-2016-3709.patch \
           "
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
author	Pawan Badganchi <badganchipv@gmail.com>	2022-08-28 15:01:25 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-03 13:10:37 +0100
commit	211a3fd4db3dc82965845d92f993cb18927dd2bf (patch)
tree	0b99cd4c50a22fcc9b248d2d7059e5346d106dcf
parent	964b78a02d7d1629297d37cff74fccc599615a68 (diff)
download	poky-211a3fd4db3dc82965845d92f993cb18927dd2bf.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch new file mode 100644 index 0000000000..5301d05323 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
		1	From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Sat, 15 Aug 2020 18:32:29 +0200
		4	Subject: [PATCH] Revert "Do not URI escape in server side includes"
		5
		6	This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
		7
		8	This commit introduced
		9
		10	- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
		11	- an algorithm with quadratic runtime
		12	- a security issue, see
		13	https://bugzilla.gnome.org/show_bug.cgi?id=769760
		14
		15	A better approach is to add an option not to escape URLs at all
		16	which libxml2 should have possibly done in the first place.
		17
		18	CVE: CVE-2016-3709
		19	Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
		20	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		21	---
		22	HTMLtree.c \| 49 +++++++++++--------------------------------------
		23	1 file changed, 11 insertions(+), 38 deletions(-)
		24
		25	diff --git a/HTMLtree.c b/HTMLtree.c
		26	index 8d236bb35..cdb7f86a6 100644
		27	--- a/HTMLtree.c
		28	+++ b/HTMLtree.c
		29	@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
		30	(!xmlStrcasecmp(cur->name, BAD_CAST "src")) \|\|
		31	((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
		32	(!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
		33	+ xmlChar *escaped;
		34	xmlChar *tmp = value;
		35	- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
		36	- xmlBufCCat(buf->buffer, "\"");
		37
		38	while (IS_BLANK_CH(*tmp)) tmp++;
		39
		40	- /* URI Escape everything, except server side includes. */
		41	- for ( ; ; ) {
		42	- xmlChar *escaped;
		43	- xmlChar endChar;
		44	- xmlChar *end = NULL;
		45	- xmlChar start = (xmlChar )xmlStrstr(tmp, BAD_CAST "<!--");
		46	- if (start != NULL) {
		47	- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
		48	- if (end != NULL) {
		49	- *start = '\0';
		50	- }
		51	- }
		52	-
		53	- /* Escape the whole string, or until start (set to '\0'). */
		54	- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
		55	- if (escaped != NULL) {
		56	- xmlBufCat(buf->buffer, escaped);
		57	- xmlFree(escaped);
		58	- } else {
		59	- xmlBufCat(buf->buffer, tmp);
		60	- }
		61	-
		62	- if (end == NULL) { /* Everything has been written. */
		63	- break;
		64	- }
		65	-
		66	- /* Do not escape anything within server side includes. */
		67	- start = '<'; / Restore the first character of "<!--". */
		68	- end += 3; /* strlen("-->") */
		69	- endChar = *end;
		70	- *end = '\0';
		71	- xmlBufCat(buf->buffer, start);
		72	- *end = endChar;
		73	- tmp = end;
		74	+ /*
		75	+ * the < and > have already been escaped at the entity level
		76	+ * And doing so here breaks server side includes
		77	+ */
		78	+ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
		79	+ if (escaped != NULL) {
		80	+ xmlBufWriteQuotedString(buf->buffer, escaped);
		81	+ xmlFree(escaped);
		82	+ } else {
		83	+ xmlBufWriteQuotedString(buf->buffer, value);
		84	}
		85	-
		86	- xmlBufCCat(buf->buffer, "\"");
		87	} else {
		88	xmlBufWriteQuotedString(buf->buffer, value);
		89	}


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index d1c1f0884f..dc62991739 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -33,6 +33,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
33	file://CVE-2022-29824-dependent.patch \	33	file://CVE-2022-29824-dependent.patch \
34	file://CVE-2022-29824.patch \	34	file://CVE-2022-29824.patch \
35	file://0001-Port-gentest.py-to-Python-3.patch \	35	file://0001-Port-gentest.py-to-Python-3.patch \
		36	file://CVE-2016-3709.patch \
36	"	37	"
37		38
38	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"	39	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"