diff options
author | Joe Slater <joe.slater@windriver.com> | 2022-03-24 08:32:57 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-03 20:49:03 +0100 |
commit | eb28aafdc9b5872d4f3a06fd611583a1b4252d84 (patch) | |
tree | 94db5e378673be70213d26f2f582b4b288feb7c1 | |
parent | d6dfaada89d0ae6200843e5202c25a3e8d6dee5a (diff) | |
download | poky-eb28aafdc9b5872d4f3a06fd611583a1b4252d84.tar.gz |
libxml2: Fix CVE-2022-23308
The first patch is the fix in version 2.9.13. The second
patch was added later and fixes a regression introduced
by the first.
(From OE-Core rev: 38e97e67f053cc7b86dd487d8e65b9e68237c73b)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 310 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch new file mode 100644 index 0000000000..eefecb9adb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 22 Feb 2022 11:51:08 +0100 | ||
4 | Subject: [PATCH] Fix --without-valid build | ||
5 | |||
6 | Regressed in commit 652dd12a. | ||
7 | --- | ||
8 | valid.c | 58 ++++++++++++++++++++++++++++----------------------------- | ||
9 | 1 file changed, 29 insertions(+), 29 deletions(-) | ||
10 | --- | ||
11 | |||
12 | From https://github.com/GNOME/libxml2.git | ||
13 | commit 646fe48d1c8a74310c409ddf81fe7df6700052af | ||
14 | |||
15 | CVE: CVE-2022-23308 | ||
16 | Upstream-status: Backport | ||
17 | |||
18 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
19 | |||
20 | |||
21 | diff --git a/valid.c b/valid.c | ||
22 | index 8e596f1d..9684683a 100644 | ||
23 | --- a/valid.c | ||
24 | +++ b/valid.c | ||
25 | @@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt) | ||
26 | return (ret); | ||
27 | } | ||
28 | |||
29 | -/** | ||
30 | - * xmlValidNormalizeString: | ||
31 | - * @str: a string | ||
32 | - * | ||
33 | - * Normalize a string in-place. | ||
34 | - */ | ||
35 | -static void | ||
36 | -xmlValidNormalizeString(xmlChar *str) { | ||
37 | - xmlChar *dst; | ||
38 | - const xmlChar *src; | ||
39 | - | ||
40 | - if (str == NULL) | ||
41 | - return; | ||
42 | - src = str; | ||
43 | - dst = str; | ||
44 | - | ||
45 | - while (*src == 0x20) src++; | ||
46 | - while (*src != 0) { | ||
47 | - if (*src == 0x20) { | ||
48 | - while (*src == 0x20) src++; | ||
49 | - if (*src != 0) | ||
50 | - *dst++ = 0x20; | ||
51 | - } else { | ||
52 | - *dst++ = *src++; | ||
53 | - } | ||
54 | - } | ||
55 | - *dst = 0; | ||
56 | -} | ||
57 | - | ||
58 | #ifdef DEBUG_VALID_ALGO | ||
59 | static void | ||
60 | xmlValidPrintNode(xmlNodePtr cur) { | ||
61 | @@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) { | ||
62 | (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \ | ||
63 | xmlFree((char *)(str)); | ||
64 | |||
65 | +/** | ||
66 | + * xmlValidNormalizeString: | ||
67 | + * @str: a string | ||
68 | + * | ||
69 | + * Normalize a string in-place. | ||
70 | + */ | ||
71 | +static void | ||
72 | +xmlValidNormalizeString(xmlChar *str) { | ||
73 | + xmlChar *dst; | ||
74 | + const xmlChar *src; | ||
75 | + | ||
76 | + if (str == NULL) | ||
77 | + return; | ||
78 | + src = str; | ||
79 | + dst = str; | ||
80 | + | ||
81 | + while (*src == 0x20) src++; | ||
82 | + while (*src != 0) { | ||
83 | + if (*src == 0x20) { | ||
84 | + while (*src == 0x20) src++; | ||
85 | + if (*src != 0) | ||
86 | + *dst++ = 0x20; | ||
87 | + } else { | ||
88 | + *dst++ = *src++; | ||
89 | + } | ||
90 | + } | ||
91 | + *dst = 0; | ||
92 | +} | ||
93 | + | ||
94 | static int | ||
95 | xmlIsStreaming(xmlValidCtxtPtr ctxt) { | ||
96 | xmlParserCtxtPtr pctxt; | ||
97 | -- | ||
98 | 2.35.1 | ||
99 | |||
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch new file mode 100644 index 0000000000..708a98b45a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch | |||
@@ -0,0 +1,209 @@ | |||
1 | From 652dd12a858989b14eed4e84e453059cd3ba340e Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 8 Feb 2022 03:29:24 +0100 | ||
4 | Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes | ||
5 | |||
6 | If a document is parsed with XML_PARSE_DTDVALID and without | ||
7 | XML_PARSE_NOENT, the value of ID attributes has to be normalized after | ||
8 | potentially expanding entities in xmlRemoveID. Otherwise, later calls | ||
9 | to xmlGetID can return a pointer to previously freed memory. | ||
10 | |||
11 | ID attributes which are empty or contain only whitespace after | ||
12 | entity expansion are affected in a similar way. This is fixed by | ||
13 | not storing such attributes in the ID table. | ||
14 | |||
15 | The test to detect streaming mode when validating against a DTD was | ||
16 | broken. In connection with the defects above, this could result in a | ||
17 | use-after-free when using the xmlReader interface with validation. | ||
18 | Fix detection of streaming mode to avoid similar issues. (This changes | ||
19 | the expected result of a test case. But as far as I can tell, using the | ||
20 | XML reader with XIncludes referencing the root document never worked | ||
21 | properly, anyway.) | ||
22 | |||
23 | All of these issues can result in denial of service. Using xmlReader | ||
24 | with validation could result in disclosure of memory via the error | ||
25 | channel, typically stderr. The security impact of xmlGetID returning | ||
26 | a pointer to freed memory depends on the application. The typical use | ||
27 | case of calling xmlGetID on an unmodified document is not affected. | ||
28 | --- | ||
29 | result/XInclude/ns1.xml.rdr | 2 +- | ||
30 | valid.c | 88 +++++++++++++++++++++++-------------- | ||
31 | 2 files changed, 56 insertions(+), 34 deletions(-) | ||
32 | --- | ||
33 | |||
34 | From https://github.com/GNOME/libxml2.git | ||
35 | commit 652dd12a858989b14eed4e84e453059cd3ba340e | ||
36 | |||
37 | Remove patch to ns1.xml.rdr which does not exist in version 2.9.10. | ||
38 | |||
39 | CVE: CVE-2022-23308 | ||
40 | Upstream-status: Backport | ||
41 | |||
42 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
43 | |||
44 | |||
45 | diff --git a/valid.c b/valid.c | ||
46 | index 5ee391c0..8e596f1d 100644 | ||
47 | --- a/valid.c | ||
48 | +++ b/valid.c | ||
49 | @@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt) | ||
50 | return (ret); | ||
51 | } | ||
52 | |||
53 | +/** | ||
54 | + * xmlValidNormalizeString: | ||
55 | + * @str: a string | ||
56 | + * | ||
57 | + * Normalize a string in-place. | ||
58 | + */ | ||
59 | +static void | ||
60 | +xmlValidNormalizeString(xmlChar *str) { | ||
61 | + xmlChar *dst; | ||
62 | + const xmlChar *src; | ||
63 | + | ||
64 | + if (str == NULL) | ||
65 | + return; | ||
66 | + src = str; | ||
67 | + dst = str; | ||
68 | + | ||
69 | + while (*src == 0x20) src++; | ||
70 | + while (*src != 0) { | ||
71 | + if (*src == 0x20) { | ||
72 | + while (*src == 0x20) src++; | ||
73 | + if (*src != 0) | ||
74 | + *dst++ = 0x20; | ||
75 | + } else { | ||
76 | + *dst++ = *src++; | ||
77 | + } | ||
78 | + } | ||
79 | + *dst = 0; | ||
80 | +} | ||
81 | + | ||
82 | #ifdef DEBUG_VALID_ALGO | ||
83 | static void | ||
84 | xmlValidPrintNode(xmlNodePtr cur) { | ||
85 | @@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) { | ||
86 | (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \ | ||
87 | xmlFree((char *)(str)); | ||
88 | |||
89 | +static int | ||
90 | +xmlIsStreaming(xmlValidCtxtPtr ctxt) { | ||
91 | + xmlParserCtxtPtr pctxt; | ||
92 | + | ||
93 | + if (ctxt == NULL) | ||
94 | + return(0); | ||
95 | + /* | ||
96 | + * These magic values are also abused to detect whether we're validating | ||
97 | + * while parsing a document. In this case, userData points to the parser | ||
98 | + * context. | ||
99 | + */ | ||
100 | + if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) && | ||
101 | + (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1)) | ||
102 | + return(0); | ||
103 | + pctxt = ctxt->userData; | ||
104 | + return(pctxt->parseMode == XML_PARSE_READER); | ||
105 | +} | ||
106 | + | ||
107 | /** | ||
108 | * xmlFreeID: | ||
109 | * @not: A id | ||
110 | @@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, | ||
111 | if (doc == NULL) { | ||
112 | return(NULL); | ||
113 | } | ||
114 | - if (value == NULL) { | ||
115 | + if ((value == NULL) || (value[0] == 0)) { | ||
116 | return(NULL); | ||
117 | } | ||
118 | if (attr == NULL) { | ||
119 | @@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, | ||
120 | */ | ||
121 | ret->value = xmlStrdup(value); | ||
122 | ret->doc = doc; | ||
123 | - if ((ctxt != NULL) && (ctxt->vstateNr != 0)) { | ||
124 | + if (xmlIsStreaming(ctxt)) { | ||
125 | /* | ||
126 | * Operating in streaming mode, attr is gonna disappear | ||
127 | */ | ||
128 | @@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) { | ||
129 | ID = xmlNodeListGetString(doc, attr->children, 1); | ||
130 | if (ID == NULL) | ||
131 | return(-1); | ||
132 | + xmlValidNormalizeString(ID); | ||
133 | |||
134 | id = xmlHashLookup(table, ID); | ||
135 | if (id == NULL || id->attr != attr) { | ||
136 | @@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, | ||
137 | * fill the structure. | ||
138 | */ | ||
139 | ret->value = xmlStrdup(value); | ||
140 | - if ((ctxt != NULL) && (ctxt->vstateNr != 0)) { | ||
141 | + if (xmlIsStreaming(ctxt)) { | ||
142 | /* | ||
143 | * Operating in streaming mode, attr is gonna disappear | ||
144 | */ | ||
145 | @@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc, | ||
146 | xmlChar * | ||
147 | xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, | ||
148 | xmlNodePtr elem, const xmlChar *name, const xmlChar *value) { | ||
149 | - xmlChar *ret, *dst; | ||
150 | - const xmlChar *src; | ||
151 | + xmlChar *ret; | ||
152 | xmlAttributePtr attrDecl = NULL; | ||
153 | int extsubset = 0; | ||
154 | |||
155 | @@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, | ||
156 | ret = xmlStrdup(value); | ||
157 | if (ret == NULL) | ||
158 | return(NULL); | ||
159 | - src = value; | ||
160 | - dst = ret; | ||
161 | - while (*src == 0x20) src++; | ||
162 | - while (*src != 0) { | ||
163 | - if (*src == 0x20) { | ||
164 | - while (*src == 0x20) src++; | ||
165 | - if (*src != 0) | ||
166 | - *dst++ = 0x20; | ||
167 | - } else { | ||
168 | - *dst++ = *src++; | ||
169 | - } | ||
170 | - } | ||
171 | - *dst = 0; | ||
172 | + xmlValidNormalizeString(ret); | ||
173 | if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) { | ||
174 | xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE, | ||
175 | "standalone: %s on %s value had to be normalized based on external subset declaration\n", | ||
176 | @@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, | ||
177 | xmlChar * | ||
178 | xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem, | ||
179 | const xmlChar *name, const xmlChar *value) { | ||
180 | - xmlChar *ret, *dst; | ||
181 | - const xmlChar *src; | ||
182 | + xmlChar *ret; | ||
183 | xmlAttributePtr attrDecl = NULL; | ||
184 | |||
185 | if (doc == NULL) return(NULL); | ||
186 | @@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem, | ||
187 | ret = xmlStrdup(value); | ||
188 | if (ret == NULL) | ||
189 | return(NULL); | ||
190 | - src = value; | ||
191 | - dst = ret; | ||
192 | - while (*src == 0x20) src++; | ||
193 | - while (*src != 0) { | ||
194 | - if (*src == 0x20) { | ||
195 | - while (*src == 0x20) src++; | ||
196 | - if (*src != 0) | ||
197 | - *dst++ = 0x20; | ||
198 | - } else { | ||
199 | - *dst++ = *src++; | ||
200 | - } | ||
201 | - } | ||
202 | - *dst = 0; | ||
203 | + xmlValidNormalizeString(ret); | ||
204 | return(ret); | ||
205 | } | ||
206 | |||
207 | -- | ||
208 | 2.25.1 | ||
209 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index cabf911816..778312f662 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb | |||
@@ -30,6 +30,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ | |||
30 | file://CVE-2021-3518-0002.patch \ | 30 | file://CVE-2021-3518-0002.patch \ |
31 | file://CVE-2021-3537.patch \ | 31 | file://CVE-2021-3537.patch \ |
32 | file://CVE-2021-3541.patch \ | 32 | file://CVE-2021-3541.patch \ |
33 | file://CVE-2022-23308.patch \ | ||
34 | file://CVE-2022-23308-fix-regression.patch \ | ||
33 | " | 35 | " |
34 | 36 | ||
35 | SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" | 37 | SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" |