libxml2: Patch CVE-2023-45322

Backport patch for gitlab issue mentioned in NVD CVE report. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 Backport also one of 14 patches for older issue with similar errors to have clean cherry-pick without patch fuzz. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/344 The CVE is disputed because the maintainer does not think that errors after memory allocation failures are not critical enough to warrant a CVE ID. This patch will formally fix reported error case, trying to backport another 13 patches and resolve conflicts would be probably overkill due to disputed state. This CVE was ignored on master branch (as diputed). (From OE-Core rev: d29a89412b37995857269d617e16ada116f14270) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2023-10-30 00:39:43 +0100
committer: Steve Sakoman <steve@sakoman.com> 2023-11-03 04:26:13 -1000
commit: f948c66f7556610d24cefe56ecd06a4d26a6d134 (patch)
tree: 0d0140369787fdeaebcc46dd9a76e407691a2b6e
parent: b1ddd4178d469cf0c14e8c31d0fd2ba1b53bf293 (diff)
download: poky-f948c66f7556610d24cefe56ecd06a4d26a6d134.tar.gz
3 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..5f1cb72534
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+Found with libFuzzer, see #344.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+            }
+            if (doc->intSubset == NULL) {
+                q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) return(NULL);
+               if (q == NULL) goto error;
+                q->doc = doc;
+                q->parent = parent;
+                doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        } else
+ #endif /* LIBXML_TREE_ENABLED */
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) return(NULL);
+       if (q == NULL) goto error;
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        node = node->next;
+     }
+     return(ret);
+error:
+    xmlFreeNodeList(ret);
+    return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..845fd70c66
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+Fixes #583.
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+        if (node->type == XML_DTD_NODE ) {
+-           if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+           if ((doc == NULL) || (doc->intSubset != NULL)) {
+                node = node->next;
+                continue;
+            }
+-           if (doc->intSubset == NULL) {
+-               q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) goto error;
+-               q->doc = doc;
+-               q->parent = parent;
+-               doc->intSubset = (xmlDtdPtr) q;
+-               xmlAddChild(parent, q);
+-           } else {
+-               q = (xmlNodePtr) doc->intSubset;
+-               xmlAddChild(parent, q);
+-           }
+-       } else
+            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+            if (q == NULL) goto error;
+            q->doc = doc;
+            q->parent = parent;
+            newSubset = (xmlDtdPtr) q;
+#else
+            node = node->next;
+            continue;
+ #endif /* LIBXML_TREE_ENABLED */
+       } else {
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) goto error;
+           if (q == NULL) goto error;
+        }
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        }
+        node = node->next;
+     }
+    if (newSubset != NULL)
+        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 437bccf4ed..533a6dae01 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -29,6 +29,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2023-29469.patch \
           file://CVE-2023-39615-0001.patch \
           file://CVE-2023-39615-0002.patch \
+           file://CVE-2023-45322-1.patch \
+           file://CVE-2023-45322-2.patch \
           "
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
author	Peter Marko <peter.marko@siemens.com>	2023-10-30 00:39:43 +0100
committer	Steve Sakoman <steve@sakoman.com>	2023-11-03 04:26:13 -1000
commit	f948c66f7556610d24cefe56ecd06a4d26a6d134 (patch)
tree	0d0140369787fdeaebcc46dd9a76e407691a2b6e
parent	b1ddd4178d469cf0c14e8c31d0fd2ba1b53bf293 (diff)
download	poky-f948c66f7556610d24cefe56ecd06a4d26a6d134.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch new file mode 100644 index 0000000000..5f1cb72534 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
		1	From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 2 Nov 2022 15:44:42 +0100
		4	Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
		5
		6	Found with libFuzzer, see #344.
		7
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
		9
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	tree.c \| 7 +++++--
		13	1 file changed, 5 insertions(+), 2 deletions(-)
		14
		15	diff --git a/tree.c b/tree.c
		16	index 507869efe..647288ce3 100644
		17	--- a/tree.c
		18	+++ b/tree.c
		19	@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		20	}
		21	if (doc->intSubset == NULL) {
		22	q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		23	- if (q == NULL) return(NULL);
		24	+ if (q == NULL) goto error;
		25	q->doc = doc;
		26	q->parent = parent;
		27	doc->intSubset = (xmlDtdPtr) q;
		28	@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		29	} else
		30	#endif /* LIBXML_TREE_ENABLED */
		31	q = xmlStaticCopyNode(node, doc, parent, 1);
		32	- if (q == NULL) return(NULL);
		33	+ if (q == NULL) goto error;
		34	if (ret == NULL) {
		35	q->prev = NULL;
		36	ret = p = q;
		37	@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		38	node = node->next;
		39	}
		40	return(ret);
		41	+error:
		42	+ xmlFreeNodeList(ret);
		43	+ return(NULL);
		44	}
		45
		46	/**
		47	--
		48	GitLab
		49


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch new file mode 100644 index 0000000000..845fd70c66 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
		1	From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 23 Aug 2023 20:24:24 +0200
		4	Subject: [PATCH] tree: Fix copying of DTDs
		5
		6	- Don't create multiple DTD nodes.
		7	- Fix UAF if malloc fails.
		8	- Skip DTD nodes if tree module is disabled.
		9
		10	Fixes #583.
		11
		12	CVE: CVE-2023-45322
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
		14
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	---
		17	tree.c \| 31 ++++++++++++++++---------------
		18	1 file changed, 16 insertions(+), 15 deletions(-)
		19
		20	diff --git a/tree.c b/tree.c
		21	index 6c8a875b9..02c1b5791 100644
		22	--- a/tree.c
		23	+++ b/tree.c
		24	@@ -4471,29 +4471,28 @@ xmlNodePtr
		25	xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		26	xmlNodePtr ret = NULL;
		27	xmlNodePtr p = NULL,q;
		28	+ xmlDtdPtr newSubset = NULL;
		29
		30	while (node != NULL) {
		31	-#ifdef LIBXML_TREE_ENABLED
		32	if (node->type == XML_DTD_NODE ) {
		33	- if (doc == NULL) {
		34	+#ifdef LIBXML_TREE_ENABLED
		35	+ if ((doc == NULL) \|\| (doc->intSubset != NULL)) {
		36	node = node->next;
		37	continue;
		38	}
		39	- if (doc->intSubset == NULL) {
		40	- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		41	- if (q == NULL) goto error;
		42	- q->doc = doc;
		43	- q->parent = parent;
		44	- doc->intSubset = (xmlDtdPtr) q;
		45	- xmlAddChild(parent, q);
		46	- } else {
		47	- q = (xmlNodePtr) doc->intSubset;
		48	- xmlAddChild(parent, q);
		49	- }
		50	- } else
		51	+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		52	+ if (q == NULL) goto error;
		53	+ q->doc = doc;
		54	+ q->parent = parent;
		55	+ newSubset = (xmlDtdPtr) q;
		56	+#else
		57	+ node = node->next;
		58	+ continue;
		59	#endif /* LIBXML_TREE_ENABLED */
		60	+ } else {
		61	q = xmlStaticCopyNode(node, doc, parent, 1);
		62	- if (q == NULL) goto error;
		63	+ if (q == NULL) goto error;
		64	+ }
		65	if (ret == NULL) {
		66	q->prev = NULL;
		67	ret = p = q;
		68	@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		69	}
		70	node = node->next;
		71	}
		72	+ if (newSubset != NULL)
		73	+ doc->intSubset = newSubset;
		74	return(ret);
		75	error:
		76	xmlFreeNodeList(ret);
		77	--
		78	GitLab
		79


diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 437bccf4ed..533a6dae01 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -29,6 +29,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
29	file://CVE-2023-29469.patch \	29	file://CVE-2023-29469.patch \
30	file://CVE-2023-39615-0001.patch \	30	file://CVE-2023-39615-0001.patch \
31	file://CVE-2023-39615-0002.patch \	31	file://CVE-2023-39615-0002.patch \
		32	file://CVE-2023-45322-1.patch \
		33	file://CVE-2023-45322-2.patch \
32	"	34	"
33		35
34	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"	36	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"