author | Siddharth Doshi <sdoshi@mvista.com> | 2023-09-13 20:58:04 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-09-29 04:29:01 -1000 |
commit | 0734868d9d9365c63cadf51ff8272fb0662e11a7 (patch) | |
tree | 327cc68f5fe4698741a865abaafbe4f50253d433 /meta/recipes-core | |
parent | 007a6e2dadf0b3cf1e7312d85226cb26a5259417 (diff) | |
download | poky-0734868d9d9365c63cadf51ff8272fb0662e11a7.tar.gz |
libxml2: Fix CVE-2023-39615
Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9, https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
CVE: CVE-2023-39615
(From OE-Core rev: d8a585a8c3712cdce9d9a5241ae7e620bc014ed9)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core')
4 files changed, 154 insertions, 0 deletions
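--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,36 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 6 May 2023 17:47:37 +0200
+Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+parser.c | 2 --
+1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 6e09208..7814e6e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15156,8 +15156,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+}
+#ifdef LIBXML_SAX1_ENABLED
+if (options & XML_PARSE_SAX1) {
+- ctxt->sax->startElement = xmlSAX2StartElement;
+- ctxt->sax->endElement = xmlSAX2EndElement;
+ctxt->sax->startElementNs = NULL;
+ctxt->sax->endElementNs = NULL;
+ctxt->sax->initialized = 1;
+--
+2.24.4
+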
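Review bot: Applied on its own, the removal in the `XML_PARSE_SAX1` branch appears to leave `startElement`/`endElement` NULL on a default context, because the old `xmlSAXVersion(hdlr, 2)` (visible in the removed lines of CVE-2023-39615-0002.patch) clears both SAX1 handlers and the two assignments dropped here were what restored them. The patch header should record that dependency so the pair is never split in a later refresh, for example by adding `Note: must be applied together with CVE-2023-39615-0002.patch, which re-initializes the SAX1 element handlers.` above the `Upstream-Status:` line. The hunk shows only part of `xmlCtxtUseOptionsInternal`, so the rest of the option handling is not covered by this note.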
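--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
@@ -0,0 +1,71 @@
+From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 8 May 2023 17:58:02 +0200
+Subject: [PATCH] SAX: Always initialize SAX1 element handlers
+
+Follow-up to commit d0c3f01e. A parser context will be initialized to
+SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
+so we must initialize the SAX1 element handlers as well.
+
+Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
+we don't switch to SAX1 if the SAX2 element handlers are NULL.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+SAX2.c | 11 +++++++----
+parser.c | 5 +----
+2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 5f141f9..902d34d 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2869,20 +2869,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version)
+{
+if (hdlr == NULL) return(-1);
+if (version == 2) {
+- hdlr->startElement = NULL;
+- hdlr->endElement = NULL;
+hdlr->startElementNs = xmlSAX2StartElementNs;
+hdlr->endElementNs = xmlSAX2EndElementNs;
+hdlr->serror = NULL;
+hdlr->initialized = XML_SAX2_MAGIC;
+#ifdef LIBXML_SAX1_ENABLED
+} else if (version == 1) {
+- hdlr->startElement = xmlSAX2StartElement;
+- hdlr->endElement = xmlSAX2EndElement;
+hdlr->initialized = 1;
+#endif /* LIBXML_SAX1_ENABLED */
+} else
+return(-1);
++#ifdef LIBXML_SAX1_ENABLED
++ hdlr->startElement = xmlSAX2StartElement;
++ hdlr->endElement = xmlSAX2EndElement;
++#else
++ hdlr->startElement = NULL;
++ hdlr->endElement = NULL;
++#endif /* LIBXML_SAX1_ENABLED */
+hdlr->internalSubset = xmlSAX2InternalSubset;
+hdlr->externalSubset = xmlSAX2ExternalSubset;
+hdlr->isStandalone = xmlSAX2IsStandalone;
+diff --git a/parser.c b/parser.c
+index 7814e6e..cf0fb38 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1102,10 +1102,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
+if (ctxt == NULL) return;
+sax = ctxt->sax;
+#ifdef LIBXML_SAX1_ENABLED
+- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
+- ((sax->startElementNs != NULL) ||
+- (sax->endElementNs != NULL) ||
+- ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC))
+ctxt->sax2 = 1;
+#else
+ctxt->sax2 = 1;
+--
+2.24.4
+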
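Review bot: The simplified check in `xmlDetectSAX2` changes behaviour for existing callers of this stable 2.9.10 recipe. A handler whose `initialized` is `XML_SAX2_MAGIC`, with NULL `startElementNs`/`endElementNs` and custom `startElement`/`endElement`, previously did not get `ctxt->sax2 = 1` and now does. If SAX2 mode dispatches only to the `*Ns` callbacks (that code is outside these hunks), such an application would silently stop receiving element events rather than fail loudly. The patch header should say so, e.g. `Note: handlers marked XML_SAX2_MAGIC are now always parsed as SAX2, even when startElementNs/endElementNs are NULL.`, and in-tree users of custom SAX handlers are worth checking before this lands on a stable branch. Both `xmlSAXVersion` and `xmlDetectSAX2` continue outside the hunks shown.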
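--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
@@ -0,0 +1,44 @@
+From 99fc048d7f7292c5ee18e44c400bd73bc63a47ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 14 Aug 2020 14:18:50 +0200
+Subject: [PATCH] Don't use SAX1 if all element handlers are NULL
+
+Running xmllint with "--sax --noout" installs a SAX2 handler with all
+callbacks set to NULL. In this case or similar situations, we don't want
+to switch to SAX1 parsing.
+
+Note: This patch is needed for "CVE-2023-39615-0002" patch to apply.
+Without this patch the build will fail with undefined sax error.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/99fc048d7f7292c5ee18e44c400bd73bc63a47ed]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+parser.c | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index bb677b0..6e09208 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1098,11 +1098,15 @@ xmlHasFeature(xmlFeature feature)
+*/
+static void
+xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
++ xmlSAXHandlerPtr sax;
+if (ctxt == NULL) return;
++ sax = ctxt->sax;
+#ifdef LIBXML_SAX1_ENABLED
+- if ((ctxt->sax) && (ctxt->sax->initialized == XML_SAX2_MAGIC) &&
+- ((ctxt->sax->startElementNs != NULL) ||
+- (ctxt->sax->endElementNs != NULL))) ctxt->sax2 = 1;
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
++ ((sax->startElementNs != NULL) ||
++ (sax->endElementNs != NULL) ||
++ ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ ctxt->sax2 = 1;
+#else
+ctxt->sax2 = 1;
+#endif /* LIBXML_SAX1_ENABLED */
+--
+2.24.4
+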
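Review bot: The header note understates how this prerequisite relates to the fix. The `(sax->startElement == NULL) && (sax->endElement == NULL)` clause added to `xmlDetectSAX2` is removed again by CVE-2023-39615-0002.patch, so only the local `sax` variable survives in the final tree. Saying that explicitly would stop a later maintainer from treating the clause as part of the CVE fix, or from dropping this patch as unrelated. For example: `Note: prerequisite for CVE-2023-39615-0002.patch, which relies on the local 'sax' variable introduced here and replaces the condition added below.`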
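--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -38,6 +38,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
 file://CVE-2022-40304.patch \
 file://CVE-2023-28484.patch \
 file://CVE-2023-29469.patch \
+file://CVE-2023-39615-pre.patch \
+file://CVE-2023-39615-0001.patch \
+file://CVE-2023-39615-0002.patch \
 "
 
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"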