author | Steve Sakoman <steve@sakoman.com> | 2022-02-28 05:31:13 -1000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-09 17:30:48 +0000 |
commit | 746111afa001dc99c95fc56dc242b5f00a0bc1b9 (patch) | |
tree | 84219a53467479ab47a4a62826da401782e8d52a /meta/recipes-core | |
parent | e8fef0c8cfe6d110d9c63ded1bc329fd4b77df48 (diff) | |
expat: fix CVE-2022-25236
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows
attackers to insert namespace-separator characters into
namespace URIs.
Backport patches from:
https://github.com/libexpat/libexpat/pull/561/commits
CVE: CVE-2022-25236
(From OE-Core rev: 72ab213c128ef75669447eadcae8219a9f87f941)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2022-25236.patch | 129 | ||||
-rw-r--r-- | meta/recipes-core/expat/expat_2.2.9.bb | 1 |
2 files changed, 130 insertions, 0 deletions
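--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
@@ -0,0 +1,129 @@
+From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:19:13 +0100
+Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/561/commits
+
+CVE: CVE-2022-25236
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+expat/lib/xmlparse.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 902895d5..c768f856 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+
+XML_Parser XMLCALL
+XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+- XML_Char tmp[2];
+- *tmp = nsSep;
++ XML_Char tmp[2] = {nsSep, 0};
+return XML_ParserCreate_MM(encodingName, NULL, tmp);
+}
+
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+would be otherwise.
+*/
+if (parser->m_ns) {
+- XML_Char tmp[2];
+- *tmp = parser->m_namespaceSeparator;
++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+} else {
+parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
+From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 01:09:29 +0100
+Subject: [PATCH] lib: Protect against malicious namespace declarations
+(CVE-2022-25236)
+
+---
+expat/lib/xmlparse.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c768f856..a3aef88c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+if (! mustBeXML && isXMLNS
+&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+isXMLNS = XML_FALSE;
++
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+}
+isXML = isXML && len == xmlLen;
+isXMLNS = isXMLNS && len == xmlnsLen;
+From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:51:43 +0100
+Subject: [PATCH] tests: Cover CVE-2022-25236
+
+---
+expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+1 file changed, 30 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+}
+END_TEST
+
++START_TEST(test_ns_separator_in_uri) {
++ struct test_case {
++ enum XML_Status expectedStatus;
++ const char *doc;
++ };
++ struct test_case cases[] = {
++ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
++ {XML_STATUS_ERROR, "<doc xmlns='one\ntwo' />"},
++ };
++
++ size_t i = 0;
++ size_t failCount = 0;
++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
++ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
++ /*isFinal*/ XML_TRUE)
++ != cases[i].expectedStatus) {
++ failCount++;
++ }
++ XML_ParserFree(parser);
++ }
++
++ if (failCount) {
++ fail("Namespace separator handling is broken");
++ }
++}
++END_TEST
++
+/* Control variable; the number of times duff_allocator() will successfully
+* allocate */
+#define ALLOC_ALWAYS_SUCCEED (-1)
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
++ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+
+suite_add_tcase(s, tc_misc);
+tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);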
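Review bot: The new guard in addBinding(), `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { return XML_ERROR_SYNTAX; }`, rejects every namespace declaration whose URI contains the separator character the application passed to XML_ParserCreateNS, so an application that chose a character that is legal inside URIs (e.g. `:` or `/`) will now get XML_ERROR_SYNTAX on ordinary declarations such as `xmlns='http://example.org/ns'`; the backport commit message should state this as a behavioural change for consumers of the 2.2.9 recipe, and the new test_ns_separator_in_uri, which only exercises `'\n'`, should pin the intended result for such a separator (e.g. a third case built with a `':'` parser). This is the same check upstream shipped, so it is a compatibility/documentation point about the backport rather than a defect in the fix itself. The `index` lines of the bundled upstream commits refer to 2.4.x blobs while the recipe is expat 2.2.9, so the hunk contexts were presumably re-matched when applying — worth a sentence in the patch header confirming it was build- and test-verified against 2.2.9. The enclosing addBinding() body begins and ends outside the hunk.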
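--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
 file://CVE-2022-23852.patch \
 file://CVE-2022-23990.patch \
 file://CVE-2022-25235.patch \
+file://CVE-2022-25236.patch \
 file://libtool-tag.patch \
 "
 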