libxml: fix CVE-2021-3517 CVE-2021-3537

(From OE-Core rev: f177c0ec321f005dd9ce63aec2d700fd53c993ff) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2021-06-04 17:54:23 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-06-11 22:45:27 +0100
commit: 4ad8edab0bce7e41a671f32cdddc32ee322d33b8 (patch)
tree: 4241b8a14b5ccd70092a544a446ad9c41f237e18 /meta
parent: 0e7201d43a0af436f450512fe444e3f271b20b24 (diff)
download: poky-4ad8edab0bce7e41a671f32cdddc32ee322d33b8.tar.gz
3 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
new file mode 100644
index 0000000000..e88a8ae7c6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,53 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+Adds further checks to partial fix in 50f06b3e.
+Fixes #178
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
+CVE: CVE-2021-3517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
+++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+            } else {
+                /*
+                 * We assume we have UTF-8 input.
+                * It must match either:
+                *   110xxxxx 10xxxxxx
+                *   1110xxxx 10xxxxxx 10xxxxxx
+                *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+                * That is:
+                *   cur[0] is 11xxxxxx
+                *   cur[1] is 10xxxxxx
+                *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
+                *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
+                *   cur[0] is not 11111xxx
+                 */
+                char buf[11], *ptr;
+                int val = 0, l = 1;
+ 
+-               if (*cur < 0xC0) {
+               if (((cur[0] & 0xC0) != 0xC0) ||
+                   ((cur[1] & 0xC0) != 0x80) ||
+                   (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
+                   (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
+                   (((cur[0] & 0xF8) == 0xF8))) {
+                    xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+                            "xmlEncodeEntities: input not UTF-8");
+                    if (doc != NULL)
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
new file mode 100644
index 0000000000..9e64c2a36d
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,50 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+Fixes #243.
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+CVE: CVE-2021-3537
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
+++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+        SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
+        if (cur == NULL)
+            return(NULL);
+        SKIP_BLANKS;
+        GROW;
+     } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+            SKIP_BLANKS;
+            last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
+            if (last == NULL) {
+               if (ret != NULL)
+                   xmlFreeDocElementContent(ctxt->myDoc, ret);
+               return(NULL);
+            }
+            SKIP_BLANKS;
+        } else {
+            elem = xmlParseName(ctxt);
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index db660b9869..097613fb28 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -23,6 +23,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2020-7595.patch \
           file://CVE-2019-20388.patch \
           file://CVE-2020-24977.patch \
+           file://CVE-2021-3517.patch \
+           file://CVE-2021-3537.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2021-06-04 17:54:23 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-06-11 22:45:27 +0100
commit	4ad8edab0bce7e41a671f32cdddc32ee322d33b8 (patch)
tree	4241b8a14b5ccd70092a544a446ad9c41f237e18 /meta
parent	0e7201d43a0af436f450512fe444e3f271b20b24 (diff)
download	poky-4ad8edab0bce7e41a671f32cdddc32ee322d33b8.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 0000000000..e88a8ae7c6 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,53 @@
		1	From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
		2	From: Joel Hockey <joel.hockey@gmail.com>
		3	Date: Sun, 16 Aug 2020 17:19:35 -0700
		4	Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
		5
		6	Code is currently assuming UTF-8 without validating. Truncated UTF-8
		7	input can cause out-of-bounds array access.
		8
		9	Adds further checks to partial fix in 50f06b3e.
		10
		11	Fixes #178
		12	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
		13	CVE: CVE-2021-3517
		14	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		15
		16	---
		17	entities.c \| 16 +++++++++++++++-
		18	1 file changed, 15 insertions(+), 1 deletion(-)
		19
		20	diff --git a/entities.c b/entities.c
		21	index 37b99a56..1a8f86f0 100644
		22	--- a/entities.c
		23	+++ b/entities.c
		24	@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
		25	} else {
		26	/*
		27	* We assume we have UTF-8 input.
		28	+ * It must match either:
		29	+ * 110xxxxx 10xxxxxx
		30	+ * 1110xxxx 10xxxxxx 10xxxxxx
		31	+ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
		32	+ * That is:
		33	+ * cur[0] is 11xxxxxx
		34	+ * cur[1] is 10xxxxxx
		35	+ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
		36	+ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
		37	+ * cur[0] is not 11111xxx
		38	*/
		39	char buf[11], *ptr;
		40	int val = 0, l = 1;
		41
		42	- if (*cur < 0xC0) {
		43	+ if (((cur[0] & 0xC0) != 0xC0) \|\|
		44	+ ((cur[1] & 0xC0) != 0x80) \|\|
		45	+ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) \|\|
		46	+ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) \|\|
		47	+ (((cur[0] & 0xF8) == 0xF8))) {
		48	xmlEntitiesErr(XML_CHECK_NOT_UTF8,
		49	"xmlEncodeEntities: input not UTF-8");
		50	if (doc != NULL)
		51	--
		52	GitLab
		53


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 0000000000..9e64c2a36d --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,50 @@
		1	From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Sat, 1 May 2021 16:53:33 +0200
		4	Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
		5
		6	Check return value of recursive calls to
		7	xmlParseElementChildrenContentDeclPriv and return immediately in case
		8	of errors. Otherwise, struct xmlElementContent could contain unexpected
		9	null pointers, leading to a null deref when post-validating documents
		10	which aren't well-formed and parsed in recovery mode.
		11
		12	Fixes #243.
		13
		14	Upstream-Status: Backport
		15	[https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
		16	CVE: CVE-2021-3537
		17	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		18
		19	---
		20	parser.c \| 7 +++++++
		21	1 file changed, 7 insertions(+)
		22
		23	diff --git a/parser.c b/parser.c
		24	index b42e6043..73c27edd 100644
		25	--- a/parser.c
		26	+++ b/parser.c
		27	@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
		28	SKIP_BLANKS;
		29	cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
		30	depth + 1);
		31	+ if (cur == NULL)
		32	+ return(NULL);
		33	SKIP_BLANKS;
		34	GROW;
		35	} else {
		36	@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
		37	SKIP_BLANKS;
		38	last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
		39	depth + 1);
		40	+ if (last == NULL) {
		41	+ if (ret != NULL)
		42	+ xmlFreeDocElementContent(ctxt->myDoc, ret);
		43	+ return(NULL);
		44	+ }
		45	SKIP_BLANKS;
		46	} else {
		47	elem = xmlParseName(ctxt);
		48	--
		49	GitLab
		50


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index db660b9869..097613fb28 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -23,6 +23,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
23	file://CVE-2020-7595.patch \	23	file://CVE-2020-7595.patch \
24	file://CVE-2019-20388.patch \	24	file://CVE-2019-20388.patch \
25	file://CVE-2020-24977.patch \	25	file://CVE-2020-24977.patch \
		26	file://CVE-2021-3517.patch \
		27	file://CVE-2021-3537.patch \
26	"	28	"
27		29
28	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	30	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"