diff options
author | Peter Marko <peter.marko@siemens.com> | 2023-05-07 23:40:39 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-12 04:04:52 -1000 |
commit | a30cde8c0ca7051cc8618c2bd0ffc9d46fb87900 (patch) | |
tree | 63d7adc9075c3ceebca2a5b2a489a6a46ae47517 /meta | |
parent | 6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf (diff) | |
download | poky-a30cde8c0ca7051cc8618c2bd0ffc9d46fb87900.tar.gz |
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Backports from:
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
(From OE-Core rev: 7d03d5dbc98aa701869c73c1c55a5868c70c5287)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch | 79 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch | 42 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 |
3 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch new file mode 100644 index 0000000000..907f2c4d47 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Fri, 7 Apr 2023 11:46:35 +0200 | ||
4 | Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType | ||
5 | |||
6 | Fix a null pointer dereference when parsing (invalid) XML schemas. | ||
7 | |||
8 | Thanks to Robby Simpson for the report! | ||
9 | |||
10 | Fixes #491. | ||
11 | |||
12 | CVE: CVE-2023-28484 | ||
13 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68] | ||
14 | |||
15 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
16 | --- | ||
17 | result/schemas/issue491_0_0.err | 1 + | ||
18 | test/schemas/issue491_0.xml | 1 + | ||
19 | test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ | ||
20 | xmlschemas.c | 2 +- | ||
21 | 4 files changed, 21 insertions(+), 1 deletion(-) | ||
22 | create mode 100644 result/schemas/issue491_0_0.err | ||
23 | create mode 100644 test/schemas/issue491_0.xml | ||
24 | create mode 100644 test/schemas/issue491_0.xsd | ||
25 | |||
26 | diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err | ||
27 | new file mode 100644 | ||
28 | index 00000000..9b2bb969 | ||
29 | --- /dev/null | ||
30 | +++ b/result/schemas/issue491_0_0.err | ||
31 | @@ -0,0 +1 @@ | ||
32 | +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. | ||
33 | diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml | ||
34 | new file mode 100644 | ||
35 | index 00000000..e2b2fc2e | ||
36 | --- /dev/null | ||
37 | +++ b/test/schemas/issue491_0.xml | ||
38 | @@ -0,0 +1 @@ | ||
39 | +<Child xmlns="http://www.test.com">5</Child> | ||
40 | diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd | ||
41 | new file mode 100644 | ||
42 | index 00000000..81702649 | ||
43 | --- /dev/null | ||
44 | +++ b/test/schemas/issue491_0.xsd | ||
45 | @@ -0,0 +1,18 @@ | ||
46 | +<?xml version='1.0' encoding='UTF-8'?> | ||
47 | +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified"> | ||
48 | + <xs:complexType name="BaseType"> | ||
49 | + <xs:simpleContent> | ||
50 | + <xs:extension base="xs:int" /> | ||
51 | + </xs:simpleContent> | ||
52 | + </xs:complexType> | ||
53 | + <xs:complexType name="ChildType"> | ||
54 | + <xs:complexContent> | ||
55 | + <xs:extension base="BaseType"> | ||
56 | + <xs:sequence> | ||
57 | + <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/> | ||
58 | + </xs:sequence> | ||
59 | + </xs:extension> | ||
60 | + </xs:complexContent> | ||
61 | + </xs:complexType> | ||
62 | + <xs:element name="Child" type="ChildType" /> | ||
63 | +</xs:schema> | ||
64 | diff --git a/xmlschemas.c b/xmlschemas.c | ||
65 | index 6a353858..a4eaf591 100644 | ||
66 | --- a/xmlschemas.c | ||
67 | +++ b/xmlschemas.c | ||
68 | @@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, | ||
69 | "allowed to appear inside other model groups", | ||
70 | NULL, NULL); | ||
71 | |||
72 | - } else if (! dummySequence) { | ||
73 | + } else if ((!dummySequence) && (baseType->subtypes != NULL)) { | ||
74 | xmlSchemaTreeItemPtr effectiveContent = | ||
75 | (xmlSchemaTreeItemPtr) type->subtypes; | ||
76 | /* | ||
77 | -- | ||
78 | GitLab | ||
79 | |||
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch new file mode 100644 index 0000000000..f60d160c49 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Fri, 7 Apr 2023 11:49:27 +0200 | ||
4 | Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't | ||
5 | deterministic | ||
6 | |||
7 | When hashing empty strings which aren't null-terminated, | ||
8 | xmlDictComputeFastKey could produce inconsistent results. This could | ||
9 | lead to various logic or memory errors, including double frees. | ||
10 | |||
11 | For consistency the seed is also taken into account, but this shouldn't | ||
12 | have an impact on security. | ||
13 | |||
14 | Found by OSS-Fuzz. | ||
15 | |||
16 | Fixes #510. | ||
17 | |||
18 | CVE: CVE-2023-29469 | ||
19 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df] | ||
20 | |||
21 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
22 | --- | ||
23 | dict.c | 3 ++- | ||
24 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
25 | |||
26 | diff --git a/dict.c b/dict.c | ||
27 | index 86c3f6d7..d7fd1a06 100644 | ||
28 | --- a/dict.c | ||
29 | +++ b/dict.c | ||
30 | @@ -433,7 +433,8 @@ static unsigned long | ||
31 | xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { | ||
32 | unsigned long value = seed; | ||
33 | |||
34 | - if (name == NULL) return(0); | ||
35 | + if ((name == NULL) || (namelen <= 0)) | ||
36 | + return(value); | ||
37 | value += *name; | ||
38 | value <<= 5; | ||
39 | if (namelen > 10) { | ||
40 | -- | ||
41 | GitLab | ||
42 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index e15f8eb13f..9241b279e4 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb | |||
@@ -25,6 +25,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt | |||
25 | file://0001-Port-gentest.py-to-Python-3.patch \ | 25 | file://0001-Port-gentest.py-to-Python-3.patch \ |
26 | file://CVE-2022-40303.patch \ | 26 | file://CVE-2022-40303.patch \ |
27 | file://CVE-2022-40304.patch \ | 27 | file://CVE-2022-40304.patch \ |
28 | file://CVE-2023-28484.patch \ | ||
29 | file://CVE-2023-29469.patch \ | ||
28 | " | 30 | " |
29 | 31 | ||
30 | SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" | 32 | SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" |