2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..3b86278ac4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+CVE: CVE-2021-3541
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
+++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+            rep = NULL;
+        }
+     }
+
+    /*
+     * Prevent entity exponential check, not just replacement while
+     * parsing the DTD
+     * The check is potentially costly so do that only once in a thousand
+     */
+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+        (ctxt->nbentities % 1024 == 0)) {
+       for (i = 0;i < ctxt->inputNr;i++) {
+           consumed += ctxt->inputTab[i]->consumed +
+                      (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+       }
+       if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+           xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+           ctxt->instate = XML_PARSER_EOF;
+           return (1);
+       }
+       consumed = 0;
+    }
+
+
+
+     if (replacement != 0) {
+        if (replacement < XML_MAX_TEXT_LENGTH)
+            return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
+           if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+               return;
+
+            if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index a9bff74b55..ce4f9a3340 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2021-3518-0001.patch \
           file://CVE-2021-3518-0002.patch \
           file://CVE-2021-3537.patch \
+           file://CVE-2021-3541.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch new file mode 100644 index 0000000000..3b86278ac4 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
		1	From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Thu, 13 May 2021 14:55:12 +0200
		4	Subject: [PATCH] Patch for security issue CVE-2021-3541
		5
		6	This is relapted to parameter entities expansion and following
		7	the line of the billion laugh attack. Somehow in that path the
		8	counting of parameters was missed and the normal algorithm based
		9	on entities "density" was useless.
		10
		11	CVE: CVE-2021-3541
		12	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
		13
		14	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		15
		16	---
		17	parser.c \| 26 ++++++++++++++++++++++++++
		18	1 file changed, 26 insertions(+)
		19
		20	diff --git a/parser.c b/parser.c
		21	index f5e5e169..c9312fa4 100644
		22	--- a/parser.c
		23	+++ b/parser.c
		24	@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
		25	xmlEntityPtr ent, size_t replacement)
		26	{
		27	size_t consumed = 0;
		28	+ int i;
		29
		30	if ((ctxt == NULL) \|\| (ctxt->options & XML_PARSE_HUGE))
		31	return (0);
		32	@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
		33	rep = NULL;
		34	}
		35	}
		36	+
		37	+ /*
		38	+ * Prevent entity exponential check, not just replacement while
		39	+ * parsing the DTD
		40	+ * The check is potentially costly so do that only once in a thousand
		41	+ */
		42	+ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
		43	+ (ctxt->nbentities % 1024 == 0)) {
		44	+ for (i = 0;i < ctxt->inputNr;i++) {
		45	+ consumed += ctxt->inputTab[i]->consumed +
		46	+ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
		47	+ }
		48	+ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
		49	+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
		50	+ ctxt->instate = XML_PARSER_EOF;
		51	+ return (1);
		52	+ }
		53	+ consumed = 0;
		54	+ }
		55	+
		56	+
		57	+
		58	if (replacement != 0) {
		59	if (replacement < XML_MAX_TEXT_LENGTH)
		60	return(0);
		61	@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
		62	xmlChar start[4];
		63	xmlCharEncoding enc;
		64
		65	+ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
		66	+ return;
		67	+
		68	if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
		69	((ctxt->options & XML_PARSE_NOENT) == 0) &&
		70	((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
		71	--
		72	2.25.1
		73


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index a9bff74b55..ce4f9a3340 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
29	file://CVE-2021-3518-0001.patch \	29	file://CVE-2021-3518-0001.patch \
30	file://CVE-2021-3518-0002.patch \	30	file://CVE-2021-3518-0002.patch \
31	file://CVE-2021-3537.patch \	31	file://CVE-2021-3537.patch \
		32	file://CVE-2021-3541.patch \
32	"	33	"
33		34
34	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	35	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"