Diffstat (limited to 'meta/recipes-core/expat/expat/CVE-2022-25236-1.patch')
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2022-25236-1.patch | 116 |
1 files changed, 116 insertions, 0 deletions
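--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch
@@ -0,0 +1,116 @@
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2cc97e87]
+CVE: CVE-2022-25236
+
+The commit is a merge commit, and this patch is created by:
+
+$ git diff -p --stat 2cc97e87~ 2cc97e87
+
+Remove modification for expat/Changes which fails to be applied.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+commit 2cc97e875ef84da4bcf55156c83599116f7523b4 (from d477fdd284468f2ab822024e75702f2c1b254f42)
+Merge: d477fdd2 e4d7e497
+Author: Sebastian Pipping <sebastian@pipping.org>
+Date: Fri Feb 18 18:01:27 2022 +0100
+
+Merge pull request #561 from libexpat/namesep-security
+
+[CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs
+
+---
+expat/Changes | 16 ++++++++++++++++
+expat/lib/xmlparse.c | 17 +++++++++++++----
+expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+3 files changed, 59 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7376aab1..c98e2e9f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+
+XML_Parser XMLCALL
+XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+- XML_Char tmp[2];
+- *tmp = nsSep;
++ XML_Char tmp[2] = {nsSep, 0};
+return XML_ParserCreate_MM(encodingName, NULL, tmp);
+}
+
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+would be otherwise.
+*/
+if (parser->m_ns) {
+- XML_Char tmp[2];
+- *tmp = parser->m_namespaceSeparator;
++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+} else {
+parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
+@@ -3761,6 +3759,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+if (! mustBeXML && isXMLNS
+&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+isXMLNS = XML_FALSE;
++
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+}
+isXML = isXML && len == xmlLen;
+isXMLNS = isXMLNS && len == xmlnsLen;
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+}
+END_TEST
+
++START_TEST(test_ns_separator_in_uri) {
++ struct test_case {
++ enum XML_Status expectedStatus;
++ const char *doc;
++ };
++ struct test_case cases[] = {
++ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
++ {XML_STATUS_ERROR, "<doc xmlns='one
+two' />"},
++ };
++
++ size_t i = 0;
++ size_t failCount = 0;
++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
++ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
++ /*isFinal*/ XML_TRUE)
++ != cases[i].expectedStatus) {
++ failCount++;
++ }
++ XML_ParserFree(parser);
++ }
++
++ if (failCount) {
++ fail("Namespace separator handling is broken");
++ }
++}
++END_TEST
++
+/* Control variable; the number of times duff_allocator() will successfully
+* allocate */
+#define ALLOC_ALWAYS_SUCCEED (-1)
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
++ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+
+suite_add_tcase(s, tc_misc);
+tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);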
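Review bot: The second test case on patch line 84, `{XML_STATUS_ERROR, "<doc xmlns='one` continued as `two' />"},`, is shown with a physical line break inside the string literal; if the stored patch really holds a raw newline instead of a `\n` escape, the test will not compile and the inner hunk header `@@ -7220,6 +7220,35 @@` will no longer match its line count. This is most likely a rendering artifact of the `\n` escape that pairs with `XML_ParserCreateNS(NULL, '\n')` on line 90, but it is worth confirming that the file in the recipe applies and that runtests.c builds. Separately, `fail("Namespace separator handling is broken")` only reports that some case failed; calling `fail()` inside the loop with the case index, or keeping the loop and logging `i` on mismatch, would localise a regression faster. The patch header could also state the observable behaviour change for users of XML_ParserCreateNS: a namespace URI that contains the application-chosen separator character is now rejected with `XML_ERROR_SYNTAX`.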