1 files changed, 116 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch
new file mode 100644
index 0000000000..ab53d99c8f
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch
@@ -0,0 +1,116 @@
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2cc97e87]
+CVE: CVE-2022-25236
+The commit is a merge commit, and this patch is created by:
+$ git diff -p --stat 2cc97e87~ 2cc97e87
+Remove modification for expat/Changes which fails to be applied.
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+commit 2cc97e875ef84da4bcf55156c83599116f7523b4 (from d477fdd284468f2ab822024e75702f2c1b254f42)
+Merge: d477fdd2 e4d7e497
+Author: Sebastian Pipping <sebastian@pipping.org>
+Date:   Fri Feb 18 18:01:27 2022 +0100
+    Merge pull request #561 from libexpat/namesep-security
+    
+    [CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs
+---
+ expat/Changes          | 16 ++++++++++++++++
+ expat/lib/xmlparse.c   | 17 +++++++++++++----
+ expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 59 insertions(+), 4 deletions(-)
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7376aab1..c98e2e9f 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+ 
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+-  XML_Char tmp[2];
+-  *tmp = nsSep;
+  XML_Char tmp[2] = {nsSep, 0};
+   return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ 
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+      would be otherwise.
+   */
+   if (parser->m_ns) {
+-    XML_Char tmp[2];
+-    *tmp = parser->m_namespaceSeparator;
+    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+   } else {
+     parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
+@@ -3761,6 +3759,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     if (! mustBeXML && isXMLNS
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
+
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+    //       we have to at least make sure that the XML processor on top of
+    //       Expat (that is splitting tag names by namespace separator into
+    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+    //       by an attacker putting additional namespace separator characters
+    //       into namespace declarations.  That would be ambiguous and not to
+    //       be expected.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+      return XML_ERROR_SYNTAX;
+    }
+   }
+   isXML = isXML && len == xmlLen;
+   isXMLNS = isXMLNS && len == xmlnsLen;
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
+++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+ }
+ END_TEST
+ 
+START_TEST(test_ns_separator_in_uri) {
+  struct test_case {
+    enum XML_Status expectedStatus;
+    const char *doc;
+  };
+  struct test_case cases[] = {
+      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
+      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
+  };
+
+  size_t i = 0;
+  size_t failCount = 0;
+  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
+    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
+    XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
+    if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
+                  /*isFinal*/ XML_TRUE)
+        != cases[i].expectedStatus) {
+      failCount++;
+    }
+    XML_ParserFree(parser);
+  }
+
+  if (failCount) {
+    fail("Namespace separator handling is broken");
+  }
+}
+END_TEST
+
+ /* Control variable; the number of times duff_allocator() will successfully
+  * allocate */
+ #define ALLOC_ALWAYS_SUCCEED (-1)
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+   tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+   tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+   tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
+  tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+ 
+   suite_add_tcase(s, tc_misc);
+   tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);

diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch new file mode 100644 index 0000000000..ab53d99c8f --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch
@@ -0,0 +1,116 @@
	1	Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2cc97e87]
	2	CVE: CVE-2022-25236
	3
	4	The commit is a merge commit, and this patch is created by:
	5
	6	$ git diff -p --stat 2cc97e87~ 2cc97e87
	7
	8	Remove modification for expat/Changes which fails to be applied.
	9
	10	Signed-off-by: Kai Kang <kai.kang@windriver.com>
	11
	12	commit 2cc97e875ef84da4bcf55156c83599116f7523b4 (from d477fdd284468f2ab822024e75702f2c1b254f42)
	13	Merge: d477fdd2 e4d7e497
	14	Author: Sebastian Pipping <sebastian@pipping.org>
	15	Date: Fri Feb 18 18:01:27 2022 +0100
	16
	17	Merge pull request #561 from libexpat/namesep-security
	18
	19	[CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs
	20
	21	---
	22	expat/Changes \| 16 ++++++++++++++++
	23	expat/lib/xmlparse.c \| 17 +++++++++++++----
	24	expat/tests/runtests.c \| 30 ++++++++++++++++++++++++++++++
	25	3 files changed, 59 insertions(+), 4 deletions(-)
	26
	27	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
	28	index 7376aab1..c98e2e9f 100644
	29	--- a/lib/xmlparse.c
	30	+++ b/lib/xmlparse.c
	31	@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
	32
	33	XML_Parser XMLCALL
	34	XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
	35	- XML_Char tmp[2];
	36	- *tmp = nsSep;
	37	+ XML_Char tmp[2] = {nsSep, 0};
	38	return XML_ParserCreate_MM(encodingName, NULL, tmp);
	39	}
	40
	41	@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
	42	would be otherwise.
	43	*/
	44	if (parser->m_ns) {
	45	- XML_Char tmp[2];
	46	- *tmp = parser->m_namespaceSeparator;
	47	+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
	48	parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
	49	} else {
	50	parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
	51	@@ -3761,6 +3759,17 @@ addBinding(XML_Parser parser, PREFIX prefix, const ATTRIBUTE_ID attId,
	52	if (! mustBeXML && isXMLNS
	53	&& (len > xmlnsLen \|\| uri[len] != xmlnsNamespace[len]))
	54	isXMLNS = XML_FALSE;
	55	+
	56	+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
	57	+ // we have to at least make sure that the XML processor on top of
	58	+ // Expat (that is splitting tag names by namespace separator into
	59	+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
	60	+ // by an attacker putting additional namespace separator characters
	61	+ // into namespace declarations. That would be ambiguous and not to
	62	+ // be expected.
	63	+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
	64	+ return XML_ERROR_SYNTAX;
	65	+ }
	66	}
	67	isXML = isXML && len == xmlLen;
	68	isXMLNS = isXMLNS && len == xmlnsLen;
	69	diff --git a/tests/runtests.c b/tests/runtests.c
	70	index d07203f2..bc5344b1 100644
	71	--- a/tests/runtests.c
	72	+++ b/tests/runtests.c
	73	@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
	74	}
	75	END_TEST
	76
	77	+START_TEST(test_ns_separator_in_uri) {
	78	+ struct test_case {
	79	+ enum XML_Status expectedStatus;
	80	+ const char *doc;
	81	+ };
	82	+ struct test_case cases[] = {
	83	+ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
	84	+ {XML_STATUS_ERROR, "<doc xmlns='one two' />"},
	85	+ };
	86	+
	87	+ size_t i = 0;
	88	+ size_t failCount = 0;
	89	+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
	90	+ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
	91	+ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
	92	+ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
	93	+ /isFinal/ XML_TRUE)
	94	+ != cases[i].expectedStatus) {
	95	+ failCount++;
	96	+ }
	97	+ XML_ParserFree(parser);
	98	+ }
	99	+
	100	+ if (failCount) {
	101	+ fail("Namespace separator handling is broken");
	102	+ }
	103	+}
	104	+END_TEST
	105	+
	106	/* Control variable; the number of times duff_allocator() will successfully
	107	* allocate */
	108	#define ALLOC_ALWAYS_SUCCEED (-1)
	109	@@ -11905,6 +11934,7 @@ make_suite(void) {
	110	tcase_add_test(tc_namespace, test_ns_utf16_doctype);
	111	tcase_add_test(tc_namespace, test_ns_invalid_doctype);
	112	tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
	113	+ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
	114
	115	suite_add_tcase(s, tc_misc);
	116	tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);