1 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236.patch b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
new file mode 100644
index 0000000000..ba6443fc6a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
@@ -0,0 +1,129 @@
+From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:19:13 +0100
+Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/561/commits
+CVE: CVE-2022-25236
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 902895d5..c768f856 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+ 
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+-  XML_Char tmp[2];
+-  *tmp = nsSep;
+  XML_Char tmp[2] = {nsSep, 0};
+   return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ 
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+      would be otherwise.
+   */
+   if (parser->m_ns) {
+-    XML_Char tmp[2];
+-    *tmp = parser->m_namespaceSeparator;
+    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+   } else {
+     parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
+From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 01:09:29 +0100
+Subject: [PATCH] lib: Protect against malicious namespace declarations
+ (CVE-2022-25236)
+---
+ expat/lib/xmlparse.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c768f856..a3aef88c 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     if (! mustBeXML && isXMLNS
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
+
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+    //       we have to at least make sure that the XML processor on top of
+    //       Expat (that is splitting tag names by namespace separator into
+    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+    //       by an attacker putting additional namespace separator characters
+    //       into namespace declarations.  That would be ambiguous and not to
+    //       be expected.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+      return XML_ERROR_SYNTAX;
+    }
+   }
+   isXML = isXML && len == xmlLen;
+   isXMLNS = isXMLNS && len == xmlnsLen;
+From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:51:43 +0100
+Subject: [PATCH] tests: Cover CVE-2022-25236
+---
+ expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
+++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+ }
+ END_TEST
+ 
+START_TEST(test_ns_separator_in_uri) {
+  struct test_case {
+    enum XML_Status expectedStatus;
+    const char *doc;
+  };
+  struct test_case cases[] = {
+      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
+      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
+  };
+
+  size_t i = 0;
+  size_t failCount = 0;
+  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
+    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
+    XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
+    if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
+                  /*isFinal*/ XML_TRUE)
+        != cases[i].expectedStatus) {
+      failCount++;
+    }
+    XML_ParserFree(parser);
+  }
+
+  if (failCount) {
+    fail("Namespace separator handling is broken");
+  }
+}
+END_TEST
+
+ /* Control variable; the number of times duff_allocator() will successfully
+  * allocate */
+ #define ALLOC_ALWAYS_SUCCEED (-1)
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+   tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+   tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+   tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
+  tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+ 
+   suite_add_tcase(s, tc_misc);
+   tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);

diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236.patch b/meta/recipes-core/expat/expat/CVE-2022-25236.patch new file mode 100644 index 0000000000..ba6443fc6a --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
@@ -0,0 +1,129 @@
	1	From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
	2	From: Sebastian Pipping <sebastian@pipping.org>
	3	Date: Sat, 12 Feb 2022 00:19:13 +0100
	4	Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
	5
	6	Upstream-Status: Backport
	7	https://github.com/libexpat/libexpat/pull/561/commits
	8
	9	CVE: CVE-2022-25236
	10
	11	Signed-off-by: Steve Sakoman <steve@sakoman.com>
	12
	13	---
	14	expat/lib/xmlparse.c \| 6 ++----
	15	1 file changed, 2 insertions(+), 4 deletions(-)
	16
	17	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
	18	index 902895d5..c768f856 100644
	19	--- a/lib/xmlparse.c
	20	+++ b/lib/xmlparse.c
	21	@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
	22
	23	XML_Parser XMLCALL
	24	XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
	25	- XML_Char tmp[2];
	26	- *tmp = nsSep;
	27	+ XML_Char tmp[2] = {nsSep, 0};
	28	return XML_ParserCreate_MM(encodingName, NULL, tmp);
	29	}
	30
	31	@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
	32	would be otherwise.
	33	*/
	34	if (parser->m_ns) {
	35	- XML_Char tmp[2];
	36	- *tmp = parser->m_namespaceSeparator;
	37	+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
	38	parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
	39	} else {
	40	parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
	41	From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
	42	From: Sebastian Pipping <sebastian@pipping.org>
	43	Date: Sat, 12 Feb 2022 01:09:29 +0100
	44	Subject: [PATCH] lib: Protect against malicious namespace declarations
	45	(CVE-2022-25236)
	46
	47	---
	48	expat/lib/xmlparse.c \| 11 +++++++++++
	49	1 file changed, 11 insertions(+)
	50
	51	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
	52	index c768f856..a3aef88c 100644
	53	--- a/lib/xmlparse.c
	54	+++ b/lib/xmlparse.c
	55	@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX prefix, const ATTRIBUTE_ID attId,
	56	if (! mustBeXML && isXMLNS
	57	&& (len > xmlnsLen \|\| uri[len] != xmlnsNamespace[len]))
	58	isXMLNS = XML_FALSE;
	59	+
	60	+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
	61	+ // we have to at least make sure that the XML processor on top of
	62	+ // Expat (that is splitting tag names by namespace separator into
	63	+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
	64	+ // by an attacker putting additional namespace separator characters
	65	+ // into namespace declarations. That would be ambiguous and not to
	66	+ // be expected.
	67	+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
	68	+ return XML_ERROR_SYNTAX;
	69	+ }
	70	}
	71	isXML = isXML && len == xmlLen;
	72	isXMLNS = isXMLNS && len == xmlnsLen;
	73	From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
	74	From: Sebastian Pipping <sebastian@pipping.org>
	75	Date: Sat, 12 Feb 2022 00:51:43 +0100
	76	Subject: [PATCH] tests: Cover CVE-2022-25236
	77
	78	---
	79	expat/tests/runtests.c \| 30 ++++++++++++++++++++++++++++++
	80	1 file changed, 30 insertions(+)
	81
	82	diff --git a/tests/runtests.c b/tests/runtests.c
	83	index d07203f2..bc5344b1 100644
	84	--- a/tests/runtests.c
	85	+++ b/tests/runtests.c
	86	@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
	87	}
	88	END_TEST
	89
	90	+START_TEST(test_ns_separator_in_uri) {
	91	+ struct test_case {
	92	+ enum XML_Status expectedStatus;
	93	+ const char *doc;
	94	+ };
	95	+ struct test_case cases[] = {
	96	+ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
	97	+ {XML_STATUS_ERROR, "<doc xmlns='one two' />"},
	98	+ };
	99	+
	100	+ size_t i = 0;
	101	+ size_t failCount = 0;
	102	+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
	103	+ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
	104	+ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
	105	+ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
	106	+ /isFinal/ XML_TRUE)
	107	+ != cases[i].expectedStatus) {
	108	+ failCount++;
	109	+ }
	110	+ XML_ParserFree(parser);
	111	+ }
	112	+
	113	+ if (failCount) {
	114	+ fail("Namespace separator handling is broken");
	115	+ }
	116	+}
	117	+END_TEST
	118	+
	119	/* Control variable; the number of times duff_allocator() will successfully
	120	* allocate */
	121	#define ALLOC_ALWAYS_SUCCEED (-1)
	122	@@ -11905,6 +11934,7 @@ make_suite(void) {
	123	tcase_add_test(tc_namespace, test_ns_utf16_doctype);
	124	tcase_add_test(tc_namespace, test_ns_invalid_doctype);
	125	tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
	126	+ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
	127
	128	suite_add_tcase(s, tc_misc);
	129	tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);