1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..8b95f5f198
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor.  If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself.  If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+This patch ensures storeRawNames is always called when needed
+after calling doContent.  The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+CVE: CVE-2022-40674
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ expat/lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+Index: expat/lib/xmlparse.c
+===================================================================
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
+   {
+     parser->m_processor = contentProcessor;
+     /* see externalEntityContentProcessor vs contentProcessor */
+-    return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+-                     s, end, nextPtr,
+-                     (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+-                     XML_ACCOUNT_DIRECT);
+    result = doContent(parser, parser->m_parentParser ? 1 : 0,
+                       parser->m_encoding, s, end, nextPtr,
+                       (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+                       XML_ACCOUNT_DIRECT);
+    if (result == XML_ERROR_NONE) {
+      if (! storeRawNames(parser))
+        return XML_ERROR_NO_MEMORY;
+    }
+    return result;
+   }
+ }
+

diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..8b95f5f198 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
	1	From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
	2	From: Rhodri James <rhodri@wildebeest.org.uk>
	3	Date: Wed, 17 Aug 2022 18:26:18 +0100
	4	Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
	5
	6	It is possible to concoct a situation in which parsing is
	7	suspended while substituting in an internal entity, so that
	8	XML_ResumeParser directly uses internalEntityProcessor as
	9	its processor. If the subsequent parse includes some unclosed
	10	tags, this will return without calling storeRawNames to ensure
	11	that the raw versions of the tag names are stored in memory other
	12	than the parse buffer itself. If the parse buffer is then changed
	13	or reallocated (for example if processing a file line by line),
	14	badness will ensue.
	15
	16	This patch ensures storeRawNames is always called when needed
	17	after calling doContent. The earlier call do doContent does
	18	not need the same protection; it only deals with entity
	19	substitution, which cannot leave unbalanced tags, and in any
	20	case the raw names will be pointing into the stored entity
	21	value not the parse buffer.
	22
	23	Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
	24	CVE: CVE-2022-40674
	25	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
	26	---
	27	expat/lib/xmlparse.c \| 13 +++++++++----
	28	1 file changed, 9 insertions(+), 4 deletions(-)
	29
	30	Index: expat/lib/xmlparse.c
	31	===================================================================
	32	--- a/lib/xmlparse.c
	33	+++ b/lib/xmlparse.c
	34	@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
	35	{
	36	parser->m_processor = contentProcessor;
	37	/* see externalEntityContentProcessor vs contentProcessor */
	38	- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
	39	- s, end, nextPtr,
	40	- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
	41	- XML_ACCOUNT_DIRECT);
	42	+ result = doContent(parser, parser->m_parentParser ? 1 : 0,
	43	+ parser->m_encoding, s, end, nextPtr,
	44	+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
	45	+ XML_ACCOUNT_DIRECT);
	46	+ if (result == XML_ERROR_NONE) {
	47	+ if (! storeRawNames(parser))
	48	+ return XML_ERROR_NO_MEMORY;
	49	+ }
	50	+ return result;
	51	}
	52	}
	53