diff options
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch | 216 |
1 files changed, 216 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch new file mode 100644 index 0000000000..3d4d3a0237 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch | |||
@@ -0,0 +1,216 @@ | |||
1 | From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Wed, 10 Jun 2020 16:34:52 +0200 | ||
4 | Subject: [PATCH 1/2] Don't recurse into xi:include children in | ||
5 | xmlXIncludeDoProcess | ||
6 | |||
7 | Otherwise, nested xi:include nodes might result in a use-after-free | ||
8 | if XML_PARSE_NOXINCNODE is specified. | ||
9 | |||
10 | Found with libFuzzer and ASan. | ||
11 | |||
12 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f9817c75b50a77c6aeb8f36801966fdadad229a] | ||
13 | CVE: CVE-2021-3518 | ||
14 | |||
15 | This patch brings in the necessary files to allow the 2nd patch that fixes the CVE to be applied. | ||
16 | |||
17 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
18 | Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> | ||
19 | --- | ||
20 | result/XInclude/fallback3.xml | 8 ++++++++ | ||
21 | result/XInclude/fallback3.xml.err | 0 | ||
22 | result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++ | ||
23 | result/XInclude/fallback4.xml | 10 ++++++++++ | ||
24 | result/XInclude/fallback4.xml.err | 0 | ||
25 | result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++ | ||
26 | test/XInclude/docs/fallback3.xml | 9 +++++++++ | ||
27 | test/XInclude/docs/fallback4.xml | 7 +++++++ | ||
28 | xinclude.c | 24 ++++++++++-------------- | ||
29 | 9 files changed, 98 insertions(+), 14 deletions(-) | ||
30 | create mode 100644 result/XInclude/fallback3.xml | ||
31 | create mode 100644 result/XInclude/fallback3.xml.err | ||
32 | create mode 100644 result/XInclude/fallback3.xml.rdr | ||
33 | create mode 100644 result/XInclude/fallback4.xml | ||
34 | create mode 100644 result/XInclude/fallback4.xml.err | ||
35 | create mode 100644 result/XInclude/fallback4.xml.rdr | ||
36 | create mode 100644 test/XInclude/docs/fallback3.xml | ||
37 | create mode 100644 test/XInclude/docs/fallback4.xml | ||
38 | |||
39 | diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml | ||
40 | new file mode 100644 | ||
41 | index 0000000..b423551 | ||
42 | --- /dev/null | ||
43 | +++ b/result/XInclude/fallback3.xml | ||
44 | @@ -0,0 +1,8 @@ | ||
45 | +<?xml version="1.0"?> | ||
46 | +<a> | ||
47 | + <doc xml:base="../ents/something.xml"> | ||
48 | +<p>something</p> | ||
49 | +<p>really</p> | ||
50 | +<p>simple</p> | ||
51 | +</doc> | ||
52 | +</a> | ||
53 | diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err | ||
54 | new file mode 100644 | ||
55 | index 0000000..e69de29 | ||
56 | diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr | ||
57 | new file mode 100644 | ||
58 | index 0000000..aa2f137 | ||
59 | --- /dev/null | ||
60 | +++ b/result/XInclude/fallback3.xml.rdr | ||
61 | @@ -0,0 +1,25 @@ | ||
62 | +0 1 a 0 0 | ||
63 | +1 14 #text 0 1 | ||
64 | + | ||
65 | +1 1 doc 0 0 | ||
66 | +2 14 #text 0 1 | ||
67 | + | ||
68 | +2 1 p 0 0 | ||
69 | +3 3 #text 0 1 something | ||
70 | +2 15 p 0 0 | ||
71 | +2 14 #text 0 1 | ||
72 | + | ||
73 | +2 1 p 0 0 | ||
74 | +3 3 #text 0 1 really | ||
75 | +2 15 p 0 0 | ||
76 | +2 14 #text 0 1 | ||
77 | + | ||
78 | +2 1 p 0 0 | ||
79 | +3 3 #text 0 1 simple | ||
80 | +2 15 p 0 0 | ||
81 | +2 14 #text 0 1 | ||
82 | + | ||
83 | +1 15 doc 0 0 | ||
84 | +1 14 #text 0 1 | ||
85 | + | ||
86 | +0 15 a 0 0 | ||
87 | diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml | ||
88 | new file mode 100644 | ||
89 | index 0000000..9883fd5 | ||
90 | --- /dev/null | ||
91 | +++ b/result/XInclude/fallback4.xml | ||
92 | @@ -0,0 +1,10 @@ | ||
93 | +<?xml version="1.0"?> | ||
94 | +<a> | ||
95 | + | ||
96 | + <doc xml:base="../ents/something.xml"> | ||
97 | +<p>something</p> | ||
98 | +<p>really</p> | ||
99 | +<p>simple</p> | ||
100 | +</doc> | ||
101 | + | ||
102 | +</a> | ||
103 | diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err | ||
104 | new file mode 100644 | ||
105 | index 0000000..e69de29 | ||
106 | diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr | ||
107 | new file mode 100644 | ||
108 | index 0000000..628b951 | ||
109 | --- /dev/null | ||
110 | +++ b/result/XInclude/fallback4.xml.rdr | ||
111 | @@ -0,0 +1,29 @@ | ||
112 | +0 1 a 0 0 | ||
113 | +1 14 #text 0 1 | ||
114 | + | ||
115 | +1 14 #text 0 1 | ||
116 | + | ||
117 | +1 1 doc 0 0 | ||
118 | +2 14 #text 0 1 | ||
119 | + | ||
120 | +2 1 p 0 0 | ||
121 | +3 3 #text 0 1 something | ||
122 | +2 15 p 0 0 | ||
123 | +2 14 #text 0 1 | ||
124 | + | ||
125 | +2 1 p 0 0 | ||
126 | +3 3 #text 0 1 really | ||
127 | +2 15 p 0 0 | ||
128 | +2 14 #text 0 1 | ||
129 | + | ||
130 | +2 1 p 0 0 | ||
131 | +3 3 #text 0 1 simple | ||
132 | +2 15 p 0 0 | ||
133 | +2 14 #text 0 1 | ||
134 | + | ||
135 | +1 15 doc 0 0 | ||
136 | +1 14 #text 0 1 | ||
137 | + | ||
138 | +1 14 #text 0 1 | ||
139 | + | ||
140 | +0 15 a 0 0 | ||
141 | diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml | ||
142 | new file mode 100644 | ||
143 | index 0000000..0c8b6c9 | ||
144 | --- /dev/null | ||
145 | +++ b/test/XInclude/docs/fallback3.xml | ||
146 | @@ -0,0 +1,9 @@ | ||
147 | +<a> | ||
148 | + <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
149 | + <xi:fallback> | ||
150 | + <xi:include href="c.xml"> | ||
151 | + <xi:fallback>There is no c.xml ... </xi:fallback> | ||
152 | + </xi:include> | ||
153 | + </xi:fallback> | ||
154 | + </xi:include> | ||
155 | +</a> | ||
156 | diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml | ||
157 | new file mode 100644 | ||
158 | index 0000000..b500a63 | ||
159 | --- /dev/null | ||
160 | +++ b/test/XInclude/docs/fallback4.xml | ||
161 | @@ -0,0 +1,7 @@ | ||
162 | +<a> | ||
163 | + <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
164 | + <xi:fallback> | ||
165 | + <xi:include href="../ents/something.xml"/> | ||
166 | + </xi:fallback> | ||
167 | + </xi:include> | ||
168 | +</a> | ||
169 | diff --git a/xinclude.c b/xinclude.c | ||
170 | index 001e992..6ec5d31 100644 | ||
171 | --- a/xinclude.c | ||
172 | +++ b/xinclude.c | ||
173 | @@ -2382,21 +2382,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { | ||
174 | * First phase: lookup the elements in the document | ||
175 | */ | ||
176 | cur = tree; | ||
177 | - if (xmlXIncludeTestNode(ctxt, cur) == 1) | ||
178 | - xmlXIncludePreProcessNode(ctxt, cur); | ||
179 | while ((cur != NULL) && (cur != tree->parent)) { | ||
180 | /* TODO: need to work on entities -> stack */ | ||
181 | - if ((cur->children != NULL) && | ||
182 | - (cur->children->type != XML_ENTITY_DECL) && | ||
183 | - (cur->children->type != XML_XINCLUDE_START) && | ||
184 | - (cur->children->type != XML_XINCLUDE_END)) { | ||
185 | - cur = cur->children; | ||
186 | - if (xmlXIncludeTestNode(ctxt, cur)) | ||
187 | - xmlXIncludePreProcessNode(ctxt, cur); | ||
188 | - } else if (cur->next != NULL) { | ||
189 | + if (xmlXIncludeTestNode(ctxt, cur) == 1) { | ||
190 | + xmlXIncludePreProcessNode(ctxt, cur); | ||
191 | + } else if ((cur->children != NULL) && | ||
192 | + (cur->children->type != XML_ENTITY_DECL) && | ||
193 | + (cur->children->type != XML_XINCLUDE_START) && | ||
194 | + (cur->children->type != XML_XINCLUDE_END)) { | ||
195 | + cur = cur->children; | ||
196 | + continue; | ||
197 | + } | ||
198 | + if (cur->next != NULL) { | ||
199 | cur = cur->next; | ||
200 | - if (xmlXIncludeTestNode(ctxt, cur)) | ||
201 | - xmlXIncludePreProcessNode(ctxt, cur); | ||
202 | } else { | ||
203 | if (cur == tree) | ||
204 | break; | ||
205 | @@ -2406,8 +2404,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { | ||
206 | break; /* do */ | ||
207 | if (cur->next != NULL) { | ||
208 | cur = cur->next; | ||
209 | - if (xmlXIncludeTestNode(ctxt, cur)) | ||
210 | - xmlXIncludePreProcessNode(ctxt, cur); | ||
211 | break; /* do */ | ||
212 | } | ||
213 | } while (cur != NULL); | ||
214 | -- | ||
215 | 2.23.0 | ||
216 | |||