Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch | 45 |
1 files changed, 45 insertions, 0 deletions
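diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
new file mode 100644
index 0000000000..de5fc0e8cb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
+CVE: CVE-2021-3518
+
+[OP: adjusted context]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+xinclude.c | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 6ec5d31..b8eebcc 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+xmlXIncludePreProcessNode(ctxt, cur);
+} else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+cur = cur->children;
+continue;
+}
+--
+2.23.0
+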
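Review bot: Nothing on this page shows the libxml2 recipe listing the new file in SRC_URI, and without that entry the CVE-2021-3518 fix is not applied at build time. The view is limited to the patch file, so the recipe change cannot be checked here; it should carry a line such as `file://CVE-2021-3518-0002.patch \`, ordered after the first patch of the series, since the subject marks this one as 2/2. The `[OP: adjusted context]` line says the hunk was edited by hand, so the two added lines testing `cur->type` against `XML_DOCUMENT_NODE` and `XML_ELEMENT_NODE` should be compared with upstream commit 1098c30a040e72a4654968547f415be4e4c40fe7 to confirm that only context differs. The hunk shows only part of xmlXIncludeDoProcess, so how the loop moves on after a node it no longer descends into is outside this view.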