1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
new file mode 100644
index 0000000000..de5fc0e8cb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+Fixes #237.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
+CVE: CVE-2021-3518
+[OP: adjusted context]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/xinclude.c b/xinclude.c
+index 6ec5d31..b8eebcc 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+         if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+             xmlXIncludePreProcessNode(ctxt, cur);
+         } else if ((cur->children != NULL) &&
+-                   (cur->children->type != XML_ENTITY_DECL) &&
+-                   (cur->children->type != XML_XINCLUDE_START) &&
+-                   (cur->children->type != XML_XINCLUDE_END)) {
+                   ((cur->type == XML_DOCUMENT_NODE) ||
+                    (cur->type == XML_ELEMENT_NODE))) {
+             cur = cur->children;
+             continue;
+         }
+-- 
+2.23.0

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch new file mode 100644 index 0000000000..de5fc0e8cb --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
	1	From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Thu, 22 Apr 2021 19:26:28 +0200
	4	Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
	5
	6	The --dropdtd option can leave dangling pointers in entity reference
	7	nodes. Make sure to skip these nodes when processing XIncludes.
	8
	9	This also avoids scanning entity declarations and even modifying
	10	them inadvertently during XInclude processing.
	11
	12	Move from a block list to an allow list approach to avoid descending
	13	into other node types that can't contain elements.
	14
	15	Fixes #237.
	16
	17	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
	18	CVE: CVE-2021-3518
	19
	20	[OP: adjusted context]
	21	Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
	22	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
	23	---
	24	xinclude.c \| 5 ++---
	25	1 file changed, 2 insertions(+), 3 deletions(-)
	26
	27	diff --git a/xinclude.c b/xinclude.c
	28	index 6ec5d31..b8eebcc 100644
	29	--- a/xinclude.c
	30	+++ b/xinclude.c
	31	@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
	32	if (xmlXIncludeTestNode(ctxt, cur) == 1) {
	33	xmlXIncludePreProcessNode(ctxt, cur);
	34	} else if ((cur->children != NULL) &&
	35	- (cur->children->type != XML_ENTITY_DECL) &&
	36	- (cur->children->type != XML_XINCLUDE_START) &&
	37	- (cur->children->type != XML_XINCLUDE_END)) {
	38	+ ((cur->type == XML_DOCUMENT_NODE) \|\|
	39	+ (cur->type == XML_ELEMENT_NODE))) {
	40	cur = cur->children;
	41	continue;
	42	}
	43	--
	44	2.23.0
	45