Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch | 112 |
1 files changed, 112 insertions, 0 deletions
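--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+xinclude.c | 24 ++++++++++--------------
+1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+* First phase: lookup the elements in the document
+*/
+cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+while ((cur != NULL) && (cur != tree->parent)) {
+/* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+} else {
+if (cur == tree)
+break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+break; /* do */
+if (cur->next != NULL) {
+cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+break; /* do */
+}
+} while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+xinclude.c | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+xmlXIncludePreProcessNode(ctxt, cur);
+} else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+cur = cur->children;
+continue;
+}
+--
+2.32.0
+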
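Review bot: PATCH 2/2 in this file records only `Upstream-Status: Backport`, with no upstream commit or URL, whereas PATCH 1/2 names both its Fedora source and the upstream commit it was adapted from; I would make the second header `Upstream-Status: Backport [<upstream commit URL>]` so the allow-list change (`cur->type == XML_DOCUMENT_NODE || cur->type == XML_ELEMENT_NODE`) can be compared against its origin when the recipe is next upgraded. That matters here because PATCH 1/2 is stated to differ from upstream (the changes to the fallback files were left out), so a reader cannot assume either half is a verbatim cherry-pick. With those files dropped, and no test input visible in this change, the nested xi:include and `--dropdtd` cases appear not to be exercised by anything shipped with the recipe; a short line in the patch header saying how the backport was verified would close that gap. xmlXIncludeDoProcess begins and ends outside all three embedded hunks, so the traversal's exit conditions cannot be checked from this page alone.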