1 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
new file mode 100644
index 0000000000..40d3debea1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+Found with libFuzzer and ASan.
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+      * First phase: lookup the elements in the document
+      */
+     cur = tree;
+-    if (xmlXIncludeTestNode(ctxt, cur) == 1)
+-       xmlXIncludePreProcessNode(ctxt, cur);
+     while ((cur != NULL) && (cur != tree->parent)) {
+        /* TODO: need to work on entities -> stack */
+-       if ((cur->children != NULL) &&
+-           (cur->children->type != XML_ENTITY_DECL) &&
+-           (cur->children->type != XML_XINCLUDE_START) &&
+-           (cur->children->type != XML_XINCLUDE_END)) {
+-           cur = cur->children;
+-           if (xmlXIncludeTestNode(ctxt, cur))
+-               xmlXIncludePreProcessNode(ctxt, cur);
+-       } else if (cur->next != NULL) {
+        if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+            xmlXIncludePreProcessNode(ctxt, cur);
+        } else if ((cur->children != NULL) &&
+                   (cur->children->type != XML_ENTITY_DECL) &&
+                   (cur->children->type != XML_XINCLUDE_START) &&
+                   (cur->children->type != XML_XINCLUDE_END)) {
+            cur = cur->children;
+            continue;
+        }
+       if (cur->next != NULL) {
+            cur = cur->next;
+-           if (xmlXIncludeTestNode(ctxt, cur))
+-               xmlXIncludePreProcessNode(ctxt, cur);
+        } else {
+            if (cur == tree)
+                break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+                    break; /* do */
+                if (cur->next != NULL) {
+                    cur = cur->next;
+-                   if (xmlXIncludeTestNode(ctxt, cur))
+-                       xmlXIncludePreProcessNode(ctxt, cur);
+                    break; /* do */
+                }
+            } while (cur != NULL);
+-- 
+2.32.0
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+         if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+             xmlXIncludePreProcessNode(ctxt, cur);
+         } else if ((cur->children != NULL) &&
+-                   (cur->children->type != XML_ENTITY_DECL) &&
+-                   (cur->children->type != XML_XINCLUDE_START) &&
+-                   (cur->children->type != XML_XINCLUDE_END)) {
+                   ((cur->type == XML_DOCUMENT_NODE) ||
+                    (cur->type == XML_ELEMENT_NODE))) {
+             cur = cur->children;
+             continue;
+         }
+-- 
+2.32.0

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch new file mode 100644 index 0000000000..40d3debea1 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
	1	From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Wed, 10 Jun 2020 16:34:52 +0200
	4	Subject: [PATCH 1/2] Don't recurse into xi:include children in
	5	xmlXIncludeDoProcess
	6
	7	Otherwise, nested xi:include nodes might result in a use-after-free
	8	if XML_PARSE_NOXINCNODE is specified.
	9
	10	Found with libFuzzer and ASan.
	11
	12	Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
	13
	14	The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
	15	as to avoid unnecessary modifications to fallback files.
	16
	17	CVE: CVE-2021-3518
	18	Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
	19	---
	20	xinclude.c \| 24 ++++++++++--------------
	21	1 file changed, 10 insertions(+), 14 deletions(-)
	22
	23	diff --git a/xinclude.c b/xinclude.c
	24	index ba850fa5..f260c1a7 100644
	25	--- a/xinclude.c
	26	+++ b/xinclude.c
	27	@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
	28	* First phase: lookup the elements in the document
	29	*/
	30	cur = tree;
	31	- if (xmlXIncludeTestNode(ctxt, cur) == 1)
	32	- xmlXIncludePreProcessNode(ctxt, cur);
	33	while ((cur != NULL) && (cur != tree->parent)) {
	34	/* TODO: need to work on entities -> stack */
	35	- if ((cur->children != NULL) &&
	36	- (cur->children->type != XML_ENTITY_DECL) &&
	37	- (cur->children->type != XML_XINCLUDE_START) &&
	38	- (cur->children->type != XML_XINCLUDE_END)) {
	39	- cur = cur->children;
	40	- if (xmlXIncludeTestNode(ctxt, cur))
	41	- xmlXIncludePreProcessNode(ctxt, cur);
	42	- } else if (cur->next != NULL) {
	43	+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
	44	+ xmlXIncludePreProcessNode(ctxt, cur);
	45	+ } else if ((cur->children != NULL) &&
	46	+ (cur->children->type != XML_ENTITY_DECL) &&
	47	+ (cur->children->type != XML_XINCLUDE_START) &&
	48	+ (cur->children->type != XML_XINCLUDE_END)) {
	49	+ cur = cur->children;
	50	+ continue;
	51	+ }
	52	+ if (cur->next != NULL) {
	53	cur = cur->next;
	54	- if (xmlXIncludeTestNode(ctxt, cur))
	55	- xmlXIncludePreProcessNode(ctxt, cur);
	56	} else {
	57	if (cur == tree)
	58	break;
	59	@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
	60	break; /* do */
	61	if (cur->next != NULL) {
	62	cur = cur->next;
	63	- if (xmlXIncludeTestNode(ctxt, cur))
	64	- xmlXIncludePreProcessNode(ctxt, cur);
	65	break; /* do */
	66	}
	67	} while (cur != NULL);
	68	--
	69	2.32.0
	70
	71
	72	From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
	73	From: Nick Wellnhofer <wellnhofer@aevum.de>
	74	Date: Thu, 22 Apr 2021 19:26:28 +0200
	75	Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
	76
	77	The --dropdtd option can leave dangling pointers in entity reference
	78	nodes. Make sure to skip these nodes when processing XIncludes.
	79
	80	This also avoids scanning entity declarations and even modifying
	81	them inadvertently during XInclude processing.
	82
	83	Move from a block list to an allow list approach to avoid descending
	84	into other node types that can't contain elements.
	85
	86	Fixes #237.
	87	Upstream-Status: Backport
	88	CVE: CVE-2021-3518
	89	Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
	90	---
	91	xinclude.c \| 5 ++---
	92	1 file changed, 2 insertions(+), 3 deletions(-)
	93
	94	diff --git a/xinclude.c b/xinclude.c
	95	index f260c1a7..d7648529 100644
	96	--- a/xinclude.c
	97	+++ b/xinclude.c
	98	@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
	99	if (xmlXIncludeTestNode(ctxt, cur) == 1) {
	100	xmlXIncludePreProcessNode(ctxt, cur);
	101	} else if ((cur->children != NULL) &&
	102	- (cur->children->type != XML_ENTITY_DECL) &&
	103	- (cur->children->type != XML_XINCLUDE_START) &&
	104	- (cur->children->type != XML_XINCLUDE_END)) {
	105	+ ((cur->type == XML_DOCUMENT_NODE) \|\|
	106	+ (cur->type == XML_ELEMENT_NODE))) {
	107	cur = cur->children;
	108	continue;
	109	}
	110	--
	111	2.32.0
	112