diff options
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch')
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch new file mode 100644 index 0000000000..c19726fe9f --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch | |||
| @@ -0,0 +1,104 @@ | |||
| 1 | From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
| 3 | Date: Wed, 31 Aug 2022 22:11:25 +0200 | ||
| 4 | Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity | ||
| 5 | reference cycles | ||
| 6 | |||
| 7 | When an entity reference cycle is detected, the entity content is | ||
| 8 | cleared by setting its first byte to zero. But the entity content might | ||
| 9 | be allocated from a dict. In this case, the dict entry becomes corrupted | ||
| 10 | leading to all kinds of logic errors, including memory errors like | ||
| 11 | double-frees. | ||
| 12 | |||
| 13 | Stop storing entity content, orig, ExternalID and SystemID in a dict. | ||
| 14 | These values are unlikely to occur multiple times in a document, so they | ||
| 15 | shouldn't have been stored in a dict in the first place. | ||
| 16 | |||
| 17 | Thanks to Ned Williamson and Nathan Wachholz working with Google Project | ||
| 18 | Zero for the report! | ||
| 19 | |||
| 20 | CVE: CVE-2022-40304 | ||
| 21 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b] | ||
| 22 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
| 23 | --- | ||
| 24 | entities.c | 55 ++++++++++++++++-------------------------------------- | ||
| 25 | 1 file changed, 16 insertions(+), 39 deletions(-) | ||
| 26 | |||
| 27 | diff --git a/entities.c b/entities.c | ||
| 28 | index 84435515..d4e5412e 100644 | ||
| 29 | --- a/entities.c | ||
| 30 | +++ b/entities.c | ||
| 31 | @@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity) | ||
| 32 | if ((entity->children) && (entity->owner == 1) && | ||
| 33 | (entity == (xmlEntityPtr) entity->children->parent)) | ||
| 34 | xmlFreeNodeList(entity->children); | ||
| 35 | - if (dict != NULL) { | ||
| 36 | - if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) | ||
| 37 | - xmlFree((char *) entity->name); | ||
| 38 | - if ((entity->ExternalID != NULL) && | ||
| 39 | - (!xmlDictOwns(dict, entity->ExternalID))) | ||
| 40 | - xmlFree((char *) entity->ExternalID); | ||
| 41 | - if ((entity->SystemID != NULL) && | ||
| 42 | - (!xmlDictOwns(dict, entity->SystemID))) | ||
| 43 | - xmlFree((char *) entity->SystemID); | ||
| 44 | - if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) | ||
| 45 | - xmlFree((char *) entity->URI); | ||
| 46 | - if ((entity->content != NULL) | ||
| 47 | - && (!xmlDictOwns(dict, entity->content))) | ||
| 48 | - xmlFree((char *) entity->content); | ||
| 49 | - if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) | ||
| 50 | - xmlFree((char *) entity->orig); | ||
| 51 | - } else { | ||
| 52 | - if (entity->name != NULL) | ||
| 53 | - xmlFree((char *) entity->name); | ||
| 54 | - if (entity->ExternalID != NULL) | ||
| 55 | - xmlFree((char *) entity->ExternalID); | ||
| 56 | - if (entity->SystemID != NULL) | ||
| 57 | - xmlFree((char *) entity->SystemID); | ||
| 58 | - if (entity->URI != NULL) | ||
| 59 | - xmlFree((char *) entity->URI); | ||
| 60 | - if (entity->content != NULL) | ||
| 61 | - xmlFree((char *) entity->content); | ||
| 62 | - if (entity->orig != NULL) | ||
| 63 | - xmlFree((char *) entity->orig); | ||
| 64 | - } | ||
| 65 | + if ((entity->name != NULL) && | ||
| 66 | + ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) | ||
| 67 | + xmlFree((char *) entity->name); | ||
| 68 | + if (entity->ExternalID != NULL) | ||
| 69 | + xmlFree((char *) entity->ExternalID); | ||
| 70 | + if (entity->SystemID != NULL) | ||
| 71 | + xmlFree((char *) entity->SystemID); | ||
| 72 | + if (entity->URI != NULL) | ||
| 73 | + xmlFree((char *) entity->URI); | ||
| 74 | + if (entity->content != NULL) | ||
| 75 | + xmlFree((char *) entity->content); | ||
| 76 | + if (entity->orig != NULL) | ||
| 77 | + xmlFree((char *) entity->orig); | ||
| 78 | xmlFree(entity); | ||
| 79 | } | ||
| 80 | |||
| 81 | @@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, | ||
| 82 | ret->SystemID = xmlStrdup(SystemID); | ||
| 83 | } else { | ||
| 84 | ret->name = xmlDictLookup(dict, name, -1); | ||
| 85 | - if (ExternalID != NULL) | ||
| 86 | - ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); | ||
| 87 | - if (SystemID != NULL) | ||
| 88 | - ret->SystemID = xmlDictLookup(dict, SystemID, -1); | ||
| 89 | + ret->ExternalID = xmlStrdup(ExternalID); | ||
| 90 | + ret->SystemID = xmlStrdup(SystemID); | ||
| 91 | } | ||
| 92 | if (content != NULL) { | ||
| 93 | ret->length = xmlStrlen(content); | ||
| 94 | - if ((dict != NULL) && (ret->length < 5)) | ||
| 95 | - ret->content = (xmlChar *) | ||
| 96 | - xmlDictLookup(dict, content, ret->length); | ||
| 97 | - else | ||
| 98 | - ret->content = xmlStrndup(content, ret->length); | ||
| 99 | + ret->content = xmlStrndup(content, ret->length); | ||
| 100 | } else { | ||
| 101 | ret->length = 0; | ||
| 102 | ret->content = NULL; | ||
| 103 | -- | ||
| 104 | GitLab | ||