1 files changed, 80 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+Fixes #583.
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+        if (node->type == XML_DTD_NODE ) {
+-           if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+           if ((doc == NULL) || (doc->intSubset != NULL)) {
+                node = node->next;
+                continue;
+            }
+-           if (doc->intSubset == NULL) {
+-               q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) goto error;
+-               q->doc = doc;
+-               q->parent = parent;
+-               doc->intSubset = (xmlDtdPtr) q;
+-               xmlAddChild(parent, q);
+-           } else {
+-               q = (xmlNodePtr) doc->intSubset;
+-               xmlAddChild(parent, q);
+-           }
+-       } else
+            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+            if (q == NULL) goto error;
+            q->doc = doc;
+            q->parent = parent;
+            newSubset = (xmlDtdPtr) q;
+#else
+            node = node->next;
+            continue;
+ #endif /* LIBXML_TREE_ENABLED */
+       } else {
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) goto error;
+           if (q == NULL) goto error;
+        }
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        }
+        node = node->next;
+     }
+    if (newSubset != NULL)
+        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch new file mode 100644 index 0000000000..c7e9681e6a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
	1	From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Wed, 23 Aug 2023 20:24:24 +0200
	4	Subject: [PATCH] tree: Fix copying of DTDs
	5
	6	- Don't create multiple DTD nodes.
	7	- Fix UAF if malloc fails.
	8	- Skip DTD nodes if tree module is disabled.
	9
	10	Fixes #583.
	11
	12	CVE: CVE-2023-45322
	13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
	14
	15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	17	---
	18	tree.c \| 31 ++++++++++++++++---------------
	19	1 file changed, 16 insertions(+), 15 deletions(-)
	20
	21	diff --git a/tree.c b/tree.c
	22	index 6c8a875b9..02c1b5791 100644
	23	--- a/tree.c
	24	+++ b/tree.c
	25	@@ -4471,29 +4471,28 @@ xmlNodePtr
	26	xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
	27	xmlNodePtr ret = NULL;
	28	xmlNodePtr p = NULL,q;
	29	+ xmlDtdPtr newSubset = NULL;
	30
	31	while (node != NULL) {
	32	-#ifdef LIBXML_TREE_ENABLED
	33	if (node->type == XML_DTD_NODE ) {
	34	- if (doc == NULL) {
	35	+#ifdef LIBXML_TREE_ENABLED
	36	+ if ((doc == NULL) \|\| (doc->intSubset != NULL)) {
	37	node = node->next;
	38	continue;
	39	}
	40	- if (doc->intSubset == NULL) {
	41	- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
	42	- if (q == NULL) goto error;
	43	- q->doc = doc;
	44	- q->parent = parent;
	45	- doc->intSubset = (xmlDtdPtr) q;
	46	- xmlAddChild(parent, q);
	47	- } else {
	48	- q = (xmlNodePtr) doc->intSubset;
	49	- xmlAddChild(parent, q);
	50	- }
	51	- } else
	52	+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
	53	+ if (q == NULL) goto error;
	54	+ q->doc = doc;
	55	+ q->parent = parent;
	56	+ newSubset = (xmlDtdPtr) q;
	57	+#else
	58	+ node = node->next;
	59	+ continue;
	60	#endif /* LIBXML_TREE_ENABLED */
	61	+ } else {
	62	q = xmlStaticCopyNode(node, doc, parent, 1);
	63	- if (q == NULL) goto error;
	64	+ if (q == NULL) goto error;
	65	+ }
	66	if (ret == NULL) {
	67	q->prev = NULL;
	68	ret = p = q;
	69	@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
	70	}
	71	node = node->next;
	72	}
	73	+ if (newSubset != NULL)
	74	+ doc->intSubset = newSubset;
	75	return(ret);
	76	error:
	77	xmlFreeNodeList(ret);
	78	--
	79	GitLab
	80