3 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..182bb29abd
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+Found with libFuzzer, see #344.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+            }
+            if (doc->intSubset == NULL) {
+                q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) return(NULL);
+               if (q == NULL) goto error;
+                q->doc = doc;
+                q->parent = parent;
+                doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        } else
+ #endif /* LIBXML_TREE_ENABLED */
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) return(NULL);
+       if (q == NULL) goto error;
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        node = node->next;
+     }
+     return(ret);
+error:
+    xmlFreeNodeList(ret);
+    return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+Fixes #583.
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+        if (node->type == XML_DTD_NODE ) {
+-           if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+           if ((doc == NULL) || (doc->intSubset != NULL)) {
+                node = node->next;
+                continue;
+            }
+-           if (doc->intSubset == NULL) {
+-               q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) goto error;
+-               q->doc = doc;
+-               q->parent = parent;
+-               doc->intSubset = (xmlDtdPtr) q;
+-               xmlAddChild(parent, q);
+-           } else {
+-               q = (xmlNodePtr) doc->intSubset;
+-               xmlAddChild(parent, q);
+-           }
+-       } else
+            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+            if (q == NULL) goto error;
+            q->doc = doc;
+            q->parent = parent;
+            newSubset = (xmlDtdPtr) q;
+#else
+            node = node->next;
+            continue;
+ #endif /* LIBXML_TREE_ENABLED */
+       } else {
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) goto error;
+           if (q == NULL) goto error;
+        }
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        }
+        node = node->next;
+     }
+    if (newSubset != NULL)
+        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index aa17cd8cca..90d30f1ea7 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -42,6 +42,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
           file://CVE-2023-39615-0001.patch \
           file://CVE-2023-39615-0002.patch \
           file://CVE-2021-3516.patch \
+           file://CVE-2023-45322-1.patch \
+           file://CVE-2023-45322-2.patch \
           "
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch new file mode 100644 index 0000000000..182bb29abd --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
		1	From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 2 Nov 2022 15:44:42 +0100
		4	Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
		5
		6	Found with libFuzzer, see #344.
		7
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
		9
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	tree.c \| 7 +++++--
		14	1 file changed, 5 insertions(+), 2 deletions(-)
		15
		16	diff --git a/tree.c b/tree.c
		17	index 507869efe..647288ce3 100644
		18	--- a/tree.c
		19	+++ b/tree.c
		20	@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		21	}
		22	if (doc->intSubset == NULL) {
		23	q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		24	- if (q == NULL) return(NULL);
		25	+ if (q == NULL) goto error;
		26	q->doc = doc;
		27	q->parent = parent;
		28	doc->intSubset = (xmlDtdPtr) q;
		29	@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		30	} else
		31	#endif /* LIBXML_TREE_ENABLED */
		32	q = xmlStaticCopyNode(node, doc, parent, 1);
		33	- if (q == NULL) return(NULL);
		34	+ if (q == NULL) goto error;
		35	if (ret == NULL) {
		36	q->prev = NULL;
		37	ret = p = q;
		38	@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		39	node = node->next;
		40	}
		41	return(ret);
		42	+error:
		43	+ xmlFreeNodeList(ret);
		44	+ return(NULL);
		45	}
		46
		47	/**
		48	--
		49	GitLab
		50


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch new file mode 100644 index 0000000000..c7e9681e6a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
		1	From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 23 Aug 2023 20:24:24 +0200
		4	Subject: [PATCH] tree: Fix copying of DTDs
		5
		6	- Don't create multiple DTD nodes.
		7	- Fix UAF if malloc fails.
		8	- Skip DTD nodes if tree module is disabled.
		9
		10	Fixes #583.
		11
		12	CVE: CVE-2023-45322
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
		14
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	tree.c \| 31 ++++++++++++++++---------------
		19	1 file changed, 16 insertions(+), 15 deletions(-)
		20
		21	diff --git a/tree.c b/tree.c
		22	index 6c8a875b9..02c1b5791 100644
		23	--- a/tree.c
		24	+++ b/tree.c
		25	@@ -4471,29 +4471,28 @@ xmlNodePtr
		26	xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		27	xmlNodePtr ret = NULL;
		28	xmlNodePtr p = NULL,q;
		29	+ xmlDtdPtr newSubset = NULL;
		30
		31	while (node != NULL) {
		32	-#ifdef LIBXML_TREE_ENABLED
		33	if (node->type == XML_DTD_NODE ) {
		34	- if (doc == NULL) {
		35	+#ifdef LIBXML_TREE_ENABLED
		36	+ if ((doc == NULL) \|\| (doc->intSubset != NULL)) {
		37	node = node->next;
		38	continue;
		39	}
		40	- if (doc->intSubset == NULL) {
		41	- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		42	- if (q == NULL) goto error;
		43	- q->doc = doc;
		44	- q->parent = parent;
		45	- doc->intSubset = (xmlDtdPtr) q;
		46	- xmlAddChild(parent, q);
		47	- } else {
		48	- q = (xmlNodePtr) doc->intSubset;
		49	- xmlAddChild(parent, q);
		50	- }
		51	- } else
		52	+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		53	+ if (q == NULL) goto error;
		54	+ q->doc = doc;
		55	+ q->parent = parent;
		56	+ newSubset = (xmlDtdPtr) q;
		57	+#else
		58	+ node = node->next;
		59	+ continue;
		60	#endif /* LIBXML_TREE_ENABLED */
		61	+ } else {
		62	q = xmlStaticCopyNode(node, doc, parent, 1);
		63	- if (q == NULL) goto error;
		64	+ if (q == NULL) goto error;
		65	+ }
		66	if (ret == NULL) {
		67	q->prev = NULL;
		68	ret = p = q;
		69	@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		70	}
		71	node = node->next;
		72	}
		73	+ if (newSubset != NULL)
		74	+ doc->intSubset = newSubset;
		75	return(ret);
		76	error:
		77	xmlFreeNodeList(ret);
		78	--
		79	GitLab
		80


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index aa17cd8cca..90d30f1ea7 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -42,6 +42,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
42	file://CVE-2023-39615-0001.patch \	42	file://CVE-2023-39615-0001.patch \
43	file://CVE-2023-39615-0002.patch \	43	file://CVE-2023-39615-0002.patch \
44	file://CVE-2021-3516.patch \	44	file://CVE-2021-3516.patch \
		45	file://CVE-2023-45322-1.patch \
		46	file://CVE-2023-45322-2.patch \
45	"	47	"
46		48
47	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"	49	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"