Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch | 50 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch | 80 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 |
3 files changed, 132 insertions, 0 deletions
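--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+tree.c | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+}
+if (doc->intSubset == NULL) {
+q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+q->doc = doc;
+q->parent = parent;
+doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+} else
+#endif /* LIBXML_TREE_ENABLED */
+q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+if (ret == NULL) {
+q->prev = NULL;
+ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+node = node->next;
+}
+return(ret);
++error:
++ xmlFreeNodeList(ret);
++ return(NULL);
+}
+
+/**
+--
+GitLab
+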
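Review bot: Applied on its own, this patch leaves the new `error:` path able to free a node the document still references. The DTD branch stores the copy with `doc->intSubset = (xmlDtdPtr) q;` and, judging by the lines CVE-2023-45322-2.patch removes, that copy is then linked into `ret`, so a later failed copy reaches `xmlFreeNodeList(ret)` while `doc->intSubset` still points at it. The second patch in this commit closes that by deferring the assignment, so the two must be applied together and in this order. The header should say so, for example `Prerequisite for CVE-2023-45322-2.patch; do not apply or revert separately.` above `Upstream-Status`, ideally with a `CVE: CVE-2023-45322` tag to match the second patch. Most of xmlStaticCopyNodeList's body lies outside these hunks.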
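--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+tree.c | 31 ++++++++++++++++---------------
+1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+xmlNodePtr ret = NULL;
+xmlNodePtr p = NULL,q;
++ xmlDtdPtr newSubset = NULL;
+
+while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+if (node->type == XML_DTD_NODE ) {
+- if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++ if ((doc == NULL) || (doc->intSubset != NULL)) {
+node = node->next;
+continue;
+}
+- if (doc->intSubset == NULL) {
+- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) goto error;
+- q->doc = doc;
+- q->parent = parent;
+- doc->intSubset = (xmlDtdPtr) q;
+- xmlAddChild(parent, q);
+- } else {
+- q = (xmlNodePtr) doc->intSubset;
+- xmlAddChild(parent, q);
+- }
+- } else
++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++ if (q == NULL) goto error;
++ q->doc = doc;
++ q->parent = parent;
++ newSubset = (xmlDtdPtr) q;
++#else
++ node = node->next;
++ continue;
+#endif /* LIBXML_TREE_ENABLED */
++ } else {
+q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) goto error;
++ if (q == NULL) goto error;
++ }
+if (ret == NULL) {
+q->prev = NULL;
+ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+}
+node = node->next;
+}
++ if (newSubset != NULL)
++ doc->intSubset = newSubset;
+return(ret);
+error:
+xmlFreeNodeList(ret);
+--
+GitLab
+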
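Review bot: The skip test `(doc == NULL) || (doc->intSubset != NULL)` cannot see a DTD copied earlier in the same call, because `doc->intSubset` is now assigned only after the loop. If the sibling list ever holds more than one XML_DTD_NODE, each appears to be copied and linked into `ret`, with `newSubset` left pointing at the last one, which sits oddly with the "Don't create multiple DTD nodes" item in the description. Extending the test to `if ((doc == NULL) || (doc->intSubset != NULL) || (newSubset != NULL)) {` would skip the later ones; since this is a backport, that is better raised upstream than changed locally so the patch stays identical to the referenced commit. The list-linking code and the rest of the `error:` path are outside the hunks shown.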
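--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -42,6 +42,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
 file://CVE-2023-39615-0001.patch \
 file://CVE-2023-39615-0002.patch \
 file://CVE-2021-3516.patch \
+file://CVE-2023-45322-1.patch \
+file://CVE-2023-45322-2.patch \
 "
 
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"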