2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
new file mode 100644
index 0000000000..defbe7867b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,49 @@
+From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+Fixes #243.
+CVE: CVE-2021-3537
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/parser.c b/parser.c
+index a34bb6cd..bbcff39f 100644
+--- a/parser.c
+++ b/parser.c
+@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+        SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
+        if (cur == NULL)
+            return(NULL);
+        SKIP_BLANKS;
+        GROW;
+     } else {
+@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+            SKIP_BLANKS;
+            last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
+            if (last == NULL) {
+               if (ret != NULL)
+                   xmlFreeDocElementContent(ctxt->myDoc, ret);
+               return(NULL);
+            }
+            SKIP_BLANKS;
+        } else {
+            elem = xmlParseName(ctxt);
+-- 
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 6f1229c2d0..b850164285 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://fix-python39.patch \
           file://CVE-2021-3517.patch \
           file://CVE-2021-3516.patch \
+           file://CVE-2021-3537.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 0000000000..defbe7867b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,49 @@
		1	From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Sat, 1 May 2021 16:53:33 +0200
		4	Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv
		5
		6	Check return value of recursive calls to
		7	xmlParseElementChildrenContentDeclPriv and return immediately in case
		8	of errors. Otherwise, struct xmlElementContent could contain unexpected
		9	null pointers, leading to a null deref when post-validating documents
		10	which aren't well-formed and parsed in recovery mode.
		11
		12	Fixes #243.
		13
		14	CVE: CVE-2021-3537
		15	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
		16
		17	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		18	---
		19	parser.c \| 7 +++++++
		20	1 file changed, 7 insertions(+)
		21
		22	diff --git a/parser.c b/parser.c
		23	index a34bb6cd..bbcff39f 100644
		24	--- a/parser.c
		25	+++ b/parser.c
		26	@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
		27	SKIP_BLANKS;
		28	cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
		29	depth + 1);
		30	+ if (cur == NULL)
		31	+ return(NULL);
		32	SKIP_BLANKS;
		33	GROW;
		34	} else {
		35	@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
		36	SKIP_BLANKS;
		37	last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
		38	depth + 1);
		39	+ if (last == NULL) {
		40	+ if (ret != NULL)
		41	+ xmlFreeDocElementContent(ctxt->myDoc, ret);
		42	+ return(NULL);
		43	+ }
		44	SKIP_BLANKS;
		45	} else {
		46	elem = xmlParseName(ctxt);
		47	--
		48	2.25.1
		49


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 6f1229c2d0..b850164285 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
26	file://fix-python39.patch \	26	file://fix-python39.patch \
27	file://CVE-2021-3517.patch \	27	file://CVE-2021-3517.patch \
28	file://CVE-2021-3516.patch \	28	file://CVE-2021-3516.patch \
		29	file://CVE-2021-3537.patch \
29	"	30	"
30		31
31	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	32	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"