summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2025-01-10 20:06:03 +0100
committerGyorgy Sarvari <skandigraun@gmail.com>2025-10-01 19:40:58 +0200
commit91e03d42a320f552a650ef4470c64dfe3d0e6fe6 (patch)
tree8f97be97818e8f069ec2312d51efbf0c454fd827
parent505f2defdc0b6b3a10ce2669bb7f83bf16c721af (diff)
downloadmeta-openembedded-91e03d42a320f552a650ef4470c64dfe3d0e6fe6.tar.gz
libtinyxml: patch CVE-2021-42260
Take patch from Debian: https://salsa.debian.org/debian/tinyxml/-/commit/38db99c12e43d7d6e349403ce4d39a706708603d Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 066cf35ae588ef5f81266b216624b95d37777661) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
-rw-r--r--meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch27
-rw-r--r--meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb4
2 files changed, 30 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch b/meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch
new file mode 100644
index 0000000000..8fc623744c
--- /dev/null
+++ b/meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch
@@ -0,0 +1,27 @@
1Description: In stamp always advance the pointer if *p= 0xef
2 .
3 The current implementation only advanced if 0xef is followed
4 by two non-zero bytes. In case of malformed input (0xef should be
5 the start byte of a three byte character) this leads to an infinite
6 loop. (CVE-2021-42260)
7Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
8
9CVE: CVE-2021-42260
10Upstream-Status: Inactive-Upstream [lastrelease: 2011]
11Signed-off-by: Peter Marko <peter.marko@siemens.com>
12
13--- a/tinyxmlparser.cpp
14+++ b/tinyxmlparser.cpp
15@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
16 else
17 { p +=3; ++col; } // A normal character.
18 }
19+ else
20+ {
21+ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
22+ // there is something wrong here. Just advance the pointer to evade infinite loops
23+ ++p;
24+ }
25 }
26 else
27 {
diff --git a/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb b/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb
index 138df9f300..96c765299b 100644
--- a/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb
+++ b/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb
@@ -10,7 +10,9 @@ PR = "r5"
10 10
11SRC_URI = "${SOURCEFORGE_MIRROR}/tinyxml/tinyxml_${@'${PV}'.replace('.', '_')}.tar.gz \ 11SRC_URI = "${SOURCEFORGE_MIRROR}/tinyxml/tinyxml_${@'${PV}'.replace('.', '_')}.tar.gz \
12 file://enforce-use-stl.patch \ 12 file://enforce-use-stl.patch \
13 file://entity-encoding.patch" 13 file://entity-encoding.patch \
14 file://CVE-2021-42260.patch \
15"
14SRC_URI[md5sum] = "c1b864c96804a10526540c664ade67f0" 16SRC_URI[md5sum] = "c1b864c96804a10526540c664ade67f0"
15SRC_URI[sha256sum] = "15bdfdcec58a7da30adc87ac2b078e4417dbe5392f3afb719f9ba6d062645593" 17SRC_URI[sha256sum] = "15bdfdcec58a7da30adc87ac2b078e4417dbe5392f3afb719f9ba6d062645593"
16 18