libxml2: Fix CVE-2021-3518

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243] (From OE-Core rev: ef2a81a473e7c36a36facb209ca907a7439d36f2) Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jasper Orschulko <jasper@fancydomain.eu> 2021-06-21 17:33:22 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-07-02 07:44:59 +0100
commit: fbb58d5344a17600264529016e75bbe92480b44f (patch)
tree: 1d316af80121d36b8c7597ad5520fbb823fe3f55
parent: 8a496e9eb9f0540cb5c319451413812b7c51caf9 (diff)
download: poky-fbb58d5344a17600264529016e75bbe92480b44f.tar.gz
2 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
new file mode 100644
index 0000000000..40d3debea1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+Found with libFuzzer and ASan.
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+      * First phase: lookup the elements in the document
+      */
+     cur = tree;
+-    if (xmlXIncludeTestNode(ctxt, cur) == 1)
+-       xmlXIncludePreProcessNode(ctxt, cur);
+     while ((cur != NULL) && (cur != tree->parent)) {
+        /* TODO: need to work on entities -> stack */
+-       if ((cur->children != NULL) &&
+-           (cur->children->type != XML_ENTITY_DECL) &&
+-           (cur->children->type != XML_XINCLUDE_START) &&
+-           (cur->children->type != XML_XINCLUDE_END)) {
+-           cur = cur->children;
+-           if (xmlXIncludeTestNode(ctxt, cur))
+-               xmlXIncludePreProcessNode(ctxt, cur);
+-       } else if (cur->next != NULL) {
+        if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+            xmlXIncludePreProcessNode(ctxt, cur);
+        } else if ((cur->children != NULL) &&
+                   (cur->children->type != XML_ENTITY_DECL) &&
+                   (cur->children->type != XML_XINCLUDE_START) &&
+                   (cur->children->type != XML_XINCLUDE_END)) {
+            cur = cur->children;
+            continue;
+        }
+       if (cur->next != NULL) {
+            cur = cur->next;
+-           if (xmlXIncludeTestNode(ctxt, cur))
+-               xmlXIncludePreProcessNode(ctxt, cur);
+        } else {
+            if (cur == tree)
+                break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+                    break; /* do */
+                if (cur->next != NULL) {
+                    cur = cur->next;
+-                   if (xmlXIncludeTestNode(ctxt, cur))
+-                       xmlXIncludePreProcessNode(ctxt, cur);
+                    break; /* do */
+                }
+            } while (cur != NULL);
+-- 
+2.32.0
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+         if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+             xmlXIncludePreProcessNode(ctxt, cur);
+         } else if ((cur->children != NULL) &&
+-                   (cur->children->type != XML_ENTITY_DECL) &&
+-                   (cur->children->type != XML_XINCLUDE_START) &&
+-                   (cur->children->type != XML_XINCLUDE_END)) {
+                   ((cur->type == XML_DOCUMENT_NODE) ||
+                    (cur->type == XML_ELEMENT_NODE))) {
+             cur = cur->children;
+             continue;
+         }
+-- 
+2.32.0
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 097613fb28..b5fb3e6315 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://CVE-2020-24977.patch \
           file://CVE-2021-3517.patch \
           file://CVE-2021-3537.patch \
+           file://CVE-2021-3518.patch \
           "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
author	Jasper Orschulko <jasper@fancydomain.eu>	2021-06-21 17:33:22 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-07-02 07:44:59 +0100
commit	fbb58d5344a17600264529016e75bbe92480b44f (patch)
tree	1d316af80121d36b8c7597ad5520fbb823fe3f55
parent	8a496e9eb9f0540cb5c319451413812b7c51caf9 (diff)
download	poky-fbb58d5344a17600264529016e75bbe92480b44f.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch new file mode 100644 index 0000000000..40d3debea1 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
		1	From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 10 Jun 2020 16:34:52 +0200
		4	Subject: [PATCH 1/2] Don't recurse into xi:include children in
		5	xmlXIncludeDoProcess
		6
		7	Otherwise, nested xi:include nodes might result in a use-after-free
		8	if XML_PARSE_NOXINCNODE is specified.
		9
		10	Found with libFuzzer and ASan.
		11
		12	Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
		13
		14	The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
		15	as to avoid unnecessary modifications to fallback files.
		16
		17	CVE: CVE-2021-3518
		18	Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
		19	---
		20	xinclude.c \| 24 ++++++++++--------------
		21	1 file changed, 10 insertions(+), 14 deletions(-)
		22
		23	diff --git a/xinclude.c b/xinclude.c
		24	index ba850fa5..f260c1a7 100644
		25	--- a/xinclude.c
		26	+++ b/xinclude.c
		27	@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
		28	* First phase: lookup the elements in the document
		29	*/
		30	cur = tree;
		31	- if (xmlXIncludeTestNode(ctxt, cur) == 1)
		32	- xmlXIncludePreProcessNode(ctxt, cur);
		33	while ((cur != NULL) && (cur != tree->parent)) {
		34	/* TODO: need to work on entities -> stack */
		35	- if ((cur->children != NULL) &&
		36	- (cur->children->type != XML_ENTITY_DECL) &&
		37	- (cur->children->type != XML_XINCLUDE_START) &&
		38	- (cur->children->type != XML_XINCLUDE_END)) {
		39	- cur = cur->children;
		40	- if (xmlXIncludeTestNode(ctxt, cur))
		41	- xmlXIncludePreProcessNode(ctxt, cur);
		42	- } else if (cur->next != NULL) {
		43	+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
		44	+ xmlXIncludePreProcessNode(ctxt, cur);
		45	+ } else if ((cur->children != NULL) &&
		46	+ (cur->children->type != XML_ENTITY_DECL) &&
		47	+ (cur->children->type != XML_XINCLUDE_START) &&
		48	+ (cur->children->type != XML_XINCLUDE_END)) {
		49	+ cur = cur->children;
		50	+ continue;
		51	+ }
		52	+ if (cur->next != NULL) {
		53	cur = cur->next;
		54	- if (xmlXIncludeTestNode(ctxt, cur))
		55	- xmlXIncludePreProcessNode(ctxt, cur);
		56	} else {
		57	if (cur == tree)
		58	break;
		59	@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
		60	break; /* do */
		61	if (cur->next != NULL) {
		62	cur = cur->next;
		63	- if (xmlXIncludeTestNode(ctxt, cur))
		64	- xmlXIncludePreProcessNode(ctxt, cur);
		65	break; /* do */
		66	}
		67	} while (cur != NULL);
		68	--
		69	2.32.0
		70
		71
		72	From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
		73	From: Nick Wellnhofer <wellnhofer@aevum.de>
		74	Date: Thu, 22 Apr 2021 19:26:28 +0200
		75	Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
		76
		77	The --dropdtd option can leave dangling pointers in entity reference
		78	nodes. Make sure to skip these nodes when processing XIncludes.
		79
		80	This also avoids scanning entity declarations and even modifying
		81	them inadvertently during XInclude processing.
		82
		83	Move from a block list to an allow list approach to avoid descending
		84	into other node types that can't contain elements.
		85
		86	Fixes #237.
		87	Upstream-Status: Backport
		88	CVE: CVE-2021-3518
		89	Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
		90	---
		91	xinclude.c \| 5 ++---
		92	1 file changed, 2 insertions(+), 3 deletions(-)
		93
		94	diff --git a/xinclude.c b/xinclude.c
		95	index f260c1a7..d7648529 100644
		96	--- a/xinclude.c
		97	+++ b/xinclude.c
		98	@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
		99	if (xmlXIncludeTestNode(ctxt, cur) == 1) {
		100	xmlXIncludePreProcessNode(ctxt, cur);
		101	} else if ((cur->children != NULL) &&
		102	- (cur->children->type != XML_ENTITY_DECL) &&
		103	- (cur->children->type != XML_XINCLUDE_START) &&
		104	- (cur->children->type != XML_XINCLUDE_END)) {
		105	+ ((cur->type == XML_DOCUMENT_NODE) \|\|
		106	+ (cur->type == XML_ELEMENT_NODE))) {
		107	cur = cur->children;
		108	continue;
		109	}
		110	--
		111	2.32.0
		112


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 097613fb28..b5fb3e6315 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
25	file://CVE-2020-24977.patch \	25	file://CVE-2020-24977.patch \
26	file://CVE-2021-3517.patch \	26	file://CVE-2021-3517.patch \
27	file://CVE-2021-3537.patch \	27	file://CVE-2021-3537.patch \
		28	file://CVE-2021-3518.patch \
28	"	29	"
29		30
30	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"	31	SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"