expat: Fix CVE-2022-40674

Add patch file to fix CVE-2022-40674 Link: https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b (From OE-Core rev: 4efa4490becea956a62d45e1476f7b602be53eee) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Virendra Thakur <virendrak@kpit.com> 2022-09-21 18:27:05 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-23 16:22:59 +0100
commit: 2fef664dd9d3903704ee3e1f7b8714a1fa783d57 (patch)
tree: 96797cbffde977a24a8b919ed8cebb65c7ac9b87 /meta
parent: 915a752d3789fb3f3f4faa21fce9497e21d51401 (diff)
download: poky-2fef664dd9d3903704ee3e1f7b8714a1fa783d57.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..8b95f5f198
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor.  If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself.  If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+This patch ensures storeRawNames is always called when needed
+after calling doContent.  The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+CVE: CVE-2022-40674
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ expat/lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+Index: expat/lib/xmlparse.c
+===================================================================
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
+   {
+     parser->m_processor = contentProcessor;
+     /* see externalEntityContentProcessor vs contentProcessor */
+-    return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+-                     s, end, nextPtr,
+-                     (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+-                     XML_ACCOUNT_DIRECT);
+    result = doContent(parser, parser->m_parentParser ? 1 : 0,
+                       parser->m_encoding, s, end, nextPtr,
+                       (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+                       XML_ACCOUNT_DIRECT);
+    if (result == XML_ERROR_NONE) {
+      if (! storeRawNames(parser))
+        return XML_ERROR_NO_MEMORY;
+    }
+    return result;
+   }
+ }
+ 
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index f50e535922..578edfcbff 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
           file://CVE-2022-25314.patch \
           file://CVE-2022-25315.patch \
           file://libtool-tag.patch \
+           file://CVE-2022-40674.patch \
         "
 SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"
author	Virendra Thakur <virendrak@kpit.com>	2022-09-21 18:27:05 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-23 16:22:59 +0100
commit	2fef664dd9d3903704ee3e1f7b8714a1fa783d57 (patch)
tree	96797cbffde977a24a8b919ed8cebb65c7ac9b87 /meta
parent	915a752d3789fb3f3f4faa21fce9497e21d51401 (diff)
download	poky-2fef664dd9d3903704ee3e1f7b8714a1fa783d57.tar.gz

diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..8b95f5f198 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
		1	From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
		2	From: Rhodri James <rhodri@wildebeest.org.uk>
		3	Date: Wed, 17 Aug 2022 18:26:18 +0100
		4	Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
		5
		6	It is possible to concoct a situation in which parsing is
		7	suspended while substituting in an internal entity, so that
		8	XML_ResumeParser directly uses internalEntityProcessor as
		9	its processor. If the subsequent parse includes some unclosed
		10	tags, this will return without calling storeRawNames to ensure
		11	that the raw versions of the tag names are stored in memory other
		12	than the parse buffer itself. If the parse buffer is then changed
		13	or reallocated (for example if processing a file line by line),
		14	badness will ensue.
		15
		16	This patch ensures storeRawNames is always called when needed
		17	after calling doContent. The earlier call do doContent does
		18	not need the same protection; it only deals with entity
		19	substitution, which cannot leave unbalanced tags, and in any
		20	case the raw names will be pointing into the stored entity
		21	value not the parse buffer.
		22
		23	Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
		24	CVE: CVE-2022-40674
		25	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		26	---
		27	expat/lib/xmlparse.c \| 13 +++++++++----
		28	1 file changed, 9 insertions(+), 4 deletions(-)
		29
		30	Index: expat/lib/xmlparse.c
		31	===================================================================
		32	--- a/lib/xmlparse.c
		33	+++ b/lib/xmlparse.c
		34	@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
		35	{
		36	parser->m_processor = contentProcessor;
		37	/* see externalEntityContentProcessor vs contentProcessor */
		38	- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
		39	- s, end, nextPtr,
		40	- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
		41	- XML_ACCOUNT_DIRECT);
		42	+ result = doContent(parser, parser->m_parentParser ? 1 : 0,
		43	+ parser->m_encoding, s, end, nextPtr,
		44	+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
		45	+ XML_ACCOUNT_DIRECT);
		46	+ if (result == XML_ERROR_NONE) {
		47	+ if (! storeRawNames(parser))
		48	+ return XML_ERROR_NO_MEMORY;
		49	+ }
		50	+ return result;
		51	}
		52	}
		53


diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb index f50e535922..578edfcbff 100644 --- a/meta/recipes-core/expat/expat_2.2.9.bb +++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
20	file://CVE-2022-25314.patch \	20	file://CVE-2022-25314.patch \
21	file://CVE-2022-25315.patch \	21	file://CVE-2022-25315.patch \
22	file://libtool-tag.patch \	22	file://libtool-tag.patch \
		23	file://CVE-2022-40674.patch \
23	"	24	"
24		25
25	SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"	26	SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"