3 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..5f1cb72534
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+Found with libFuzzer, see #344.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+            }
+            if (doc->intSubset == NULL) {
+                q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) return(NULL);
+               if (q == NULL) goto error;
+                q->doc = doc;
+                q->parent = parent;
+                doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        } else
+ #endif /* LIBXML_TREE_ENABLED */
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) return(NULL);
+       if (q == NULL) goto error;
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        node = node->next;
+     }
+     return(ret);
+error:
+    xmlFreeNodeList(ret);
+    return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..845fd70c66
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+Fixes #583.
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+        if (node->type == XML_DTD_NODE ) {
+-           if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+           if ((doc == NULL) || (doc->intSubset != NULL)) {
+                node = node->next;
+                continue;
+            }
+-           if (doc->intSubset == NULL) {
+-               q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) goto error;
+-               q->doc = doc;
+-               q->parent = parent;
+-               doc->intSubset = (xmlDtdPtr) q;
+-               xmlAddChild(parent, q);
+-           } else {
+-               q = (xmlNodePtr) doc->intSubset;
+-               xmlAddChild(parent, q);
+-           }
+-       } else
+            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+            if (q == NULL) goto error;
+            q->doc = doc;
+            q->parent = parent;
+            newSubset = (xmlDtdPtr) q;
+#else
+            node = node->next;
+            continue;
+ #endif /* LIBXML_TREE_ENABLED */
+       } else {
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) goto error;
+           if (q == NULL) goto error;
+        }
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        }
+        node = node->next;
+     }
+    if (newSubset != NULL)
+        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 437bccf4ed..533a6dae01 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -29,6 +29,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2023-29469.patch \
           file://CVE-2023-39615-0001.patch \
           file://CVE-2023-39615-0002.patch \
+           file://CVE-2023-45322-1.patch \
+           file://CVE-2023-45322-2.patch \
           "
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch new file mode 100644 index 0000000000..5f1cb72534 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
		1	From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 2 Nov 2022 15:44:42 +0100
		4	Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
		5
		6	Found with libFuzzer, see #344.
		7
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
		9
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	tree.c \| 7 +++++--
		13	1 file changed, 5 insertions(+), 2 deletions(-)
		14
		15	diff --git a/tree.c b/tree.c
		16	index 507869efe..647288ce3 100644
		17	--- a/tree.c
		18	+++ b/tree.c
		19	@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		20	}
		21	if (doc->intSubset == NULL) {
		22	q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		23	- if (q == NULL) return(NULL);
		24	+ if (q == NULL) goto error;
		25	q->doc = doc;
		26	q->parent = parent;
		27	doc->intSubset = (xmlDtdPtr) q;
		28	@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		29	} else
		30	#endif /* LIBXML_TREE_ENABLED */
		31	q = xmlStaticCopyNode(node, doc, parent, 1);
		32	- if (q == NULL) return(NULL);
		33	+ if (q == NULL) goto error;
		34	if (ret == NULL) {
		35	q->prev = NULL;
		36	ret = p = q;
		37	@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		38	node = node->next;
		39	}
		40	return(ret);
		41	+error:
		42	+ xmlFreeNodeList(ret);
		43	+ return(NULL);
		44	}
		45
		46	/**
		47	--
		48	GitLab
		49


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch new file mode 100644 index 0000000000..845fd70c66 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
		1	From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 23 Aug 2023 20:24:24 +0200
		4	Subject: [PATCH] tree: Fix copying of DTDs
		5
		6	- Don't create multiple DTD nodes.
		7	- Fix UAF if malloc fails.
		8	- Skip DTD nodes if tree module is disabled.
		9
		10	Fixes #583.
		11
		12	CVE: CVE-2023-45322
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
		14
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	---
		17	tree.c \| 31 ++++++++++++++++---------------
		18	1 file changed, 16 insertions(+), 15 deletions(-)
		19
		20	diff --git a/tree.c b/tree.c
		21	index 6c8a875b9..02c1b5791 100644
		22	--- a/tree.c
		23	+++ b/tree.c
		24	@@ -4471,29 +4471,28 @@ xmlNodePtr
		25	xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		26	xmlNodePtr ret = NULL;
		27	xmlNodePtr p = NULL,q;
		28	+ xmlDtdPtr newSubset = NULL;
		29
		30	while (node != NULL) {
		31	-#ifdef LIBXML_TREE_ENABLED
		32	if (node->type == XML_DTD_NODE ) {
		33	- if (doc == NULL) {
		34	+#ifdef LIBXML_TREE_ENABLED
		35	+ if ((doc == NULL) \|\| (doc->intSubset != NULL)) {
		36	node = node->next;
		37	continue;
		38	}
		39	- if (doc->intSubset == NULL) {
		40	- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		41	- if (q == NULL) goto error;
		42	- q->doc = doc;
		43	- q->parent = parent;
		44	- doc->intSubset = (xmlDtdPtr) q;
		45	- xmlAddChild(parent, q);
		46	- } else {
		47	- q = (xmlNodePtr) doc->intSubset;
		48	- xmlAddChild(parent, q);
		49	- }
		50	- } else
		51	+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		52	+ if (q == NULL) goto error;
		53	+ q->doc = doc;
		54	+ q->parent = parent;
		55	+ newSubset = (xmlDtdPtr) q;
		56	+#else
		57	+ node = node->next;
		58	+ continue;
		59	#endif /* LIBXML_TREE_ENABLED */
		60	+ } else {
		61	q = xmlStaticCopyNode(node, doc, parent, 1);
		62	- if (q == NULL) goto error;
		63	+ if (q == NULL) goto error;
		64	+ }
		65	if (ret == NULL) {
		66	q->prev = NULL;
		67	ret = p = q;
		68	@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		69	}
		70	node = node->next;
		71	}
		72	+ if (newSubset != NULL)
		73	+ doc->intSubset = newSubset;
		74	return(ret);
		75	error:
		76	xmlFreeNodeList(ret);
		77	--
		78	GitLab
		79


diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 437bccf4ed..533a6dae01 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -29,6 +29,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
29	file://CVE-2023-29469.patch \	29	file://CVE-2023-29469.patch \
30	file://CVE-2023-39615-0001.patch \	30	file://CVE-2023-39615-0001.patch \
31	file://CVE-2023-39615-0002.patch \	31	file://CVE-2023-39615-0002.patch \
		32	file://CVE-2023-45322-1.patch \
		33	file://CVE-2023-45322-2.patch \
32	"	34	"
33		35
34	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"	36	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"