1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..3b86278ac4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+CVE: CVE-2021-3541
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
+++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+            rep = NULL;
+        }
+     }
+
+    /*
+     * Prevent entity exponential check, not just replacement while
+     * parsing the DTD
+     * The check is potentially costly so do that only once in a thousand
+     */
+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+        (ctxt->nbentities % 1024 == 0)) {
+       for (i = 0;i < ctxt->inputNr;i++) {
+           consumed += ctxt->inputTab[i]->consumed +
+                      (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+       }
+       if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+           xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+           ctxt->instate = XML_PARSER_EOF;
+           return (1);
+       }
+       consumed = 0;
+    }
+
+
+
+     if (replacement != 0) {
+        if (replacement < XML_MAX_TEXT_LENGTH)
+            return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
+           if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+               return;
+
+            if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+2.25.1

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch new file mode 100644 index 0000000000..3b86278ac4 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
	1	From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
	2	From: Daniel Veillard <veillard@redhat.com>
	3	Date: Thu, 13 May 2021 14:55:12 +0200
	4	Subject: [PATCH] Patch for security issue CVE-2021-3541
	5
	6	This is relapted to parameter entities expansion and following
	7	the line of the billion laugh attack. Somehow in that path the
	8	counting of parameters was missed and the normal algorithm based
	9	on entities "density" was useless.
	10
	11	CVE: CVE-2021-3541
	12	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
	13
	14	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
	15
	16	---
	17	parser.c \| 26 ++++++++++++++++++++++++++
	18	1 file changed, 26 insertions(+)
	19
	20	diff --git a/parser.c b/parser.c
	21	index f5e5e169..c9312fa4 100644
	22	--- a/parser.c
	23	+++ b/parser.c
	24	@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
	25	xmlEntityPtr ent, size_t replacement)
	26	{
	27	size_t consumed = 0;
	28	+ int i;
	29
	30	if ((ctxt == NULL) \|\| (ctxt->options & XML_PARSE_HUGE))
	31	return (0);
	32	@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
	33	rep = NULL;
	34	}
	35	}
	36	+
	37	+ /*
	38	+ * Prevent entity exponential check, not just replacement while
	39	+ * parsing the DTD
	40	+ * The check is potentially costly so do that only once in a thousand
	41	+ */
	42	+ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
	43	+ (ctxt->nbentities % 1024 == 0)) {
	44	+ for (i = 0;i < ctxt->inputNr;i++) {
	45	+ consumed += ctxt->inputTab[i]->consumed +
	46	+ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
	47	+ }
	48	+ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
	49	+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
	50	+ ctxt->instate = XML_PARSER_EOF;
	51	+ return (1);
	52	+ }
	53	+ consumed = 0;
	54	+ }
	55	+
	56	+
	57	+
	58	if (replacement != 0) {
	59	if (replacement < XML_MAX_TEXT_LENGTH)
	60	return(0);
	61	@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
	62	xmlChar start[4];
	63	xmlCharEncoding enc;
	64
	65	+ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
	66	+ return;
	67	+
	68	if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
	69	((ctxt->options & XML_PARSE_NOENT) == 0) &&
	70	((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
	71	--
	72	2.25.1
	73