1 files changed, 257 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch b/meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch
new file mode 100644
index 0000000000..044e100373
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch
@@ -0,0 +1,257 @@
+From 4f26166f9e253aa62f8c121a6a25c76df5aa8142 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 15:29:57 +0200
+Subject: [PATCH] Infrastructure to store extra data in source nodes
+Provide a mechanism to store bit flags in nodes from the source
+document. This will later be used to store key and id status.
+Provide a function to find the psvi member of a node.
+Revert any changes to the source document after the transformation.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/adebe45f6ef9f9d036acacd8aec7411d4ea84e25]
+CVE: CVE-2023-40403
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libxslt/transform.c     |  34 ++++++++++
+ libxslt/xsltInternals.h |   1 +
+ libxslt/xsltutils.c     | 135 ++++++++++++++++++++++++++++++++++++++++
+ libxslt/xsltutils.h     |  13 ++++
+ 4 files changed, 183 insertions(+)
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 57f05bf..40ab810 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -5747,6 +5747,37 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
+     return(ctxt->nbKeys);
+ }
+ 
+/**
+ * xsltCleanupSourceDoc:
+ * @doc:  Document
+ *
+ * Resets source node flags and ids stored in 'psvi' member.
+ */
+static void
+xsltCleanupSourceDoc(xmlDocPtr doc) {
+    xmlNodePtr cur = (xmlNodePtr) doc;
+    void **psviPtr;
+
+    while (1) {
+        xsltClearSourceNodeFlags(cur, XSLT_SOURCE_NODE_MASK);
+        psviPtr = xsltGetPSVIPtr(cur);
+        if (psviPtr)
+            *psviPtr = NULL;
+
+        if (cur->children != NULL && cur->type != XML_ENTITY_REF_NODE) {
+            cur = cur->children;
+        } else {
+            while (cur->next == NULL) {
+                cur = cur->parent;
+                if (cur == (xmlNodePtr) doc)
+                    return;
+            }
+
+            cur = cur->next;
+        }
+    }
+}
+
+ /**
+  * xsltApplyStylesheetInternal:
+  * @style:  a parsed XSLT stylesheet
+@@ -6145,6 +6176,9 @@ xsltApplyStylesheetInternal(xsltStylesheetPtr style, xmlDocPtr doc,
+     printf("# Reused variables     : %d\n", ctxt->cache->dbgReusedVars);
+ #endif
+ 
+    if (ctxt->sourceDocDirty)
+        xsltCleanupSourceDoc(doc);
+
+     if ((ctxt != NULL) && (userCtxt == NULL))
+        xsltFreeTransformContext(ctxt);
+ 
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 14343d2..b0125c2 100644
+--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
+@@ -1786,6 +1786,7 @@ struct _xsltTransformContext {
+     int maxTemplateVars;
+     unsigned long opLimit;
+     unsigned long opCount;
+    int sourceDocDirty;
+ };
+ 
+ /**
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 9faa6b2..a879aa8 100644
+--- a/libxslt/xsltutils.c
+++ b/libxslt/xsltutils.c
+@@ -1835,6 +1835,141 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
+     return 0;
+ }
+ 
+/**
+ * xsltGetSourceNodeFlags:
+ * @node:  Node from source document
+ *
+ * Returns the flags for a source node.
+ */
+int
+xsltGetSourceNodeFlags(xmlNodePtr node) {
+    /*
+     * Squeeze the bit flags into the upper bits of
+     *
+     * - 'int properties' member in struct _xmlDoc
+     * - 'xmlAttributeType atype' member in struct _xmlAttr
+     * - 'unsigned short extra' member in struct _xmlNode
+     */
+    switch (node->type) {
+        case XML_DOCUMENT_NODE:
+        case XML_HTML_DOCUMENT_NODE:
+            return ((xmlDocPtr) node)->properties >> 27;
+
+        case XML_ATTRIBUTE_NODE:
+            return ((xmlAttrPtr) node)->atype >> 27;
+
+        case XML_ELEMENT_NODE:
+        case XML_TEXT_NODE:
+        case XML_CDATA_SECTION_NODE:
+        case XML_PI_NODE:
+        case XML_COMMENT_NODE:
+            return node->extra >> 12;
+
+        default:
+            return 0;
+    }
+}
+
+/**
+ * xsltSetSourceNodeFlags:
+ * @node:  Node from source document
+ * @flags:  Flags
+ *
+ * Sets the specified flags to 1.
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+xsltSetSourceNodeFlags(xsltTransformContextPtr ctxt, xmlNodePtr node,
+                       int flags) {
+    if (node->doc == ctxt->initialContextDoc)
+        ctxt->sourceDocDirty = 1;
+
+    switch (node->type) {
+        case XML_DOCUMENT_NODE:
+        case XML_HTML_DOCUMENT_NODE:
+            ((xmlDocPtr) node)->properties |= flags << 27;
+            return 0;
+
+        case XML_ATTRIBUTE_NODE:
+            ((xmlAttrPtr) node)->atype |= flags << 27;
+            return 0;
+
+        case XML_ELEMENT_NODE:
+        case XML_TEXT_NODE:
+        case XML_CDATA_SECTION_NODE:
+        case XML_PI_NODE:
+        case XML_COMMENT_NODE:
+            node->extra |= flags << 12;
+            return 0;
+
+        default:
+            return -1;
+    }
+}
+
+/**
+ * xsltClearSourceNodeFlags:
+ * @node:  Node from source document
+ * @flags:  Flags
+ *
+ * Sets the specified flags to 0.
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+xsltClearSourceNodeFlags(xmlNodePtr node, int flags) {
+    switch (node->type) {
+        case XML_DOCUMENT_NODE:
+        case XML_HTML_DOCUMENT_NODE:
+            ((xmlDocPtr) node)->properties &= ~(flags << 27);
+            return 0;
+
+        case XML_ATTRIBUTE_NODE:
+            ((xmlAttrPtr) node)->atype &= ~(flags << 27);
+            return 0;
+
+        case XML_ELEMENT_NODE:
+        case XML_TEXT_NODE:
+        case XML_CDATA_SECTION_NODE:
+        case XML_PI_NODE:
+        case XML_COMMENT_NODE:
+            node->extra &= ~(flags << 12);
+            return 0;
+
+        default:
+            return -1;
+    }
+}
+
+/**
+ * xsltGetPSVIPtr:
+ * @cur:  Node
+ *
+ * Returns a pointer to the psvi member of a node or NULL on error.
+ */
+void **
+xsltGetPSVIPtr(xmlNodePtr cur) {
+    switch (cur->type) {
+        case XML_DOCUMENT_NODE:
+        case XML_HTML_DOCUMENT_NODE:
+            return &((xmlDocPtr) cur)->psvi;
+
+        case XML_ATTRIBUTE_NODE:
+            return &((xmlAttrPtr) cur)->psvi;
+
+        case XML_ELEMENT_NODE:
+        case XML_TEXT_NODE:
+        case XML_CDATA_SECTION_NODE:
+        case XML_PI_NODE:
+        case XML_COMMENT_NODE:
+            return &cur->psvi;
+
+        default:
+            return NULL;
+    }
+}
+
+ #ifdef WITH_PROFILER
+ 
+ /************************************************************************
+diff --git a/libxslt/xsltutils.h b/libxslt/xsltutils.h
+index ea6c374..202694f 100644
+--- a/libxslt/xsltutils.h
+++ b/libxslt/xsltutils.h
+@@ -247,6 +247,19 @@ XSLTPUBFUN xmlXPathCompExprPtr XSLTCALL
+                                                 const xmlChar *str,
+                                                 int flags);
+ 
+#ifdef IN_LIBXSLT
+#define XSLT_SOURCE_NODE_MASK       15
+int
+xsltGetSourceNodeFlags(xmlNodePtr node);
+int
+xsltSetSourceNodeFlags(xsltTransformContextPtr ctxt, xmlNodePtr node,
+                       int flags);
+int
+xsltClearSourceNodeFlags(xmlNodePtr node, int flags);
+void **
+xsltGetPSVIPtr(xmlNodePtr cur);
+#endif
+
+ /*
+  * Profiling.
+  */

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch b/meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch new file mode 100644 index 0000000000..044e100373 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch
@@ -0,0 +1,257 @@
	1	From 4f26166f9e253aa62f8c121a6a25c76df5aa8142 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Wed, 31 Aug 2022 15:29:57 +0200
	4	Subject: [PATCH] Infrastructure to store extra data in source nodes
	5
	6	Provide a mechanism to store bit flags in nodes from the source
	7	document. This will later be used to store key and id status.
	8
	9	Provide a function to find the psvi member of a node.
	10
	11	Revert any changes to the source document after the transformation.
	12
	13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/adebe45f6ef9f9d036acacd8aec7411d4ea84e25]
	14	CVE: CVE-2023-40403
	15	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	16
	17	---
	18	libxslt/transform.c \| 34 ++++++++++
	19	libxslt/xsltInternals.h \| 1 +
	20	libxslt/xsltutils.c \| 135 ++++++++++++++++++++++++++++++++++++++++
	21	libxslt/xsltutils.h \| 13 ++++
	22	4 files changed, 183 insertions(+)
	23
	24	diff --git a/libxslt/transform.c b/libxslt/transform.c
	25	index 57f05bf..40ab810 100644
	26	--- a/libxslt/transform.c
	27	+++ b/libxslt/transform.c
	28	@@ -5747,6 +5747,37 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
	29	return(ctxt->nbKeys);
	30	}
	31
	32	+/**
	33	+ * xsltCleanupSourceDoc:
	34	+ * @doc: Document
	35	+ *
	36	+ * Resets source node flags and ids stored in 'psvi' member.
	37	+ */
	38	+static void
	39	+xsltCleanupSourceDoc(xmlDocPtr doc) {
	40	+ xmlNodePtr cur = (xmlNodePtr) doc;
	41	+ void **psviPtr;
	42	+
	43	+ while (1) {
	44	+ xsltClearSourceNodeFlags(cur, XSLT_SOURCE_NODE_MASK);
	45	+ psviPtr = xsltGetPSVIPtr(cur);
	46	+ if (psviPtr)
	47	+ *psviPtr = NULL;
	48	+
	49	+ if (cur->children != NULL && cur->type != XML_ENTITY_REF_NODE) {
	50	+ cur = cur->children;
	51	+ } else {
	52	+ while (cur->next == NULL) {
	53	+ cur = cur->parent;
	54	+ if (cur == (xmlNodePtr) doc)
	55	+ return;
	56	+ }
	57	+
	58	+ cur = cur->next;
	59	+ }
	60	+ }
	61	+}
	62	+
	63	/**
	64	* xsltApplyStylesheetInternal:
	65	* @style: a parsed XSLT stylesheet
	66	@@ -6145,6 +6176,9 @@ xsltApplyStylesheetInternal(xsltStylesheetPtr style, xmlDocPtr doc,
	67	printf("# Reused variables : %d\n", ctxt->cache->dbgReusedVars);
	68	#endif
	69
	70	+ if (ctxt->sourceDocDirty)
	71	+ xsltCleanupSourceDoc(doc);
	72	+
	73	if ((ctxt != NULL) && (userCtxt == NULL))
	74	xsltFreeTransformContext(ctxt);
	75
	76	diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
	77	index 14343d2..b0125c2 100644
	78	--- a/libxslt/xsltInternals.h
	79	+++ b/libxslt/xsltInternals.h
	80	@@ -1786,6 +1786,7 @@ struct _xsltTransformContext {
	81	int maxTemplateVars;
	82	unsigned long opLimit;
	83	unsigned long opCount;
	84	+ int sourceDocDirty;
	85	};
	86
	87	/**
	88	diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
	89	index 9faa6b2..a879aa8 100644
	90	--- a/libxslt/xsltutils.c
	91	+++ b/libxslt/xsltutils.c
	92	@@ -1835,6 +1835,141 @@ xsltSaveResultToString(xmlChar *doc_txt_ptr, int doc_txt_len,
	93	return 0;
	94	}
	95
	96	+/**
	97	+ * xsltGetSourceNodeFlags:
	98	+ * @node: Node from source document
	99	+ *
	100	+ * Returns the flags for a source node.
	101	+ */
	102	+int
	103	+xsltGetSourceNodeFlags(xmlNodePtr node) {
	104	+ /*
	105	+ * Squeeze the bit flags into the upper bits of
	106	+ *
	107	+ * - 'int properties' member in struct _xmlDoc
	108	+ * - 'xmlAttributeType atype' member in struct _xmlAttr
	109	+ * - 'unsigned short extra' member in struct _xmlNode
	110	+ */
	111	+ switch (node->type) {
	112	+ case XML_DOCUMENT_NODE:
	113	+ case XML_HTML_DOCUMENT_NODE:
	114	+ return ((xmlDocPtr) node)->properties >> 27;
	115	+
	116	+ case XML_ATTRIBUTE_NODE:
	117	+ return ((xmlAttrPtr) node)->atype >> 27;
	118	+
	119	+ case XML_ELEMENT_NODE:
	120	+ case XML_TEXT_NODE:
	121	+ case XML_CDATA_SECTION_NODE:
	122	+ case XML_PI_NODE:
	123	+ case XML_COMMENT_NODE:
	124	+ return node->extra >> 12;
	125	+
	126	+ default:
	127	+ return 0;
	128	+ }
	129	+}
	130	+
	131	+/**
	132	+ * xsltSetSourceNodeFlags:
	133	+ * @node: Node from source document
	134	+ * @flags: Flags
	135	+ *
	136	+ * Sets the specified flags to 1.
	137	+ *
	138	+ * Returns 0 on success, -1 on error.
	139	+ */
	140	+int
	141	+xsltSetSourceNodeFlags(xsltTransformContextPtr ctxt, xmlNodePtr node,
	142	+ int flags) {
	143	+ if (node->doc == ctxt->initialContextDoc)
	144	+ ctxt->sourceDocDirty = 1;
	145	+
	146	+ switch (node->type) {
	147	+ case XML_DOCUMENT_NODE:
	148	+ case XML_HTML_DOCUMENT_NODE:
	149	+ ((xmlDocPtr) node)->properties \|= flags << 27;
	150	+ return 0;
	151	+
	152	+ case XML_ATTRIBUTE_NODE:
	153	+ ((xmlAttrPtr) node)->atype \|= flags << 27;
	154	+ return 0;
	155	+
	156	+ case XML_ELEMENT_NODE:
	157	+ case XML_TEXT_NODE:
	158	+ case XML_CDATA_SECTION_NODE:
	159	+ case XML_PI_NODE:
	160	+ case XML_COMMENT_NODE:
	161	+ node->extra \|= flags << 12;
	162	+ return 0;
	163	+
	164	+ default:
	165	+ return -1;
	166	+ }
	167	+}
	168	+
	169	+/**
	170	+ * xsltClearSourceNodeFlags:
	171	+ * @node: Node from source document
	172	+ * @flags: Flags
	173	+ *
	174	+ * Sets the specified flags to 0.
	175	+ *
	176	+ * Returns 0 on success, -1 on error.
	177	+ */
	178	+int
	179	+xsltClearSourceNodeFlags(xmlNodePtr node, int flags) {
	180	+ switch (node->type) {
	181	+ case XML_DOCUMENT_NODE:
	182	+ case XML_HTML_DOCUMENT_NODE:
	183	+ ((xmlDocPtr) node)->properties &= ~(flags << 27);
	184	+ return 0;
	185	+
	186	+ case XML_ATTRIBUTE_NODE:
	187	+ ((xmlAttrPtr) node)->atype &= ~(flags << 27);
	188	+ return 0;
	189	+
	190	+ case XML_ELEMENT_NODE:
	191	+ case XML_TEXT_NODE:
	192	+ case XML_CDATA_SECTION_NODE:
	193	+ case XML_PI_NODE:
	194	+ case XML_COMMENT_NODE:
	195	+ node->extra &= ~(flags << 12);
	196	+ return 0;
	197	+
	198	+ default:
	199	+ return -1;
	200	+ }
	201	+}
	202	+
	203	+/**
	204	+ * xsltGetPSVIPtr:
	205	+ * @cur: Node
	206	+ *
	207	+ * Returns a pointer to the psvi member of a node or NULL on error.
	208	+ */
	209	+void **
	210	+xsltGetPSVIPtr(xmlNodePtr cur) {
	211	+ switch (cur->type) {
	212	+ case XML_DOCUMENT_NODE:
	213	+ case XML_HTML_DOCUMENT_NODE:
	214	+ return &((xmlDocPtr) cur)->psvi;
	215	+
	216	+ case XML_ATTRIBUTE_NODE:
	217	+ return &((xmlAttrPtr) cur)->psvi;
	218	+
	219	+ case XML_ELEMENT_NODE:
	220	+ case XML_TEXT_NODE:
	221	+ case XML_CDATA_SECTION_NODE:
	222	+ case XML_PI_NODE:
	223	+ case XML_COMMENT_NODE:
	224	+ return &cur->psvi;
	225	+
	226	+ default:
	227	+ return NULL;
	228	+ }
	229	+}
	230	+
	231	#ifdef WITH_PROFILER
	232
	233	/************************************************************************
	234	diff --git a/libxslt/xsltutils.h b/libxslt/xsltutils.h
	235	index ea6c374..202694f 100644
	236	--- a/libxslt/xsltutils.h
	237	+++ b/libxslt/xsltutils.h
	238	@@ -247,6 +247,19 @@ XSLTPUBFUN xmlXPathCompExprPtr XSLTCALL
	239	const xmlChar *str,
	240	int flags);
	241
	242	+#ifdef IN_LIBXSLT
	243	+#define XSLT_SOURCE_NODE_MASK 15
	244	+int
	245	+xsltGetSourceNodeFlags(xmlNodePtr node);
	246	+int
	247	+xsltSetSourceNodeFlags(xsltTransformContextPtr ctxt, xmlNodePtr node,
	248	+ int flags);
	249	+int
	250	+xsltClearSourceNodeFlags(xmlNodePtr node, int flags);
	251	+void **
	252	+xsltGetPSVIPtr(xmlNodePtr cur);
	253	+#endif
	254	+
	255	/*
	256	* Profiling.
	257	*/