libxml2: Fix CVE-2021-3518
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243] (From OE-Core rev: ef2a81a473e7c36a36facb209ca907a7439d36f2) Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
8a496e9eb9
commit
fbb58d5344
112
meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
Normal file
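--- a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+xinclude.c | 24 ++++++++++--------------
+1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+* First phase: lookup the elements in the document
+*/
+cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+while ((cur != NULL) && (cur != tree->parent)) {
+/* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+} else {
+if (cur == tree)
+break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+break; /* do */
+if (cur->next != NULL) {
+cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+break; /* do */
+}
+} while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+xinclude.c | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+xmlXIncludePreProcessNode(ctxt, cur);
+} else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+cur = cur->children;
+continue;
+}
+--
+2.32.0
+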
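Review bot: The header of the second embedded patch (PATCH 2/2) says only `Upstream-Status: Backport` and does not say where it came from, whereas PATCH 1/2 names both the Fedora bug and upstream commit 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4. For a use-after-free fix the origin should be traceable so the backport can be diffed against it, e.g. `Upstream-Status: Backport [<upstream libxml2 commit URL>]`. PATCH 1/2 also states it was modified to leave the fallback files untouched, so as far as this page shows nothing added here exercises nested xi:include under XML_PARSE_NOXINCNODE. A sentence in the header on how the backport was checked (for example an ASan build, which is how the original report was found) would make that gap explicit. The body of xmlXIncludeDoProcess extends beyond both embedded hunks, so the traversal as a whole cannot be judged from this page alone.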
@@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
|
||||
file://CVE-2020-24977.patch \
|
||||
file://CVE-2021-3517.patch \
|
||||
file://CVE-2021-3537.patch \
|
||||
file://CVE-2021-3518.patch \
|
||||
"
|
||||
|
||||
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
|
||||
|
||||