mirror of
https://git.yoctoproject.org/poky
synced 2026-03-29 14:02:22 +02:00
ad30955575
This patch fixes CVE-2021-3518. The fix for the CVE is the
following 3 lines in 1098c30a:
- (cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_XINCLUDE_START) &&
- (cur->children->type != XML_XINCLUDE_END)) {
+ ((cur->type == XML_DOCUMENT_NODE) ||
+ (cur->type == XML_ELEMENT_NODE))) {
This relies on an updated version of xinclude.c from upstream which
also adds several new tests. Those changes are brought in first so
that the CVE patch can be applied cleanly.
The first patch updates xinclude.c and adds the new tests from
upstream, and the second applies the fix for the CVE.
CVE: CVE-2021-3518
Upstream-Status: Backport
[1098c30a04]
(From OE-Core rev: 6c59d33ee158129d5c0cca3cce65824f9bc4e7e3)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
46 lines
1.7 KiB
Diff
46 lines
1.7 KiB
Diff
From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Thu, 22 Apr 2021 19:26:28 +0200
|
|
Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
|
|
|
|
The --dropdtd option can leave dangling pointers in entity reference
|
|
nodes. Make sure to skip these nodes when processing XIncludes.
|
|
|
|
This also avoids scanning entity declarations and even modifying
|
|
them inadvertently during XInclude processing.
|
|
|
|
Move from a block list to an allow list approach to avoid descending
|
|
into other node types that can't contain elements.
|
|
|
|
Fixes #237.
|
|
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
|
|
CVE: CVE-2021-3518
|
|
|
|
[OP: adjusted context]
|
|
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
|
|
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
|
|
---
|
|
xinclude.c | 5 ++---
|
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/xinclude.c b/xinclude.c
|
|
index 6ec5d31..b8eebcc 100644
|
|
--- a/xinclude.c
|
|
+++ b/xinclude.c
|
|
@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
|
|
if (xmlXIncludeTestNode(ctxt, cur) == 1) {
|
|
xmlXIncludePreProcessNode(ctxt, cur);
|
|
} else if ((cur->children != NULL) &&
|
|
- (cur->children->type != XML_ENTITY_DECL) &&
|
|
- (cur->children->type != XML_XINCLUDE_START) &&
|
|
- (cur->children->type != XML_XINCLUDE_END)) {
|
|
+ ((cur->type == XML_DOCUMENT_NODE) ||
|
|
+ (cur->type == XML_ELEMENT_NODE))) {
|
|
cur = cur->children;
|
|
continue;
|
|
}
|
|
--
|
|
2.23.0
|
|
|