summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVirendra Thakur <virendrak@kpit.com>2022-09-21 18:27:05 +0530
committerSteve Sakoman <steve@sakoman.com>2022-09-22 04:40:18 -1000
commit4efa4490becea956a62d45e1476f7b602be53eee (patch)
tree8ea2faf9106c65bcf2f8a07d80833a180091e52f
parentb42ea2b7f9149f9066662e95fd0159d7c3d1fc84 (diff)
downloadopenembedded-core-contrib-4efa4490becea956a62d45e1476f7b602be53eee.tar.gz
expat: Fix CVE-2022-40674
Add patch file to fix CVE-2022-40674 Link: https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-40674.patch53
-rw-r--r--meta/recipes-core/expat/expat_2.2.9.bb1
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..8b95f5f198
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+CVE: CVE-2022-40674
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ expat/lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+Index: expat/lib/xmlparse.c
+===================================================================
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index f50e535922..578edfcbff 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://CVE-2022-25314.patch \
file://CVE-2022-25315.patch \
file://libtool-tag.patch \
+ file://CVE-2022-40674.patch \
"
SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"