diff options
author | Peter Marko <peter.marko@siemens.com> | 2024-03-13 23:39:24 +0100 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-03-14 07:26:19 -1000 |
commit | c02175e97348836429cecbfad15d89be040bbd92 (patch) | |
tree | 430b592dfde9f323622768d54cfd21bf9062d5f7 | |
parent | 2501534c9581c6c3439f525d630be11554a57d24 (diff) | |
download | openembedded-core-c02175e97348836429cecbfad15d89be040bbd92.tar.gz |
expat: patch CVE-2024-28757
Picked patch from https://github.com/libexpat/libexpat/pull/842
which is referenced in the NVD CVE report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rwxr-xr-x | meta/recipes-core/expat/expat/CVE-2024-28757.patch | 58 | ||||
-rw-r--r-- | meta/recipes-core/expat/expat_2.5.0.bb | 1 |
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch b/meta/recipes-core/expat/expat/CVE-2024-28757.patch new file mode 100755 index 0000000000..768dab0c84 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch @@ -0,0 +1,58 @@ +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated + external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. + +CVE: CVE-2024-28757 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + lib/xmlparse.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index b884d82b5..d44baa68d 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { ++ // 1.........1.........12 => 22 ++ const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1; + const XmlBigCount countBytesOutput + = rootParser->m_accounting.countBytesDirect + + rootParser->m_accounting.countBytesIndirect; +@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) { + = rootParser->m_accounting.countBytesDirect + ? (countBytesOutput + / (float)(rootParser->m_accounting.countBytesDirect)) +- : 1.0f; ++ : ((lenOfShortestInclude ++ + rootParser->m_accounting.countBytesIndirect) ++ / (float)lenOfShortestInclude); + assert(! rootParser->m_parentParser); + return amplificationFactor; + } diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 7080f934d1..eb7ce1436e 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2024-28757.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" |