author | Meenali Gupta <meenali.gupta@windriver.com> | 2024-03-17 15:47:25 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-03-18 06:13:57 -1000 |
commit | aa20dd9eb68f04a5f1556123ad1b2398de911d93 (patch) | |
tree | 0d01e81c32d12be4eb38cc5e7402b0bd34e2452f /meta/recipes-core/expat/expat/CVE-2023-52426-008.patch | |
parent | c02175e97348836429cecbfad15d89be040bbd92 (diff) | |
download | openembedded-core-aa20dd9eb68f04a5f1556123ad1b2398de911d93.tar.gz |
expat: fix CVE-2023-52426
A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a
recursive XML Entity Expansion condition can be triggered. This issue may lead to
a condition where data is expanded exponentially, which will quickly consume system
resources and cause a denial of service.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52426
https://github.com/libexpat/libexpat/pull/777
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core/expat/expat/CVE-2023-52426-008.patch')
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2023-52426-008.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch new file mode 100644 index 0000000000..d07c62ccf0 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch @@ -0,0 +1,37 @@ +From 2848dc4e7067de503934b388717e7a3d8d0c5bca Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Fri, 27 Oct 2023 18:45:50 +0200 +Subject: [PATCH] Simplify "! defined(XML_DTD) && XML_GE == 0" to "XML_GE == 0" + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2848dc4e7067de503934b388717e7a3d8d0c5bca] + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + xmlwf/xmlwf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index be23f5a..04ca759 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1062,7 +1062,7 @@ tmain(int argc, XML_Char **argv) { + " (needs a floating point number greater or equal than 1.0)")); + exit(XMLWF_EXIT_USAGE_ERROR); + } +-#if ! defined(XML_DTD) && XML_GE == 0 ++#if XML_GE == 0 + ftprintf(stderr, + T("Warning: Given amplification limit ignored") + T(", xmlwf has been compiled without DTD/GE support.\n")); +@@ -1084,7 +1084,7 @@ tmain(int argc, XML_Char **argv) { + exit(XMLWF_EXIT_USAGE_ERROR); + } + attackThresholdGiven = XML_TRUE; +-#if ! defined(XML_DTD) && XML_GE == 0 ++#if XML_GE == 0 + ftprintf(stderr, + T("Warning: Given attack threshold ignored") + T(", xmlwf has been compiled without DTD/GE support.\n")); +-- +2.40.0 |
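Review bot: In the first xmlwf.c hunk (@@ -1062), "#if XML_GE == 0" matches the old "! defined(XML_DTD) && XML_GE == 0" only if a build that defines XML_DTD can never have XML_GE equal to 0. The preprocessor evaluates an undefined XML_GE as 0, so a build that defines XML_DTD but leaves XML_GE undefined would now print "Given amplification limit ignored" where it previously did not. The patch header should name the earlier patch in this series that defines XML_GE and ties it to XML_DTD, and this file must be applied after it.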
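Review bot: In the second xmlwf.c hunk (@@ -1084), "attackThresholdGiven = XML_TRUE;" is still set before the "#if XML_GE == 0" warning, so the flag is raised even in a build that reports the threshold as ignored. Please confirm that the code consuming attackThresholdGiven is guarded by the same XML_GE test, so that dropping the XML_DTD term here does not leave the two places disagreeing about when the option takes effect.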
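Review bot: The new file is numbered -008, and the diffstat on this page is limited to that single path, so nothing shown here confirms that the expat recipe lists it in SRC_URI in order with the other CVE-2023-52426 patches. Please confirm the recipe change is part of this commit. The commit message would also be clearer if it said this is one part of a multi-patch backport, since the visible change only adjusts the guards around two xmlwf warnings.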