diff options
author | Virendra Thakur <virendrak@kpit.com> | 2022-09-21 18:27:05 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2022-09-22 04:40:18 -1000 |
commit | 4efa4490becea956a62d45e1476f7b602be53eee (patch) | |
tree | 8ea2faf9106c65bcf2f8a07d80833a180091e52f | |
parent | b42ea2b7f9149f9066662e95fd0159d7c3d1fc84 (diff) | |
download | openembedded-core-contrib-4efa4490becea956a62d45e1476f7b602be53eee.tar.gz |
expat: Fix CVE-2022-40674
Add patch file to fix CVE-2022-40674
Link: https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2022-40674.patch | 53 | ||||
-rw-r--r-- | meta/recipes-core/expat/expat_2.2.9.bb | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..8b95f5f198 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch @@ -0,0 +1,53 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James <rhodri@wildebeest.org.uk> +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b] +CVE: CVE-2022-40674 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + expat/lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: expat/lib/xmlparse.c +=================================================================== +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb index f50e535922..578edfcbff 100644 --- a/meta/recipes-core/expat/expat_2.2.9.bb +++ b/meta/recipes-core/expat/expat_2.2.9.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \ file://CVE-2022-25314.patch \ file://CVE-2022-25315.patch \ file://libtool-tag.patch \ + file://CVE-2022-40674.patch \ " SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" |