Message ID | 20240308000807.1078261-1-meenali.gupta@windriver.com |
---|---|
State | Changes Requested |
Delegated to: | Steve Sakoman |
Headers | show |
Series | [kirkstone,1/1] expat: fix CVE-2023-52426 | expand |
On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via lists.openembedded.org wrote: > From: Meenali Gupta <meenali.gupta@windriver.com> > > A flaw was found in Expat (libexpat). If XML_DTD is undefined at > compile time, a recursive XML Entity > Expansion condition can be triggered. This issue may lead to a > condition where data is expanded exponentially, > which will quickly consume system resources and cause a denial of > service. > > Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> > --- > .../expat/expat/CVE-2023-52426.patch | 429 > ++++++++++++++++++ > meta/recipes-core/expat/expat_2.5.0.bb | 1 + > 2 files changed, 430 insertions(+) > create mode 100644 meta/recipes-core/expat/expat/CVE-2023- > 52426.patch > > diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch > b/meta/recipes-core/expat/expat/CVE-2023-52426.patch > new file mode 100644 > index 0000000000..b78a8ee0dc > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch > @@ -0,0 +1,429 @@ > +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00 > 2001 > +From: Sebastian Pipping <sebastian@pipping.org> > +Date: Thu, 26 Oct 2023 00:43:22 +0200 > +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs > attack > + protection > + > +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1". > + > +CVE: CVE-2023-52426 > +Upstream-Status: Backport > [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518 > 2f8cca4703da0404] The PR that this commit is part of includes other commits as well. Is there any reason why only this is included or required? I didn't check in detail but as an example, it seems this commit uses EXPAT_GE which was introduced in an earlier commit in that PR: https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300 So, is this supposed to work as intended? Thanks, Anuj > + > +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> > +--- > + CMakeLists.txt | 8 ++++- > + lib/expat.h | 8 +++-- > + lib/internal.h | 2 +- > + lib/libexpat.def.cmake | 4 +-- > + lib/xmlparse.c | 71 ++++++++++++++++++++++----------------- > --- > + xmlwf/xmlwf.c | 18 ++++++----- > + 6 files changed, 62 insertions(+), 49 deletions(-) > + > +diff --git a/CMakeLists.txt b/CMakeLists.txt > +index 2b4c13c..183c5c2 100644 > +--- a/CMakeLists.txt > ++++ b/CMakeLists.txt > +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS) > + endif() > + endmacro() > + > +- _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD) > ++ if(EXPAT_DTD OR EXPAT_GE) > ++ set(_EXPAT_DTD_OR_GE TRUE) > ++ else() > ++ set(_EXPAT_DTD_OR_GE FALSE) > ++ endif() > ++ > ++ _expat_def_file_toggle(_EXPAT_DTD_OR_GE > _EXPAT_COMMENT_DTD_OR_GE) > + _expat_def_file_toggle(EXPAT_ATTR_INFO > _EXPAT_COMMENT_ATTR_INFO) > + > + > configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake" > "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def") > +diff --git a/lib/expat.h b/lib/expat.h > +index 1c83563..33c94af 100644 > +--- a/lib/expat.h > ++++ b/lib/expat.h > +@@ -1038,13 +1038,15 @@ typedef struct { > + XMLPARSEAPI(const XML_Feature *) > + XML_GetFeatureList(void); > + > +-#ifdef XML_DTD > +-/* Added in Expat 2.4.0. */ > ++#if defined(XML_DTD) || XML_GE == 1 > ++/* Added in Expat 2.4.0 for XML_DTD defined and > ++ * added in Expat 2.6.0 for XML_GE == 1. */ > + XMLPARSEAPI(XML_Bool) > + XML_SetBillionLaughsAttackProtectionMaximumAmplification( > + XML_Parser parser, float maximumAmplificationFactor); > + > +-/* Added in Expat 2.4.0. */ > ++/* Added in Expat 2.4.0 for XML_DTD defined and > ++ * added in Expat 2.6.0 for XML_GE == 1. */ > + XMLPARSEAPI(XML_Bool) > + XML_SetBillionLaughsAttackProtectionActivationThreshold( > + XML_Parser parser, unsigned long long > activationThresholdBytes); > +diff --git a/lib/internal.h b/lib/internal.h > +index e09f533..1851925 100644 > +--- a/lib/internal.h > ++++ b/lib/internal.h > +@@ -154,7 +154,7 @@ extern "C" { > + void _INTERNAL_trim_to_complete_utf8_characters(const char *from, > + const char > **fromLimRef); > + > +-#if defined(XML_DTD) > ++#if defined(XML_DTD) || XML_GE == 1 > + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser > parser); > + unsigned long long > testingAccountingGetCountBytesIndirect(XML_Parser parser); > + const char *unsignedCharToPrintable(unsigned char c); > +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake > +index cf434a2..61a4f00 100644 > +--- a/lib/libexpat.def.cmake > ++++ b/lib/libexpat.def.cmake > +@@ -75,5 +75,5 @@ EXPORTS > + XML_SetHashSalt @67 > + ; internal @68 removed with version 2.3.1 > + ; added with version 2.4.0 > +-@_EXPAT_COMMENT_DTD@ > XML_SetBillionLaughsAttackProtectionActivationThreshold @69 > +-@_EXPAT_COMMENT_DTD@ > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 > ++@_EXPAT_COMMENT_DTD_OR_GE@ > XML_SetBillionLaughsAttackProtectionActivationThreshold @69 > ++@_EXPAT_COMMENT_DTD_OR_GE@ > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c > +index b6c2eca..e23441e 100644 > +--- a/lib/xmlparse.c > ++++ b/lib/xmlparse.c > +@@ -408,7 +408,7 @@ enum XML_Account { > + XML_ACCOUNT_NONE /* i.e. do not account, was > accounted already */ > + }; > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + typedef unsigned long long XmlBigCount; > + typedef struct accounting { > + XmlBigCount countBytesDirect; > +@@ -424,7 +424,7 @@ typedef struct entity_stats { > + unsigned int maximumDepthSeen; > + int debugLevel; > + } ENTITY_STATS; > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + > + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const > char *start, > + const char *end, const > char **endPtr); > +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char > *encodingName, > + > + static void parserInit(XML_Parser parser, const XML_Char > *encodingName); > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + static float accountingGetCurrentAmplification(XML_Parser > rootParser); > + static void accountingReportStats(XML_Parser originParser, const > char *epilog); > + static void accountingOnAbort(XML_Parser originParser); > +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser > parser, ENTITY *entity, > + > + static XML_Parser getRootParserOf(XML_Parser parser, > + unsigned int *outLevelDiff); > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + > + static unsigned long getDebugLevel(const char *variableName, > + unsigned long > defaultDebugLevel); > +@@ -703,7 +703,7 @@ struct XML_ParserStruct { > + enum XML_ParamEntityParsing m_paramEntityParsing; > + #endif > + unsigned long m_hash_secret_salt; > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + ACCOUNTING m_accounting; > + ENTITY_STATS m_entity_stats; > + #endif > +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char > *encodingName) { > + #endif > + parser->m_hash_secret_salt = 0; > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); > + parser->m_accounting.debugLevel = > getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u); > + parser->m_accounting.maximumAmplificationFactor > +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) { > + #ifdef XML_ATTR_INFO > + {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, > + #endif > +-#ifdef XML_DTD > +- /* Added in Expat 2.4.0. */ > ++#if defined(XML_DTD) || XML_GE == 1 > ++ /* Added in Expat 2.4.0 for XML_DTD defined and > ++ * added in Expat 2.6.0 for XML_GE == 1. */ > + > {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_D > EFAULT, > + XML_L("XML_BLAP_MAX_AMP"), > + (long int) > +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) { > + return features; > + } > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + XML_Bool XMLCALL > + XML_SetBillionLaughsAttackProtectionMaximumAmplification( > + XML_Parser parser, float maximumAmplificationFactor) { > +@@ -2559,7 +2560,7 @@ > XML_SetBillionLaughsAttackProtectionActivationThreshold( > + parser->m_accounting.activationThresholdBytes = > activationThresholdBytes; > + return XML_TRUE; > + } > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + > + /* Initially tag->rawName always points into the parse buffer; > + for those TAG instances opened while the current parse buffer > was > +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser > parser, const char *start, > + int tok = XmlContentTok(parser->m_encoding, start, end, &next); > + switch (tok) { > + case XML_TOK_BOM: > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, start, next, > __LINE__, > + XML_ACCOUNT_DIRECT)) { > + accountingOnAbort(parser); > + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; > + } > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + > + /* If we are at the end of the buffer, this would cause the > next stage, > + i.e. externalEntityInitProcessor3, to pass control directly > to > +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int > startTagLevel, const ENCODING *enc, > + for (;;) { > + const char *next = s; /* XmlContentTok doesn't always set the > last arg */ > + int tok = XmlContentTok(enc, s, end, &next); > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + const char *accountAfter > + = ((tok == XML_TOK_TRAILING_RSQB) || (tok == > XML_TOK_TRAILING_CR)) > + ? (haveMore ? s /* i.e. 0 bytes */ : end) > +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int > startTagLevel, const ENCODING *enc, > + XML_Char ch = (XML_Char)XmlPredefinedEntityName( > + enc, s + enc->minBytesPerChar, next - enc- > >minBytesPerChar); > + if (ch) { > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + /* NOTE: We are replacing 4-6 characters original input for > 1 character > + * so there is no amplification and hence recording > without > + * protection. */ > + accountingDiffTolerated(parser, tok, (char *)&ch, > + ((char *)&ch) + sizeof(XML_Char), > __LINE__, > + XML_ACCOUNT_ENTITY_EXPANSION); > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + if (parser->m_characterDataHandler) > + parser->m_characterDataHandler(parser->m_handlerArg, &ch, > 1); > + else if (parser->m_defaultHandler) > +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const > ENCODING *enc, const char **startPtr, > + for (;;) { > + const char *next = s; /* in case of XML_TOK_NONE or > XML_TOK_PARTIAL */ > + int tok = XmlCdataSectionTok(enc, s, end, &next); > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > account)) { > + accountingOnAbort(parser); > + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; > +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const > ENCODING *enc, const char **startPtr, > + *eventPP = s; > + *startPtr = NULL; > + tok = XmlIgnoreSectionTok(enc, s, end, &next); > +-# ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > + XML_ACCOUNT_DIRECT)) { > + accountingOnAbort(parser); > +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int > isGeneralTextEntity, const char *s, > + const XML_Char *storedversion = NULL; > + int standalone = -1; > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, > __LINE__, > + XML_ACCOUNT_DIRECT)) { > + accountingOnAbort(parser); > +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser, > const char *s, const char *end, > + */ > + else if (tok == XML_TOK_BOM && next == end > + && ! parser->m_parsingStatus.finalBuffer) { > +-# ifdef XML_DTD > ++# if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > + XML_ACCOUNT_DIRECT)) { > + accountingOnAbort(parser); > +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING > *enc, const char *s, const char *end, > + } > + } > + role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc); > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + switch (role) { > + case XML_ROLE_INSTANCE_START: // bytes accounted in > contentProcessor > + case XML_ROLE_XML_DECL: // bytes accounted in > processXmlDecl > +- case XML_ROLE_TEXT_DECL: // bytes accounted in > processXmlDecl > ++ # ifdef XML_DTD > ++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl > ++# endif > + break; > + default: > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > account)) { > +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char > *s, const char *end, > + for (;;) { > + const char *next = NULL; > + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > + XML_ACCOUNT_DIRECT)) { > + accountingOnAbort(parser); > +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser, > ENTITY *entity, XML_Bool betweenDecl) { > + return XML_ERROR_NO_MEMORY; > + } > + entity->open = XML_TRUE; > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + entityTrackingOnOpen(parser, entity, __LINE__); > + #endif > + entity->processed = 0; > +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser, > ENTITY *entity, XML_Bool betweenDecl) { > + entity->processed = (int)(next - textStart); > + parser->m_processor = internalEntityProcessor; > + } else { > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + entityTrackingOnClose(parser, entity, __LINE__); > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + entity->open = XML_FALSE; > + parser->m_openInternalEntities = openEntity->next; > + /* put openEntity back in list of free instances */ > +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser, > const char *s, const char *end, > + return result; > + } > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + entityTrackingOnClose(parser, entity, __LINE__); > + #endif > + entity->open = XML_FALSE; > +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const > ENCODING *enc, XML_Bool isCdata, > + const char *next > + = ptr; /* XmlAttributeValueTok doesn't always set the last > arg */ > + int tok = XmlAttributeValueTok(enc, ptr, end, &next); > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, > account)) { > + accountingOnAbort(parser); > + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; > +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser, > const ENCODING *enc, XML_Bool isCdata, > + XML_Char ch = (XML_Char)XmlPredefinedEntityName( > + enc, ptr + enc->minBytesPerChar, next - enc- > >minBytesPerChar); > + if (ch) { > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + /* NOTE: We are replacing 4-6 characters original input for > 1 character > + * so there is no amplification and hence recording > without > + * protection. */ > + accountingDiffTolerated(parser, tok, (char *)&ch, > + ((char *)&ch) + sizeof(XML_Char), > __LINE__, > + XML_ACCOUNT_ENTITY_EXPANSION); > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + if (! poolAppendChar(pool, ch)) > + return XML_ERROR_NO_MEMORY; > + break; > +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser, > const ENCODING *enc, XML_Bool isCdata, > + enum XML_Error result; > + const XML_Char *textEnd = entity->textPtr + entity- > >textLen; > + entity->open = XML_TRUE; > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + entityTrackingOnOpen(parser, entity, __LINE__); > + #endif > + result = appendAttributeValue(parser, parser- > >m_internalEncoding, > + isCdata, (const char > *)entity->textPtr, > + (const char *)textEnd, pool, > + > XML_ACCOUNT_ENTITY_EXPANSION); > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + entityTrackingOnClose(parser, entity, __LINE__); > + #endif > + entity->open = XML_FALSE; > +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const > ENCODING *enc, > + = entityTextPtr; /* XmlEntityValueTok doesn't always set > the last arg */ > + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, > &next); > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, > __LINE__, > + account)) { > + accountingOnAbort(parser); > +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const > XML_Memory_Handling_Suite *memsuite) { > + return result; > + } > + > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + > + static float > + accountingGetCurrentAmplification(XML_Parser rootParser) { > +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) { > + assert(0); /* never gets here */ > + } > + > +-#endif /* XML_DTD */ > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > + > + static unsigned long > + getDebugLevel(const char *variableName, unsigned long > defaultDebugLevel) { > +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c > +index 471f2a2..be23f5a 100644 > +--- a/xmlwf/xmlwf.c > ++++ b/xmlwf/xmlwf.c > +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) { > + " (needs a floating point number greater or equal than > 1.0)")); > + exit(XMLWF_EXIT_USAGE_ERROR); > + } > +-#ifndef XML_DTD > +- ftprintf(stderr, T("Warning: Given amplification limit > ignored") T( > +- ", xmlwf has been compiled without DTD > support.\n")); > ++#if ! defined(XML_DTD) && XML_GE == 0 > ++ ftprintf(stderr, > ++ T("Warning: Given amplification limit ignored") > ++ T(", xmlwf has been compiled without DTD/GE > support.\n")); > + #endif > + break; > + } > +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) { > + exit(XMLWF_EXIT_USAGE_ERROR); > + } > + attackThresholdGiven = XML_TRUE; > +-#ifndef XML_DTD > +- ftprintf(stderr, T("Warning: Given attack threshold ignored") > T( > +- ", xmlwf has been compiled without DTD > support.\n")); > ++#if ! defined(XML_DTD) && XML_GE == 0 > ++ ftprintf(stderr, > ++ T("Warning: Given attack threshold ignored") > ++ T(", xmlwf has been compiled without DTD/GE > support.\n")); > + #endif > + break; > + } > +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) { > + } > + > + if (attackMaximumAmplification != -1.0f) { > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + XML_SetBillionLaughsAttackProtectionMaximumAmplification( > + parser, attackMaximumAmplification); > + #endif > + } > + if (attackThresholdGiven) { > +-#ifdef XML_DTD > ++#if defined(XML_DTD) || XML_GE == 1 > + XML_SetBillionLaughsAttackProtectionActivationThreshold( > + parser, attackThresholdBytes); > + #else > +-- > +2.40.0 > diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes- > core/expat/expat_2.5.0.bb > index 7080f934d1..e427020534 100644 > --- a/meta/recipes-core/expat/expat_2.5.0.bb > +++ b/meta/recipes-core/expat/expat_2.5.0.bb > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', > '_')}" > > SRC_URI = > "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_T > AG}/expat-${PV}.tar.bz2 \ > file://run-ptest \ > + file://CVE-2023-52426.patch \ > " > > UPSTREAM_CHECK_URI = > "https://github.com/libexpat/libexpat/releases/" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#196837): > https://lists.openembedded.org/g/openembedded-core/message/196837 > Mute This Topic: https://lists.openembedded.org/mt/104800121/3616702 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-core/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Anuj, I have sent the upgrade to 2.6.0 , it includes the complete security fix for CVE-2023-52426 and CVE-2023-52425. Regards Meenali
On Tue, Mar 12, 2024, 03:58 Meenali Gupta via lists.openembedded.org <meenali.gupta=windriver.com@lists.openembedded.org> wrote: > Hi Anuj, > > I have sent the upgrade to 2.6.0 , it includes the complete security fix > for CVE-2023-52426 and CVE-2023-52425. > Unfortunately that update changes the so version number, so it isn't acceptable for kirkstone. #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do I think you will have to carefully back-port the two CVE fixes. It looks like Debian devs may have already back-ported at least one of these CVs to version 2.5.0-x https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238 Thanks, ../Randy > Regards > Meenali > ------------------------------ > *From:* Mittal, Anuj <anuj.mittal@intel.com> > *Sent:* 11 March 2024 08:37 > *To:* Gupta, Meenali <Meenali.Gupta@windriver.com>; > openembedded-core@lists.openembedded.org < > openembedded-core@lists.openembedded.org> > *Subject:* Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426 > > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and > know the content is safe. > > On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via > lists.openembedded.org wrote: > > From: Meenali Gupta <meenali.gupta@windriver.com> > > > > A flaw was found in Expat (libexpat). If XML_DTD is undefined at > > compile time, a recursive XML Entity > > Expansion condition can be triggered. This issue may lead to a > > condition where data is expanded exponentially, > > which will quickly consume system resources and cause a denial of > > service. > > > > Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> > > --- > > .../expat/expat/CVE-2023-52426.patch | 429 > > ++++++++++++++++++ > > meta/recipes-core/expat/expat_2.5.0.bb | 1 + > > 2 files changed, 430 insertions(+) > > create mode 100644 meta/recipes-core/expat/expat/CVE-2023- > > 52426.patch > > > > diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch > > b/meta/recipes-core/expat/expat/CVE-2023-52426.patch > > new file mode 100644 > > index 0000000000..b78a8ee0dc > > --- /dev/null > > +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch > > @@ -0,0 +1,429 @@ > > +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00 > > 2001 > > +From: Sebastian Pipping <sebastian@pipping.org> > > +Date: Thu, 26 Oct 2023 00:43:22 +0200 > > +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs > > attack > > + protection > > + > > +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1". > > + > > +CVE: CVE-2023-52426 > > +Upstream-Status: Backport > > [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518 > > 2f8cca4703da0404] > > The PR that this commit is part of includes other commits as well. Is > there any reason why only this is included or required? > > I didn't check in detail but as an example, it seems this commit uses > EXPAT_GE which was introduced in an earlier commit in that PR: > > > https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300 > > So, is this supposed to work as intended? > > Thanks, > > Anuj > > > + > > +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> > > +--- > > + CMakeLists.txt | 8 ++++- > > + lib/expat.h | 8 +++-- > > + lib/internal.h | 2 +- > > + lib/libexpat.def.cmake | 4 +-- > > + lib/xmlparse.c | 71 ++++++++++++++++++++++----------------- > > --- > > + xmlwf/xmlwf.c | 18 ++++++----- > > + 6 files changed, 62 insertions(+), 49 deletions(-) > > + > > +diff --git a/CMakeLists.txt b/CMakeLists.txt > > +index 2b4c13c..183c5c2 100644 > > +--- a/CMakeLists.txt > > ++++ b/CMakeLists.txt > > +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS) > > + endif() > > + endmacro() > > + > > +- _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD) > > ++ if(EXPAT_DTD OR EXPAT_GE) > > ++ set(_EXPAT_DTD_OR_GE TRUE) > > ++ else() > > ++ set(_EXPAT_DTD_OR_GE FALSE) > > ++ endif() > > ++ > > ++ _expat_def_file_toggle(_EXPAT_DTD_OR_GE > > _EXPAT_COMMENT_DTD_OR_GE) > > + _expat_def_file_toggle(EXPAT_ATTR_INFO > > _EXPAT_COMMENT_ATTR_INFO) > > + > > + > > configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake" > > "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def") > > +diff --git a/lib/expat.h b/lib/expat.h > > +index 1c83563..33c94af 100644 > > +--- a/lib/expat.h > > ++++ b/lib/expat.h > > +@@ -1038,13 +1038,15 @@ typedef struct { > > + XMLPARSEAPI(const XML_Feature *) > > + XML_GetFeatureList(void); > > + > > +-#ifdef XML_DTD > > +-/* Added in Expat 2.4.0. */ > > ++#if defined(XML_DTD) || XML_GE == 1 > > ++/* Added in Expat 2.4.0 for XML_DTD defined and > > ++ * added in Expat 2.6.0 for XML_GE == 1. */ > > + XMLPARSEAPI(XML_Bool) > > + XML_SetBillionLaughsAttackProtectionMaximumAmplification( > > + XML_Parser parser, float maximumAmplificationFactor); > > + > > +-/* Added in Expat 2.4.0. */ > > ++/* Added in Expat 2.4.0 for XML_DTD defined and > > ++ * added in Expat 2.6.0 for XML_GE == 1. */ > > + XMLPARSEAPI(XML_Bool) > > + XML_SetBillionLaughsAttackProtectionActivationThreshold( > > + XML_Parser parser, unsigned long long > > activationThresholdBytes); > > +diff --git a/lib/internal.h b/lib/internal.h > > +index e09f533..1851925 100644 > > +--- a/lib/internal.h > > ++++ b/lib/internal.h > > +@@ -154,7 +154,7 @@ extern "C" { > > + void _INTERNAL_trim_to_complete_utf8_characters(const char *from, > > + const char > > **fromLimRef); > > + > > +-#if defined(XML_DTD) > > ++#if defined(XML_DTD) || XML_GE == 1 > > + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser > > parser); > > + unsigned long long > > testingAccountingGetCountBytesIndirect(XML_Parser parser); > > + const char *unsignedCharToPrintable(unsigned char c); > > +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake > > +index cf434a2..61a4f00 100644 > > +--- a/lib/libexpat.def.cmake > > ++++ b/lib/libexpat.def.cmake > > +@@ -75,5 +75,5 @@ EXPORTS > > + XML_SetHashSalt @67 > > + ; internal @68 removed with version 2.3.1 > > + ; added with version 2.4.0 > > +-@_EXPAT_COMMENT_DTD@ > > XML_SetBillionLaughsAttackProtectionActivationThreshold @69 > > +-@_EXPAT_COMMENT_DTD@ > > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 > > ++@_EXPAT_COMMENT_DTD_OR_GE@ > > XML_SetBillionLaughsAttackProtectionActivationThreshold @69 > > ++@_EXPAT_COMMENT_DTD_OR_GE@ > > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 > > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c > > +index b6c2eca..e23441e 100644 > > +--- a/lib/xmlparse.c > > ++++ b/lib/xmlparse.c > > +@@ -408,7 +408,7 @@ enum XML_Account { > > + XML_ACCOUNT_NONE /* i.e. do not account, was > > accounted already */ > > + }; > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + typedef unsigned long long XmlBigCount; > > + typedef struct accounting { > > + XmlBigCount countBytesDirect; > > +@@ -424,7 +424,7 @@ typedef struct entity_stats { > > + unsigned int maximumDepthSeen; > > + int debugLevel; > > + } ENTITY_STATS; > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + > > + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const > > char *start, > > + const char *end, const > > char **endPtr); > > +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char > > *encodingName, > > + > > + static void parserInit(XML_Parser parser, const XML_Char > > *encodingName); > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + static float accountingGetCurrentAmplification(XML_Parser > > rootParser); > > + static void accountingReportStats(XML_Parser originParser, const > > char *epilog); > > + static void accountingOnAbort(XML_Parser originParser); > > +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser > > parser, ENTITY *entity, > > + > > + static XML_Parser getRootParserOf(XML_Parser parser, > > + unsigned int *outLevelDiff); > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + > > + static unsigned long getDebugLevel(const char *variableName, > > + unsigned long > > defaultDebugLevel); > > +@@ -703,7 +703,7 @@ struct XML_ParserStruct { > > + enum XML_ParamEntityParsing m_paramEntityParsing; > > + #endif > > + unsigned long m_hash_secret_salt; > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + ACCOUNTING m_accounting; > > + ENTITY_STATS m_entity_stats; > > + #endif > > +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char > > *encodingName) { > > + #endif > > + parser->m_hash_secret_salt = 0; > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); > > + parser->m_accounting.debugLevel = > > getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u); > > + parser->m_accounting.maximumAmplificationFactor > > +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) { > > + #ifdef XML_ATTR_INFO > > + {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, > > + #endif > > +-#ifdef XML_DTD > > +- /* Added in Expat 2.4.0. */ > > ++#if defined(XML_DTD) || XML_GE == 1 > > ++ /* Added in Expat 2.4.0 for XML_DTD defined and > > ++ * added in Expat 2.6.0 for XML_GE == 1. */ > > + > > {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_D > > EFAULT, > > + XML_L("XML_BLAP_MAX_AMP"), > > + (long int) > > +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) { > > + return features; > > + } > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + XML_Bool XMLCALL > > + XML_SetBillionLaughsAttackProtectionMaximumAmplification( > > + XML_Parser parser, float maximumAmplificationFactor) { > > +@@ -2559,7 +2560,7 @@ > > XML_SetBillionLaughsAttackProtectionActivationThreshold( > > + parser->m_accounting.activationThresholdBytes = > > activationThresholdBytes; > > + return XML_TRUE; > > + } > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + > > + /* Initially tag->rawName always points into the parse buffer; > > + for those TAG instances opened while the current parse buffer > > was > > +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser > > parser, const char *start, > > + int tok = XmlContentTok(parser->m_encoding, start, end, &next); > > + switch (tok) { > > + case XML_TOK_BOM: > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, start, next, > > __LINE__, > > + XML_ACCOUNT_DIRECT)) { > > + accountingOnAbort(parser); > > + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; > > + } > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + > > + /* If we are at the end of the buffer, this would cause the > > next stage, > > + i.e. externalEntityInitProcessor3, to pass control directly > > to > > +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int > > startTagLevel, const ENCODING *enc, > > + for (;;) { > > + const char *next = s; /* XmlContentTok doesn't always set the > > last arg */ > > + int tok = XmlContentTok(enc, s, end, &next); > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + const char *accountAfter > > + = ((tok == XML_TOK_TRAILING_RSQB) || (tok == > > XML_TOK_TRAILING_CR)) > > + ? (haveMore ? s /* i.e. 0 bytes */ : end) > > +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int > > startTagLevel, const ENCODING *enc, > > + XML_Char ch = (XML_Char)XmlPredefinedEntityName( > > + enc, s + enc->minBytesPerChar, next - enc- > > >minBytesPerChar); > > + if (ch) { > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + /* NOTE: We are replacing 4-6 characters original input for > > 1 character > > + * so there is no amplification and hence recording > > without > > + * protection. */ > > + accountingDiffTolerated(parser, tok, (char *)&ch, > > + ((char *)&ch) + sizeof(XML_Char), > > __LINE__, > > + XML_ACCOUNT_ENTITY_EXPANSION); > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + if (parser->m_characterDataHandler) > > + parser->m_characterDataHandler(parser->m_handlerArg, &ch, > > 1); > > + else if (parser->m_defaultHandler) > > +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const > > ENCODING *enc, const char **startPtr, > > + for (;;) { > > + const char *next = s; /* in case of XML_TOK_NONE or > > XML_TOK_PARTIAL */ > > + int tok = XmlCdataSectionTok(enc, s, end, &next); > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > > account)) { > > + accountingOnAbort(parser); > > + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; > > +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const > > ENCODING *enc, const char **startPtr, > > + *eventPP = s; > > + *startPtr = NULL; > > + tok = XmlIgnoreSectionTok(enc, s, end, &next); > > +-# ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > > + XML_ACCOUNT_DIRECT)) { > > + accountingOnAbort(parser); > > +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int > > isGeneralTextEntity, const char *s, > > + const XML_Char *storedversion = NULL; > > + int standalone = -1; > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, > > __LINE__, > > + XML_ACCOUNT_DIRECT)) { > > + accountingOnAbort(parser); > > +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser, > > const char *s, const char *end, > > + */ > > + else if (tok == XML_TOK_BOM && next == end > > + && ! parser->m_parsingStatus.finalBuffer) { > > +-# ifdef XML_DTD > > ++# if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > > + XML_ACCOUNT_DIRECT)) { > > + accountingOnAbort(parser); > > +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING > > *enc, const char *s, const char *end, > > + } > > + } > > + role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc); > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + switch (role) { > > + case XML_ROLE_INSTANCE_START: // bytes accounted in > > contentProcessor > > + case XML_ROLE_XML_DECL: // bytes accounted in > > processXmlDecl > > +- case XML_ROLE_TEXT_DECL: // bytes accounted in > > processXmlDecl > > ++ # ifdef XML_DTD > > ++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl > > ++# endif > > + break; > > + default: > > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > > account)) { > > +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char > > *s, const char *end, > > + for (;;) { > > + const char *next = NULL; > > + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > > + XML_ACCOUNT_DIRECT)) { > > + accountingOnAbort(parser); > > +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser, > > ENTITY *entity, XML_Bool betweenDecl) { > > + return XML_ERROR_NO_MEMORY; > > + } > > + entity->open = XML_TRUE; > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + entityTrackingOnOpen(parser, entity, __LINE__); > > + #endif > > + entity->processed = 0; > > +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser, > > ENTITY *entity, XML_Bool betweenDecl) { > > + entity->processed = (int)(next - textStart); > > + parser->m_processor = internalEntityProcessor; > > + } else { > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + entityTrackingOnClose(parser, entity, __LINE__); > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + entity->open = XML_FALSE; > > + parser->m_openInternalEntities = openEntity->next; > > + /* put openEntity back in list of free instances */ > > +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser, > > const char *s, const char *end, > > + return result; > > + } > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + entityTrackingOnClose(parser, entity, __LINE__); > > + #endif > > + entity->open = XML_FALSE; > > +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const > > ENCODING *enc, XML_Bool isCdata, > > + const char *next > > + = ptr; /* XmlAttributeValueTok doesn't always set the last > > arg */ > > + int tok = XmlAttributeValueTok(enc, ptr, end, &next); > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, > > account)) { > > + accountingOnAbort(parser); > > + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; > > +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser, > > const ENCODING *enc, XML_Bool isCdata, > > + XML_Char ch = (XML_Char)XmlPredefinedEntityName( > > + enc, ptr + enc->minBytesPerChar, next - enc- > > >minBytesPerChar); > > + if (ch) { > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + /* NOTE: We are replacing 4-6 characters original input for > > 1 character > > + * so there is no amplification and hence recording > > without > > + * protection. */ > > + accountingDiffTolerated(parser, tok, (char *)&ch, > > + ((char *)&ch) + sizeof(XML_Char), > > __LINE__, > > + XML_ACCOUNT_ENTITY_EXPANSION); > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + if (! poolAppendChar(pool, ch)) > > + return XML_ERROR_NO_MEMORY; > > + break; > > +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser, > > const ENCODING *enc, XML_Bool isCdata, > > + enum XML_Error result; > > + const XML_Char *textEnd = entity->textPtr + entity- > > >textLen; > > + entity->open = XML_TRUE; > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + entityTrackingOnOpen(parser, entity, __LINE__); > > + #endif > > + result = appendAttributeValue(parser, parser- > > >m_internalEncoding, > > + isCdata, (const char > > *)entity->textPtr, > > + (const char *)textEnd, pool, > > + > > XML_ACCOUNT_ENTITY_EXPANSION); > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + entityTrackingOnClose(parser, entity, __LINE__); > > + #endif > > + entity->open = XML_FALSE; > > +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const > > ENCODING *enc, > > + = entityTextPtr; /* XmlEntityValueTok doesn't always set > > the last arg */ > > + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, > > &next); > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, > > __LINE__, > > + account)) { > > + accountingOnAbort(parser); > > +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const > > XML_Memory_Handling_Suite *memsuite) { > > + return result; > > + } > > + > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + > > + static float > > + accountingGetCurrentAmplification(XML_Parser rootParser) { > > +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) { > > + assert(0); /* never gets here */ > > + } > > + > > +-#endif /* XML_DTD */ > > ++#endif /* defined(XML_DTD) || XML_GE == 1 */ > > + > > + static unsigned long > > + getDebugLevel(const char *variableName, unsigned long > > defaultDebugLevel) { > > +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c > > +index 471f2a2..be23f5a 100644 > > +--- a/xmlwf/xmlwf.c > > ++++ b/xmlwf/xmlwf.c > > +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) { > > + " (needs a floating point number greater or equal than > > 1.0)")); > > + exit(XMLWF_EXIT_USAGE_ERROR); > > + } > > +-#ifndef XML_DTD > > +- ftprintf(stderr, T("Warning: Given amplification limit > > ignored") T( > > +- ", xmlwf has been compiled without DTD > > support.\n")); > > ++#if ! defined(XML_DTD) && XML_GE == 0 > > ++ ftprintf(stderr, > > ++ T("Warning: Given amplification limit ignored") > > ++ T(", xmlwf has been compiled without DTD/GE > > support.\n")); > > + #endif > > + break; > > + } > > +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) { > > + exit(XMLWF_EXIT_USAGE_ERROR); > > + } > > + attackThresholdGiven = XML_TRUE; > > +-#ifndef XML_DTD > > +- ftprintf(stderr, T("Warning: Given attack threshold ignored") > > T( > > +- ", xmlwf has been compiled without DTD > > support.\n")); > > ++#if ! defined(XML_DTD) && XML_GE == 0 > > ++ ftprintf(stderr, > > ++ T("Warning: Given attack threshold ignored") > > ++ T(", xmlwf has been compiled without DTD/GE > > support.\n")); > > + #endif > > + break; > > + } > > +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) { > > + } > > + > > + if (attackMaximumAmplification != -1.0f) { > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + XML_SetBillionLaughsAttackProtectionMaximumAmplification( > > + parser, attackMaximumAmplification); > > + #endif > > + } > > + if (attackThresholdGiven) { > > +-#ifdef XML_DTD > > ++#if defined(XML_DTD) || XML_GE == 1 > > + XML_SetBillionLaughsAttackProtectionActivationThreshold( > > + parser, attackThresholdBytes); > > + #else > > +-- > > +2.40.0 > > diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes- > > core/expat/expat_2.5.0.bb > > index 7080f934d1..e427020534 100644 > > --- a/meta/recipes-core/expat/expat_2.5.0.bb > > +++ b/meta/recipes-core/expat/expat_2.5.0.bb > > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', > > '_')}" > > > > SRC_URI = > > "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_T > > AG}/expat-${PV}.tar.bz2 \ > > file://run-ptest \ > > + file://CVE-2023-52426.patch \ > > " > > > > UPSTREAM_CHECK_URI = > > "https://github.com/libexpat/libexpat/releases/" > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#196973): > https://lists.openembedded.org/g/openembedded-core/message/196973 > Mute This Topic: https://lists.openembedded.org/mt/104800121/953399 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > rwmacleod@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch b/meta/recipes-core/expat/expat/CVE-2023-52426.patch new file mode 100644 index 0000000000..b78a8ee0dc --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch @@ -0,0 +1,429 @@ +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Thu, 26 Oct 2023 00:43:22 +0200 +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs attack + protection + +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1". + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404] + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + CMakeLists.txt | 8 ++++- + lib/expat.h | 8 +++-- + lib/internal.h | 2 +- + lib/libexpat.def.cmake | 4 +-- + lib/xmlparse.c | 71 ++++++++++++++++++++++-------------------- + xmlwf/xmlwf.c | 18 ++++++----- + 6 files changed, 62 insertions(+), 49 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 2b4c13c..183c5c2 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS) + endif() + endmacro() + +- _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD) ++ if(EXPAT_DTD OR EXPAT_GE) ++ set(_EXPAT_DTD_OR_GE TRUE) ++ else() ++ set(_EXPAT_DTD_OR_GE FALSE) ++ endif() ++ ++ _expat_def_file_toggle(_EXPAT_DTD_OR_GE _EXPAT_COMMENT_DTD_OR_GE) + _expat_def_file_toggle(EXPAT_ATTR_INFO _EXPAT_COMMENT_ATTR_INFO) + + configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake" "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def") +diff --git a/lib/expat.h b/lib/expat.h +index 1c83563..33c94af 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -1038,13 +1038,15 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + +-#ifdef XML_DTD +-/* Added in Expat 2.4.0. */ ++#if defined(XML_DTD) || XML_GE == 1 ++/* Added in Expat 2.4.0 for XML_DTD defined and ++ * added in Expat 2.6.0 for XML_GE == 1. */ + XMLPARSEAPI(XML_Bool) + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + XML_Parser parser, float maximumAmplificationFactor); + +-/* Added in Expat 2.4.0. */ ++/* Added in Expat 2.4.0 for XML_DTD defined and ++ * added in Expat 2.6.0 for XML_GE == 1. */ + XMLPARSEAPI(XML_Bool) + XML_SetBillionLaughsAttackProtectionActivationThreshold( + XML_Parser parser, unsigned long long activationThresholdBytes); +diff --git a/lib/internal.h b/lib/internal.h +index e09f533..1851925 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -154,7 +154,7 @@ extern "C" { + void _INTERNAL_trim_to_complete_utf8_characters(const char *from, + const char **fromLimRef); + +-#if defined(XML_DTD) ++#if defined(XML_DTD) || XML_GE == 1 + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser); + unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser); + const char *unsignedCharToPrintable(unsigned char c); +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake +index cf434a2..61a4f00 100644 +--- a/lib/libexpat.def.cmake ++++ b/lib/libexpat.def.cmake +@@ -75,5 +75,5 @@ EXPORTS + XML_SetHashSalt @67 + ; internal @68 removed with version 2.3.1 + ; added with version 2.4.0 +-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 +-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 ++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 ++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index b6c2eca..e23441e 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -408,7 +408,7 @@ enum XML_Account { + XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */ + }; + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + typedef unsigned long long XmlBigCount; + typedef struct accounting { + XmlBigCount countBytesDirect; +@@ -424,7 +424,7 @@ typedef struct entity_stats { + unsigned int maximumDepthSeen; + int debugLevel; + } ENTITY_STATS; +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start, + const char *end, const char **endPtr); +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char *encodingName, + + static void parserInit(XML_Parser parser, const XML_Char *encodingName); + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + static float accountingGetCurrentAmplification(XML_Parser rootParser); + static void accountingReportStats(XML_Parser originParser, const char *epilog); + static void accountingOnAbort(XML_Parser originParser); +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity, + + static XML_Parser getRootParserOf(XML_Parser parser, + unsigned int *outLevelDiff); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + static unsigned long getDebugLevel(const char *variableName, + unsigned long defaultDebugLevel); +@@ -703,7 +703,7 @@ struct XML_ParserStruct { + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif + unsigned long m_hash_secret_salt; +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + ACCOUNTING m_accounting; + ENTITY_STATS m_entity_stats; + #endif +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + #endif + parser->m_hash_secret_salt = 0; + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); + parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u); + parser->m_accounting.maximumAmplificationFactor +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) { + #ifdef XML_ATTR_INFO + {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, + #endif +-#ifdef XML_DTD +- /* Added in Expat 2.4.0. */ ++#if defined(XML_DTD) || XML_GE == 1 ++ /* Added in Expat 2.4.0 for XML_DTD defined and ++ * added in Expat 2.6.0 for XML_GE == 1. */ + {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, + XML_L("XML_BLAP_MAX_AMP"), + (long int) +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) { + return features; + } + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + XML_Bool XMLCALL + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + XML_Parser parser, float maximumAmplificationFactor) { +@@ -2559,7 +2560,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser->m_accounting.activationThresholdBytes = activationThresholdBytes; + return XML_TRUE; + } +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + /* Initially tag->rawName always points into the parse buffer; + for those TAG instances opened while the current parse buffer was +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start, + int tok = XmlContentTok(parser->m_encoding, start, end, &next); + switch (tok) { + case XML_TOK_BOM: +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, start, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; + } +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + /* If we are at the end of the buffer, this would cause the next stage, + i.e. externalEntityInitProcessor3, to pass control directly to +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + for (;;) { + const char *next = s; /* XmlContentTok doesn't always set the last arg */ + int tok = XmlContentTok(enc, s, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + const char *accountAfter + = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR)) + ? (haveMore ? s /* i.e. 0 bytes */ : end) +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + /* NOTE: We are replacing 4-6 characters original input for 1 character + * so there is no amplification and hence recording without + * protection. */ + accountingDiffTolerated(parser, tok, (char *)&ch, + ((char *)&ch) + sizeof(XML_Char), __LINE__, + XML_ACCOUNT_ENTITY_EXPANSION); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + if (parser->m_characterDataHandler) + parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1); + else if (parser->m_defaultHandler) +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + for (;;) { + const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */ + int tok = XmlCdataSectionTok(enc, s, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + *eventPP = s; + *startPtr = NULL; + tok = XmlIgnoreSectionTok(enc, s, end, &next); +-# ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s, + const XML_Char *storedversion = NULL; + int standalone = -1; + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + */ + else if (tok == XML_TOK_BOM && next == end + && ! parser->m_parsingStatus.finalBuffer) { +-# ifdef XML_DTD ++# if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + } + role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + switch (role) { + case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor + case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl +- case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl ++ # ifdef XML_DTD ++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl ++# endif + break; + default: + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end, + for (;;) { + const char *next = NULL; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + return XML_ERROR_NO_MEMORY; + } + entity->open = XML_TRUE; +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + entity->processed = 0; +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + entity->processed = (int)(next - textStart); + parser->m_processor = internalEntityProcessor; + } else { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + entity->open = XML_FALSE; + parser->m_openInternalEntities = openEntity->next; + /* put openEntity back in list of free instances */ +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + return result; + } + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif + entity->open = XML_FALSE; +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *next + = ptr; /* XmlAttributeValueTok doesn't always set the last arg */ + int tok = XmlAttributeValueTok(enc, ptr, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + /* NOTE: We are replacing 4-6 characters original input for 1 character + * so there is no amplification and hence recording without + * protection. */ + accountingDiffTolerated(parser, tok, (char *)&ch, + ((char *)&ch) + sizeof(XML_Char), __LINE__, + XML_ACCOUNT_ENTITY_EXPANSION); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + if (! poolAppendChar(pool, ch)) + return XML_ERROR_NO_MEMORY; + break; +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + enum XML_Error result; + const XML_Char *textEnd = entity->textPtr + entity->textLen; + entity->open = XML_TRUE; +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + result = appendAttributeValue(parser, parser->m_internalEncoding, + isCdata, (const char *)entity->textPtr, + (const char *)textEnd, pool, + XML_ACCOUNT_ENTITY_EXPANSION); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif + entity->open = XML_FALSE; +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__, + account)) { + accountingOnAbort(parser); +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + return result; + } + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) { + assert(0); /* never gets here */ + } + +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + static unsigned long + getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) { +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 471f2a2..be23f5a 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) { + " (needs a floating point number greater or equal than 1.0)")); + exit(XMLWF_EXIT_USAGE_ERROR); + } +-#ifndef XML_DTD +- ftprintf(stderr, T("Warning: Given amplification limit ignored") T( +- ", xmlwf has been compiled without DTD support.\n")); ++#if ! defined(XML_DTD) && XML_GE == 0 ++ ftprintf(stderr, ++ T("Warning: Given amplification limit ignored") ++ T(", xmlwf has been compiled without DTD/GE support.\n")); + #endif + break; + } +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) { + exit(XMLWF_EXIT_USAGE_ERROR); + } + attackThresholdGiven = XML_TRUE; +-#ifndef XML_DTD +- ftprintf(stderr, T("Warning: Given attack threshold ignored") T( +- ", xmlwf has been compiled without DTD support.\n")); ++#if ! defined(XML_DTD) && XML_GE == 0 ++ ftprintf(stderr, ++ T("Warning: Given attack threshold ignored") ++ T(", xmlwf has been compiled without DTD/GE support.\n")); + #endif + break; + } +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) { + } + + if (attackMaximumAmplification != -1.0f) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + parser, attackMaximumAmplification); + #endif + } + if (attackThresholdGiven) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser, attackThresholdBytes); + #else +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 7080f934d1..e427020534 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2023-52426.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"