[kirkstone,1/3] expat: fix CVE-2024-45490

Message ID	20240906132930.2926495-1-archana.polampalli@windriver.com
State	Superseded
Delegated to:	Steve Sakoman
Headers	show Return-Path: <archana.polampalli@windriver.com> ip: 205.220.178.238, mailfrom: prvs=9979a097e3=archana.polampalli@windriver.com) From: <archana.polampalli@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [oe-core][kirkstone][PATCH 1/3] expat: fix CVE-2024-45490 Date: Fri, 6 Sep 2024 13:29:28 +0000 Message-ID: <20240906132930.2926495-1-archana.polampalli@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[kirkstone,1/3] expat: fix CVE-2024-45490 \| expand [kirkstone,1/3] expat: fix CVE-2024-45490 [kirkstone,2/3] expat: fix CVE-2024-45491 [kirkstone,3/3] expat: fix CVE-2024-45492

Message ID

20240906132930.2926495-1-archana.polampalli@windriver.com

State

Superseded

Delegated to:

Steve Sakoman

Headers

From: <archana.polampalli@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [oe-core][kirkstone][PATCH 1/3] expat: fix CVE-2024-45490
Date: Fri, 6 Sep 2024 13:29:28 +0000
Message-ID: <20240906132930.2926495-1-archana.polampalli@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[kirkstone,1/3] expat: fix CVE-2024-45490 | expand

Commit Message

Polampalli, Archana Sept. 6, 2024, 1:29 p.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject
a negative length for XML_ParseBuffer.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../expat/expat/CVE-2024-45490-0001.patch     | 35 +++++++++++++
 .../expat/expat/CVE-2024-45490-0002.patch     | 49 +++++++++++++++++++
 meta/recipes-core/expat/expat_2.5.0.bb        |  2 +
 3 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch

Comments

Siddharth Doshi Sept. 7, 2024, 6:55 a.m. UTC | #1

Hi Archana,

The fix for this CVE consists of 3 commits (fix in file, test to check for issue and doc update)
(ref-> https://github.com/libexpat/libexpat/pull/890/commits )

Out of which you have backported only 2 (Fix in file and doc update). the commit for "test to check len<0" is not added in the patch

is there any specific reason to exclude it ? if not, could you send a v2 incorporting the missing commit too ?

BR,
Siddharth

Polampalli, Archana Sept. 8, 2024, 4:52 p.m. UTC | #2

expat/tests/basic_tests.c is not present in recipe version, will add these changes to runtests.c and will send V2.

Thanks,
Archana

Siddharth Doshi Sept. 8, 2024, 5:10 p.m. UTC | #3

> 
> expat/tests/basic_tests.c is not present in recipe version, will add these
> changes to runtests.c and will send V2.
> 
> 

- Yes, expat/tests/basic_tests.c seperated out from runtests.c from version 2.6.0.

- Afaik, the patch will apply directly to runtests.c as not major change except seperation was done in expat.

Thank-you for your work :) and sending V2 :)

BR,
Siddharth

diff --git a/meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch b/meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch
new file mode 100644
index 0000000000..acdeb5b7df
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch
@@ -0,0 +1,35 @@ 
+From 1d4f03d21b4f42031716522a6b96346b7a60d4c4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+
+CVE: CVE-2024-45490
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9984d02..6f0440b 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1996,6 +1996,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;
+--
+2.40.0
diff --git a/meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch b/meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch
new file mode 100644
index 0000000000..e769182087
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch
@@ -0,0 +1,49 @@ 
+From 2db233019f551fe4c701bbbc5eb0fa58ff349daa Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 25 Aug 2024 19:09:51 +0200
+Subject: [PATCH] doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0"
+
+CVE: CVE-2024-45490
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2db233019f551fe4c701bbbc5eb0fa58ff349daa]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ doc/reference.html | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index cdf3983..ebae824 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -1097,7 +1097,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by <code>len</code>. This means
+ that <code>s</code> doesn't have to be null terminated. It also means that
+ if <code>len</code> is larger than the number of bytes in the block of
+-memory that <code>s</code> points at, then a memory fault is likely. The
++memory that <code>s</code> points at, then a memory fault is likely.
++Negative values for <code>len</code> are rejected since Expat 2.2.1.
++The
+ <code>isFinal</code> parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ <code>len</code> is zero.)
+@@ -1113,11 +1115,17 @@ XML_ParseBuffer(XML_Parser p,
+                 int isFinal);
+ </pre>
+ <div class="fcndef">
++<p>
+ This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
+ except in this case Expat provides the buffer.  By obtaining the
+ buffer from Expat with the <code><a href= "#XML_GetBuffer"
+ >XML_GetBuffer</a></code> function, the application can avoid double
+ copying of the input.
++</p>
++
++<p>
++Negative values for <code>len</code> are rejected since Expat 2.6.3.
++</p>
+ </div>
+
+ <h4 id="XML_GetBuffer">XML_GetBuffer</h4>
+--
+2.40.0
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 31e989cfe2..6d927ec8c8 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -22,6 +22,8 @@  SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
 	   file://CVE-2023-52426-009.patch \
 	   file://CVE-2023-52426-010.patch \
 	   file://CVE-2023-52426-011.patch \
+	   file://CVE-2024-45490-0001.patch \
+	   file://CVE-2024-45490-0002.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"

[kirkstone,1/3] expat: fix CVE-2024-45490

Commit Message

Comments

Patch