| Message ID | 20220920110856.18019-1-florin.diaconescu009@gmail.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [kirkstone] expat: CVE-2022-40674 | expand |
2.4.9 looks to have landed w/ this change in it. On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu <florin.diaconescu009@gmail.com> wrote: > > Upstream-Status: Accepted > [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b] > > Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> > --- > .../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++ > meta/recipes-core/expat/expat_2.4.8.bb | 1 + > 2 files changed, 57 insertions(+) > create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch > > diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch > new file mode 100644 > index 0000000000..468811fefa > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch > @@ -0,0 +1,56 @@ > +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 > +From: Rhodri James <rhodri@wildebeest.org.uk> > +Date: Wed, 17 Aug 2022 18:26:18 +0100 > +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser > + > +It is possible to concoct a situation in which parsing is > +suspended while substituting in an internal entity, so that > +XML_ResumeParser directly uses internalEntityProcessor as > +its processor. If the subsequent parse includes some unclosed > +tags, this will return without calling storeRawNames to ensure > +that the raw versions of the tag names are stored in memory other > +than the parse buffer itself. If the parse buffer is then changed > +or reallocated (for example if processing a file line by line), > +badness will ensue. > + > +This patch ensures storeRawNames is always called when needed > +after calling doContent. The earlier call do doContent does > +not need the same protection; it only deals with entity > +substitution, which cannot leave unbalanced tags, and in any > +case the raw names will be pointing into the stored entity > +value not the parse buffer. > + > +CVE: CVE-2022-40674 > +Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b] > + > +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> > +--- > + lib/xmlparse.c | 13 +++++++++---- > + 1 file changed, 9 insertions(+), 4 deletions(-) > + > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c > +index e986156..eabe0fc 100644 > +--- a/lib/xmlparse.c > ++++ b/lib/xmlparse.c > +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, > + { > + parser->m_processor = contentProcessor; > + /* see externalEntityContentProcessor vs contentProcessor */ > +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, > +- s, end, nextPtr, > +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, > +- XML_ACCOUNT_DIRECT); > ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, > ++ parser->m_encoding, s, end, nextPtr, > ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, > ++ XML_ACCOUNT_DIRECT); > ++ if (result == XML_ERROR_NONE) { > ++ if (! storeRawNames(parser)) > ++ return XML_ERROR_NO_MEMORY; > ++ } > ++ return result; > + } > + } > + > +-- > +2.35.1 > diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb > index 980c488640..93a2f98b38 100644 > --- a/meta/recipes-core/expat/expat_2.4.8.bb > +++ b/meta/recipes-core/expat/expat_2.4.8.bb > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" > > SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ > file://run-ptest \ > + file://CVE-2022-40674.patch \ > " > > UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#170894): https://lists.openembedded.org/g/openembedded-core/message/170894 > Mute This Topic: https://lists.openembedded.org/mt/93800770/3618097 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kiernan@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Just saw the new release, I will submit another patch with the 2.4.9 upgrade. Thanks for letting me know! Florin On Tue, Sep 20, 2022 at 6:57 PM Alex Kiernan <alex.kiernan@gmail.com> wrote: > 2.4.9 looks to have landed w/ this change in it. > > On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu > <florin.diaconescu009@gmail.com> wrote: > > > > Upstream-Status: Accepted > > [ > https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b > ] > > > > Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> > > --- > > .../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++ > > meta/recipes-core/expat/expat_2.4.8.bb | 1 + > > 2 files changed, 57 insertions(+) > > create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch > > > > diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch > b/meta/recipes-core/expat/expat/CVE-2022-40674.patch > > new file mode 100644 > > index 0000000000..468811fefa > > --- /dev/null > > +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch > > @@ -0,0 +1,56 @@ > > +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 > > +From: Rhodri James <rhodri@wildebeest.org.uk> > > +Date: Wed, 17 Aug 2022 18:26:18 +0100 > > +Subject: [PATCH] Ensure raw tagnames are safe exiting > internalEntityParser > > + > > +It is possible to concoct a situation in which parsing is > > +suspended while substituting in an internal entity, so that > > +XML_ResumeParser directly uses internalEntityProcessor as > > +its processor. If the subsequent parse includes some unclosed > > +tags, this will return without calling storeRawNames to ensure > > +that the raw versions of the tag names are stored in memory other > > +than the parse buffer itself. If the parse buffer is then changed > > +or reallocated (for example if processing a file line by line), > > +badness will ensue. > > + > > +This patch ensures storeRawNames is always called when needed > > +after calling doContent. The earlier call do doContent does > > +not need the same protection; it only deals with entity > > +substitution, which cannot leave unbalanced tags, and in any > > +case the raw names will be pointing into the stored entity > > +value not the parse buffer. > > + > > +CVE: CVE-2022-40674 > > +Upstream-Status: Accepted [ > https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b > ] > > + > > +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> > > +--- > > + lib/xmlparse.c | 13 +++++++++---- > > + 1 file changed, 9 insertions(+), 4 deletions(-) > > + > > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c > > +index e986156..eabe0fc 100644 > > +--- a/lib/xmlparse.c > > ++++ b/lib/xmlparse.c > > +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, > const char *s, const char *end, > > + { > > + parser->m_processor = contentProcessor; > > + /* see externalEntityContentProcessor vs contentProcessor */ > > +- return doContent(parser, parser->m_parentParser ? 1 : 0, > parser->m_encoding, > > +- s, end, nextPtr, > > +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, > > +- XML_ACCOUNT_DIRECT); > > ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, > > ++ parser->m_encoding, s, end, nextPtr, > > ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, > > ++ XML_ACCOUNT_DIRECT); > > ++ if (result == XML_ERROR_NONE) { > > ++ if (! storeRawNames(parser)) > > ++ return XML_ERROR_NO_MEMORY; > > ++ } > > ++ return result; > > + } > > + } > > + > > +-- > > +2.35.1 > > diff --git a/meta/recipes-core/expat/expat_2.4.8.bb > b/meta/recipes-core/expat/expat_2.4.8.bb > > index 980c488640..93a2f98b38 100644 > > --- a/meta/recipes-core/expat/expat_2.4.8.bb > > +++ b/meta/recipes-core/expat/expat_2.4.8.bb > > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" > > > > SRC_URI = " > https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 > \ > > file://run-ptest \ > > + file://CVE-2022-40674.patch \ > > " > > > > UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" > > -- > > 2.25.1 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#170894): > https://lists.openembedded.org/g/openembedded-core/message/170894 > > Mute This Topic: https://lists.openembedded.org/mt/93800770/3618097 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > alex.kiernan@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > > > -- > Alex Kiernan >
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..468811fefa --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch @@ -0,0 +1,56 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James <rhodri@wildebeest.org.uk> +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +CVE: CVE-2022-40674 +Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b] + +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> +--- + lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index e986156..eabe0fc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + +-- +2.35.1 diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb index 980c488640..93a2f98b38 100644 --- a/meta/recipes-core/expat/expat_2.4.8.bb +++ b/meta/recipes-core/expat/expat_2.4.8.bb @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2022-40674.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b] Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> --- .../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++ meta/recipes-core/expat/expat_2.4.8.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch