[kirkstone] expat: CVE-2022-40674

Upstream-Status: Accepted
[https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]

Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
---
 .../expat/expat/CVE-2022-40674.patch          | 56 +++++++++++++++++++
 meta/recipes-core/expat/expat_2.4.8.bb        |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch

2.4.9 looks to have landed w/ this change in it.

On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> Upstream-Status: Accepted
> [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
>
> Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> ---
>  .../expat/expat/CVE-2022-40674.patch          | 56 +++++++++++++++++++
>  meta/recipes-core/expat/expat_2.4.8.bb        |  1 +
>  2 files changed, 57 insertions(+)
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch
>
> diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> new file mode 100644
> index 0000000000..468811fefa
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> @@ -0,0 +1,56 @@
> +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
> +From: Rhodri James <rhodri@wildebeest.org.uk>
> +Date: Wed, 17 Aug 2022 18:26:18 +0100
> +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
> +
> +It is possible to concoct a situation in which parsing is
> +suspended while substituting in an internal entity, so that
> +XML_ResumeParser directly uses internalEntityProcessor as
> +its processor.  If the subsequent parse includes some unclosed
> +tags, this will return without calling storeRawNames to ensure
> +that the raw versions of the tag names are stored in memory other
> +than the parse buffer itself.  If the parse buffer is then changed
> +or reallocated (for example if processing a file line by line),
> +badness will ensue.
> +
> +This patch ensures storeRawNames is always called when needed
> +after calling doContent.  The earlier call do doContent does
> +not need the same protection; it only deals with entity
> +substitution, which cannot leave unbalanced tags, and in any
> +case the raw names will be pointing into the stored entity
> +value not the parse buffer.
> +
> +CVE: CVE-2022-40674
> +Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
> +
> +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> +---
> + lib/xmlparse.c | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index e986156..eabe0fc 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
> +   {
> +     parser->m_processor = contentProcessor;
> +     /* see externalEntityContentProcessor vs contentProcessor */
> +-    return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
> +-                     s, end, nextPtr,
> +-                     (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> +-                     XML_ACCOUNT_DIRECT);
> ++    result = doContent(parser, parser->m_parentParser ? 1 : 0,
> ++                       parser->m_encoding, s, end, nextPtr,
> ++                       (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> ++                       XML_ACCOUNT_DIRECT);
> ++    if (result == XML_ERROR_NONE) {
> ++      if (! storeRawNames(parser))
> ++        return XML_ERROR_NO_MEMORY;
> ++    }
> ++    return result;
> +   }
> + }
> +
> +--
> +2.35.1
> diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb
> index 980c488640..93a2f98b38 100644
> --- a/meta/recipes-core/expat/expat_2.4.8.bb
> +++ b/meta/recipes-core/expat/expat_2.4.8.bb
> @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
>
>  SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
>             file://run-ptest \
> +           file://CVE-2022-40674.patch \
>             "
>
>  UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#170894): https://lists.openembedded.org/g/openembedded-core/message/170894
> Mute This Topic: https://lists.openembedded.org/mt/93800770/3618097
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kiernan@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Just saw the new release, I will submit another patch with the 2.4.9
upgrade. Thanks for letting me know!

Florin

On Tue, Sep 20, 2022 at 6:57 PM Alex Kiernan <alex.kiernan@gmail.com> wrote:

> 2.4.9 looks to have landed w/ this change in it.
>
> On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu
> <florin.diaconescu009@gmail.com> wrote:
> >
> > Upstream-Status: Accepted
> > [
> https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b
> ]
> >
> > Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> > ---
> >  .../expat/expat/CVE-2022-40674.patch          | 56 +++++++++++++++++++
> >  meta/recipes-core/expat/expat_2.4.8.bb        |  1 +
> >  2 files changed, 57 insertions(+)
> >  create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch
> >
> > diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> > new file mode 100644
> > index 0000000000..468811fefa
> > --- /dev/null
> > +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> > @@ -0,0 +1,56 @@
> > +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
> > +From: Rhodri James <rhodri@wildebeest.org.uk>
> > +Date: Wed, 17 Aug 2022 18:26:18 +0100
> > +Subject: [PATCH] Ensure raw tagnames are safe exiting
> internalEntityParser
> > +
> > +It is possible to concoct a situation in which parsing is
> > +suspended while substituting in an internal entity, so that
> > +XML_ResumeParser directly uses internalEntityProcessor as
> > +its processor.  If the subsequent parse includes some unclosed
> > +tags, this will return without calling storeRawNames to ensure
> > +that the raw versions of the tag names are stored in memory other
> > +than the parse buffer itself.  If the parse buffer is then changed
> > +or reallocated (for example if processing a file line by line),
> > +badness will ensue.
> > +
> > +This patch ensures storeRawNames is always called when needed
> > +after calling doContent.  The earlier call do doContent does
> > +not need the same protection; it only deals with entity
> > +substitution, which cannot leave unbalanced tags, and in any
> > +case the raw names will be pointing into the stored entity
> > +value not the parse buffer.
> > +
> > +CVE: CVE-2022-40674
> > +Upstream-Status: Accepted [
> https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b
> ]
> > +
> > +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> > +---
> > + lib/xmlparse.c | 13 +++++++++----
> > + 1 file changed, 9 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> > +index e986156..eabe0fc 100644
> > +--- a/lib/xmlparse.c
> > ++++ b/lib/xmlparse.c
> > +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser,
> const char *s, const char *end,
> > +   {
> > +     parser->m_processor = contentProcessor;
> > +     /* see externalEntityContentProcessor vs contentProcessor */
> > +-    return doContent(parser, parser->m_parentParser ? 1 : 0,
> parser->m_encoding,
> > +-                     s, end, nextPtr,
> > +-                     (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> > +-                     XML_ACCOUNT_DIRECT);
> > ++    result = doContent(parser, parser->m_parentParser ? 1 : 0,
> > ++                       parser->m_encoding, s, end, nextPtr,
> > ++                       (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> > ++                       XML_ACCOUNT_DIRECT);
> > ++    if (result == XML_ERROR_NONE) {
> > ++      if (! storeRawNames(parser))
> > ++        return XML_ERROR_NO_MEMORY;
> > ++    }
> > ++    return result;
> > +   }
> > + }
> > +
> > +--
> > +2.35.1
> > diff --git a/meta/recipes-core/expat/expat_2.4.8.bb
> b/meta/recipes-core/expat/expat_2.4.8.bb
> > index 980c488640..93a2f98b38 100644
> > --- a/meta/recipes-core/expat/expat_2.4.8.bb
> > +++ b/meta/recipes-core/expat/expat_2.4.8.bb
> > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
> >
> >  SRC_URI = "
> https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2
> \
> >             file://run-ptest \
> > +           file://CVE-2022-40674.patch \
> >             "
> >
> >  UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
> > --
> > 2.25.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#170894):
> https://lists.openembedded.org/g/openembedded-core/message/170894
> > Mute This Topic: https://lists.openembedded.org/mt/93800770/3618097
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> alex.kiernan@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
> --
> Alex Kiernan
>