[kirkstone,04/19] expat: patch CVE-2024-50602

Message ID	2cf8325876aa4d43151f5a327a21834db37bf0cb.1731467662.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.180, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/19] expat: patch CVE-2024-50602 Date: Tue, 12 Nov 2024 19:15:57 -0800 Message-Id: <2cf8325876aa4d43151f5a327a21834db37bf0cb.1731467662.git.steve@sakoman.com> In-Reply-To: <cover.1731467662.git.steve@sakoman.com> References: <cover.1731467662.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/19] ghostscript: fix CVE-2023-46361 \| expand [kirkstone,01/19] ghostscript: fix CVE-2023-46361 [kirkstone,02/19] curl: patch CVE-2024-9681 [kirkstone,03/19] gstreamer1.0: ignore CVE-2024-0444 [kirkstone,04/19] expat: patch CVE-2024-50602 [kirkstone,05/19] glib-2.0: patch regression of CVE-2023-32665 [kirkstone,06/19] patch.py: Use shlex instead of deprecated pipe [kirkstone,07/19] cmake: Fix sporadic issues when determining compiler internals [kirkstone,08/19] pseudo: Update to pull in linux-libc-headers race fix [kirkstone,09/19] pseudo: Disable LFS on 32bit arches [kirkstone,10/19] pseudo: Switch back to the master branch [kirkstone,11/19] pseudo: Update to include logic fix [kirkstone,12/19] pseudo: Update to pull in fd leak fix [kirkstone,13/19] pseudo: Update to pull in syncfs probe fix [kirkstone,14/19] pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept [kirkstone,15/19] pseudo: Update to pull in fchmodat fix [kirkstone,16/19] pseudo: Update to pull in python 3.12+ fix [kirkstone,17/19] pseudo: Fix to work with glibc 2.40 [kirkstone,18/19] pseudo: Update to include open symlink handling bugfix [kirkstone,19/19] pseudo: Fix envp bug and add posix_spawn wrapper

Message ID

2cf8325876aa4d43151f5a327a21834db37bf0cb.1731467662.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/19] expat: patch CVE-2024-50602
Date: Tue, 12 Nov 2024 19:15:57 -0800
Message-Id: 
 <2cf8325876aa4d43151f5a327a21834db37bf0cb.1731467662.git.steve@sakoman.com>
In-Reply-To: <cover.1731467662.git.steve@sakoman.com>
References: <cover.1731467662.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/19] ghostscript: fix CVE-2023-46361 | expand

Commit Message

Steve Sakoman Nov. 13, 2024, 3:15 a.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Pick commits from https://github.com/libexpat/libexpat/pull/915

Not picking test is suboptimal, but test structure was changed meanwhile
so we'd have to invent new code.
Skipping tests was already done in previous expat/kirkstone CVE patches.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../expat/expat/CVE-2024-50602-01.patch       | 56 +++++++++++++++++++
 .../expat/expat/CVE-2024-50602-02.patch       | 38 +++++++++++++
 meta/recipes-core/expat/expat_2.5.0.bb        |  2 +
 3 files changed, 96 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2024-50602-02.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
new file mode 100644
index 0000000000..6abaa85261
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
@@ -0,0 +1,56 @@ 
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/2] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+
+CVE: CVE-2024-50602
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/51c7019069b862e88d94ed228659e70bddd5de09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ expat/lib/expat.h    | 4 +++-
+ expat/lib/xmlparse.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index d0d6015a..3ba61304 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++  /* Added in 2.6.4. */
++  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d9285b21..fa02537f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2189,6 +2189,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
++  case XML_INITIALIZED:
++    parser->m_errorCode = XML_ERROR_NOT_STARTED;
++    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2474,6 +2477,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
++  /* Added in 2.6.4. */
++  case XML_ERROR_NOT_STARTED:
++    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+-- 
+2.30.2
+
diff --git a/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
new file mode 100644
index 0000000000..4d99eb738c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
@@ -0,0 +1,38 @@ 
+From 5fb89e7b3afa1c314b34834fe729cd063f65a4d4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:46:11 +0200
+Subject: [PATCH 2/2] lib: Be explicit about XML_PARSING in XML_StopParser
+
+CVE: CVE-2024-50602
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5fb89e7b3afa1c314b34834fe729cd063f65a4d4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ expat/lib/xmlparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index fa02537f..983f6df0 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2202,7 +2202,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
++  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2213,6 +2213,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
++    break;
++  default:
++    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+-- 
+2.30.2
+
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 26190383e3..33207ff0da 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -28,6 +28,8 @@  SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
 	   file://CVE-2024-45490-0004.patch \
 	   file://CVE-2024-45491.patch \
 	   file://CVE-2024-45492.patch \
+	   file://CVE-2024-50602-01.patch \
+	   file://CVE-2024-50602-02.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"

[kirkstone,04/19] expat: patch CVE-2024-50602

Commit Message

Patch