From patchwork Mon Sep 9 06:55:57 2024
X-Patchwork-Submitter: "Polampalli, Archana"
X-Patchwork-Id: 48827
X-Patchwork-Delegate: steve@sakoman.com
Subject: [oe-core][kirkstone][PATCH V2 1/3] expat: fix CVE-2024-45490
Date: Mon, 9 Sep 2024 06:55:57 +0000
Message-ID: <20240909065559.3812653-1-archana.polampalli@windriver.com>
X-Mailer: git-send-email 2.40.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204309

From: Archana Polampalli

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Added tests patch and its dependent patch[c803b93e8736e]
Signed-off-by: Archana Polampalli --- .../expat/expat/CVE-2024-45490-0001.patch | 35 +++ .../expat/expat/CVE-2024-45490-0002.patch | 250 ++++++++++++++++++ .../expat/expat/CVE-2024-45490-0003.patch | 91 +++++++ .../expat/expat/CVE-2024-45490-0004.patch | 49 ++++ meta/recipes-core/expat/expat_2.5.0.bb | 4 + 5 files changed, 429 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45490-0003.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45490-0004.patch diff --git a/meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch b/meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch new file mode 100644 index 0000000000..acdeb5b7df --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch @@ -0,0 +1,35 @@ +From 1d4f03d21b4f42031716522a6b96346b7a60d4c4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Aug 2024 22:26:07 +0200 +Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer + +Reported by TaiYou + +CVE: CVE-2024-45490 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf] + +Signed-off-by: Archana Polampalli +--- + lib/xmlparse.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 9984d02..6f0440b 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1996,6 +1996,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { + + if (parser == NULL) + return XML_STATUS_ERROR; ++ ++ if (len < 0) { ++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; ++ return XML_STATUS_ERROR; ++ } ++ + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: + parser->m_errorCode = XML_ERROR_SUSPENDED; +-- +2.40.0 
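Review bot: The hash in this patch's From line (1d4f03d21b4f42031716522a6b96346b7a60d4c4) does not match the commit named in Upstream-Status (5c1a31642e243f4870c0bd1f2afc7597976521bf), whereas the other three patches in this mail have the two in agreement; either point Upstream-Status at the commit that was actually cherry-picked or regenerate the patch from 5c1a3164 so provenance is unambiguous. The xmlparse.c hunk itself is placed correctly: the `len < 0` test sits after the `parser == NULL` check and before the parsing-status switch, so a negative length is reported as XML_ERROR_INVALID_ARGUMENT with XML_STATUS_ERROR before it reaches the parsing logic, consistent with the surrounding error paths. Only XML_ParseBuffer is changed here, yet patch 0003 adds test_negative_len_parse for XML_Parse as well, so the backporter should confirm that the 2.5.0 XML_Parse already rejects `len < 0` on its own (patch 0004 dates that to Expat 2.2.1); otherwise that test will fail on kirkstone.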
diff --git a/meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch b/meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch new file mode 100644 index 0000000000..6be8771a59 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch 
@@ -0,0 +1,250 @@ +From c803b93e8736ed255ff1a6db5ab6add7ccea736c Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Fri, 25 Aug 2023 14:49:29 +0200 +Subject: [PATCH] minicheck: Add simple subtest support + +This will be useful when a test runs through several examples and +fails somewhere in the middle. The subtest string replaces the +phase_info string (i.e. "during actual test") in the failure output. + +Added subtest info to various tests where I found for loops. + +CVE: CVE-2024-45490 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/c803b93e8736ed255ff1a6db5ab6add7ccea736c] + +Signed-off-by: Archana Polampalli +--- + tests/minicheck.c | 25 +++++++++++++++++++++++++ + tests/minicheck.h | 16 ++++++++++++++++ + tests/runtests.c | 13 +++++++++++++ + 3 files changed, 54 insertions(+) + +diff --git a/tests/minicheck.c b/tests/minicheck.c +index 1c65748..46db355 100644 +--- a/tests/minicheck.c ++++ b/tests/minicheck.c +@@ -15,6 +15,7 @@ + Copyright (c) 2017 Rhodri James + Copyright (c) 2018 Marco Maggi + Copyright (c) 2019 David Loffredo ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -37,6 +38,7 @@ + USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + ++#include + #include + #include + #include +@@ -132,17 +134,35 @@ srunner_create(Suite *suite) { + + static jmp_buf env; + ++#define SUBTEST_LEN (50) // informative, but not too long + static char const *_check_current_function = NULL; ++static char _check_current_subtest[SUBTEST_LEN]; + static int _check_current_lineno = -1; + static char const *_check_current_filename = NULL; + + void + _check_set_test_info(char const *function, char const *filename, int lineno) { + _check_current_function = function; ++ set_subtest("%s", ""); + _check_current_lineno = lineno; + _check_current_filename = filename; + } + ++void ++set_subtest(char const *fmt, ...) 
{ ++ va_list ap; ++ va_start(ap, fmt); ++ vsnprintf(_check_current_subtest, SUBTEST_LEN, fmt, ap); ++ va_end(ap); ++ // replace line feeds with spaces, for nicer error logs ++ for (size_t i = 0; i < SUBTEST_LEN; ++i) { ++ if (_check_current_subtest[i] == '\n') { ++ _check_current_subtest[i] = ' '; ++ } ++ } ++ _check_current_subtest[SUBTEST_LEN - 1] = '\0'; // ensure termination ++} ++ + static void + handle_success(int verbosity) { + if (verbosity >= CK_VERBOSE) { +@@ -154,6 +174,9 @@ static void + handle_failure(SRunner *runner, int verbosity, const char *phase_info) { + runner->nfailures++; + if (verbosity != CK_SILENT) { ++ if (strlen(_check_current_subtest) != 0) { ++ phase_info = _check_current_subtest; ++ } + printf("FAIL: %s (%s at %s:%d)\n", _check_current_function, phase_info, + _check_current_filename, _check_current_lineno); + } +@@ -170,6 +193,7 @@ srunner_run_all(SRunner *runner, int verbosity) { + volatile int i; + for (i = 0; i < tc->ntests; ++i) { + runner->nchecks++; ++ set_subtest("%s", ""); + + if (tc->setup != NULL) { + /* setup */ +@@ -185,6 +209,7 @@ srunner_run_all(SRunner *runner, int verbosity) { + continue; + } + (tc->tests[i])(); ++ set_subtest("%s", ""); + + /* teardown */ + if (tc->teardown != NULL) { +diff --git a/tests/minicheck.h b/tests/minicheck.h +index cc1f835..a0ff333 100644 +--- a/tests/minicheck.h ++++ b/tests/minicheck.h +@@ -15,6 +15,7 @@ + Copyright (c) 2004-2006 Fred L. Drake, Jr. + Copyright (c) 2006-2012 Karl Waclawek + Copyright (c) 2016-2017 Sebastian Pipping ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -56,6 +57,19 @@ extern "C" { + # define __func__ __FUNCTION__ + #endif + ++/* PRINTF_LIKE has two effects: ++ 1. Make clang's -Wformat-nonliteral stop warning about non-literal format ++ strings in annotated functions' code. ++ 2. 
Make both clang and gcc's -Wformat-nonliteral warn about *callers* of ++ the annotated function that use a non-literal format string. ++*/ ++# if defined(__GNUC__) ++# define PRINTF_LIKE(fmtpos, argspos) \ ++ __attribute__((format(printf, fmtpos, argspos))) ++# else ++# define PRINTF_LIKE(fmtpos, argspos) ++# endif ++ + #define START_TEST(testname) \ + static void testname(void) { \ + _check_set_test_info(__func__, __FILE__, __LINE__); \ +@@ -64,6 +78,8 @@ extern "C" { + } \ + } + ++void PRINTF_LIKE(1, 2) set_subtest(char const *fmt, ...); ++ + #define fail(msg) _fail_unless(0, __FILE__, __LINE__, msg) + + typedef void (*tcase_setup_function)(void); +diff --git a/tests/runtests.c b/tests/runtests.c +index 915fa52..3e610f7 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -18,6 +18,7 @@ + Copyright (c) 2019 David Loffredo + Copyright (c) 2020 Tim Gates + Copyright (c) 2021 Dong-hee Na ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -1804,6 +1805,7 @@ START_TEST(test_ext_entity_invalid_parse) { + const ExtFaults *fault = faults; + + for (; fault->parse_text != NULL; fault++) { ++ set_subtest("\"%s\"", fault->parse_text); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); + XML_SetExternalEntityRefHandler(g_parser, external_entity_faulter); + XML_SetUserData(g_parser, (void *)fault); +@@ -1904,6 +1906,7 @@ START_TEST(test_dtd_attr_handling) { + AttTest *test; + + for (test = attr_data; test->definition != NULL; test++) { ++ set_subtest("%s", test->definition); + XML_SetAttlistDeclHandler(g_parser, verify_attlist_decl_handler); + XML_SetUserData(g_parser, test); + if (_XML_Parse_SINGLE_BYTES(g_parser, prolog, (int)strlen(prolog), +@@ -2356,6 +2359,7 @@ START_TEST(test_bad_cdata) { + + size_t i = 0; + for (; i < sizeof(cases) / sizeof(struct CaseData); i++) { ++ set_subtest("%s", cases[i].text); + const enum XML_Status 
actualStatus = _XML_Parse_SINGLE_BYTES( + g_parser, cases[i].text, (int)strlen(cases[i].text), XML_TRUE); + const enum XML_Error actualError = XML_GetErrorCode(g_parser); +@@ -2423,6 +2427,7 @@ START_TEST(test_bad_cdata_utf16) { + size_t i; + + for (i = 0; i < sizeof(cases) / sizeof(struct CaseData); i++) { ++ set_subtest("case %lu", (long unsigned)(i + 1)); + enum XML_Status actual_status; + enum XML_Error actual_error; + +@@ -3323,6 +3328,7 @@ START_TEST(test_ext_entity_invalid_suspended_parse) { + ExtFaults *fault; + + for (fault = &faults[0]; fault->parse_text != NULL; fault++) { ++ set_subtest("%s", fault->parse_text); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); + XML_SetExternalEntityRefHandler(g_parser, + external_entity_suspending_faulter); +@@ -4311,6 +4317,7 @@ START_TEST(test_bad_ignore_section) { + ExtFaults *fault; + + for (fault = &faults[0]; fault->parse_text != NULL; fault++) { ++ set_subtest("%s", fault->parse_text); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); + XML_SetExternalEntityRefHandler(g_parser, external_entity_faulter); + XML_SetUserData(g_parser, fault); +@@ -4400,6 +4407,7 @@ START_TEST(test_external_entity_values) { + int i; + + for (i = 0; data_004_2[i].parse_text != NULL; i++) { ++ set_subtest("%s", data_004_2[i].parse_text); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); + XML_SetExternalEntityRefHandler(g_parser, external_entity_valuer); + XML_SetUserData(g_parser, &data_004_2[i]); +@@ -7585,6 +7593,7 @@ START_TEST(test_ns_separator_in_uri) { + size_t i = 0; + size_t failCount = 0; + for (; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ set_subtest("%s", cases[i].doc); + XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep); + XML_SetElementHandler(parser, dummy_start_element, dummy_end_element); + if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc), +@@ -7932,6 +7941,7 @@ 
START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { + size_t inputIndex = 0; + + for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ set_subtest("%s", inputs[inputIndex]); + XML_Parser parser; + enum XML_Status parseResult; + int setParamEntityResult; +@@ -12078,6 +12088,7 @@ START_TEST(test_helper_unsigned_char_to_printable) { + // Smoke test + unsigned char uc = 0; + for (; uc < (unsigned char)-1; uc++) { ++ set_subtest("char %u", (unsigned)uc); + const char *const printable = unsignedCharToPrintable(uc); + if (printable == NULL) + fail("unsignedCharToPrintable returned NULL"); +@@ -12086,8 +12097,10 @@ START_TEST(test_helper_unsigned_char_to_printable) { + } + + // Two concrete samples ++ set_subtest("char 'A'"); + if (strcmp(unsignedCharToPrintable('A'), "A") != 0) + fail("unsignedCharToPrintable result mistaken"); ++ set_subtest("char '\\'"); + if (strcmp(unsignedCharToPrintable('\\'), "\\\\") != 0) + fail("unsignedCharToPrintable result mistaken"); + } +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2024-45490-0003.patch b/meta/recipes-core/expat/expat/CVE-2024-45490-0003.patch new file mode 100644 index 0000000000..276badc80b --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-45490-0003.patch 
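Review bot: The `#include` line added to tests/minicheck.c (and the context includes around it) shows no header name in this rendering, the angle-bracketed name having evidently been swallowed as markup, so the patch file itself needs checking: set_subtest uses va_list, va_start, va_end and vsnprintf, so the new include must be <stdarg.h>, and handle_failure's new strlen call needs <string.h> to be present already. In set_subtest the line-feed loop walks all SUBTEST_LEN bytes instead of stopping at the terminator vsnprintf wrote; that is safe only because _check_current_subtest is a static, zero-initialised array and the final byte is forced to '\0' afterwards, which deserves a comment. The runtests.c hunks in this patch and in patch 0003 both record the same pre-image blob (index 915fa52...), so 0003 was generated against a tree without 0002 applied; it applies because the hunks do not overlap, but regenerating the series in order would make the index lines reflect the stack as the recipe applies it.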
@@ -0,0 +1,91 @@ +From c12f039b8024d6b9a11c20858370495ff6ff5245 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 20 Aug 2024 22:57:12 +0200 +Subject: [PATCH] tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer + +CVE: CVE-2024-45490 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/c12f039b8024d6b9a11c20858370495ff6ff5245] + +Signed-off-by: Archana Polampalli +--- + tests/runtests.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 57 insertions(+) + +diff --git a/tests/runtests.c b/tests/runtests.c +index 915fa52..2479341 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -3813,6 +3813,61 @@ START_TEST(test_empty_parse) { + } + END_TEST + ++/* Test XML_Parse for len < 0 */ ++START_TEST(test_negative_len_parse) { ++ const char *const doc = ""; ++ for (int isFinal = 0; isFinal < 2; isFinal++) { ++ set_subtest("isFinal=%d", isFinal); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE) ++ fail("There was not supposed to be any initial parse error."); ++ ++ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal); ++ ++ if (status != XML_STATUS_ERROR) ++ fail("Negative len was expected to fail the parse but did not."); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT) ++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ ++/* Test XML_ParseBuffer for len < 0 */ ++START_TEST(test_negative_len_parse_buffer) { ++ const char *const doc = ""; ++ for (int isFinal = 0; isFinal < 2; isFinal++) { ++ set_subtest("isFinal=%d", isFinal); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE) ++ fail("There was not supposed to be any initial parse error."); ++ ++ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc)); ++ ++ if (buffer == NULL) ++ fail("XML_GetBuffer failed."); ++ ++ memcpy(buffer, doc, 
strlen(doc)); ++ ++ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal); ++ ++ if (status != XML_STATUS_ERROR) ++ fail("Negative len was expected to fail the parse but did not."); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT) ++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + /* Test odd corners of the XML_GetBuffer interface */ + static enum XML_Status + get_feature(enum XML_FeatureEnum feature_id, long *presult) { +@@ -12214,6 +12269,8 @@ make_suite(void) { + tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter); + tcase_add_test(tc_basic, test_empty_parse); ++ tcase_add_test(tc_basic, test_negative_len_parse); ++ tcase_add_test(tc_basic, test_negative_len_parse_buffer); + tcase_add_test(tc_basic, test_get_buffer_1); + tcase_add_test(tc_basic, test_get_buffer_2); + #if defined(XML_CONTEXT_BYTES) +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2024-45490-0004.patch b/meta/recipes-core/expat/expat/CVE-2024-45490-0004.patch new file mode 100644 index 0000000000..e769182087 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-45490-0004.patch 
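Review bot: Both new tests initialise `doc` to an empty string literal in this rendering, which looks like the same angle-bracket loss seen on the bare `#include` lines of patch 0002; with an empty document XML_GetBuffer would be asked for zero bytes and test_negative_len_parse_buffer could fail at its "XML_GetBuffer failed." check before ever reaching XML_ParseBuffer, so verify the patch file carries a real, non-empty XML fragment. The test logic is otherwise sound: each isFinal value gets a fresh parser, the absence of a pending error is asserted first, and both the status (XML_STATUS_ERROR) and the error code (XML_ERROR_INVALID_ARGUMENT) are checked, matching what patch 0001 sets. The make_suite hunk registers both tests next to test_empty_parse, and its offset (-12214,+12269) agrees with the 55 lines the earlier hunk adds, so the two hunks are consistent with each other.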
@@ -0,0 +1,49 @@ +From 2db233019f551fe4c701bbbc5eb0fa58ff349daa Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 25 Aug 2024 19:09:51 +0200 +Subject: [PATCH] doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0" + +CVE: CVE-2024-45490 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2db233019f551fe4c701bbbc5eb0fa58ff349daa] + +Signed-off-by: Archana Polampalli +--- + doc/reference.html | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/doc/reference.html b/doc/reference.html +index cdf3983..ebae824 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -1097,7 +1097,9 @@ containing part (or perhaps all) of the document. The number of bytes of s + that are part of the document is indicated by len. This means + that s doesn't have to be null terminated. It also means that + if len is larger than the number of bytes in the block of +-memory that s points at, then a memory fault is likely. The ++memory that s points at, then a memory fault is likely. ++Negative values for len are rejected since Expat 2.2.1. ++The + isFinal parameter informs the parser that this is the last + piece of the document. Frequently, the last piece is empty (i.e. + len is zero.) +@@ -1113,11 +1115,17 @@ XML_ParseBuffer(XML_Parser p, + int isFinal); + +
++

+ This is just like XML_Parse, + except in this case Expat provides the buffer. By obtaining the + buffer from Expat with the XML_GetBuffer function, the application can avoid double + copying of the input. ++

++ ++

++Negative values for len are rejected since Expat 2.6.3. ++

+
+ +

XML_GetBuffer

+-- +2.40.0 diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 31e989cfe2..24d5c85d74 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb 
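Review bot: The tail of the reference.html hunk has lost its markup in this rendering (the run of empty `+` lines after the XML_ParseBuffer paragraph), so the patch file is needed to see exactly what is inserted there; the visible text adds "Negative values for len are rejected since Expat 2.6.3." for XML_ParseBuffer and "since Expat 2.2.1" for XML_Parse. Because this is carried on expat_2.5.0.bb, the installed reference.html will cite 2.6.3 while the library identifies itself as 2.5.0 with the 0001 behaviour backported; that is acceptable for a backport but worth a sentence in the commit message, and the doc-only patch can be dropped altogether if the recipe does not ship doc/reference.html.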
@@ -22,6 +22,10 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA file://CVE-2023-52426-009.patch \ file://CVE-2023-52426-010.patch \ file://CVE-2023-52426-011.patch \ + file://CVE-2024-45490-0001.patch \ + file://CVE-2024-45490-0002.patch \ + file://CVE-2024-45490-0003.patch \ + file://CVE-2024-45490-0004.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Mon Sep 9 06:55:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 48826 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54006CE7AB0 for ; Mon, 9 Sep 2024 06:56:12 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.46981.1725864965350598206 for ; Sun, 08 Sep 2024 23:56:05 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=99820ca432=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4895wpRe032570 for ; Sun, 8 Sep 2024 23:56:05 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 41gj449by6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Sun, 08 Sep 2024 23:56:04 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com 
Subject: [oe-core][kirkstone][PATCH V2 2/3] expat: fix CVE-2024-45491
Date: Mon, 9 Sep 2024 06:55:58 +0000
Message-ID: <20240909065559.3812653-2-archana.polampalli@windriver.com>
In-Reply-To: <20240909065559.3812653-1-archana.polampalli@windriver.com>
References: <20240909065559.3812653-1-archana.polampalli@windriver.com>
X-Mailer: git-send-email 2.40.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204310
From: Archana Polampalli An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Signed-off-by: Archana Polampalli --- .../expat/expat/CVE-2024-45491.patch | 39 +++++++++++++++++++ meta/recipes-core/expat/expat_2.5.0.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45491.patch diff --git a/meta/recipes-core/expat/expat/CVE-2024-45491.patch b/meta/recipes-core/expat/expat/CVE-2024-45491.patch new file mode 100644 index 0000000000..2231722f12 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-45491.patch @@ -0,0 +1,39 @@ +From 17e29cb8ff58a8356ad8ea363c169e227e93e444 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Aug 2024 22:34:13 +0200 +Subject: [PATCH] lib: Detect integer overflow in dtdCopy + +Reported by TaiYou + +CVE: CVE-2024-45491 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/891/commits/8e439a9947e9dc80] + +Signed-off-by: Archana Polampalli +--- + lib/xmlparse.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 6f0440b..adb27e3 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6913,6 +6913,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + if (! newE) + return 0; + if (oldE->nDefaultAtts) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((size_t)oldE->nDefaultAtts ++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { ++ return 0; ++ } ++#endif + newE->defaultAtts + = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + if (! newE->defaultAtts) { +-- +2.40.0 
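Review bot: The From line hash (17e29cb8ff58a8356ad8ea363c169e227e93e444) does not match the commit in the Upstream-Status URL (pull/891/commits/8e439a9947e9dc80); align the two so the origin of this backport is clear. The guard `#if UINT_MAX >= SIZE_MAX` relies on both macros being defined at this point in xmlparse.c: an undefined identifier evaluates to 0 inside `#if`, so a missing <limits.h> or <stdint.h> would silently enable the check on every platform (harmless, but it defeats the -Wtype-limits intent the comment describes), so confirm the 2.5.0 file includes them. The check itself is right for the multiplication that follows: it rejects nDefaultAtts values for which `oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)` would wrap in size_t, and `return 0` reuses the existing allocation-failure path (`if (! newE) return 0;` a few lines above), so no caller needs changing.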
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 24d5c85d74..f670f94685 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb 
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA file://CVE-2024-45490-0002.patch \ file://CVE-2024-45490-0003.patch \ file://CVE-2024-45490-0004.patch \ + file://CVE-2024-45491.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Mon Sep 9 06:55:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 48828 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C596CD4F4C for ; Mon, 9 Sep 2024 06:56:12 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.46982.1725864967180471253 for ; Sun, 08 Sep 2024 23:56:07 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=99820ca432=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 489502ju012376 for ; Sun, 8 Sep 2024 23:56:07 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 41gj449bya-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Sun, 08 Sep 2024 23:56:06 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Sun, 
Subject: [oe-core][kirkstone][PATCH V2 3/3] expat: fix CVE-2024-45492
Date: Mon, 9 Sep 2024 06:55:59 +0000
Message-ID: <20240909065559.3812653-3-archana.polampalli@windriver.com>
In-Reply-To: <20240909065559.3812653-1-archana.polampalli@windriver.com>
References: <20240909065559.3812653-1-archana.polampalli@windriver.com>
X-Mailer: git-send-email 2.40.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204311

From: Archana Polampalli

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Signed-off-by: Archana Polampalli --- .../expat/expat/CVE-2024-45492.patch | 38 +++++++++++++++++++ meta/recipes-core/expat/expat_2.5.0.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2024-45492.patch diff --git a/meta/recipes-core/expat/expat/CVE-2024-45492.patch b/meta/recipes-core/expat/expat/CVE-2024-45492.patch new file mode 100644 index 0000000000..a569f18067 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-45492.patch @@ -0,0 +1,38 @@ +From 9b0615959a4df00b4719c5beae286eb52fd32fe0 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Aug 2024 22:37:16 +0200 +Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart + +Reported by TaiYou + +CVE: CVE-2024-45492 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/892/commits/9bf0f2c16ee86f64] + +Signed-off-by: Archana Polampalli +--- + lib/xmlparse.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index adb27e3..6d7e92f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7465,6 +7465,15 @@ nextScaffoldPart(XML_Parser parser) { + int next; + + if (! dtd->scaffIndex) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { ++ return -1; ++ } ++#endif + dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); + if (! dtd->scaffIndex) + return -1; +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index f670f94685..26190383e3 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA file://CVE-2024-45490-0003.patch \ file://CVE-2024-45490-0004.patch \ file://CVE-2024-45491.patch \ + file://CVE-2024-45492.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
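Review bot: As with the CVE-2024-45491 patch, the From hash (9b0615959a4df00b4719c5beae286eb52fd32fe0) and the Upstream-Status commit (pull/892/commits/9bf0f2c16ee86f64) differ; make them consistent before merging. The overflow guard covers only the initial allocation inside `if (! dtd->scaffIndex)`, immediately before `MALLOC(parser, parser->m_groupSize * sizeof(int))`, and its `return -1` reuses the allocation-failure return the next lines already take, so callers need no change; the same note about UINT_MAX and SIZE_MAX needing to be defined for the `#if` guard applies here. The xmlparse.c index lines chain cleanly across the series (9984d02..6f0440b, 6f0440b..adb27e3, adb27e3..6d7e92f), confirming the three library patches were generated in the order the .bb hunks apply them, with the 45490-0002 test-infrastructure patch ahead of 45490-0003 as required.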