* [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
@ 2021-03-24 17:17 Neetika.Singh
From: Neetika.Singh @ 2021-03-24 17:17 UTC (permalink / raw)
To: openembedded-devel, raj.khem; +Cc: nisha.parrakat, Neetika.Singh
From: "Neetika.Singh" <Neetika.Singh@partner.bmw.de>
Add the refreshed patch for CVE-2020-12825.
Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
---
.../libcroco/libcroco/CVE-2020-12825.patch | 190 +++++++++++++++++++++
meta/recipes-support/libcroco/libcroco_0.6.13.bb | 2 +
2 files changed, 192 insertions(+)
create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000..f6c6a55
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,190 @@
+From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 13 Aug 2020 20:03:05 -0500
+Subject: [PATCH] libcroco parser: limit recursion in block and any productions
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
+in cr-parser.c.
+
+Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
+
+CVE: CVE-2020-12825
+Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
+---
+ src/cr-parser.c | 44 ++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index d85e71f0fc..cd7b6ebd4a 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *in chapter 4.1 of the css2 spec.
+ *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1162,10 +1162,12 @@
+ * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+ *
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+GitLab
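Review bot: The nested hunk header `@@ -1162,10 +1162,12 @@` for the cr_parser_parse_any_core doc comment has a new-side start that does not follow from the preceding hunks, which sit at a +9 offset, and it is the only hunk without a function-context string, which suggests this patch file was edited by hand; git and quilt normally relocate hunks by context so it probably still applies, but regenerating the file with `git format-patch` from the referenced inkscape commit would avoid relying on fuzz. On the code, cr_parser_parse_value_core passes a fresh depth of `0` into cr_parser_parse_block_core and cr_parser_parse_any_core while those two pass `n_calls + 1`; if any production reachable from block_core or any_core can re-enter value_core (not visible in these hunks), that reset would defeat RECURSIVE_CALLERS_LIMIT, so it is worth confirming against the full cr-parser.c. This copy of the patch header also lacks the submitter's Signed-off-by line that the earlier revision quoted further down in the thread carries. The same hunk-header inconsistency is present in the quoted copies of the patch in the two replies.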
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 66ee647..2f61f87 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -19,6 +19,8 @@ BINCONFIG = "${bindir}/croco-0.6-config"
inherit gnomebase gtk-doc binconfig-disabled
+SRC_URI += "file://CVE-2020-12825.patch"
+
SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
--
2.7.4
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
* Re: [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
2021-03-29 14:48 ` Khem Raj
@ 2021-03-29 15:04 ` Neetika.Singh
From: Neetika.Singh @ 2021-03-29 15:04 UTC (permalink / raw)
To: Khem Raj; +Cc: Patches and discussions about the oe-core layer, Nisha Parrakat
Hi Raj,
I have verified locally, and these changes are up to date against the latest oe-core master branch.
git log origin/master..HEAD
commit 1abebf8d3ce044609ae29d7dee7a9b268e510ebd
Author: Neetika Singh <Neetika.Singh@kpit.com>
Date: Fri Nov 20 18:35:15 2020 +0530
libcroco: Add fix for CVE-2020-12825
Added refreshed patch for CVE issue CVE-2020-12825
Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
Thanks & Regards,
Neetika Singh
Product Engineering Services (PES)
KPIT Technologies Limited
________________________________
From: Khem Raj <raj.khem@gmail.com>
Sent: 29 March 2021 20:18
To: Neetika Singh <Neetika.Singh@kpit.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>; Nisha Parrakat <Nisha.Parrakat@kpit.com>
Subject: Re: [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
On Mon, Mar 29, 2021 at 7:42 AM Neetika.Singh <Neetika.Singh@kpit.com> wrote:
>
> From: Neetika Singh <Neetika.Singh@kpit.com>
>
> Added refreshed patch for CVE issue CVE-2020-12825
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Finkscape%2Finkscape%2F-%2Fcommit%2F203d62efefe6f79080863dda61593003b4c31f25&data=04%7C01%7CNeetika.Singh%40kpit.com%7C8e558ea4a71d4cec7dad08d8f2c1d822%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637526261735464157%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=OkTKj7JQfH35aD1GkovrszMEQxQVkATiTjdo6VpiCEk%3D&reserved=0
>
> Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
> ---
> .../libcroco/libcroco/CVE-2020-12825.patch | 192 +++++++++++++++++++++
> meta/recipes-support/libcroco/libcroco_0.6.13.bb | 22 +++
> 2 files changed, 214 insertions(+)
> create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb
libcroco is already there in oe-core, perhaps you can rebase this
patch on top of latest oe-core master branch and resend.
>
> diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> new file mode 100644
> index 0000000..f813ded
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> @@ -0,0 +1,192 @@
> +From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
> +From: Michael Catanzaro <mcatanzaro@gnome.org>
> +Date: Thu, 13 Aug 2020 20:03:05 -0500
> +Subject: [PATCH] libcroco parser: limit recursion in block and any productions
> +
> +If we don't have any limits, we can recurse forever and overflow the
> +stack.
> +
> +This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
> +in cr-parser.c.
> +
> +Bug: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.gnome.org%2FArchive%2Flibcroco%2F-%2Fissues%2F8&data=04%7C01%7CNeetika.Singh%40kpit.com%7C8e558ea4a71d4cec7dad08d8f2c1d822%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637526261735464157%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=1JQbRwD7xiTrBT1%2F9Kx8Nop84lOd3JT5ImU7eOYAfiU%3D&reserved=0
> +Patch from https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.gnome.org%2FArchive%2Flibcroco%2F-%2Fmerge_requests%2F5&data=04%7C01%7CNeetika.Singh%40kpit.com%7C8e558ea4a71d4cec7dad08d8f2c1d822%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637526261735474152%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7jcaMq8meYRVhbA4o%2BN0XZZ1Hxz0jxqg31jxZUVHIV4%3D&reserved=0
> +
> +CVE: CVE-2020-12825
> +Upstream Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Finkscape%2Finkscape%2F-%2Fcommit%2F203d62efefe6f79080863dda61593003b4c31f25.patch&data=04%7C01%7CNeetika.Singh%40kpit.com%7C8e558ea4a71d4cec7dad08d8f2c1d822%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637526261735474152%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HF%2FyBXMAOe4xpTBIMhyc25pEPaLSc2buc4ho910zbxk%3D&reserved=0]
> +
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +---
> + src/cr-parser.c | 44 ++++++++++++++++++++-----------
> + 1 file changed, 29 insertions(+), 15 deletions(-)
> +
> +diff --git a/src/cr-parser.c b/src/cr-parser.c
> +index d85e71f0fc..cd7b6ebd4a 100644
> +--- a/src/cr-parser.c
> ++++ b/src/cr-parser.c
> +@@ -136,6 +136,8 @@ struct _CRParserPriv {
> +
> + #define CHARS_TAB_SIZE 12
> +
> ++#define RECURSIVE_CALLERS_LIMIT 100
> ++
> + /**
> + * IS_NUM:
> + *@a_char: the char to test.
> +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
> +
> + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
> +
> +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls);
> +
> +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls);
> +
> + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
> +
> +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_parser_try_to_skip_spaces_and_comments (a_this);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + } while (status == CR_OK);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
> +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status,
> + FALSE);
> + goto done;
> +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
> +
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> +
> + } while (status == CR_OK);
> +
> +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
> + *in chapter 4.1 of the css2 spec.
> + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *FIXME: code this function.
> + */
> + static enum CRStatus
> +-cr_parser_parse_block_core (CRParser * a_this)
> ++cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token = NULL;
> + CRInputPos init_pos;
> +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
> +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
> + } else if (token->type == CBO_TK) {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + } else {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + }
> +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> + ref++;
> + goto continue_parsing;
> +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + if (status == CR_OK) {
> + ref++;
> + goto continue_parsing;
> +@@ -1162,10 +1162,12 @@
> + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
> + *
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *@return CR_OK upon successfull completion, an error code otherwise.
> + */
> + static enum CRStatus
> +-cr_parser_parse_any_core (CRParser * a_this)
> ++cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token1 = NULL,
> + *token2 = NULL;
> +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
> +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + *We consider parameter as being an "any*" production.
> + */
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +--
> +GitLab
> diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> new file mode 100644
> index 0000000..fd5927e
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> @@ -0,0 +1,22 @@
> +SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
> +HOMEPAGE = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.gnome.org%2F&data=04%7C01%7CNeetika.Singh%40kpit.com%7C8e558ea4a71d4cec7dad08d8f2c1d822%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637526261735474152%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Z9wmwFLA%2BuBT243Dv5a666ng67OAfytEYyAVv3sn4GA%3D&reserved=0"
> +BUGTRACKER = "https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.gnome.org%2F&data=04%7C01%7CNeetika.Singh%40kpit.com%7C8e558ea4a71d4cec7dad08d8f2c1d822%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637526261735474152%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ynFHfdJS8RUpg8kqJOBlTsQPz3%2FxMvoBgBiVMLAC0u4%3D&reserved=0"
> +
> +LICENSE = "LGPLv2 & LGPLv2.1"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
> + file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
> + file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
> +
> +SECTION = "x11/utils"
> +DEPENDS = "glib-2.0 libxml2 zlib"
> +BBCLASSEXTEND = "native nativesdk"
> +EXTRA_OECONF += "--enable-Bsymbolic=auto"
> +
> +BINCONFIG = "${bindir}/croco-0.6-config"
> +
> +inherit gnomebase gtk-doc binconfig-disabled
> +
> +SRC_URI += "file://CVE-2020-12825.patch"
> +
> +SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
> +SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
* Re: [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
2021-03-29 14:42 Neetika.Singh
@ 2021-03-29 14:48 ` Khem Raj
2021-03-29 15:04 ` Neetika.Singh
From: Khem Raj @ 2021-03-29 14:48 UTC (permalink / raw)
To: Neetika.Singh
Cc: Patches and discussions about the oe-core layer, Nisha Parrakat
On Mon, Mar 29, 2021 at 7:42 AM Neetika.Singh <Neetika.Singh@kpit.com> wrote:
>
> From: Neetika Singh <Neetika.Singh@kpit.com>
>
> Added refreshed patch for CVE issue CVE-2020-12825
> Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
>
> Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
> ---
> .../libcroco/libcroco/CVE-2020-12825.patch | 192 +++++++++++++++++++++
> meta/recipes-support/libcroco/libcroco_0.6.13.bb | 22 +++
> 2 files changed, 214 insertions(+)
> create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb
libcroco is already there in oe-core, perhaps you can rebase this
patch on top of latest oe-core master branch and resend.
>
> diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> new file mode 100644
> index 0000000..f813ded
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> @@ -0,0 +1,192 @@
> +From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
> +From: Michael Catanzaro <mcatanzaro@gnome.org>
> +Date: Thu, 13 Aug 2020 20:03:05 -0500
> +Subject: [PATCH] libcroco parser: limit recursion in block and any productions
> +
> +If we don't have any limits, we can recurse forever and overflow the
> +stack.
> +
> +This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
> +in cr-parser.c.
> +
> +Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
> +Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
> +
> +CVE: CVE-2020-12825
> +Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
> +
> +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
> +---
> + src/cr-parser.c | 44 ++++++++++++++++++++-----------
> + 1 file changed, 29 insertions(+), 15 deletions(-)
> +
> +diff --git a/src/cr-parser.c b/src/cr-parser.c
> +index d85e71f0fc..cd7b6ebd4a 100644
> +--- a/src/cr-parser.c
> ++++ b/src/cr-parser.c
> +@@ -136,6 +136,8 @@ struct _CRParserPriv {
> +
> + #define CHARS_TAB_SIZE 12
> +
> ++#define RECURSIVE_CALLERS_LIMIT 100
> ++
> + /**
> + * IS_NUM:
> + *@a_char: the char to test.
> +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
> +
> + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
> +
> +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls);
> +
> +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls);
> +
> + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
> +
> +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_parser_try_to_skip_spaces_and_comments (a_this);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + } while (status == CR_OK);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
> +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status,
> + FALSE);
> + goto done;
> +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
> +
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> +
> + } while (status == CR_OK);
> +
> +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
> + *in chapter 4.1 of the css2 spec.
> + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *FIXME: code this function.
> + */
> + static enum CRStatus
> +-cr_parser_parse_block_core (CRParser * a_this)
> ++cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token = NULL;
> + CRInputPos init_pos;
> +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
> +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
> + } else if (token->type == CBO_TK) {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + } else {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + }
> +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> + ref++;
> + goto continue_parsing;
> +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + if (status == CR_OK) {
> + ref++;
> + goto continue_parsing;
> +@@ -1162,10 +1162,12 @@
> + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
> + *
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *@return CR_OK upon successfull completion, an error code otherwise.
> + */
> + static enum CRStatus
> +-cr_parser_parse_any_core (CRParser * a_this)
> ++cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token1 = NULL,
> + *token2 = NULL;
> +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
> +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + *We consider parameter as being an "any*" production.
> + */
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +--
> +GitLab
> diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> new file mode 100644
> index 0000000..fd5927e
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> @@ -0,0 +1,22 @@
> +SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
> +HOMEPAGE = "http://www.gnome.org/"
> +BUGTRACKER = "https://bugzilla.gnome.org/"
> +
> +LICENSE = "LGPLv2 & LGPLv2.1"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
> + file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
> + file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
> +
> +SECTION = "x11/utils"
> +DEPENDS = "glib-2.0 libxml2 zlib"
> +BBCLASSEXTEND = "native nativesdk"
> +EXTRA_OECONF += "--enable-Bsymbolic=auto"
> +
> +BINCONFIG = "${bindir}/croco-0.6-config"
> +
> +inherit gnomebase gtk-doc binconfig-disabled
> +
> +SRC_URI += "file://CVE-2020-12825.patch"
> +
> +SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
> +SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
* [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
@ 2021-03-29 14:42 Neetika.Singh
2021-03-29 14:48 ` Khem Raj
From: Neetika.Singh @ 2021-03-29 14:42 UTC (permalink / raw)
To: openembedded-core, raj.khem; +Cc: nisha.parrakat, Neetika Singh
From: Neetika Singh <Neetika.Singh@kpit.com>
Add a refreshed backport of the upstream fix for CVE-2020-12825.
Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
---
.../libcroco/libcroco/CVE-2020-12825.patch | 192 +++++++++++++++++++++
meta/recipes-support/libcroco/libcroco_0.6.13.bb | 22 +++
2 files changed, 214 insertions(+)
create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb
diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000..f813ded
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,192 @@
+From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 13 Aug 2020 20:03:05 -0500
+Subject: [PATCH] libcroco parser: limit recursion in block and any productions
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
+in cr-parser.c.
+
+Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
+
+CVE: CVE-2020-12825
+Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
+
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+---
+ src/cr-parser.c | 44 ++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index d85e71f0fc..cd7b6ebd4a 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *in chapter 4.1 of the css2 spec.
+ *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1162,10 +1162,12 @@
+ * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+ *
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+GitLab
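Review bot: The depth guard `if (n_calls > RECURSIVE_CALLERS_LIMIT) return CR_ERROR;` in cr_parser_parse_block_core and cr_parser_parse_any_core only bounds the any/block recursion, while cr_parser_parse_atrule_core, cr_parser_parse_selector_core and cr_parser_parse_value_core all restart the count with `0`; if any of those is itself reachable from inside block_core or any_core the bound is lost along that path, which the nested hunks (fragments of each function only) cannot confirm or rule out, so it should be checked against the full call graph before this is treated as the complete fix. The backport header spells the tag `Upstream Status: Backport [...]`, but the OpenEmbedded patch convention is the hyphenated `Upstream-Status: Backport [...]`, and tooling that looks for the tag will not match the spaced form. The nested hunk header `@@ -1162,10 +1162,12 @@` carries no function context and its new-side offset does not continue the +9 shift of the preceding hunk, which suggests the refresh was edited by hand; regenerating the backport with git format-patch would keep the headers consistent. The same patch file is repeated verbatim in the later copies of this submission in the thread.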
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
new file mode 100644
index 0000000..fd5927e
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
+HOMEPAGE = "http://www.gnome.org/"
+BUGTRACKER = "https://bugzilla.gnome.org/"
+
+LICENSE = "LGPLv2 & LGPLv2.1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
+ file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
+ file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
+
+SECTION = "x11/utils"
+DEPENDS = "glib-2.0 libxml2 zlib"
+BBCLASSEXTEND = "native nativesdk"
+EXTRA_OECONF += "--enable-Bsymbolic=auto"
+
+BINCONFIG = "${bindir}/croco-0.6-config"
+
+inherit gnomebase gtk-doc binconfig-disabled
+
+SRC_URI += "file://CVE-2020-12825.patch"
+
+SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
+SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
--
2.7.4
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
* Re: [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
2021-03-28 13:03 Neetika.Singh
@ 2021-03-29 5:23 ` Khem Raj
From: Khem Raj @ 2021-03-29 5:23 UTC (permalink / raw)
To: Neetika.Singh; +Cc: openembeded-devel, Nisha Parrakat
Please send this to the openembedded-core mailing list, as this recipe belongs to the oe-core layer.
On Sun, Mar 28, 2021 at 6:04 AM Neetika.Singh <Neetika.Singh@kpit.com> wrote:
>
> From: Neetika Singh <Neetika.Singh@kpit.com>
>
> Added refreshed patch for CVE issue CVE-2020-12825
> Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
>
> Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
> ---
> .../libcroco/libcroco/CVE-2020-12825.patch | 190 +++++++++++++++++++++
> meta/recipes-support/libcroco/libcroco_0.6.13.bb | 22 +++
> 2 files changed, 212 insertions(+)
> create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb
>
> diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> new file mode 100644
> index 0000000..f6c6a55
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> @@ -0,0 +1,190 @@
> +From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
> +From: Michael Catanzaro <mcatanzaro@gnome.org>
> +Date: Thu, 13 Aug 2020 20:03:05 -0500
> +Subject: [PATCH] libcroco parser: limit recursion in block and any productions
> +
> +If we don't have any limits, we can recurse forever and overflow the
> +stack.
> +
> +This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
> +in cr-parser.c.
> +
> +Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
> +Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
> +
> +CVE: CVE-2020-12825
> +Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
> +---
> + src/cr-parser.c | 44 ++++++++++++++++++++-----------
> + 1 file changed, 29 insertions(+), 15 deletions(-)
> +
> +diff --git a/src/cr-parser.c b/src/cr-parser.c
> +index d85e71f0fc..cd7b6ebd4a 100644
> +--- a/src/cr-parser.c
> ++++ b/src/cr-parser.c
> +@@ -136,6 +136,8 @@ struct _CRParserPriv {
> +
> + #define CHARS_TAB_SIZE 12
> +
> ++#define RECURSIVE_CALLERS_LIMIT 100
> ++
> + /**
> + * IS_NUM:
> + *@a_char: the char to test.
> +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
> +
> + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
> +
> +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls);
> +
> +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls);
> +
> + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
> +
> +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_parser_try_to_skip_spaces_and_comments (a_this);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + } while (status == CR_OK);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
> +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status,
> + FALSE);
> + goto done;
> +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
> +
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> +
> + } while (status == CR_OK);
> +
> +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
> + *in chapter 4.1 of the css2 spec.
> + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *FIXME: code this function.
> + */
> + static enum CRStatus
> +-cr_parser_parse_block_core (CRParser * a_this)
> ++cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token = NULL;
> + CRInputPos init_pos;
> +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
> +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
> + } else if (token->type == CBO_TK) {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + } else {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + }
> +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> + ref++;
> + goto continue_parsing;
> +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + if (status == CR_OK) {
> + ref++;
> + goto continue_parsing;
> +@@ -1162,10 +1162,12 @@
> + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
> + *
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *@return CR_OK upon successfull completion, an error code otherwise.
> + */
> + static enum CRStatus
> +-cr_parser_parse_any_core (CRParser * a_this)
> ++cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token1 = NULL,
> + *token2 = NULL;
> +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
> +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + *We consider parameter as being an "any*" production.
> + */
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +--
> +GitLab
> diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> new file mode 100644
> index 0000000..fd5927e
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> @@ -0,0 +1,22 @@
> +SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
> +HOMEPAGE = "http://www.gnome.org/"
> +BUGTRACKER = "https://bugzilla.gnome.org/"
> +
> +LICENSE = "LGPLv2 & LGPLv2.1"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
> + file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
> + file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
> +
> +SECTION = "x11/utils"
> +DEPENDS = "glib-2.0 libxml2 zlib"
> +BBCLASSEXTEND = "native nativesdk"
> +EXTRA_OECONF += "--enable-Bsymbolic=auto"
> +
> +BINCONFIG = "${bindir}/croco-0.6-config"
> +
> +inherit gnomebase gtk-doc binconfig-disabled
> +
> +SRC_URI += "file://CVE-2020-12825.patch"
> +
> +SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
> +SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
* [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
@ 2021-03-28 13:03 Neetika.Singh
2021-03-29 5:23 ` Khem Raj
From: Neetika.Singh @ 2021-03-28 13:03 UTC (permalink / raw)
To: openembedded-devel, raj.khem; +Cc: nisha.parrakat, Neetika Singh
From: Neetika Singh <Neetika.Singh@kpit.com>
Add a refreshed backport of the upstream fix for CVE-2020-12825.
Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
---
.../libcroco/libcroco/CVE-2020-12825.patch | 190 +++++++++++++++++++++
meta/recipes-support/libcroco/libcroco_0.6.13.bb | 22 +++
2 files changed, 212 insertions(+)
create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb
diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000..f6c6a55
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,190 @@
+From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 13 Aug 2020 20:03:05 -0500
+Subject: [PATCH] libcroco parser: limit recursion in block and any productions
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
+in cr-parser.c.
+
+Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
+
+CVE: CVE-2020-12825
+Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
+---
+ src/cr-parser.c | 44 ++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index d85e71f0fc..cd7b6ebd4a 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *in chapter 4.1 of the css2 spec.
+ *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1162,10 +1162,12 @@
+ * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+ *
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+GitLab
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
new file mode 100644
index 0000000..fd5927e
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
+HOMEPAGE = "http://www.gnome.org/"
+BUGTRACKER = "https://bugzilla.gnome.org/"
+
+LICENSE = "LGPLv2 & LGPLv2.1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
+ file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
+ file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
+
+SECTION = "x11/utils"
+DEPENDS = "glib-2.0 libxml2 zlib"
+BBCLASSEXTEND = "native nativesdk"
+EXTRA_OECONF += "--enable-Bsymbolic=auto"
+
+BINCONFIG = "${bindir}/croco-0.6-config"
+
+inherit gnomebase gtk-doc binconfig-disabled
+
+SRC_URI += "file://CVE-2020-12825.patch"
+
+SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
+SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
--
2.7.4
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
* Re: [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
From: Khem Raj @ 2021-03-24 18:13 UTC (permalink / raw)
To: Neetika.Singh, openembedded-devel; +Cc: nisha.parrakat
This does not apply cleanly on master. Please rebase it onto the latest master or
master-next and resend.
On 3/24/21 10:38 AM, Neetika.Singh wrote:
> From: Neetika Singh <Neetika.Singh@kpit.com>
>
> Added refreshed patch for CVE issue CVE-2020-12825
> Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
>
> Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
> ---
> .../libcroco/libcroco/CVE-2020-12825.patch | 190 +++++++++++++++++++++
> meta/recipes-support/libcroco/libcroco_0.6.13.bb | 2 +
> 2 files changed, 192 insertions(+)
> create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
>
> diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> new file mode 100644
> index 0000000..f6c6a55
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> @@ -0,0 +1,190 @@
> +From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
> +From: Michael Catanzaro <mcatanzaro@gnome.org>
> +Date: Thu, 13 Aug 2020 20:03:05 -0500
> +Subject: [PATCH] libcroco parser: limit recursion in block and any productions
> +
> +If we don't have any limits, we can recurse forever and overflow the
> +stack.
> +
> +This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
> +in cr-parser.c.
> +
> +Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
> +Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
> +
> +CVE: CVE-2020-12825
> +Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
> +---
> + src/cr-parser.c | 44 ++++++++++++++++++++-----------
> + 1 file changed, 29 insertions(+), 15 deletions(-)
> +
> +diff --git a/src/cr-parser.c b/src/cr-parser.c
> +index d85e71f0fc..cd7b6ebd4a 100644
> +--- a/src/cr-parser.c
> ++++ b/src/cr-parser.c
> +@@ -136,6 +136,8 @@ struct _CRParserPriv {
> +
> + #define CHARS_TAB_SIZE 12
> +
> ++#define RECURSIVE_CALLERS_LIMIT 100
> ++
> + /**
> + * IS_NUM:
> + *@a_char: the char to test.
> +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
> +
> + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
> +
> +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls);
> +
> +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
> ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls);
> +
> + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
> +
> +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_parser_try_to_skip_spaces_and_comments (a_this);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + } while (status == CR_OK);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
> +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status,
> + FALSE);
> + goto done;
> +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
> +
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> +
> + } while (status == CR_OK);
> +
> +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
> + *in chapter 4.1 of the css2 spec.
> + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *FIXME: code this function.
> + */
> + static enum CRStatus
> +-cr_parser_parse_block_core (CRParser * a_this)
> ++cr_parser_parse_block_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token = NULL;
> + CRInputPos init_pos;
> +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
> +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
> + } else if (token->type == CBO_TK) {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + } else {
> + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + CHECK_PARSING_STATUS (status, FALSE);
> + goto parse_block_content;
> + }
> +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_block_core (a_this);
> ++ status = cr_parser_parse_block_core (a_this, 0);
> + CHECK_PARSING_STATUS (status, FALSE);
> + ref++;
> + goto continue_parsing;
> +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
> + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
> + token);
> + token = NULL;
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, 0);
> + if (status == CR_OK) {
> + ref++;
> + goto continue_parsing;
> +@@ -1162,10 +1162,12 @@
> + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
> + *
> + *@param a_this the current instance of #CRParser.
> ++ *@param n_calls used to limit recursion depth
> + *@return CR_OK upon successfull completion, an error code otherwise.
> + */
> + static enum CRStatus
> +-cr_parser_parse_any_core (CRParser * a_this)
> ++cr_parser_parse_any_core (CRParser * a_this,
> ++ guint n_calls)
> + {
> + CRToken *token1 = NULL,
> + *token2 = NULL;
> +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
> +
> + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
> +
> ++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
> ++ return CR_ERROR;
> ++
> + RECORD_INITIAL_POS (a_this, &init_pos);
> +
> + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
> +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + *We consider parameter as being an "any*" production.
> + */
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
> + }
> +
> + do {
> +- status = cr_parser_parse_any_core (a_this);
> ++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
> + } while (status == CR_OK);
> +
> + ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
> +--
> +GitLab
> diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> index 66ee647..2f61f87 100644
> --- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
> @@ -19,6 +19,8 @@ BINCONFIG = "${bindir}/croco-0.6-config"
>
> inherit gnomebase gtk-doc binconfig-disabled
>
> +SRC_URI += "file://CVE-2020-12825.patch"
> +
> SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
> SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
>
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
* [meta-oe][master][PATCH] libcroco: Add fix for CVE-2020-12825
From: Neetika.Singh @ 2021-03-24 17:38 UTC (permalink / raw)
To: openembedded-devel, raj.khem; +Cc: nisha.parrakat, Neetika Singh
From: Neetika Singh <Neetika.Singh@kpit.com>
Add a refreshed patch fixing CVE-2020-12825.
Link: https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25
Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
---
.../libcroco/libcroco/CVE-2020-12825.patch | 190 +++++++++++++++++++++
meta/recipes-support/libcroco/libcroco_0.6.13.bb | 2 +
2 files changed, 192 insertions(+)
create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000..f6c6a55
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,190 @@
+From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 13 Aug 2020 20:03:05 -0500
+Subject: [PATCH] libcroco parser: limit recursion in block and any productions
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
+in cr-parser.c.
+
+Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
+
+CVE: CVE-2020-12825
+Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
+---
+ src/cr-parser.c | 44 ++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index d85e71f0fc..cd7b6ebd4a 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *in chapter 4.1 of the css2 spec.
+ *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1162,10 +1162,12 @@
+ * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+ *
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+GitLab
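Review bot: The refreshed hunk header `@@ -1162,10 +1162,12 @@` in the nested cr-parser.c patch has lost its function context and its new-side start no longer follows the running offset (the hunk before it is already at +9, so it should read `@@ -1162,10 +1171,12 @@`, and the next hunk resumes at +11), which suggests this hunk was adjusted by hand rather than regenerated; `git apply`/`quilt push` usually tolerate the offset, but please regenerate the refresh (e.g. `devtool modify` followed by `devtool finish`, or `quilt refresh`) so the metadata matches what the recipe will apply, and the same applies to the copy quoted in Khem Raj's reply. On the fix itself, the depth counter is restarted at 0 wherever `cr_parser_parse_atrule_core`, `cr_parser_parse_selector_core` and `cr_parser_parse_value_core` enter the any/block productions, so `RECURSIVE_CALLERS_LIMIT` bounds the direct any/block recursion named in the CVE but not a cycle that passes back through those callers; whether such a cycle exists is not visible in this hunk and is worth confirming against the full cr-parser.c. The new define would benefit from a one-line comment for the next maintainer, e.g. `/* Maximum nesting of any/block productions; deeper input is rejected with CR_ERROR (CVE-2020-12825). */`.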
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 66ee647..2f61f87 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -19,6 +19,8 @@ BINCONFIG = "${bindir}/croco-0.6-config"
inherit gnomebase gtk-doc binconfig-disabled
+SRC_URI += "file://CVE-2020-12825.patch"
+
SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
--
2.7.4
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.