All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
To: openembedded-core@lists.openembedded.org
Cc: Tony Tascioglu <tony.tascioglu@windriver.com>
Subject: [hardknott] [PATCH 06/28] libxml2: fix CVE-2021-3517
Date: Thu, 20 May 2021 21:48:40 +0100	[thread overview]
Message-ID: <20210520204902.2527687-6-richard.purdie@linuxfoundation.org> (raw)
In-Reply-To: <20210520204902.2527687-1-richard.purdie@linuxfoundation.org>

From: Tony Tascioglu <tony.tascioglu@windriver.com>

Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c

CVE: CVE-2021-3517
Upstream-status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../libxml/libxml2/CVE-2021-3517.patch        | 54 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
new file mode 100644
index 00000000000..b6204f655a9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,54 @@
+From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+
+CVE: CVE-2021-3517
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index d575e9d1..7cdbc4de 100644
+--- a/entities.c
++++ b/entities.c
+@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ 	    } else {
+ 		/*
+ 		 * We assume we have UTF-8 input.
++		 * It must match either:
++		 *   110xxxxx 10xxxxxx
++		 *   1110xxxx 10xxxxxx 10xxxxxx
++		 *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++		 * That is:
++		 *   cur[0] is 11xxxxxx
++		 *   cur[1] is 10xxxxxx
++		 *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++		 *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++		 *   cur[0] is not 11111xxx
+ 		 */
+ 		char buf[11], *ptr;
+ 		int val = 0, l = 1;
+ 
+-		if (*cur < 0xC0) {
++		if (((cur[0] & 0xC0) != 0xC0) ||
++		    ((cur[1] & 0xC0) != 0x80) ||
++		    (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++		    (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++		    (((cur[0] & 0xF8) == 0xF8))) {
+ 		    xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ 			    "xmlEncodeEntities: input not UTF-8");
+ 		    if (doc != NULL)
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 07ae68610c8..ad612379b3f 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2019-20388.patch \
            file://CVE-2020-24977.patch \
            file://fix-python39.patch \
+           file://CVE-2021-3517.patch \
            "
 
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
-- 
2.30.2


  parent reply	other threads:[~2021-05-20 20:49 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-20 20:48 [hardknott] [PATCH 01/28] uninative: Upgrade to 3.2 (gcc11 support) Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 02/28] glibc: Add 8GB VM usage cap for usermode test suite Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 03/28] cups: whitelist CVE-2021-25317 Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 04/28] sstate: Handle manifest 'corruption' issue Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 05/28] ccache: add packageconfig docs option Richard Purdie
2021-05-20 20:48 ` Richard Purdie [this message]
2021-05-20 20:48 ` [hardknott] [PATCH 07/28] libxml2: fix CVE-2021-3516 Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 08/28] libxml2: fix CVE-2021-3537 Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 09/28] glibc: Document and whitelist CVE-2019-1010022-25 Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 10/28] libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings) Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 11/28] builder: whitelist CVE-2008-4178 (a different builder) Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 12/28] qemu: Exclude CVE-2017-5957 from cve-check Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 13/28] qemu: Exclude CVE-2007-0998 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 14/28] qemu: Exclude CVE-2018-18438 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 15/28] jquery: Exclude CVE-2007-2379 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 16/28] logrotate: Exclude CVE-2011-1548,1549,1550 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 17/28] openssh: Exclude CVE-2007-2768 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 18/28] openssh: Exclude CVE-2008-3844 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 19/28] unzip: Exclude CVE-2008-0888 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 20/28] cpio: Exclude CVE-2010-4226 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 21/28] ghostscript: Exclude CVE-2013-6629 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 22/28] bluez: Exclude CVE-2020-12352 CVE-2020-24490 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 23/28] tiff: Exclude CVE-2015-7313 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 24/28] coreutils: Exclude CVE-2016-2781 " Richard Purdie
2021-05-20 20:48 ` [hardknott] [PATCH 25/28] librsvg: Exclude CVE-2018-1000041 " Richard Purdie
2021-05-20 20:49 ` [hardknott] [PATCH 26/28] avahi: Exclude CVE-2021-26720 " Richard Purdie
2021-05-20 20:49 ` [hardknott] [PATCH 27/28] image.bbclass: fix comment "pacackages" -> "packages" Richard Purdie
2021-05-20 20:49 ` [hardknott] [PATCH 28/28] meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring" Richard Purdie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210520204902.2527687-6-richard.purdie@linuxfoundation.org \
    --to=richard.purdie@linuxfoundation.org \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=tony.tascioglu@windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.