* [OE-core][dunfell][PATCH 1/2] libxslt: Fix CVE-2021-30560
@ 2022-06-03 12:17 Omkar Patil
From: Omkar Patil @ 2022-06-03 12:17 UTC (permalink / raw)
  To: openembedded-core, omkar.patil; +Cc: ranjitsinh.rathod

From: omkar patil <omkar.patil@kpit.com>

CVE: CVE-2021-30560

Signed-off-by: omkar patil <omkar.patil@kpit.com>
---
 .../libxslt/libxslt/CVE-2021-30560.patch      | 201 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.34.bb |   1 +
 2 files changed, 202 insertions(+)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
new file mode 100644
index 0000000000..614047ea7a
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
@@ -0,0 +1,201 @@
+From 50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 12 Jun 2021 20:02:53 +0200
+Subject: [PATCH] Fix use-after-free in xsltApplyTemplates
+
+xsltApplyTemplates without a select expression could delete nodes in
+the source document.
+
+1. Text nodes with strippable whitespace
+
+Whitespace from input documents is already stripped, so there's no
+need to strip it again. Under certain circumstances, xsltApplyTemplates
+could be fooled into deleting text nodes that are still referenced,
+resulting in a use-after-free.
+
+2. The DTD
+
+The DTD was only unlinked, but there's no good reason to do this just
+now. Maybe it was meant as a micro-optimization.
+
+3. Unknown nodes
+
+Useless and dangerous as well, especially with XInclude nodes.
+See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268
+
+Simply stop trying to uselessly delete nodes when applying a template.
+This part of the code is probably a leftover from a time where
+xsltApplyStripSpaces wasn't implemented yet. Also note that
+xsltApplyTemplates with a select expression never tried to delete
+nodes.
+
+Also stop xsltDefaultProcessOneNode from deleting nodes for the same
+reasons.
+
+This fixes CVE-2021-30560.
+
+CVE: CVE-2021-30560
+Upstream-Status: Backport [https://github.com/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8.patch]
+Comment: No change in any hunk
+Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
+
+---
+ libxslt/transform.c | 119 +++-----------------------------------------
+ 1 file changed, 7 insertions(+), 112 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 04522154..3aba354f 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1895,7 +1895,7 @@ static void
+ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 			  xsltStackElemPtr params) {
+     xmlNodePtr copy;
+-    xmlNodePtr delete = NULL, cur;
++    xmlNodePtr cur;
+     int nbchild = 0, oldSize;
+     int childno = 0, oldPos;
+     xsltTemplatePtr template;
+@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 	    return;
+     }
+     /*
+-     * Handling of Elements: first pass, cleanup and counting
++     * Handling of Elements: first pass, counting
+      */
+     cur = node->children;
+     while (cur != NULL) {
+-	switch (cur->type) {
+-	    case XML_TEXT_NODE:
+-	    case XML_CDATA_SECTION_NODE:
+-	    case XML_DOCUMENT_NODE:
+-	    case XML_HTML_DOCUMENT_NODE:
+-	    case XML_ELEMENT_NODE:
+-	    case XML_PI_NODE:
+-	    case XML_COMMENT_NODE:
+-		nbchild++;
+-		break;
+-            case XML_DTD_NODE:
+-		/* Unlink the DTD, it's still reachable using doc->intSubset */
+-		if (cur->next != NULL)
+-		    cur->next->prev = cur->prev;
+-		if (cur->prev != NULL)
+-		    cur->prev->next = cur->next;
+-		break;
+-	    default:
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-		XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+-		 "xsltDefaultProcessOneNode: skipping node type %d\n",
+-		                 cur->type));
+-#endif
+-		delete = cur;
+-	}
++	if (IS_XSLT_REAL_NODE(cur))
++	    nbchild++;
+ 	cur = cur->next;
+-	if (delete != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-	    XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+-		 "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
+-#endif
+-	    xmlUnlinkNode(delete);
+-	    xmlFreeNode(delete);
+-	    delete = NULL;
+-	}
+-    }
+-    if (delete != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-	XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+-	     "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
+-#endif
+-	xmlUnlinkNode(delete);
+-	xmlFreeNode(delete);
+-	delete = NULL;
+     }
+ 
+     /*
+@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+     xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp;
+ #endif
+     int i;
+-    xmlNodePtr cur, delNode = NULL, oldContextNode;
++    xmlNodePtr cur, oldContextNode;
+     xmlNodeSetPtr list = NULL, oldList;
+     xsltStackElemPtr withParams = NULL;
+     int oldXPProximityPosition, oldXPContextSize;
+@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 	else
+ 	    cur = NULL;
+ 	while (cur != NULL) {
+-	    switch (cur->type) {
+-		case XML_TEXT_NODE:
+-		    if ((IS_BLANK_NODE(cur)) &&
+-			(cur->parent != NULL) &&
+-			(cur->parent->type == XML_ELEMENT_NODE) &&
+-			(ctxt->style->stripSpaces != NULL)) {
+-			const xmlChar *val;
+-
+-			if (cur->parent->ns != NULL) {
+-			    val = (const xmlChar *)
+-				  xmlHashLookup2(ctxt->style->stripSpaces,
+-						 cur->parent->name,
+-						 cur->parent->ns->href);
+-			    if (val == NULL) {
+-				val = (const xmlChar *)
+-				  xmlHashLookup2(ctxt->style->stripSpaces,
+-						 BAD_CAST "*",
+-						 cur->parent->ns->href);
+-			    }
+-			} else {
+-			    val = (const xmlChar *)
+-				  xmlHashLookup2(ctxt->style->stripSpaces,
+-						 cur->parent->name, NULL);
+-			}
+-			if ((val != NULL) &&
+-			    (xmlStrEqual(val, (xmlChar *) "strip"))) {
+-			    delNode = cur;
+-			    break;
+-			}
+-		    }
+-		    /* Intentional fall-through */
+-		case XML_ELEMENT_NODE:
+-		case XML_DOCUMENT_NODE:
+-		case XML_HTML_DOCUMENT_NODE:
+-		case XML_CDATA_SECTION_NODE:
+-		case XML_PI_NODE:
+-		case XML_COMMENT_NODE:
+-		    xmlXPathNodeSetAddUnique(list, cur);
+-		    break;
+-		case XML_DTD_NODE:
+-		    /* Unlink the DTD, it's still reachable
+-		     * using doc->intSubset */
+-		    if (cur->next != NULL)
+-			cur->next->prev = cur->prev;
+-		    if (cur->prev != NULL)
+-			cur->prev->next = cur->next;
+-		    break;
+-		case XML_NAMESPACE_DECL:
+-		    break;
+-		default:
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-		    XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+-		     "xsltApplyTemplates: skipping cur type %d\n",
+-				     cur->type));
+-#endif
+-		    delNode = cur;
+-	    }
++            if (IS_XSLT_REAL_NODE(cur))
++		xmlXPathNodeSetAddUnique(list, cur);
+ 	    cur = cur->next;
+-	    if (delNode != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-		XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+-		     "xsltApplyTemplates: removing ignorable blank cur\n"));
+-#endif
+-		xmlUnlinkNode(delNode);
+-		xmlFreeNode(delNode);
+-		delNode = NULL;
+-	    }
+ 	}
+     }
+ 
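Review bot: Both rewritten loops — the child count in xsltDefaultProcessOneNode and the node-set build in xsltApplyTemplates — now depend on `IS_XSLT_REAL_NODE`, which this patch uses but does not define, so the backport is only equivalent to upstream if 1.1.34's xsltInternals.h already provides that macro and it accepts at least the node types the deleted `switch` enumerated (TEXT, CDATA, DOCUMENT, HTML_DOCUMENT, ELEMENT, PI, COMMENT); I believe it does, but the header only records `Comment: No change in any hunk`, which says the hunks were copied verbatim, not that this dependency was checked against the dunfell tree. A line such as `Comment: IS_XSLT_REAL_NODE is already provided by libxslt/xsltInternals.h in 1.1.34` in the patch header would make that explicit, and a dunfell build plus libxslt ptest run is the real confirmation that the counting behaviour is unchanged. The added `if (IS_XSLT_REAL_NODE(cur))` line in the third hunk is space-indented where the surrounding code uses tabs; that comes from the upstream commit and is acceptable for a verbatim backport. Both enclosing functions begin and end outside these hunks.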
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
index 63cce6fe06..62afec5755 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -14,6 +14,7 @@ SECTION = "libs"
 DEPENDS = "libxml2"
 
 SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
+           file://CVE-2021-30560.patch \
           "
 
 SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
-- 
2.17.1




* [OE-core][dunfell][PATCH 2/2] libxslt: Mark CVE-2022-29824 as not applying
@ 2022-06-03 12:17 ` Omkar Patil
From: Omkar Patil @ 2022-06-03 12:17 UTC (permalink / raw)
  To: openembedded-core, omkar.patil
  Cc: ranjitsinh.rathod, Richard Purdie, Omkar Patil

From: Richard Purdie <richard.purdie@linuxfoundation.org>

We have libxml2 2.9.10 and we don't link statically against libxml2 anyway
so the CVE doesn't apply to libxslt.

(From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)

Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0)
---
 meta/recipes-support/libxslt/libxslt_1.1.34.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
index 62afec5755..4755677bec 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -22,6 +22,10 @@ SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
+# We have libxml2 2.9.10 and we don't link statically with it anyway
+# so this isn't an issue.
+CVE_CHECK_WHITELIST += "CVE-2022-29824"
+
 S = "${WORKDIR}/libxslt-${PV}"
 
 BINCONFIG = "${bindir}/xslt-config"
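Review bot: The justification in the added comment is incomplete: `libxml2 2.9.10` is the version the earlier review in this thread flagged as not being the fixed release, and the reason the whitelist entry is valid on dunfell is that the libxml2 recipe carries a backported fix for CVE-2022-29824 (the list message referenced in that review) and libxslt links libxml2 dynamically, so the fix is picked up at runtime rather than being a property of the version number. Suggest replacing the two comment lines with `# CVE-2022-29824 is a libxml2 issue; dunfell's libxml2 2.9.10 carries the backported fix` and `# and libxslt links it dynamically, so the whitelist entry is safe here.` so that the next person auditing CVE_CHECK_WHITELIST sees the actual dependency and knows to re-check if the libxml2 patch is ever dropped. A whitelist entry is a permanent suppression, so tying its rationale to the state of the libxml2 recipe is what keeps it auditable.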
-- 
2.17.1




* Re: [OE-core][dunfell][PATCH 2/2] libxslt: Mark CVE-2022-29824 as not applying
@ 2022-06-01 15:16     ` Steve Sakoman
From: Steve Sakoman @ 2022-06-01 15:16 UTC (permalink / raw)
  To: steve
  Cc: omkar, openembedded-core, omkar.patil, ranjitsinh.rathod, Richard Purdie

On Wed, Jun 1, 2022 at 5:09 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Wed, Jun 1, 2022 at 12:53 AM omkar <omkarpatil10.93@gmail.com> wrote:
> >
> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> >
> > We have libxml2 2.9.14 and we don't link statically against libxml2 anyway
> > so the CVE doesn't apply to libxslt.
>
> dunfell libxml2 is version 2.9.10!

I just noticed that we have a libxml2 patch submitted to fix CVE-2022-29824:

https://lists.openembedded.org/g/openembedded-core/message/166376

So you can adjust this patch to reflect this and resubmit it.

Steve

>
> Steve
>
> > (From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)
> >
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0)
> > Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
> > ---
> >  meta/recipes-support/libxslt/libxslt_1.1.35.bb | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> > index 0f25043743..47a38deb13 100644
> > --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> > +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> > @@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f
> >
> >  UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
> >
> > +# We have libxml2 2.9.14 and we don't link statically with it anyway
> > +# so this isn't an issue.
> > +CVE_CHECK_WHITELIST += "CVE-2022-29824"
> > +
> >  S = "${WORKDIR}/libxslt-${PV}"
> >
> >  BINCONFIG = "${bindir}/xslt-config"
> > --
> > 2.17.1
> >
> >
> >
> >
>
>



* Re: [OE-core][dunfell][PATCH 2/2] libxslt: Mark CVE-2022-29824 as not applying
@ 2022-06-01 15:09   ` Steve Sakoman
From: Steve Sakoman @ 2022-06-01 15:09 UTC (permalink / raw)
  To: omkar; +Cc: openembedded-core, omkar.patil, ranjitsinh.rathod, Richard Purdie

On Wed, Jun 1, 2022 at 12:53 AM omkar <omkarpatil10.93@gmail.com> wrote:
>
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> We have libxml2 2.9.14 and we don't link statically against libxml2 anyway
> so the CVE doesn't apply to libxslt.

dunfell libxml2 is version 2.9.10!

Steve

> (From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0)
> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
> ---
>  meta/recipes-support/libxslt/libxslt_1.1.35.bb | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> index 0f25043743..47a38deb13 100644
> --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> @@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f
>
>  UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
>
> +# We have libxml2 2.9.14 and we don't link statically with it anyway
> +# so this isn't an issue.
> +CVE_CHECK_WHITELIST += "CVE-2022-29824"
> +
>  S = "${WORKDIR}/libxslt-${PV}"
>
>  BINCONFIG = "${bindir}/xslt-config"
> --
> 2.17.1
>
>
>



* [OE-core][dunfell][PATCH 2/2] libxslt: Mark CVE-2022-29824 as not applying
@ 2022-06-01 10:53 ` Omkar Patil
From: Omkar Patil @ 2022-06-01 10:53 UTC (permalink / raw)
  To: openembedded-core, omkar.patil; +Cc: ranjitsinh.rathod, Richard Purdie

From: Richard Purdie <richard.purdie@linuxfoundation.org>

We have libxml2 2.9.14 and we don't link statically against libxml2 anyway
so the CVE doesn't apply to libxslt.

(From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0)
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
---
 meta/recipes-support/libxslt/libxslt_1.1.35.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 0f25043743..47a38deb13 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
+# We have libxml2 2.9.14 and we don't link statically with it anyway
+# so this isn't an issue.
+CVE_CHECK_WHITELIST += "CVE-2022-29824"
+
 S = "${WORKDIR}/libxslt-${PV}"
 
 BINCONFIG = "${bindir}/xslt-config"
-- 
2.17.1



