* [kirkstone][PATCH] expat: CVE-2022-40674
@ 2022-09-20 11:08 Florin Diaconescu
2022-09-20 15:56 ` [OE-core] " Alex Kiernan
0 siblings, 1 reply; 3+ messages in thread
From: Florin Diaconescu @ 2022-09-20 11:08 UTC (permalink / raw)
To: openembedded-core; +Cc: Florin Diaconescu
Upstream-Status: Accepted
[https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
---
.../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++
meta/recipes-core/expat/expat_2.4.8.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..468811fefa
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,56 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+CVE: CVE-2022-40674
+Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
+---
+ lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e986156..eabe0fc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
+--
+2.35.1
diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb
index 980c488640..93a2f98b38 100644
--- a/meta/recipes-core/expat/expat_2.4.8.bb
+++ b/meta/recipes-core/expat/expat_2.4.8.bb
@@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2022-40674.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [kirkstone][PATCH] expat: CVE-2022-40674
2022-09-20 11:08 [kirkstone][PATCH] expat: CVE-2022-40674 Florin Diaconescu
@ 2022-09-20 15:56 ` Alex Kiernan
2022-09-20 21:15 ` Florin Diaconescu
0 siblings, 1 reply; 3+ messages in thread
From: Alex Kiernan @ 2022-09-20 15:56 UTC (permalink / raw)
To: Florin Diaconescu; +Cc: openembedded-core
2.4.9 looks to have landed w/ this change in it.
On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> Upstream-Status: Accepted
> [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
>
> Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> ---
> .../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++
> meta/recipes-core/expat/expat_2.4.8.bb | 1 +
> 2 files changed, 57 insertions(+)
> create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch
>
> diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> new file mode 100644
> index 0000000000..468811fefa
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> @@ -0,0 +1,56 @@
> +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
> +From: Rhodri James <rhodri@wildebeest.org.uk>
> +Date: Wed, 17 Aug 2022 18:26:18 +0100
> +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
> +
> +It is possible to concoct a situation in which parsing is
> +suspended while substituting in an internal entity, so that
> +XML_ResumeParser directly uses internalEntityProcessor as
> +its processor. If the subsequent parse includes some unclosed
> +tags, this will return without calling storeRawNames to ensure
> +that the raw versions of the tag names are stored in memory other
> +than the parse buffer itself. If the parse buffer is then changed
> +or reallocated (for example if processing a file line by line),
> +badness will ensue.
> +
> +This patch ensures storeRawNames is always called when needed
> +after calling doContent. The earlier call do doContent does
> +not need the same protection; it only deals with entity
> +substitution, which cannot leave unbalanced tags, and in any
> +case the raw names will be pointing into the stored entity
> +value not the parse buffer.
> +
> +CVE: CVE-2022-40674
> +Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
> +
> +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> +---
> + lib/xmlparse.c | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index e986156..eabe0fc 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
> + {
> + parser->m_processor = contentProcessor;
> + /* see externalEntityContentProcessor vs contentProcessor */
> +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
> +- s, end, nextPtr,
> +- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> +- XML_ACCOUNT_DIRECT);
> ++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
> ++ parser->m_encoding, s, end, nextPtr,
> ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> ++ XML_ACCOUNT_DIRECT);
> ++ if (result == XML_ERROR_NONE) {
> ++ if (! storeRawNames(parser))
> ++ return XML_ERROR_NO_MEMORY;
> ++ }
> ++ return result;
> + }
> + }
> +
> +--
> +2.35.1
> diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb
> index 980c488640..93a2f98b38 100644
> --- a/meta/recipes-core/expat/expat_2.4.8.bb
> +++ b/meta/recipes-core/expat/expat_2.4.8.bb
> @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
>
> SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
> file://run-ptest \
> + file://CVE-2022-40674.patch \
> "
>
> UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#170894): https://lists.openembedded.org/g/openembedded-core/message/170894
> Mute This Topic: https://lists.openembedded.org/mt/93800770/3618097
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kiernan@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Alex Kiernan
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [kirkstone][PATCH] expat: CVE-2022-40674
2022-09-20 15:56 ` [OE-core] " Alex Kiernan
@ 2022-09-20 21:15 ` Florin Diaconescu
0 siblings, 0 replies; 3+ messages in thread
From: Florin Diaconescu @ 2022-09-20 21:15 UTC (permalink / raw)
To: Alex Kiernan; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4849 bytes --]
Just saw the new release, I will submit another patch with the 2.4.9
upgrade. Thanks for letting me know!
Florin
On Tue, Sep 20, 2022 at 6:57 PM Alex Kiernan <alex.kiernan@gmail.com> wrote:
> 2.4.9 looks to have landed w/ this change in it.
>
> On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu
> <florin.diaconescu009@gmail.com> wrote:
> >
> > Upstream-Status: Accepted
> > [
> https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b
> ]
> >
> > Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> > ---
> > .../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++
> > meta/recipes-core/expat/expat_2.4.8.bb | 1 +
> > 2 files changed, 57 insertions(+)
> > create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch
> >
> > diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> > new file mode 100644
> > index 0000000000..468811fefa
> > --- /dev/null
> > +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> > @@ -0,0 +1,56 @@
> > +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
> > +From: Rhodri James <rhodri@wildebeest.org.uk>
> > +Date: Wed, 17 Aug 2022 18:26:18 +0100
> > +Subject: [PATCH] Ensure raw tagnames are safe exiting
> internalEntityParser
> > +
> > +It is possible to concoct a situation in which parsing is
> > +suspended while substituting in an internal entity, so that
> > +XML_ResumeParser directly uses internalEntityProcessor as
> > +its processor. If the subsequent parse includes some unclosed
> > +tags, this will return without calling storeRawNames to ensure
> > +that the raw versions of the tag names are stored in memory other
> > +than the parse buffer itself. If the parse buffer is then changed
> > +or reallocated (for example if processing a file line by line),
> > +badness will ensue.
> > +
> > +This patch ensures storeRawNames is always called when needed
> > +after calling doContent. The earlier call do doContent does
> > +not need the same protection; it only deals with entity
> > +substitution, which cannot leave unbalanced tags, and in any
> > +case the raw names will be pointing into the stored entity
> > +value not the parse buffer.
> > +
> > +CVE: CVE-2022-40674
> > +Upstream-Status: Accepted [
> https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b
> ]
> > +
> > +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> > +---
> > + lib/xmlparse.c | 13 +++++++++----
> > + 1 file changed, 9 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> > +index e986156..eabe0fc 100644
> > +--- a/lib/xmlparse.c
> > ++++ b/lib/xmlparse.c
> > +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser,
> const char *s, const char *end,
> > + {
> > + parser->m_processor = contentProcessor;
> > + /* see externalEntityContentProcessor vs contentProcessor */
> > +- return doContent(parser, parser->m_parentParser ? 1 : 0,
> parser->m_encoding,
> > +- s, end, nextPtr,
> > +- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> > +- XML_ACCOUNT_DIRECT);
> > ++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
> > ++ parser->m_encoding, s, end, nextPtr,
> > ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> > ++ XML_ACCOUNT_DIRECT);
> > ++ if (result == XML_ERROR_NONE) {
> > ++ if (! storeRawNames(parser))
> > ++ return XML_ERROR_NO_MEMORY;
> > ++ }
> > ++ return result;
> > + }
> > + }
> > +
> > +--
> > +2.35.1
> > diff --git a/meta/recipes-core/expat/expat_2.4.8.bb
> b/meta/recipes-core/expat/expat_2.4.8.bb
> > index 980c488640..93a2f98b38 100644
> > --- a/meta/recipes-core/expat/expat_2.4.8.bb
> > +++ b/meta/recipes-core/expat/expat_2.4.8.bb
> > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
> >
> > SRC_URI = "
> https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2
> \
> > file://run-ptest \
> > + file://CVE-2022-40674.patch \
> > "
> >
> > UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
> > --
> > 2.25.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#170894):
> https://lists.openembedded.org/g/openembedded-core/message/170894
> > Mute This Topic: https://lists.openembedded.org/mt/93800770/3618097
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> alex.kiernan@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
> --
> Alex Kiernan
>
[-- Attachment #2: Type: text/html, Size: 7579 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-20 21:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-20 11:08 [kirkstone][PATCH] expat: CVE-2022-40674 Florin Diaconescu
2022-09-20 15:56 ` [OE-core] " Alex Kiernan
2022-09-20 21:15 ` Florin Diaconescu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.