* [Buildroot] [PATCH v2,1/1] package/expat: fix CVE-2022-40674
@ 2022-09-18 10:23 Fabrice Fontaine
2022-09-18 12:50 ` Yann E. MORIN
2022-09-29 13:52 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-09-18 10:23 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
libexpat before 2.4.9 has a use-after-free in the doContent function in
xmlparse.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
- Fix path in patch
...re-safe-exiting-internalEntityParser.patch | 53 +++++++++++++++++++
package/expat/expat.mk | 3 ++
2 files changed, 56 insertions(+)
create mode 100644 package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
diff --git a/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch b/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
new file mode 100644
index 0000000000..ca86e85115
--- /dev/null
+++ b/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+[Retrieved from:
+https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ expat/lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7bcabf7f4..d73f419cf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index e89de81da7..61735a5fdb 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -13,6 +13,9 @@ EXPAT_LICENSE_FILES = COPYING
EXPAT_CPE_ID_VENDOR = libexpat_project
EXPAT_CPE_ID_PRODUCT = libexpat
+# 0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
+EXPAT_IGNORE_CVES += CVE-2022-40674
+
EXPAT_CONF_OPTS = \
--without-docbook --without-examples --without-tests --without-xmlwf
HOST_EXPAT_CONF_OPTS = --without-docbook --without-examples --without-tests
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH v2,1/1] package/expat: fix CVE-2022-40674
2022-09-18 10:23 [Buildroot] [PATCH v2,1/1] package/expat: fix CVE-2022-40674 Fabrice Fontaine
@ 2022-09-18 12:50 ` Yann E. MORIN
2022-09-29 13:52 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2022-09-18 12:50 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
Fabrice, All,
On 2022-09-18 12:23 +0200, Fabrice Fontaine spake thusly:
> libexpat before 2.4.9 has a use-after-free in the doContent function in
^^^^^^^^^^^^^^^^^^^^^
So I was wondering why we did not simply update to use 2.4.9.
That's because it is not yet released, so the sentence is confusing.
I've added a little blurb to make it obvious.
Applied to master, thanks.
Regards,
Yann E. MORIN.
> xmlparse.c.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Fix path in patch
>
> ...re-safe-exiting-internalEntityParser.patch | 53 +++++++++++++++++++
> package/expat/expat.mk | 3 ++
> 2 files changed, 56 insertions(+)
> create mode 100644 package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
>
> diff --git a/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch b/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
> new file mode 100644
> index 0000000000..ca86e85115
> --- /dev/null
> +++ b/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
> @@ -0,0 +1,53 @@
> +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
> +From: Rhodri James <rhodri@wildebeest.org.uk>
> +Date: Wed, 17 Aug 2022 18:26:18 +0100
> +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
> +
> +It is possible to concoct a situation in which parsing is
> +suspended while substituting in an internal entity, so that
> +XML_ResumeParser directly uses internalEntityProcessor as
> +its processor. If the subsequent parse includes some unclosed
> +tags, this will return without calling storeRawNames to ensure
> +that the raw versions of the tag names are stored in memory other
> +than the parse buffer itself. If the parse buffer is then changed
> +or reallocated (for example if processing a file line by line),
> +badness will ensue.
> +
> +This patch ensures storeRawNames is always called when needed
> +after calling doContent. The earlier call do doContent does
> +not need the same protection; it only deals with entity
> +substitution, which cannot leave unbalanced tags, and in any
> +case the raw names will be pointing into the stored entity
> +value not the parse buffer.
> +
> +[Retrieved from:
> +https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + expat/lib/xmlparse.c | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index 7bcabf7f4..d73f419cf 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
> + {
> + parser->m_processor = contentProcessor;
> + /* see externalEntityContentProcessor vs contentProcessor */
> +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
> +- s, end, nextPtr,
> +- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> +- XML_ACCOUNT_DIRECT);
> ++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
> ++ parser->m_encoding, s, end, nextPtr,
> ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> ++ XML_ACCOUNT_DIRECT);
> ++ if (result == XML_ERROR_NONE) {
> ++ if (! storeRawNames(parser))
> ++ return XML_ERROR_NO_MEMORY;
> ++ }
> ++ return result;
> + }
> + }
> +
> diff --git a/package/expat/expat.mk b/package/expat/expat.mk
> index e89de81da7..61735a5fdb 100644
> --- a/package/expat/expat.mk
> +++ b/package/expat/expat.mk
> @@ -13,6 +13,9 @@ EXPAT_LICENSE_FILES = COPYING
> EXPAT_CPE_ID_VENDOR = libexpat_project
> EXPAT_CPE_ID_PRODUCT = libexpat
>
> +# 0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
> +EXPAT_IGNORE_CVES += CVE-2022-40674
> +
> EXPAT_CONF_OPTS = \
> --without-docbook --without-examples --without-tests --without-xmlwf
> HOST_EXPAT_CONF_OPTS = --without-docbook --without-examples --without-tests
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH v2,1/1] package/expat: fix CVE-2022-40674
2022-09-18 10:23 [Buildroot] [PATCH v2,1/1] package/expat: fix CVE-2022-40674 Fabrice Fontaine
2022-09-18 12:50 ` Yann E. MORIN
@ 2022-09-29 13:52 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-09-29 13:52 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> libexpat before 2.4.9 has a use-after-free in the doContent function in
> xmlparse.c.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Fix path in patch
Committed to 2022.02.x, 2022.05.x and 2022.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-29 13:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-18 10:23 [Buildroot] [PATCH v2,1/1] package/expat: fix CVE-2022-40674 Fabrice Fontaine
2022-09-18 12:50 ` Yann E. MORIN
2022-09-29 13:52 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.