* [meta][dunfell][PATCH] libxml2: Add fix for CVE-2016-3709
@ 2022-08-24 11:53 pawan
  2022-08-28  2:54 ` [OE-core] " Robert Joslyn
  0 siblings, 1 reply; 4+ messages in thread
From: pawan @ 2022-08-24 11:53 UTC (permalink / raw)
  To: openembedded-core, badganchipv; +Cc: ranjitsinh.rathod

From: Pawan Badganchi <badganchipv@gmail.com>

Add the patch below to fix CVE-2016-3709

CVE-2016-3709.patch
Link: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f

Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
---
 .../libxml/libxml2/CVE-2016-3709.patch        | 89 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  2 +-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
new file mode 100644
index 0000000000..5301d05323
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+  https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+ 		 (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+ 		 ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+ 		  (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++		xmlChar *escaped;
+ 		xmlChar *tmp = value;
+-		/* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+-		xmlBufCCat(buf->buffer, "\"");
+
+ 		while (IS_BLANK_CH(*tmp)) tmp++;
+
+-		/* URI Escape everything, except server side includes. */
+-		for ( ; ; ) {
+-		    xmlChar *escaped;
+-		    xmlChar endChar;
+-		    xmlChar *end = NULL;
+-		    xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+-		    if (start != NULL) {
+-			end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+-			if (end != NULL) {
+-			    *start = '\0';
+-			}
+-		    }
+-
+-		    /* Escape the whole string, or until start (set to '\0'). */
+-		    escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+-		    if (escaped != NULL) {
+-		        xmlBufCat(buf->buffer, escaped);
+-		        xmlFree(escaped);
+-		    } else {
+-		        xmlBufCat(buf->buffer, tmp);
+-		    }
+-
+-		    if (end == NULL) { /* Everything has been written. */
+-			break;
+-		    }
+-
+-		    /* Do not escape anything within server side includes. */
+-		    *start = '<'; /* Restore the first character of "<!--". */
+-		    end += 3; /* strlen("-->") */
+-		    endChar = *end;
+-		    *end = '\0';
+-		    xmlBufCat(buf->buffer, start);
+-		    *end = endChar;
+-		    tmp = end;
++		/*
++		 * the < and > have already been escaped at the entity level
++		 * And doing so here breaks server side includes
++		 */
++		escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++		if (escaped != NULL) {
++		    xmlBufWriteQuotedString(buf->buffer, escaped);
++		    xmlFree(escaped);
++		} else {
++		    xmlBufWriteQuotedString(buf->buffer, value);
+ 		}
+-
+-		xmlBufCCat(buf->buffer, "\"");
+ 	    } else {
+ 		xmlBufWriteQuotedString(buf->buffer, value);
+ 	    }
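Review bot: the Signed-off-by inside the backported patch header uses `Pawan.Badganchi@kpit.com` while the cover letter is signed `badganchipv@gmail.com`; use one identity for both so the trailer chain is consistent. The hunk itself tracks upstream c1ba6f54: it drops the SSI-aware `for ( ; ; )` loop that split the value at `<!--`/`-->` and restores a single `xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>")` call written through `xmlBufWriteQuotedString`, with `<` and `>` added to the characters left unescaped because, as the new comment says, they are already escaped at the entity level. It would help reviewers of the dunfell branch if the OE commit message also stated that this is a revert of 960f0e27 (the infinite-loop, quadratic-runtime and bug 769760 issues listed in the upstream message), rather than only "Add below patch".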
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index d1c1f0884f..adeef5bda2 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -32,7 +32,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
            file://CVE-2022-23308-fix-regression.patch \
            file://CVE-2022-29824-dependent.patch \
            file://CVE-2022-29824.patch \
-           file://0001-Port-gentest.py-to-Python-3.patch \
+           file://CVE-2016-3709.patch \
            "
 
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
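Review bot: this hunk replaces `file://0001-Port-gentest.py-to-Python-3.patch` with `file://CVE-2016-3709.patch` instead of adding the new entry, so the gentest Python 3 port silently stops being applied even though the patch file remains in the repo and the commit message says nothing about dropping it. Keep the existing line and add `file://CVE-2016-3709.patch \` after it; the diffstat should then read 90 insertions and 0 deletions.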
-- 
2.37.1

* Re: [OE-core] [meta][dunfell][PATCH] libxml2: Add fix for CVE-2016-3709
  2022-08-24 11:53 [meta][dunfell][PATCH] libxml2: Add fix for CVE-2016-3709 pawan
@ 2022-08-28  2:54 ` Robert Joslyn
  2022-08-28  9:44   ` Pawan
  2022-08-28  9:47   ` Pawan
  0 siblings, 2 replies; 4+ messages in thread
From: Robert Joslyn @ 2022-08-28  2:54 UTC (permalink / raw)
  To: Pawan Badganchi; +Cc: openembedded-core, ranjitsinh.rathod

> On Aug 24, 2022, at 4:53 AM, Pawan Badganchi <badganchipv@gmail.com> wrote:
> 
> From: Pawan Badganchi <badganchipv@gmail.com>
> 
> Add the patch below to fix CVE-2016-3709
> 
> CVE-2016-3709.patch
> Link: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
> 
> Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
> ---
> .../libxml/libxml2/CVE-2016-3709.patch        | 89 +++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.10.bb    |  2 +-
> 2 files changed, 90 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
> 
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
> new file mode 100644
> index 0000000000..5301d05323
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
> @@ -0,0 +1,89 @@
> +From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
> +From: Nick Wellnhofer <wellnhofer@aevum.de>
> +Date: Sat, 15 Aug 2020 18:32:29 +0200
> +Subject: [PATCH] Revert "Do not URI escape in server side includes"
> +
> +This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
> +
> +This commit introduced
> +
> +- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
> +- an algorithm with quadratic runtime
> +- a security issue, see
> +  https://bugzilla.gnome.org/show_bug.cgi?id=769760
> +
> +A better approach is to add an option not to escape URLs at all
> +which libxml2 should have possibly done in the first place.
> +
> +CVE: CVE-2016-3709
> +Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
> +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> +---
> + HTMLtree.c | 49 +++++++++++--------------------------------------
> + 1 file changed, 11 insertions(+), 38 deletions(-)
> +
> +diff --git a/HTMLtree.c b/HTMLtree.c
> +index 8d236bb35..cdb7f86a6 100644
> +--- a/HTMLtree.c
> ++++ b/HTMLtree.c
> +@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
> + 		 (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
> + 		 ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
> + 		  (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
> ++		xmlChar *escaped;
> + 		xmlChar *tmp = value;
> +-		/* xmlURIEscapeStr() escapes '"' so it can be safely used. */
> +-		xmlBufCCat(buf->buffer, "\"");
> +
> + 		while (IS_BLANK_CH(*tmp)) tmp++;
> +
> +-		/* URI Escape everything, except server side includes. */
> +-		for ( ; ; ) {
> +-		    xmlChar *escaped;
> +-		    xmlChar endChar;
> +-		    xmlChar *end = NULL;
> +-		    xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
> +-		    if (start != NULL) {
> +-			end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
> +-			if (end != NULL) {
> +-			    *start = '\0';
> +-			}
> +-		    }
> +-
> +-		    /* Escape the whole string, or until start (set to '\0'). */
> +-		    escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
> +-		    if (escaped != NULL) {
> +-		        xmlBufCat(buf->buffer, escaped);
> +-		        xmlFree(escaped);
> +-		    } else {
> +-		        xmlBufCat(buf->buffer, tmp);
> +-		    }
> +-
> +-		    if (end == NULL) { /* Everything has been written. */
> +-			break;
> +-		    }
> +-
> +-		    /* Do not escape anything within server side includes. */
> +-		    *start = '<'; /* Restore the first character of "<!--". */
> +-		    end += 3; /* strlen("-->") */
> +-		    endChar = *end;
> +-		    *end = '\0';
> +-		    xmlBufCat(buf->buffer, start);
> +-		    *end = endChar;
> +-		    tmp = end;
> ++		/*
> ++		 * the < and > have already been escaped at the entity level
> ++		 * And doing so here breaks server side includes
> ++		 */
> ++		escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
> ++		if (escaped != NULL) {
> ++		    xmlBufWriteQuotedString(buf->buffer, escaped);
> ++		    xmlFree(escaped);
> ++		} else {
> ++		    xmlBufWriteQuotedString(buf->buffer, value);
> + 		}
> +-
> +-		xmlBufCCat(buf->buffer, "\"");
> + 	    } else {
> + 		xmlBufWriteQuotedString(buf->buffer, value);
> + 	    }
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> index d1c1f0884f..adeef5bda2 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> @@ -32,7 +32,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
>            file://CVE-2022-23308-fix-regression.patch \
>            file://CVE-2022-29824-dependent.patch \
>            file://CVE-2022-29824.patch \
> -           file://0001-Port-gentest.py-to-Python-3.patch \

Did you intend to remove applying this patch? I assume not, but maybe there is something I’m not seeing. If you did intend to remove it, the patch file is still in the repo and the commit message doesn’t mention why it was removed.

Thanks,
Robert


> +           file://CVE-2016-3709.patch \
>            "
> 
> SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
> -- 
> 2.37.1
> 
> 
> 

* Re: [meta][dunfell][PATCH] libxml2: Add fix for CVE-2016-3709
  2022-08-28  2:54 ` [OE-core] " Robert Joslyn
@ 2022-08-28  9:44   ` Pawan
  2022-08-28  9:47   ` Pawan
  1 sibling, 0 replies; 4+ messages in thread
From: Pawan @ 2022-08-28  9:44 UTC (permalink / raw)
  To: openembedded-core

Hello Robert,
I have created a new patch and sent it. Please add that to the dunfell branch.
This patch 0001-Port-gentest.py-to-Python-3.patch should not be removed. Sorry for that.

* Re: [meta][dunfell][PATCH] libxml2: Add fix for CVE-2016-3709
  2022-08-28  2:54 ` [OE-core] " Robert Joslyn
  2022-08-28  9:44   ` Pawan
@ 2022-08-28  9:47   ` Pawan
  1 sibling, 0 replies; 4+ messages in thread
From: Pawan @ 2022-08-28  9:47 UTC (permalink / raw)
  To: openembedded-core

Hello Robert,
I have created a new patch and sent it. Please ignore this patch.
new patch: https://lists.openembedded.org/g/openembedded-core/message/169977
