* [oe-core][dunfell][PATCH] libxml2: Fix CVE-2021-3518
@ 2021-06-21 14:10 Jasper Orschulko
2021-06-21 15:26 ` Steve Sakoman
0 siblings, 1 reply; 4+ messages in thread
From: Jasper Orschulko @ 2021-06-21 14:10 UTC (permalink / raw)
To: openembedded-core; +Cc: Jasper Orschulko
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Upstream-Status: Backport [from fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
---
.../libxml/libxml2/CVE-2021-3518.patch | 108 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
2 files changed, 109 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
new file mode 100644
index 0000000000..c22cccf1b1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,108 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ * First phase: lookup the elements in the document
+ */
+ cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ } else {
+ if (cur == tree)
+ break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ break; /* do */
+ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ break; /* do */
+ }
+ } while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.32.0
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 4ebfb9e556..04d32ade69 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://CVE-2020-7595.patch \
file://CVE-2019-20388.patch \
file://CVE-2020-24977.patch \
+ file://CVE-2021-3518.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
--
2.32.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [oe-core][dunfell][PATCH] libxml2: Fix CVE-2021-3518
2021-06-21 14:10 [oe-core][dunfell][PATCH] libxml2: Fix CVE-2021-3518 Jasper Orschulko
@ 2021-06-21 15:26 ` Steve Sakoman
2021-06-21 15:37 ` Jasper Orschulko
0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2021-06-21 15:26 UTC (permalink / raw)
To: jasper; +Cc: Patches and discussions about the oe-core layer
Sadly this patch won't apply.
Could you rebase it on the current head of dunfell? It seems you
generated this patch with an older version of dunfell that is missing
"libxml: fix CVE-2021-3517 CVE-2021-3537":
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/dunfell-nut&id=f177c0ec321f005dd9ce63aec2d700fd53c993ff
Thanks again for helping with CVEs!
Steve
On Mon, Jun 21, 2021 at 4:11 AM Jasper Orschulko via
lists.openembedded.org <jasper=fancydomain.eu@lists.openembedded.org>
wrote:
>
> There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
>
> Upstream-Status: Backport [from fedora:
> https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
>
> Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
> ---
> .../libxml/libxml2/CVE-2021-3518.patch | 108 ++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
> 2 files changed, 109 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
> new file mode 100644
> index 0000000000..c22cccf1b1
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
> @@ -0,0 +1,108 @@
> +From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
> +From: Nick Wellnhofer <wellnhofer@aevum.de>
> +Date: Wed, 10 Jun 2020 16:34:52 +0200
> +Subject: [PATCH 1/2] Don't recurse into xi:include children in
> + xmlXIncludeDoProcess
> +
> +Otherwise, nested xi:include nodes might result in a use-after-free
> +if XML_PARSE_NOXINCNODE is specified.
> +
> +Found with libFuzzer and ASan.
> +
> +The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
> +as to avoid unnecessary modifications to fallback files.
> +
> +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
> +---
> + xinclude.c | 24 ++++++++++--------------
> + 1 file changed, 10 insertions(+), 14 deletions(-)
> +
> +diff --git a/xinclude.c b/xinclude.c
> +index ba850fa5..f260c1a7 100644
> +--- a/xinclude.c
> ++++ b/xinclude.c
> +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
> + * First phase: lookup the elements in the document
> + */
> + cur = tree;
> +- if (xmlXIncludeTestNode(ctxt, cur) == 1)
> +- xmlXIncludePreProcessNode(ctxt, cur);
> + while ((cur != NULL) && (cur != tree->parent)) {
> + /* TODO: need to work on entities -> stack */
> +- if ((cur->children != NULL) &&
> +- (cur->children->type != XML_ENTITY_DECL) &&
> +- (cur->children->type != XML_XINCLUDE_START) &&
> +- (cur->children->type != XML_XINCLUDE_END)) {
> +- cur = cur->children;
> +- if (xmlXIncludeTestNode(ctxt, cur))
> +- xmlXIncludePreProcessNode(ctxt, cur);
> +- } else if (cur->next != NULL) {
> ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
> ++ xmlXIncludePreProcessNode(ctxt, cur);
> ++ } else if ((cur->children != NULL) &&
> ++ (cur->children->type != XML_ENTITY_DECL) &&
> ++ (cur->children->type != XML_XINCLUDE_START) &&
> ++ (cur->children->type != XML_XINCLUDE_END)) {
> ++ cur = cur->children;
> ++ continue;
> ++ }
> ++ if (cur->next != NULL) {
> + cur = cur->next;
> +- if (xmlXIncludeTestNode(ctxt, cur))
> +- xmlXIncludePreProcessNode(ctxt, cur);
> + } else {
> + if (cur == tree)
> + break;
> +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
> + break; /* do */
> + if (cur->next != NULL) {
> + cur = cur->next;
> +- if (xmlXIncludeTestNode(ctxt, cur))
> +- xmlXIncludePreProcessNode(ctxt, cur);
> + break; /* do */
> + }
> + } while (cur != NULL);
> +--
> +2.32.0
> +
> +
> +From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
> +From: Nick Wellnhofer <wellnhofer@aevum.de>
> +Date: Thu, 22 Apr 2021 19:26:28 +0200
> +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
> +
> +The --dropdtd option can leave dangling pointers in entity reference
> +nodes. Make sure to skip these nodes when processing XIncludes.
> +
> +This also avoids scanning entity declarations and even modifying
> +them inadvertently during XInclude processing.
> +
> +Move from a block list to an allow list approach to avoid descending
> +into other node types that can't contain elements.
> +
> +Fixes #237.
> +
> +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
> +---
> + xinclude.c | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +diff --git a/xinclude.c b/xinclude.c
> +index f260c1a7..d7648529 100644
> +--- a/xinclude.c
> ++++ b/xinclude.c
> +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
> + if (xmlXIncludeTestNode(ctxt, cur) == 1) {
> + xmlXIncludePreProcessNode(ctxt, cur);
> + } else if ((cur->children != NULL) &&
> +- (cur->children->type != XML_ENTITY_DECL) &&
> +- (cur->children->type != XML_XINCLUDE_START) &&
> +- (cur->children->type != XML_XINCLUDE_END)) {
> ++ ((cur->type == XML_DOCUMENT_NODE) ||
> ++ (cur->type == XML_ELEMENT_NODE))) {
> + cur = cur->children;
> + continue;
> + }
> +--
> +2.32.0
> +
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> index 4ebfb9e556..04d32ade69 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> @@ -23,6 +23,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
> file://CVE-2020-7595.patch \
> file://CVE-2019-20388.patch \
> file://CVE-2020-24977.patch \
> + file://CVE-2021-3518.patch \
> "
>
> SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
> --
> 2.32.0
>
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [oe-core][dunfell][PATCH] libxml2: Fix CVE-2021-3518
2021-06-21 15:26 ` Steve Sakoman
@ 2021-06-21 15:37 ` Jasper Orschulko
2021-06-21 15:58 ` Steve Sakoman
0 siblings, 1 reply; 4+ messages in thread
From: Jasper Orschulko @ 2021-06-21 15:37 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 7150 bytes --]
Hi Steve,
sorry about that. Accidental checkout of dunfell-next. I sent a new patch.
Best regards,
Jasper
On 21 June 2021 17:26:14 CEST, Steve Sakoman <sakoman@gmail.com> wrote:
>Sadly this patch won't apply.
>
>Could you rebase it on the current head of dunfell? It seems you
>generated this patch with an older version of dunfell that is missing
>"libxml: fix CVE-2021-3517 CVE-2021-3537":
>
>https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/dunfell-nut&id=f177c0ec321f005dd9ce63aec2d700fd53c993ff
>
>Thanks again for helping with CVEs!
>
>Steve
>
>On Mon, Jun 21, 2021 at 4:11 AM Jasper Orschulko via
>lists.openembedded.org <jasper=fancydomain.eu@lists.openembedded.org>
>wrote:
>>
>> There's a flaw in libxml2 in versions before 2.9.11. An attacker who
>is able to submit a crafted file to be processed by an application
>linked with libxml2 could trigger a use-after-free. The greatest impact
>from this flaw is to confidentiality, integrity, and availability.
>>
>> Upstream-Status: Backport [from fedora:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
>>
>> Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
>> ---
>> .../libxml/libxml2/CVE-2021-3518.patch | 108
>++++++++++++++++++
>> meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
>> 2 files changed, 109 insertions(+)
>> create mode 100644
>meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>>
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>> new file mode 100644
>> index 0000000000..c22cccf1b1
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>> @@ -0,0 +1,108 @@
>> +From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00
>2001
>> +From: Nick Wellnhofer <wellnhofer@aevum.de>
>> +Date: Wed, 10 Jun 2020 16:34:52 +0200
>> +Subject: [PATCH 1/2] Don't recurse into xi:include children in
>> + xmlXIncludeDoProcess
>> +
>> +Otherwise, nested xi:include nodes might result in a use-after-free
>> +if XML_PARSE_NOXINCNODE is specified.
>> +
>> +Found with libFuzzer and ASan.
>> +
>> +The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been
>modified,
>> +as to avoid unnecessary modifications to fallback files.
>> +
>> +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
>> +---
>> + xinclude.c | 24 ++++++++++--------------
>> + 1 file changed, 10 insertions(+), 14 deletions(-)
>> +
>> +diff --git a/xinclude.c b/xinclude.c
>> +index ba850fa5..f260c1a7 100644
>> +--- a/xinclude.c
>> ++++ b/xinclude.c
>> +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr
>ctxt, xmlDocPtr doc, xmlNodePtr tree) {
>> + * First phase: lookup the elements in the document
>> + */
>> + cur = tree;
>> +- if (xmlXIncludeTestNode(ctxt, cur) == 1)
>> +- xmlXIncludePreProcessNode(ctxt, cur);
>> + while ((cur != NULL) && (cur != tree->parent)) {
>> + /* TODO: need to work on entities -> stack */
>> +- if ((cur->children != NULL) &&
>> +- (cur->children->type != XML_ENTITY_DECL) &&
>> +- (cur->children->type != XML_XINCLUDE_START) &&
>> +- (cur->children->type != XML_XINCLUDE_END)) {
>> +- cur = cur->children;
>> +- if (xmlXIncludeTestNode(ctxt, cur))
>> +- xmlXIncludePreProcessNode(ctxt, cur);
>> +- } else if (cur->next != NULL) {
>> ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
>> ++ xmlXIncludePreProcessNode(ctxt, cur);
>> ++ } else if ((cur->children != NULL) &&
>> ++ (cur->children->type != XML_ENTITY_DECL) &&
>> ++ (cur->children->type != XML_XINCLUDE_START) &&
>> ++ (cur->children->type != XML_XINCLUDE_END)) {
>> ++ cur = cur->children;
>> ++ continue;
>> ++ }
>> ++ if (cur->next != NULL) {
>> + cur = cur->next;
>> +- if (xmlXIncludeTestNode(ctxt, cur))
>> +- xmlXIncludePreProcessNode(ctxt, cur);
>> + } else {
>> + if (cur == tree)
>> + break;
>> +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt,
>xmlDocPtr doc, xmlNodePtr tree) {
>> + break; /* do */
>> + if (cur->next != NULL) {
>> + cur = cur->next;
>> +- if (xmlXIncludeTestNode(ctxt, cur))
>> +- xmlXIncludePreProcessNode(ctxt, cur);
>> + break; /* do */
>> + }
>> + } while (cur != NULL);
>> +--
>> +2.32.0
>> +
>> +
>> +From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00
>2001
>> +From: Nick Wellnhofer <wellnhofer@aevum.de>
>> +Date: Thu, 22 Apr 2021 19:26:28 +0200
>> +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude
>--dropdtd`
>> +
>> +The --dropdtd option can leave dangling pointers in entity reference
>> +nodes. Make sure to skip these nodes when processing XIncludes.
>> +
>> +This also avoids scanning entity declarations and even modifying
>> +them inadvertently during XInclude processing.
>> +
>> +Move from a block list to an allow list approach to avoid descending
>> +into other node types that can't contain elements.
>> +
>> +Fixes #237.
>> +
>> +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
>> +---
>> + xinclude.c | 5 ++---
>> + 1 file changed, 2 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/xinclude.c b/xinclude.c
>> +index f260c1a7..d7648529 100644
>> +--- a/xinclude.c
>> ++++ b/xinclude.c
>> +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt,
>xmlDocPtr doc, xmlNodePtr tree) {
>> + if (xmlXIncludeTestNode(ctxt, cur) == 1) {
>> + xmlXIncludePreProcessNode(ctxt, cur);
>> + } else if ((cur->children != NULL) &&
>> +- (cur->children->type != XML_ENTITY_DECL) &&
>> +- (cur->children->type != XML_XINCLUDE_START) &&
>> +- (cur->children->type != XML_XINCLUDE_END)) {
>> ++ ((cur->type == XML_DOCUMENT_NODE) ||
>> ++ (cur->type == XML_ELEMENT_NODE))) {
>> + cur = cur->children;
>> + continue;
>> + }
>> +--
>> +2.32.0
>> +
>> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb
>b/meta/recipes-core/libxml/libxml2_2.9.10.bb
>> index 4ebfb9e556..04d32ade69 100644
>> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
>> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
>> @@ -23,6 +23,7 @@ SRC_URI =
>"http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
>> file://CVE-2020-7595.patch \
>> file://CVE-2019-20388.patch \
>> file://CVE-2020-24977.patch \
>> + file://CVE-2021-3518.patch \
>> "
>>
>> SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
>> --
>> 2.32.0
>>
>>
>>
>>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[-- Attachment #2: Type: text/html, Size: 7951 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [oe-core][dunfell][PATCH] libxml2: Fix CVE-2021-3518
2021-06-21 15:37 ` Jasper Orschulko
@ 2021-06-21 15:58 ` Steve Sakoman
0 siblings, 0 replies; 4+ messages in thread
From: Steve Sakoman @ 2021-06-21 15:58 UTC (permalink / raw)
To: jasper; +Cc: Patches and discussions about the oe-core layer
On Mon, Jun 21, 2021 at 5:38 AM Jasper Orschulko via
lists.openembedded.org <jasper=fancydomain.eu@lists.openembedded.org>
wrote:
>
> Hi Steve,
>
> sorry about that. Accidental checkout of dunfell-next. I sent a new patch.
No worries! V2 applied without issue.
Thanks,
Steve
>
> Best regards,
> Jasper
>
> On 21 June 2021 17:26:14 CEST, Steve Sakoman <sakoman@gmail.com> wrote:
>>
>> Sadly this patch won't apply.
>>
>> Could you rebase it on the current head of dunfell? It seems you
>> generated this patch with an older version of dunfell that is missing
>> "libxml: fix CVE-2021-3517 CVE-2021-3537":
>>
>> https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/dunfell-nut&id=f177c0ec321f005dd9ce63aec2d700fd53c993ff
>>
>> Thanks again for helping with CVEs!
>>
>> Steve
>>
>> On Mon, Jun 21, 2021 at 4:11 AM Jasper Orschulko via
>> lists.openembedded.org <jasper=fancydomain.eu@lists.openembedded.org>
>> wrote:
>>>
>>>
>>> There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
>>>
>>> Upstream-Status: Backport [from fedora:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
>>>
>>> Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
>>> ________________________________
>>> .../libxml/libxml2/CVE-2021-3518.patch | 108 ++++++++++++++++++
>>> meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
>>> 2 files changed, 109 insertions(+)
>>> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>>>
>>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>>> new file mode 100644
>>> index 0000000000..c22cccf1b1
>>> --- /dev/null
>>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
>>> @@ -0,0 +1,108 @@
>>> +From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
>>> +From: Nick Wellnhofer <wellnhofer@aevum.de>
>>> +Date: Wed, 10 Jun 2020 16:34:52 +0200
>>> +Subject: [PATCH 1/2] Don't recurse into xi:include children in
>>> + xmlXIncludeDoProcess
>>> +
>>> +Otherwise, nested xi:include nodes might result in a use-after-free
>>> +if XML_PARSE_NOXINCNODE is specified.
>>> +
>>> +Found with libFuzzer and ASan.
>>> +
>>> +The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
>>> +as to avoid unnecessary modifications to fallback files.
>>> +
>>> +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
>>> +---
>>> + xinclude.c | 24 ++++++++++--------------
>>> + 1 file changed, 10 insertions(+), 14 deletions(-)
>>> +
>>> +diff --git a/xinclude.c b/xinclude.c
>>> +index ba850fa5..f260c1a7 100644
>>> +--- a/xinclude.c
>>> ++++ b/xinclude.c
>>> +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
>>> + * First phase: lookup the elements in the document
>>> + */
>>> + cur = tree;
>>> +- if (xmlXIncludeTestNode(ctxt, cur) == 1)
>>> +- xmlXIncludePreProcessNode(ctxt, cur);
>>> + while ((cur != NULL) && (cur != tree->parent)) {
>>> + /* TODO: need to work on entities -> stack */
>>> +- if ((cur->children != NULL) &&
>>> +- (cur->children->type != XML_ENTITY_DECL) &&
>>> +- (cur->children->type != XML_XINCLUDE_START) &&
>>> +- (cur->children->type != XML_XINCLUDE_END)) {
>>> +- cur = cur->children;
>>> +- if (xmlXIncludeTestNode(ctxt, cur))
>>> +- xmlXIncludePreProcessNode(ctxt, cur);
>>> +- } else if (cur->next != NULL) {
>>> ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
>>> ++ xmlXIncludePreProcessNode(ctxt, cur);
>>> ++ } else if ((cur->children != NULL) &&
>>> ++ (cur->children->type != XML_ENTITY_DECL) &&
>>> ++ (cur->children->type != XML_XINCLUDE_START) &&
>>> ++ (cur->children->type != XML_XINCLUDE_END)) {
>>> ++ cur = cur->children;
>>> ++ continue;
>>> ++ }
>>> ++ if (cur->next != NULL) {
>>> + cur = cur->next;
>>> +- if (xmlXIncludeTestNode(ctxt, cur))
>>> +- xmlXIncludePreProcessNode(ctxt, cur);
>>> + } else {
>>> + if (cur == tree)
>>> + break;
>>> +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
>>> + break; /* do */
>>> + if (cur->next != NULL) {
>>> + cur = cur->next;
>>> +- if (xmlXIncludeTestNode(ctxt, cur))
>>> +- xmlXIncludePreProcessNode(ctxt, cur);
>>> + break; /* do */
>>> + }
>>> + } while (cur != NULL);
>>> +--
>>> +2.32.0
>>> +
>>> +
>>> +From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
>>> +From: Nick Wellnhofer <wellnhofer@aevum.de>
>>> +Date: Thu, 22 Apr 2021 19:26:28 +0200
>>> +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
>>> +
>>> +The --dropdtd option can leave dangling pointers in entity reference
>>> +nodes. Make sure to skip these nodes when processing XIncludes.
>>> +
>>> +This also avoids scanning entity declarations and even modifying
>>> +them inadvertently during XInclude processing.
>>> +
>>> +Move from a block list to an allow list approach to avoid descending
>>> +into other node types that can't contain elements.
>>> +
>>> +Fixes #237.
>>> +
>>> +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
>>> +---
>>> + xinclude.c | 5 ++---
>>> + 1 file changed, 2 insertions(+), 3 deletions(-)
>>> +
>>> +diff --git a/xinclude.c b/xinclude.c
>>> +index f260c1a7..d7648529 100644
>>> +--- a/xinclude.c
>>> ++++ b/xinclude.c
>>> +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
>>> + if (xmlXIncludeTestNode(ctxt, cur) == 1) {
>>> + xmlXIncludePreProcessNode(ctxt, cur);
>>> + } else if ((cur->children != NULL) &&
>>> +- (cur->children->type != XML_ENTITY_DECL) &&
>>> +- (cur->children->type != XML_XINCLUDE_START) &&
>>> +- (cur->children->type != XML_XINCLUDE_END)) {
>>> ++ ((cur->type == XML_DOCUMENT_NODE) ||
>>> ++ (cur->type == XML_ELEMENT_NODE))) {
>>> + cur = cur->children;
>>> + continue;
>>> + }
>>> +--
>>> +2.32.0
>>> +
>>> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
>>> index 4ebfb9e556..04d32ade69 100644
>>> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
>>> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
>>> @@ -23,6 +23,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
>>> file://CVE-2020-7595.patch \
>>> file://CVE-2019-20388.patch \
>>> file://CVE-2020-24977.patch \
>>> + file://CVE-2021-3518.patch \
>>> "
>>>
>>> SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
>>> --
>>> 2.32.0
>>>
>>>
>>>
>>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-06-21 15:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-21 14:10 [oe-core][dunfell][PATCH] libxml2: Fix CVE-2021-3518 Jasper Orschulko
2021-06-21 15:26 ` Steve Sakoman
2021-06-21 15:37 ` Jasper Orschulko
2021-06-21 15:58 ` Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.