Hi Steve, sorry about that. Accidental checkout of dunfell-next. I sent a new patch. Best regards, Jasper On 21 June 2021 17:26:14 CEST, Steve Sakoman wrote: >Sadly this patch won't apply. > >Could you rebase it on the current head of dunfell? It seems you >generated this patch with an older version of dunfell that is missing >"libxml: fix CVE-2021-3517 CVE-2021-3537": > >https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/dunfell-nut&id=f177c0ec321f005dd9ce63aec2d700fd53c993ff > >Thanks again for helping with CVEs! > >Steve > >On Mon, Jun 21, 2021 at 4:11 AM Jasper Orschulko via >lists.openembedded.org >wrote: >> >> There's a flaw in libxml2 in versions before 2.9.11. An attacker who >is able to submit a crafted file to be processed by an application >linked with libxml2 could trigger a use-after-free. The greatest impact >from this flaw is to confidentiality, integrity, and availability. >> >> Upstream-Status: Backport [from fedora: >> https://bugzilla.redhat.com/show_bug.cgi?id=1954243] >> >> Signed-off-by: Jasper Orschulko >> --- >> .../libxml/libxml2/CVE-2021-3518.patch | 108 >++++++++++++++++++ >> meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 + >> 2 files changed, 109 insertions(+) >> create mode 100644 >meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch >> >> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch >b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch >> new file mode 100644 >> index 0000000000..c22cccf1b1 >> --- /dev/null >> +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch >> @@ -0,0 +1,108 @@ >> +From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 >2001 >> +From: Nick Wellnhofer >> +Date: Wed, 10 Jun 2020 16:34:52 +0200 >> +Subject: [PATCH 1/2] Don't recurse into xi:include children in >> + xmlXIncludeDoProcess >> + >> +Otherwise, nested xi:include nodes might result in a use-after-free >> +if XML_PARSE_NOXINCNODE is specified. >> + >> +Found with libFuzzer and ASan. >> + >> +The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been >modified, >> +as to avoid unnecessary modifications to fallback files. >> + >> +Signed-off-by: Jasper Orschulko >> +--- >> + xinclude.c | 24 ++++++++++-------------- >> + 1 file changed, 10 insertions(+), 14 deletions(-) >> + >> +diff --git a/xinclude.c b/xinclude.c >> +index ba850fa5..f260c1a7 100644 >> +--- a/xinclude.c >> ++++ b/xinclude.c >> +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr >ctxt, xmlDocPtr doc, xmlNodePtr tree) { >> + * First phase: lookup the elements in the document >> + */ >> + cur = tree; >> +- if (xmlXIncludeTestNode(ctxt, cur) == 1) >> +- xmlXIncludePreProcessNode(ctxt, cur); >> + while ((cur != NULL) && (cur != tree->parent)) { >> + /* TODO: need to work on entities -> stack */ >> +- if ((cur->children != NULL) && >> +- (cur->children->type != XML_ENTITY_DECL) && >> +- (cur->children->type != XML_XINCLUDE_START) && >> +- (cur->children->type != XML_XINCLUDE_END)) { >> +- cur = cur->children; >> +- if (xmlXIncludeTestNode(ctxt, cur)) >> +- xmlXIncludePreProcessNode(ctxt, cur); >> +- } else if (cur->next != NULL) { >> ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) { >> ++ xmlXIncludePreProcessNode(ctxt, cur); >> ++ } else if ((cur->children != NULL) && >> ++ (cur->children->type != XML_ENTITY_DECL) && >> ++ (cur->children->type != XML_XINCLUDE_START) && >> ++ (cur->children->type != XML_XINCLUDE_END)) { >> ++ cur = cur->children; >> ++ continue; >> ++ } >> ++ if (cur->next != NULL) { >> + cur = cur->next; >> +- if (xmlXIncludeTestNode(ctxt, cur)) >> +- xmlXIncludePreProcessNode(ctxt, cur); >> + } else { >> + if (cur == tree) >> + break; >> +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, >xmlDocPtr doc, xmlNodePtr tree) { >> + break; /* do */ >> + if (cur->next != NULL) { >> + cur = cur->next; >> +- if (xmlXIncludeTestNode(ctxt, cur)) >> +- xmlXIncludePreProcessNode(ctxt, cur); >> + break; /* do */ >> + } >> + } while (cur != NULL); >> +-- >> +2.32.0 >> + >> + >> +From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 >2001 >> +From: Nick Wellnhofer >> +Date: Thu, 22 Apr 2021 19:26:28 +0200 >> +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude >--dropdtd` >> + >> +The --dropdtd option can leave dangling pointers in entity reference >> +nodes. Make sure to skip these nodes when processing XIncludes. >> + >> +This also avoids scanning entity declarations and even modifying >> +them inadvertently during XInclude processing. >> + >> +Move from a block list to an allow list approach to avoid descending >> +into other node types that can't contain elements. >> + >> +Fixes #237. >> + >> +Signed-off-by: Jasper Orschulko >> +--- >> + xinclude.c | 5 ++--- >> + 1 file changed, 2 insertions(+), 3 deletions(-) >> + >> +diff --git a/xinclude.c b/xinclude.c >> +index f260c1a7..d7648529 100644 >> +--- a/xinclude.c >> ++++ b/xinclude.c >> +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, >xmlDocPtr doc, xmlNodePtr tree) { >> + if (xmlXIncludeTestNode(ctxt, cur) == 1) { >> + xmlXIncludePreProcessNode(ctxt, cur); >> + } else if ((cur->children != NULL) && >> +- (cur->children->type != XML_ENTITY_DECL) && >> +- (cur->children->type != XML_XINCLUDE_START) && >> +- (cur->children->type != XML_XINCLUDE_END)) { >> ++ ((cur->type == XML_DOCUMENT_NODE) || >> ++ (cur->type == XML_ELEMENT_NODE))) { >> + cur = cur->children; >> + continue; >> + } >> +-- >> +2.32.0 >> + >> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb >b/meta/recipes-core/libxml/libxml2_2.9.10.bb >> index 4ebfb9e556..04d32ade69 100644 >> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb >> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb >> @@ -23,6 +23,7 @@ SRC_URI = >"http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ >> file://CVE-2020-7595.patch \ >> file://CVE-2019-20388.patch \ >> file://CVE-2020-24977.patch \ >> + file://CVE-2021-3518.patch \ >> " >> >> SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" >> -- >> 2.32.0 >> >> >> >> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.