From: Neetika Singh <neetika.si...@kpit.com>

Added a refreshed patch for CVE-2020-12825
Link: 
https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25

Signed-off-by: Neetika.Singh <neetika.si...@kpit.com>
---
 .../libcroco/libcroco/CVE-2020-12825.patch         | 192 +++++++++++++++++++++
 meta/recipes-support/libcroco/libcroco_0.6.13.bb   |  22 +++
 2 files changed, 214 insertions(+)
 create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
 create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb

diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch 
b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000..f813ded
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,192 @@
+From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanz...@gnome.org>
+Date: Thu, 13 Aug 2020 20:03:05 -0500
+Subject: [PATCH] libcroco parser: limit recursion in block and any productions
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
+in cr-parser.c.
+
+Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
+
+CVE: CVE-2020-12825
+Upstream Status: Backport 
[https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
+
+Signed-off-by: Neetika Singh <neetika.si...@kpit.com>
+---
+ src/cr-parser.c | 44 ++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index d85e71f0fc..cd7b6ebd4a 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+  * IS_NUM:
+  *@a_char: the char to test.
+@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core 
(CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++                                               guint      n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++                                                 guint      n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+         cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+         do {
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, 0);
+         } while (status == CR_OK);
+
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                       token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
++                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status,
+                                       FALSE);
+                 goto done;
+@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+         RECORD_INITIAL_POS (a_this, &init_pos);
+
+-        status = cr_parser_parse_any_core (a_this);
++        status = cr_parser_parse_any_core (a_this, 0);
+         CHECK_PARSING_STATUS (status, FALSE);
+
+         do {
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, 0);
+
+         } while (status == CR_OK);
+
+@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+  *in chapter 4.1 of the css2 spec.
+  *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+  *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+  *FIXME: code this function.
+  */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++                            guint      n_calls)
+ {
+         CRToken *token = NULL;
+         CRInputPos init_pos;
+@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+         g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++        if (n_calls > RECURSIVE_CALLERS_LIMIT)
++                return CR_ERROR;
++
+         RECORD_INITIAL_POS (a_this, &init_pos);
+
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+         } else if (token->type == CBO_TK) {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
++                status = cr_parser_parse_block_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         } else {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         }
+@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
++                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 ref++;
+                 goto continue_parsing;
+@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, 0);
+                 if (status == CR_OK) {
+                         ref++;
+                         goto continue_parsing;
+@@ -1162,10 +1162,12 @@
+  *        | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+  *
+  *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+  *@return CR_OK upon successfull completion, an error code otherwise.
+  */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++                          guint      n_calls)
+ {
+         CRToken *token1 = NULL,
+                 *token2 = NULL;
+@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+         g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++        if (n_calls > RECURSIVE_CALLERS_LIMIT)
++                return CR_ERROR;
++
+         RECORD_INITIAL_POS (a_this, &init_pos);
+
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                  *We consider parameter as being an "any*" production.
+                  */
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
++                        status = cr_parser_parse_any_core (a_this, n_calls + 
1);
+                 } while (status == CR_OK);
+
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
++                        status = cr_parser_parse_any_core (a_this, n_calls + 
1);
+                 } while (status == CR_OK);
+
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
++                        status = cr_parser_parse_any_core (a_this, n_calls + 
1);
+                 } while (status == CR_OK);
+
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+GitLab
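Review bot: The new depth guards in cr_parser_parse_block_core and cr_parser_parse_any_core return CR_ERROR, yet every recursive call site in the embedded patch finishes its `do { ... } while (status == CR_OK)` loop with `ENSURE_PARSING_COND (status == CR_PARSING_ERROR)`, so exceeding RECURSIVE_CALLERS_LIMIT surfaces as an ordinary parse failure rather than a distinguishable depth error; that is probably fine for a backport, but it is not stated anywhere. RECURSIVE_CALLERS_LIMIT itself is a bare magic number, and I would put `/* Maximum nesting of block/any productions before parsing is aborted (CVE-2020-12825); non-recursive entry points pass n_calls = 0. */` above the define so the contract of the new parameter is explicit. The bound only holds because cr_parser_parse_atrule_core, cr_parser_parse_selector_core and cr_parser_parse_value_core restart the counter at 0 and, as far as the visible hunks show, are not themselves reachable from block or any; if upstream has such a path, the cap does not bound total stack depth. The hunk header `@@ -1162,10 +1162,12 @@` has lost its function context and its new-side offset disagrees with the neighbouring hunks (+9 before it, +11 after it), which looks like a hand-edited refresh; it should still apply with an offset, but regenerating the patch from the upstream commit would avoid the inconsistency.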
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb 
b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
new file mode 100644
index 0000000..fd5927e
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
+HOMEPAGE = "http://www.gnome.org/";
+BUGTRACKER = "https://bugzilla.gnome.org/";
+
+LICENSE = "LGPLv2 & LGPLv2.1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
+                    
file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
+                    
file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
+
+SECTION = "x11/utils"
+DEPENDS = "glib-2.0 libxml2 zlib"
+BBCLASSEXTEND = "native nativesdk"
+EXTRA_OECONF += "--enable-Bsymbolic=auto"
+
+BINCONFIG = "${bindir}/croco-0.6-config"
+
+inherit gnomebase gtk-doc binconfig-disabled
+
+SRC_URI += "file://CVE-2020-12825.patch"
+
+SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
+SRC_URI[archive.sha256sum] = 
"767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
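Review bot: The recipe is introduced as a brand-new file (`create mode 100644` in the diffstat) although the commit message only describes adding a refreshed patch; if meta/recipes-support/libcroco/libcroco_0.6.13.bb already exists on the target branch this will not apply, and a reviewer would expect a one-line hunk adding `SRC_URI += "file://CVE-2020-12825.patch"` to the existing recipe instead. If the whole recipe is genuinely new on that branch, the description should say so. The `LICENSE = "LGPLv2 & LGPLv2.1"` spelling should also be checked against the license naming convention of the branch being targeted.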
--
2.7.4
