Hello,

These patches are only going to hardknott, and upstream released a new version 
yesterday that we can use for the master branch. The CVE fixes are present in 
the new version, and these patches backport those fixes for libxml version 
2.9.10 in hardknott.
I am working on the uprev to 2.9.12, and will send it to master once tested.

Thanks,
Tony

-----Original Message-----
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> On Behalf Of Tony Tascioglu
Sent: Friday, May 14, 2021 9:15 AM
To: openembedded-core@lists.openembedded.org
Cc: MacLeod, Randy <randy.macl...@windriver.com>; Tascioglu, Tony 
<tony.tascio...@windriver.com>
Subject: [OE-core] [hardknott][PATCH 1/3] libxml2: fix CVE-2021-3517

Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c

CVE: CVE-2021-3517
Upstream-status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]

Signed-off-by: Tony Tascioglu <tony.tascio...@windriver.com>
---
 .../libxml/libxml2/CVE-2021-3517.patch        | 54 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
new file mode 100644
index 0000000000..b6204f655a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,54 @@
+From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hoc...@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8 
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+
+CVE: CVE-2021-3517
+Upstream-Status: Backport 
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b5
+25cf0a88c2dc87a3a2]
+
+Signed-off-by: Tony Tascioglu <tony.tascio...@windriver.com>
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index d575e9d1..7cdbc4de 100644
+--- a/entities.c
++++ b/entities.c
+@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar 
*input, int attr) {
+           } else {
+               /*
+                * We assume we have UTF-8 input.
++               * It must match either:
++               *   110xxxxx 10xxxxxx
++               *   1110xxxx 10xxxxxx 10xxxxxx
++               *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++               * That is:
++               *   cur[0] is 11xxxxxx
++               *   cur[1] is 10xxxxxx
++               *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++               *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++               *   cur[0] is not 11111xxx
+                */
+               char buf[11], *ptr;
+               int val = 0, l = 1;
+ 
+-              if (*cur < 0xC0) {
++              if (((cur[0] & 0xC0) != 0xC0) ||
++                  ((cur[1] & 0xC0) != 0x80) ||
++                  (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++                  (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++                  (((cur[0] & 0xF8) == 0xF8))) {
+                   xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+                           "xmlEncodeEntities: input not UTF-8");
+                   if (doc != NULL)
+--
+2.25.1
+
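Review bot: the new condition starting at `++              if (((cur[0] & 0xC0) != 0xC0) ||` keeps its reads of cur[1], cur[2] and cur[3] in bounds only because the OR terms short-circuit left to right on a NUL-terminated buffer (cur[2] is touched only after cur[1] proved to be a non-NUL continuation byte, cur[3] only after cur[2] did); that ordering is the whole bounds argument of the fix, so the comment block above it should state it explicitly rather than only listing the bit patterns, otherwise a later reorder of the clauses silently reintroduces the over-read. Cosmetic: the embedded header `+Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities` carries the numbering of this backport series rather than describing the single upstream commit it backports; consider dropping the `1/3` prefix when regenerating the patch file.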
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 07ae68610c..ad612379b3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -24,6 +24,7 @@ SRC_URI = 
"http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2019-20388.patch \
            file://CVE-2020-24977.patch \
            file://fix-python39.patch \
+           file://CVE-2021-3517.patch \
            "
 
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
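Review bot: style only: `+           file://CVE-2021-3517.patch \` is appended after `fix-python39.patch`, which breaks up the run of CVE patches in SRC_URI; placing it directly after `file://CVE-2020-24977.patch \` keeps the security backports grouped, which makes them easier to audit and to drop together once the uprev to 2.9.12 lands.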
--
2.29.2
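An added illustration of the check the backported patch introduces, not code from the patch or from this thread: the pre-fix lead-byte test and the post-fix condition are transcribed into two stand-alone predicates, and a short scanner (a helper written for this example, not a libxml2 function) shows that a three-byte sequence truncated after its second byte passes the old test but is rejected by the new one before any read passes the terminating NUL.

```c
#include <stdbool.h>
#include <stdio.h>

/* Pre-fix test from entities.c: only the lead byte is inspected. */
static bool old_check_accepts(const unsigned char *cur)
{
    return *cur >= 0xC0;
}

/* The backported condition, transcribed into a predicate. The OR terms run
 * left to right: cur[2] is read only once cur[1] proved to be a (non-NUL)
 * continuation byte, cur[3] only once cur[2] did, so on a NUL-terminated
 * buffer no read passes the terminator. */
static bool new_check_accepts(const unsigned char *cur)
{
    if (((cur[0] & 0xC0) != 0xC0) ||
        ((cur[1] & 0xC0) != 0x80) ||
        (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
        (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
        (((cur[0] & 0xF8) == 0xF8)))
        return false;
    return true;
}

/* Walk a NUL-terminated buffer as the encoder does: ASCII advances one byte,
 * each multi-byte lead is validated and then skipped whole. Returns -1 if all
 * sequences are well formed, else the offset of the first bad lead byte.
 * (Helper written for this example, not a libxml2 function.) */
static long first_bad_offset(const unsigned char *s)
{
    const unsigned char *cur = s;
    while (*cur != '\0') {
        if (*cur < 0x80) { cur++; continue; }
        if (!new_check_accepts(cur))
            return (long)(cur - s);
        if ((cur[0] & 0xF0) == 0xF0)      cur += 4;
        else if ((cur[0] & 0xE0) == 0xE0) cur += 3;
        else                              cur += 2;
    }
    return -1;
}

int main(void)
{   /* Constructed: "A" + Euro sign, and the same string cut after byte 2. */
    const unsigned char ok[] = "A\xE2\x82\xAC", cut[] = "A\xE2\x82";
    printf("complete at %ld, truncated: old=%d new=%d at %ld\n",
           first_bad_offset(ok), old_check_accepts(cut + 1),
           new_check_accepts(cut + 1), first_bad_offset(cut));
    return 0;
}
```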
