[OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-17 Thread Jasper Orschulko
expat < 4.0 is vulnerable to billion laughs attacks (see
[https://github.com/libexpat/libexpat/issues/34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

Signed-off-by: Jasper Orschulko 

Upstream-Status: Submitted 
[https://lists.openembedded.org/g/openembedded-core/message/153030?p=,,,20,0,0,0::Created,,Jasper,20,2,0,83581993]
---
 .../expat/expat/CVE-2013-0340.patch   | 1758 +
 .../expat/expat/libtool-tag.patch |   41 +-
 meta/recipes-core/expat/expat_2.2.9.bb|   12 +-
 3 files changed, 1782 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch 
b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 00..5ef749719d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@
+From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 19 Apr 2021 21:42:51 +0200
+Subject: [PATCH] expat: Backport fix for CVE-2013-0340
+
+Issue: https://github.com/libexpat/libexpat/issues/34
+
+This patch cherry-picks the following commits from upstream release
+2.4.0 onto 2.2.9:
+
+- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
+- 60959f2b491876199879d97c8ed956eabb0c2e73
+
+Upstream-Status: Backport
+CVE: CVE-2013-0340
+Signed-off-by: Jasper Orschulko 
+---
+ lib/expat.h   |   21 +-
+ lib/internal.h|   30 +
+ lib/libexpat.def  |3 +
+ lib/libexpatw.def |3 +
+ lib/xmlparse.c| 1147 +--
+ 5 files changed, 1143 insertions(+), 61 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 48a6e2a3..0fb70d9d 100644
+--- a/lib/expat.h
 b/lib/expat.h
+@@ -115,7 +115,9 @@ enum XML_Error {
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+   XML_ERROR_RESERVED_NAMESPACE_URI,
+   /* Added in 2.2.1. */
+-  XML_ERROR_INVALID_ARGUMENT
++  XML_ERROR_INVALID_ARGUMENT,
++  /* Added in 2.4.0. */
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ };
+ 
+ enum XML_Content_Type {
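Review bot: The comment `/* Added in 2.4.0. */` above `XML_ERROR_AMPLIFICATION_LIMIT_BREACH` is carried over from upstream, but this tree stays at 2.2.9, so code that gates on the Expat version macros will not expect the new error code here. An earlier revision in this thread used `/* Backported from 2.4.0. */`, which describes the backport more accurately. The enum starts outside the hunk, and the lines shown do not reveal whether the error-string table in lib/xmlparse.c gets a matching entry, so that should be confirmed in the full patch.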
+@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
+   XML_FEATURE_SIZEOF_XML_LCHAR,
+   XML_FEATURE_NS,
+   XML_FEATURE_LARGE_SIZE,
+-  XML_FEATURE_ATTR_INFO
++  XML_FEATURE_ATTR_INFO,
++  /* Added in Expat 2.4.0. */
++  XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
++  XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT
+   /* Additional features must be added to the end of this enum. */
+ };
+ 
+@@ -1010,6 +1015,18 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+ 
++#ifdef XML_DTD
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++XML_Parser parser, float maximumAmplificationFactor);
++
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++XML_Parser parser, unsigned long long activationThresholdBytes);
++#endif
++
+ /* Expat follows the semantic versioning convention.
+See http://semver.org.
+ */
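Review bot: Both new setters are declared only under `#ifdef XML_DTD`, and the header does not say what the `XML_Bool` result means or which argument values are accepted. From this hunk it looks as if a build without XML_DTD gets neither the API nor, presumably, the accounting behind it, so the recipe's configuration should be checked for XML_DTD before the CVE is treated as fixed. I would add a comment above each prototype along the lines of `/* Only available when built with XML_DTD; returns XML_FALSE if the arguments are rejected (confirm against lib/xmlparse.c). */`. The implementations live in lib/xmlparse.c, which is not shown on this page.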
+diff --git a/lib/internal.h b/lib/internal.h
+index 60913dab..d8b31fa2 100644
+--- a/lib/internal.h
 b/lib/internal.h
+@@ -101,10 +101,40 @@
+ #  endif
+ #endif
+ 
++#include  // ULONG_MAX
++
++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
++#  if defined(_WIN64) // Note: modifier "td" does not work for MinGW
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#else
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
++#  if ! defined(ULONG_MAX)
++#error Compiler did not define ULONG_MAX for us
++#  elif ULONG_MAX == 18446744073709551615u // 2^64-1
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#endif
++
+ #ifndef UNUSED_P
+ #  define UNUSED_P(p) (void)p
+ #endif
+ 
++/* NOTE BEGIN If you ever patch these defaults to greater values
++  for non-attack XML payload in your environment,
++  please file a bug report with libexpat.  Thank you!
++*/
++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT  
 \
++  100.0f
++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT   
 \
++  8388608 // 8 MiB, 2^23
++/* NOTE END */
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
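Review bot: As shown here the added line `#include  // ULONG_MAX` names no header and would not preprocess. Most likely the archive dropped an angle-bracketed `<limits.h>`, so take the patch from the tree rather than from this page. Separately, the two defaults (`100.0f` and `8388608`) carry only a request to report changes, not a statement of what they bound. A one-line comment on each, naming the quantity it limits and its unit, would help anyone tuning them for a memory-constrained target. The code that consumes them is in lib/xmlparse.c, outside the lines shown.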
+diff --git a/lib/libexpat.def b/lib/libexpat.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpat.def
 b/lib/libexpat.def
+@@ -76,3 +76,6 @@ EXPORTS
+   XML_SetHashSalt @67
+ ; added with version 2.2.5
+   _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++  

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-17 Thread Jasper Orschulko
expat < 4.0 is vulnerable to billion laughs attacks (see
[https://github.com/libexpat/libexpat/issues/34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

Signed-off-by: Jasper Orschulko 

Upstream-Status: Submitted
[https://lists.openembedded.org/g/openembedded-core/message/153030?p=,,,20,0,0,0::Created,,Jasper,20,2,0,83581993
]
---
 .../expat/expat/CVE-2013-0340.patch   | 1758 +
 .../expat/expat/libtool-tag.patch |   41 +-
 meta/recipes-core/expat/expat_2.2.9.bb|   12 +-
 3 files changed, 1782 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch
b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 00..5ef749719d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@
+From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 19 Apr 2021 21:42:51 +0200
+Subject: [PATCH] expat: Backport fix for CVE-2013-0340
+
+Issue: https://github.com/libexpat/libexpat/issues/34
+
+This patch cherry-picks the following commits from upstream release
+2.4.0 onto 2.2.9:
+
+- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
+- 60959f2b491876199879d97c8ed956eabb0c2e73
+
+Upstream-Status: Backport
+CVE: CVE-2013-0340
+Signed-off-by: Jasper Orschulko 
+---
+ lib/expat.h   |   21 +-
+ lib/internal.h|   30 +
+ lib/libexpat.def  |3 +
+ lib/libexpatw.def |3 +
+ lib/xmlparse.c| 1147 +--
+ 5 files changed, 1143 insertions(+), 61 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 48a6e2a3..0fb70d9d 100644
+--- a/lib/expat.h
 b/lib/expat.h
+@@ -115,7 +115,9 @@ enum XML_Error {
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+   XML_ERROR_RESERVED_NAMESPACE_URI,
+   /* Added in 2.2.1. */
+-  XML_ERROR_INVALID_ARGUMENT
++  XML_ERROR_INVALID_ARGUMENT,
++  /* Added in 2.4.0. */
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ };
+ 
+ enum XML_Content_Type {
+@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
+   XML_FEATURE_SIZEOF_XML_LCHAR,
+   XML_FEATURE_NS,
+   XML_FEATURE_LARGE_SIZE,
+-  XML_FEATURE_ATTR_INFO
++  XML_FEATURE_ATTR_INFO,
++  /* Added in Expat 2.4.0. */
++ 
XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFA
ULT,
++ 
XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAU
LT
+   /* Additional features must be added to the end of this enum. */
+ };
+ 
+@@ -1010,6 +1015,18 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+ 
++#ifdef XML_DTD
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++XML_Parser parser, float maximumAmplificationFactor);
++
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++XML_Parser parser, unsigned long long activationThresholdBytes);
++#endif
++
+ /* Expat follows the semantic versioning convention.
+See http://semver.org.
+ */
+diff --git a/lib/internal.h b/lib/internal.h
+index 60913dab..d8b31fa2 100644
+--- a/lib/internal.h
 b/lib/internal.h
+@@ -101,10 +101,40 @@
+ #  endif
+ #endif
+ 
++#include  // ULONG_MAX
++
++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
++#  if defined(_WIN64) // Note: modifier "td" does not work for MinGW
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#else
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
++#  if ! defined(ULONG_MAX)
++#error Compiler did not define ULONG_MAX for us
++#  elif ULONG_MAX == 18446744073709551615u // 2^64-1
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#endif
++
+ #ifndef UNUSED_P
+ #  define UNUSED_P(p) (void)p
+ #endif
+ 
++/* NOTE BEGIN If you ever patch these defaults to greater values
++  for non-attack XML payload in your environment,
++  please file a bug report with libexpat.  Thank you!
++*/
++#define
EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT  
\
++  100.0f
++#define
EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT   
\
++  8388608 // 8 MiB, 2^23
++/* NOTE END */
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff --git a/lib/libexpat.def b/lib/libexpat.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpat.def
 b/lib/libexpat.def
+@@ -76,3 +76,6 @@ EXPORTS
+   XML_SetHashSalt @67
+ ; added with version 2.2.5
+   _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++  

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I just noticed (in addition to the fact that I messed up the path in
my patch) that the original do_configure_prepend task actually is not
necessary, as there is no ${S}/conftools/libtool.m4 in the 2.9.9
release (neither git, nor sourceforge). While removing a non-existing
file does no harm, I will provide a new patch tomorrow without this
task, for tidiness' sake. ;) 

- -- 
With best regards

Jasper Orschulko
DevOps Engineer

Tel. +49 30 58 58 14 265
Fax +49 30 58 58 14 999
jasper.orschu...@iris-sensing.com

• • • • • • • • • • • • • • • • • • • • • • • • • •

iris-GmbH
infrared & intelligent sensors
Ostendstraße 1-14 | 12459 Berlin

https://iris-sensing.com/




On Wed, 2021-06-16 at 20:20 +0200, Jasper Orschulko wrote:
> Revision of the the patch file. Please verify. :)
> 
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEE4WyPMIC5Ap4+Ooo1Ygqew07VMNUFAmDKaXMACgkQYgqew07V
MNXfFQf8C5Lh2OG7tDsP6uQcLEV/J+ieCWN2ylKH5lARVzEPQB5TpVGfgcbdrqPr
66Ia3NS/gKDHtpKDigBOpYau4jFC71252Hpfap13/OiH53/+1es3hwXm5k4xtYYL
WU8iAG7wlKwrj8zSljeElOvOw0EiDLaX/dnhtNKboquKxAgJrQkGG2a3G4KlFQ50
W4xR0Jrx67/UkWJLic1h51vc1RGw7zeDbOwJ+xl+2uXDGCjRtQHmXChpBSInAMjP
r0uza47Oi/+XQGuVYAdYR12lp89Vl7EGAvoy6seKablkVSu7zBMxBi70GyrQdKFw
eM7ixMdqSS1MZ6zdI/64Aaq9XB1wgg==
=EY5+
-END PGP SIGNATURE-




Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Revision of the patch file. Please verify. :)

- -- 
With best regards

Jasper Orschulko
DevOps Engineer

Tel. +49 30 58 58 14 265
Fax +49 30 58 58 14 999
jasper.orschu...@iris-sensing.com

• • • • • • • • • • • • • • • • • • • • • • • • • •

iris-GmbH
infrared & intelligent sensors
Ostendstraße 1-14 | 12459 Berlin

https://iris-sensing.com/




On Wed, 2021-06-16 at 18:19 +, Jasper Orschulko wrote:
> expat < 4.0 is vulnerable to billion laughs attacks (see
> [https://github.com/libexpat/libexpat/issues/34]). This patch
> backports
> the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
> 
> Additionally, the SRC_URI had to be adjusted due to renaming of the
> source archive
> 
> Signed-off-by: Jasper Orschulko 
> ---
>  .../expat/expat/CVE-2013-0340.patch   | 1758
> +
>  .../expat/expat/libtool-tag.patch |   41 +-
>  meta/recipes-core/expat/expat_2.2.9.bb    |   10 +-
>  3 files changed, 1783 insertions(+), 26 deletions(-)
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
> 
> diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch
> b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
> new file mode 100644
> index 00..5ef749719d
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
> @@ -0,0 +1,1758 @@
> +From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00
> 2001
> +From: Sebastian Pipping 
> +Date: Mon, 19 Apr 2021 21:42:51 +0200
> +Subject: [PATCH] expat: Backport fix for CVE-2013-0340
> +
> +Issue: https://github.com/libexpat/libexpat/issues/34
> +
> +This patch cherry-picks the following commits from upstream release
> +2.4.0 onto 2.2.9:
> +
> +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> +- 60959f2b491876199879d97c8ed956eabb0c2e73
> +
> +Upstream-Status: Backport
> +CVE: CVE-2013-0340
> +Signed-off-by: Jasper Orschulko 
> +---
> + lib/expat.h   |   21 +-
> + lib/internal.h    |   30 +
> + lib/libexpat.def  |    3 +
> + lib/libexpatw.def |    3 +
> + lib/xmlparse.c    | 1147 +--
> + 5 files changed, 1143 insertions(+), 61 deletions(-)
> +
> +diff --git a/lib/expat.h b/lib/expat.h
> +index 48a6e2a3..0fb70d9d 100644
> +--- a/lib/expat.h
>  b/lib/expat.h
> +@@ -115,7 +115,9 @@ enum XML_Error {
> +   XML_ERROR_RESERVED_PREFIX_XMLNS,
> +   XML_ERROR_RESERVED_NAMESPACE_URI,
> +   /* Added in 2.2.1. */
> +-  XML_ERROR_INVALID_ARGUMENT
> ++  XML_ERROR_INVALID_ARGUMENT,
> ++  /* Added in 2.4.0. */
> ++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
> + };
> + 
> + enum XML_Content_Type {
> +@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
> +   XML_FEATURE_SIZEOF_XML_LCHAR,
> +   XML_FEATURE_NS,
> +   XML_FEATURE_LARGE_SIZE,
> +-  XML_FEATURE_ATTR_INFO
> ++  XML_FEATURE_ATTR_INFO,
> ++  /* Added in Expat 2.4.0. */
> ++ 
> XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DE
> FA
> ULT,
> ++ 
> XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEF
> AU
> LT
> +   /* Additional features must be added to the end of this enum. */
> + };
> + 
> +@@ -1010,6 +1015,18 @@ typedef struct {
> + XMLPARSEAPI(const XML_Feature *)
> + XML_GetFeatureList(void);
> + 
> ++#ifdef XML_DTD
> ++/* Added in Expat 2.4.0. */
> ++XMLPARSEAPI(XML_Bool)
> ++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> ++    XML_Parser parser, float maximumAmplificationFactor);
> ++
> ++/* Added in Expat 2.4.0. */
> ++XMLPARSEAPI(XML_Bool)
> ++XML_SetBillionLaughsAttackProtectionActivationThreshold(
> ++    XML_Parser parser, unsigned long long
> activationThresholdBytes);
> ++#endif
> ++
> + /* Expat follows the semantic versioning convention.
> +    See http://semver.org.
> + */
> +diff --git a/lib/internal.h b/lib/internal.h
> +index 60913dab..d8b31fa2 100644
> +--- a/lib/internal.h
>  b/lib/internal.h
> +@@ -101,10 +101,40 @@
> + #  endif
> + #endif
> + 
> ++#include  // ULONG_MAX
> ++
> ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
> ++#  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
> ++#  if defined(_WIN64) // Note: modifier "td" does not work for
> MinGW
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
> ++#  else
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
> ++#  endif
> ++#else
> ++#  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
> ++#  if ! defined(ULONG_MAX)
> ++#    error Compiler did not define ULONG_MAX for us
> ++#  elif ULONG_MAX == 18446744073709551615u // 2^64-1
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
> ++#  else
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
> ++#  endif
> ++#endif
> ++
> + #ifndef UNUSED_P
> + #  define UNUSED_P(p) (void)p
> + #endif
> + 
> ++/* NOTE BEGIN If you ever patch these defaults to greater values
> ++  for non-attack XML payload in your environment,
> ++  please file a bug report with 

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
expat < 4.0 is vulnerable to billion laughs attacks (see
[https://github.com/libexpat/libexpat/issues/34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

Signed-off-by: Jasper Orschulko 
---
 .../expat/expat/CVE-2013-0340.patch   | 1758 +
 .../expat/expat/libtool-tag.patch |   41 +-
 meta/recipes-core/expat/expat_2.2.9.bb|   10 +-
 3 files changed, 1783 insertions(+), 26 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch
b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 00..5ef749719d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@
+From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 19 Apr 2021 21:42:51 +0200
+Subject: [PATCH] expat: Backport fix for CVE-2013-0340
+
+Issue: https://github.com/libexpat/libexpat/issues/34
+
+This patch cherry-picks the following commits from upstream release
+2.4.0 onto 2.2.9:
+
+- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
+- 60959f2b491876199879d97c8ed956eabb0c2e73
+
+Upstream-Status: Backport
+CVE: CVE-2013-0340
+Signed-off-by: Jasper Orschulko 
+---
+ lib/expat.h   |   21 +-
+ lib/internal.h|   30 +
+ lib/libexpat.def  |3 +
+ lib/libexpatw.def |3 +
+ lib/xmlparse.c| 1147 +--
+ 5 files changed, 1143 insertions(+), 61 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 48a6e2a3..0fb70d9d 100644
+--- a/lib/expat.h
 b/lib/expat.h
+@@ -115,7 +115,9 @@ enum XML_Error {
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+   XML_ERROR_RESERVED_NAMESPACE_URI,
+   /* Added in 2.2.1. */
+-  XML_ERROR_INVALID_ARGUMENT
++  XML_ERROR_INVALID_ARGUMENT,
++  /* Added in 2.4.0. */
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ };
+ 
+ enum XML_Content_Type {
+@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
+   XML_FEATURE_SIZEOF_XML_LCHAR,
+   XML_FEATURE_NS,
+   XML_FEATURE_LARGE_SIZE,
+-  XML_FEATURE_ATTR_INFO
++  XML_FEATURE_ATTR_INFO,
++  /* Added in Expat 2.4.0. */
++ 
XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFA
ULT,
++ 
XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAU
LT
+   /* Additional features must be added to the end of this enum. */
+ };
+ 
+@@ -1010,6 +1015,18 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+ 
++#ifdef XML_DTD
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++XML_Parser parser, float maximumAmplificationFactor);
++
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++XML_Parser parser, unsigned long long activationThresholdBytes);
++#endif
++
+ /* Expat follows the semantic versioning convention.
+See http://semver.org.
+ */
+diff --git a/lib/internal.h b/lib/internal.h
+index 60913dab..d8b31fa2 100644
+--- a/lib/internal.h
 b/lib/internal.h
+@@ -101,10 +101,40 @@
+ #  endif
+ #endif
+ 
++#include  // ULONG_MAX
++
++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
++#  if defined(_WIN64) // Note: modifier "td" does not work for MinGW
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#else
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
++#  if ! defined(ULONG_MAX)
++#error Compiler did not define ULONG_MAX for us
++#  elif ULONG_MAX == 18446744073709551615u // 2^64-1
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#endif
++
+ #ifndef UNUSED_P
+ #  define UNUSED_P(p) (void)p
+ #endif
+ 
++/* NOTE BEGIN If you ever patch these defaults to greater values
++  for non-attack XML payload in your environment,
++  please file a bug report with libexpat.  Thank you!
++*/
++#define
EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT  
\
++  100.0f
++#define
EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT   
\
++  8388608 // 8 MiB, 2^23
++/* NOTE END */
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff --git a/lib/libexpat.def b/lib/libexpat.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpat.def
 b/lib/libexpat.def
+@@ -76,3 +76,6 @@ EXPORTS
+   XML_SetHashSalt @67
+ ; added with version 2.2.5
+   _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++  XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++  XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/libexpatw.def 

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Steve Sakoman
On Wed, Jun 16, 2021 at 5:17 AM Jasper Orschulko
 wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi Steve!
>
> Thanks for the quick feedback! I just noticed that the archive folder
> structure from sourceforge differs from the git content, thus the
> "inner" patch currently fails. Oops!
>
> I'm thinking about setting the git repository as SRC_URI, as the expat
> project is currently moving away from sourceforge towards github. Also,
> we would not be affected by random archive renaming ;) What do you
> think?

If the upstream project is moving from sourceforge to github, then yes
it makes sense to change the SRC_URI to reflect their new standard
source location.

Steve
> - --
> With best regards
>
> Jasper Orschulko
> DevOps Engineer
>
> Tel. +49 30 58 58 14 265
> Fax +49 30 58 58 14 999
> jasper.orschu...@iris-sensing.com
>
> • • • • • • • • • • • • • • • • • • • • • • • • • •
>
> iris-GmbH
> infrared & intelligent sensors
> Ostendstraße 1-14 | 12459 Berlin
>
> https://iris-sensing.com/
>
>
>
>
> On Wed, 2021-06-16 at 05:09 -1000, Steve Sakoman wrote:
> > On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko
> >  wrote:
> > >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > P.S.: I am not too familiar with expat, this particular CVE, not
> > > with
> > > the practise of backporting security patches, so someone(TM) should
> > > definitely take a closer look at this first.
> >
> > Will do!
> >
> > A few initial comments:
> >
> > 1. Please don't PGP sign patch emails :-)
> > 2. Change the patch file name to CVE-2013-0340.patch
> >
> > Other than that it looks OK at first glance.
> >
> > For reference the patch requirements for CVE's are outlined at:
> >
> > https://wiki.yoctoproject.org/wiki/Security
> >
> > in the "Patch name convention and commit message" section.
> >
> > Thanks for helping with CVEs!
> >
> > Steve
> >
> >
> >
> >
> > > With best regards
> > >
> > > Jasper Orschulko
> > > DevOps Engineer
> > >
> > > Tel. +49 30 58 58 14 265
> > > Fax +49 30 58 58 14 999
> > > jasper.orschu...@iris-sensing.com
> > >
> > > • • • • • • • • • • • • • • • • • • • • • • • • • •
> > >
> > > iris-GmbH
> > > infrared & intelligent sensors
> > > Ostendstraße 1-14 | 12459 Berlin
> > >
> > > https://iris-sensing.com/
> > >
> > >
> > >
> > >
> > > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote:
> > > > expat < 4.0 is vulnerable to billion laughs attacks (see
> > > > [https://github.com/libexpat/libexpat/issues/34]). This patch
> > > > backports
> > > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
> > > >
> > > > Additionally, the SRC_URI had to be adjusted due to renaming of
> > > > the
> > > > source archive
> > > >
> > > > Signed-off-by: Jasper Orschulko
> > > > 
> > > > ---
> > > >  ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758
> > > > +
> > > >  meta/recipes-core/expat/expat_2.2.9.bb|3 +-
> > > >  2 files changed, 1760 insertions(+), 1 deletion(-)
> > > >  create mode 100644 meta/recipes-core/expat/expat/0001-expat-
> > > > Backport-
> > > > fix-for-CVE-2013-0340.patch
> > > >
> > > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-
> > > > fix-
> > > > for-
> > > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat-
> > > > Backport-fix-for-CVE-2013-0340.patch
> > > > new file mode 100644
> > > > index 00..b2ca066d96
> > > > --- /dev/null
> > > > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-
> > > > CVE-
> > > > 2013-0340.patch
> > > > @@ -0,0 +1,1758 @@
> > > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17
> > > > 00:00:00
> > > > 2001
> > > > +From: Sebastian Pipping 
> > > > +Date: Mon, 19 Apr 2021 21:42:51 +0200
> > > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340
> > > > +
> > > > +Issue: https://github.com/libexpat/libexpat/issues/34
> > > > +
> > > > +This patch cherry-picks the following commits from upstream
> > > > release
> > > > +2.4.0 onto 2.2.9:
> > > > +
> > > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > > > +- 60959f2b491876199879d97c8ed956eabb0c2e73
> > > > +
> > > > +Upstream-Status: Backport
> > > > +CVE: CVE-2013-0340
> > > > +Signed-off-by: Jasper Orschulko
> > > > 
> > > > +---
> > > > + expat/lib/expat.h   |   21 +-
> > > > + expat/lib/internal.h|   30 +
> > > > + expat/lib/libexpat.def  |3 +
> > > > + expat/lib/libexpatw.def |3 +
> > > > + expat/lib/xmlparse.c| 1147
> > > > +-
> > > > -
> > > > + 5 files changed, 1143 insertions(+), 61 deletions(-)
> > > > +
> > > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h
> > > > +index 48a6e2a3..796086c2 100644
> > > > +--- a/expat/lib/expat.h
> > > >  b/expat/lib/expat.h
> > > > +@@ -115,7 +115,9 @@ enum XML_Error {
> > > > +   XML_ERROR_RESERVED_PREFIX_XMLNS,
> > > > +   XML_ERROR_RESERVED_NAMESPACE_URI,
> > > > +   /* Added in 2.2.1. */
> > > > 

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

P.S.: I was looking
at 
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Example:_CVE_patch_header
and this page as far as I can tell only mentions the patch header
convention, not the file name itself. Maybe this needs an update? :)
 
- -- 
With best regards

Jasper Orschulko
DevOps Engineer

Tel. +49 30 58 58 14 265
Fax +49 30 58 58 14 999
jasper.orschu...@iris-sensing.com

• • • • • • • • • • • • • • • • • • • • • • • • • •

iris-GmbH
infrared & intelligent sensors
Ostendstraße 1-14 | 12459 Berlin

https://iris-sensing.com/




On Wed, 2021-06-16 at 05:09 -1000, Steve Sakoman wrote:
> On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko
>  wrote:
> > 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > P.S.: I am not too familiar with expat, this particular CVE, nor with
> > the practice of backporting security patches, so someone(TM) should
> > definitely take a closer look at this first.
> 
> Will do!
> 
> A few initial comments:
> 
> 1. Please don't PGP sign patch emails :-)
> 2. Change the patch file name to CVE-2013-0340.patch
> 
> Other than that it looks OK at first glance.
> 
> For reference the patch requirements for CVE's are outlined at:
> 
> https://wiki.yoctoproject.org/wiki/Security
> 
> in the "Patch name convention and commit message" section.
> 
> Thanks for helping with CVEs!
> 
> Steve
> 
> 
> 
> 
> > With best regards
> > 
> > Jasper Orschulko
> > DevOps Engineer
> > 
> > Tel. +49 30 58 58 14 265
> > Fax +49 30 58 58 14 999
> > jasper.orschu...@iris-sensing.com
> > 
> > • • • • • • • • • • • • • • • • • • • • • • • • • •
> > 
> > iris-GmbH
> > infrared & intelligent sensors
> > Ostendstraße 1-14 | 12459 Berlin
> > 
> > https://iris-sensing.com/
> > 
> > 
> > 
> > 
> > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote:
> > > expat < 4.0 is vulnerable to billion laughs attacks (see
> > > [https://github.com/libexpat/libexpat/issues/34]). This patch
> > > backports
> > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
> > > 
> > > Additionally, the SRC_URI had to be adjusted due to renaming of the
> > > source archive
> > > 
> > > Signed-off-by: Jasper Orschulko 
> > > ---
> > >  ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758
> > > +
> > >  meta/recipes-core/expat/expat_2.2.9.bb    |    3 +-
> > >  2 files changed, 1760 insertions(+), 1 deletion(-)
> > >  create mode 100644 meta/recipes-core/expat/expat/0001-expat-
> > > Backport-
> > > fix-for-CVE-2013-0340.patch
> > > 
> > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix-
> > > for-
> > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat-
> > > Backport-fix-for-CVE-2013-0340.patch
> > > new file mode 100644
> > > index 00..b2ca066d96
> > > --- /dev/null
> > > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-
> > > CVE-
> > > 2013-0340.patch
> > > @@ -0,0 +1,1758 @@
> > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00
> > > 2001
> > > +From: Sebastian Pipping 
> > > +Date: Mon, 19 Apr 2021 21:42:51 +0200
> > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340
> > > +
> > > +Issue: https://github.com/libexpat/libexpat/issues/34
> > > +
> > > +This patch cherry-picks the following commits from upstream
> > > release
> > > +2.4.0 onto 2.2.9:
> > > +
> > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > > +- 60959f2b491876199879d97c8ed956eabb0c2e73
> > > +
> > > +Upstream-Status: Backport
> > > +CVE: CVE-2013-0340
> > > +Signed-off-by: Jasper Orschulko
> > > 
> > > +---
> > > + expat/lib/expat.h   |   21 +-
> > > + expat/lib/internal.h    |   30 +
> > > + expat/lib/libexpat.def  |    3 +
> > > + expat/lib/libexpatw.def |    3 +
> > > + expat/lib/xmlparse.c    | 1147
> > > +-
> > > -
> > > + 5 files changed, 1143 insertions(+), 61 deletions(-)
> > > +
> > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h
> > > +index 48a6e2a3..796086c2 100644
> > > +--- a/expat/lib/expat.h
> > >  b/expat/lib/expat.h
> > > +@@ -115,7 +115,9 @@ enum XML_Error {
> > > +   XML_ERROR_RESERVED_PREFIX_XMLNS,
> > > +   XML_ERROR_RESERVED_NAMESPACE_URI,
> > > +   /* Added in 2.2.1. */
> > > +-  XML_ERROR_INVALID_ARGUMENT
> > > ++  XML_ERROR_INVALID_ARGUMENT,
> > > ++  /* Backported from 2.4.0. */
> > > ++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
> > > + };
> > > +
> > > + enum XML_Content_Type {
> > > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
> > > +   XML_FEATURE_SIZEOF_XML_LCHAR,
> > > +   XML_FEATURE_NS,
> > > +   XML_FEATURE_LARGE_SIZE,
> > > +-  XML_FEATURE_ATTR_INFO
> > > ++  XML_FEATURE_ATTR_INFO,
> > > ++  /* Added in Expat 2.4.0. */
> > > ++
> > > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_
> > > DE
> > > FA
> > > ULT,
> > > ++
> > > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_D
> > > EF
> > > AU
> > > LT
> 

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi Steve!

Thanks for the quick feedback! I just noticed that the archive folder
structure from sourceforge differs from the git content, thus the
"inner" patch currently fails. Oops!

I'm thinking about setting the git repository as SRC_URI, as the expat
project is currently moving away from sourceforge towards github. Also,
we would not be affected by random archive renaming ;) What do you
think?

- -- 
With best regards

Jasper Orschulko
DevOps Engineer

Tel. +49 30 58 58 14 265
Fax +49 30 58 58 14 999
jasper.orschu...@iris-sensing.com

• • • • • • • • • • • • • • • • • • • • • • • • • •

iris-GmbH
infrared & intelligent sensors
Ostendstraße 1-14 | 12459 Berlin

https://iris-sensing.com/




On Wed, 2021-06-16 at 05:09 -1000, Steve Sakoman wrote:
> On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko
>  wrote:
> > 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > P.S.: I am not too familiar with expat, this particular CVE, not
> > with
> > the practise of backporting security patches, so someone(TM) should
> > definitely take a closer look at this first.
> 
> Will do!
> 
> A few initial comments:
> 
> 1. Please don't PGP sign patch emails :-)
> 2. Change the patch file name to CVE-2013-0340.patch
> 
> Other than that it looks OK at first glance.
> 
> For reference the patch requirements for CVE's are outlined at:
> 
> https://wiki.yoctoproject.org/wiki/Security
> 
> in the "Patch name convention and commit message" section.
> 
> Thanks for helping with CVEs!
> 
> Steve
> 
> 
> 
> 
> > With best regards
> > 
> > Jasper Orschulko
> > DevOps Engineer
> > 
> > Tel. +49 30 58 58 14 265
> > Fax +49 30 58 58 14 999
> > jasper.orschu...@iris-sensing.com
> > 
> > • • • • • • • • • • • • • • • • • • • • • • • • • •
> > 
> > iris-GmbH
> > infrared & intelligent sensors
> > Ostendstraße 1-14 | 12459 Berlin
> > 
> > https://iris-sensing.com/
> > 
> > 
> > 
> > 
> > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote:
> > > expat < 4.0 is vulnerable to billion laughs attacks (see
> > > [https://github.com/libexpat/libexpat/issues/34]). This patch
> > > backports
> > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
> > > 
> > > Additionally, the SRC_URI had to be adjusted due to renaming of
> > > the
> > > source archive
> > > 
> > > Signed-off-by: Jasper Orschulko
> > > 
> > > ---
> > >  ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758
> > > +
> > >  meta/recipes-core/expat/expat_2.2.9.bb    |    3 +-
> > >  2 files changed, 1760 insertions(+), 1 deletion(-)
> > >  create mode 100644 meta/recipes-core/expat/expat/0001-expat-
> > > Backport-
> > > fix-for-CVE-2013-0340.patch
> > > 
> > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-
> > > fix-
> > > for-
> > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat-
> > > Backport-fix-for-CVE-2013-0340.patch
> > > new file mode 100644
> > > index 00..b2ca066d96
> > > --- /dev/null
> > > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-
> > > CVE-
> > > 2013-0340.patch
> > > @@ -0,0 +1,1758 @@
> > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17
> > > 00:00:00
> > > 2001
> > > +From: Sebastian Pipping 
> > > +Date: Mon, 19 Apr 2021 21:42:51 +0200
> > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340
> > > +
> > > +Issue: https://github.com/libexpat/libexpat/issues/34
> > > +
> > > +This patch cherry-picks the following commits from upstream
> > > release
> > > +2.4.0 onto 2.2.9:
> > > +
> > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > > +- 60959f2b491876199879d97c8ed956eabb0c2e73
> > > +
> > > +Upstream-Status: Backport
> > > +CVE: CVE-2013-0340
> > > +Signed-off-by: Jasper Orschulko
> > > 
> > > +---
> > > + expat/lib/expat.h   |   21 +-
> > > + expat/lib/internal.h    |   30 +
> > > + expat/lib/libexpat.def  |    3 +
> > > + expat/lib/libexpatw.def |    3 +
> > > + expat/lib/xmlparse.c    | 1147
> > > +-
> > > -
> > > + 5 files changed, 1143 insertions(+), 61 deletions(-)
> > > +
> > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h
> > > +index 48a6e2a3..796086c2 100644
> > > +--- a/expat/lib/expat.h
> > >  b/expat/lib/expat.h
> > > +@@ -115,7 +115,9 @@ enum XML_Error {
> > > +   XML_ERROR_RESERVED_PREFIX_XMLNS,
> > > +   XML_ERROR_RESERVED_NAMESPACE_URI,
> > > +   /* Added in 2.2.1. */
> > > +-  XML_ERROR_INVALID_ARGUMENT
> > > ++  XML_ERROR_INVALID_ARGUMENT,
> > > ++  /* Backported from 2.4.0. */
> > > ++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
> > > + };
> > > +
> > > + enum XML_Content_Type {
> > > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
> > > +   XML_FEATURE_SIZEOF_XML_LCHAR,
> > > +   XML_FEATURE_NS,
> > > +   XML_FEATURE_LARGE_SIZE,
> > > +-  XML_FEATURE_ATTR_INFO
> > > ++  XML_FEATURE_ATTR_INFO,
> > > ++  /* Added in Expat 2.4.0. */
> > > ++
> > > 

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Steve Sakoman
On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko
 wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> P.S.: I am not too familiar with expat, this particular CVE, not with
> the practise of backporting security patches, so someone(TM) should
> definitely take a closer look at this first.

Will do!

A few initial comments:

1. Please don't PGP sign patch emails :-)
2. Change the patch file name to CVE-2013-0340.patch

Other than that it looks OK at first glance.

For reference, the patch requirements for CVEs are outlined at:

https://wiki.yoctoproject.org/wiki/Security

in the "Patch name convention and commit message" section.

Thanks for helping with CVEs!

Steve




> With best regards
>
> Jasper Orschulko
> DevOps Engineer
>
> Tel. +49 30 58 58 14 265
> Fax +49 30 58 58 14 999
> jasper.orschu...@iris-sensing.com
>
> • • • • • • • • • • • • • • • • • • • • • • • • • •
>
> iris-GmbH
> infrared & intelligent sensors
> Ostendstraße 1-14 | 12459 Berlin
>
> https://iris-sensing.com/
>
>
>
>
> On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote:
> > expat < 4.0 is vulnerable to billion laughs attacks (see
> > [https://github.com/libexpat/libexpat/issues/34]). This patch
> > backports
> > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
> >
> > Additionally, the SRC_URI had to be adjusted due to renaming of the
> > source archive
> >
> > Signed-off-by: Jasper Orschulko 
> > ---
> >  ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758
> > +
> >  meta/recipes-core/expat/expat_2.2.9.bb|3 +-
> >  2 files changed, 1760 insertions(+), 1 deletion(-)
> >  create mode 100644 meta/recipes-core/expat/expat/0001-expat-
> > Backport-
> > fix-for-CVE-2013-0340.patch
> >
> > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix-
> > for-
> > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat-
> > Backport-fix-for-CVE-2013-0340.patch
> > new file mode 100644
> > index 00..b2ca066d96
> > --- /dev/null
> > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-CVE-
> > 2013-0340.patch
> > @@ -0,0 +1,1758 @@
> > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00
> > 2001
> > +From: Sebastian Pipping 
> > +Date: Mon, 19 Apr 2021 21:42:51 +0200
> > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340
> > +
> > +Issue: https://github.com/libexpat/libexpat/issues/34
> > +
> > +This patch cherry-picks the following commits from upstream release
> > +2.4.0 onto 2.2.9:
> > +
> > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> > +- 60959f2b491876199879d97c8ed956eabb0c2e73
> > +
> > +Upstream-Status: Backport
> > +CVE: CVE-2013-0340
> > +Signed-off-by: Jasper Orschulko 
> > +---
> > + expat/lib/expat.h   |   21 +-
> > + expat/lib/internal.h|   30 +
> > + expat/lib/libexpat.def  |3 +
> > + expat/lib/libexpatw.def |3 +
> > + expat/lib/xmlparse.c| 1147
> > +-
> > -
> > + 5 files changed, 1143 insertions(+), 61 deletions(-)
> > +
> > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h
> > +index 48a6e2a3..796086c2 100644
> > +--- a/expat/lib/expat.h
> >  b/expat/lib/expat.h
> > +@@ -115,7 +115,9 @@ enum XML_Error {
> > +   XML_ERROR_RESERVED_PREFIX_XMLNS,
> > +   XML_ERROR_RESERVED_NAMESPACE_URI,
> > +   /* Added in 2.2.1. */
> > +-  XML_ERROR_INVALID_ARGUMENT
> > ++  XML_ERROR_INVALID_ARGUMENT,
> > ++  /* Backported from 2.4.0. */
> > ++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
> > + };
> > +
> > + enum XML_Content_Type {
> > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
> > +   XML_FEATURE_SIZEOF_XML_LCHAR,
> > +   XML_FEATURE_NS,
> > +   XML_FEATURE_LARGE_SIZE,
> > +-  XML_FEATURE_ATTR_INFO
> > ++  XML_FEATURE_ATTR_INFO,
> > ++  /* Added in Expat 2.4.0. */
> > ++
> > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DE
> > FA
> > ULT,
> > ++
> > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEF
> > AU
> > LT
> > +   /* Additional features must be added to the end of this enum. */
> > + };
> > +
> > +@@ -1010,6 +1015,18 @@ typedef struct {
> > + XMLPARSEAPI(const XML_Feature *)
> > + XML_GetFeatureList(void);
> > +
> > ++#ifdef XML_DTD
> > ++/* Backported from Expat 2.4.0. */
> > ++XMLPARSEAPI(XML_Bool)
> > ++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > ++XML_Parser parser, float maximumAmplificationFactor);
> > ++
> > ++/* Backported from Expat 2.4.0. */
> > ++XMLPARSEAPI(XML_Bool)
> > ++XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > ++XML_Parser parser, unsigned long long
> > activationThresholdBytes);
> > ++#endif
> > ++
> > + /* Expat follows the semantic versioning convention.
> > +See http://semver.org.
> > + */
> > +diff --git a/expat/lib/internal.h b/expat/lib/internal.h
> > +index 60913dab..d8b31fa2 100644
> > +--- a/expat/lib/internal.h
> >  b/expat/lib/internal.h
> > +@@ -101,10 +101,40 @@
> > + #  endif
> > + #endif
> 

Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

P.S.: I am not too familiar with expat, with this particular CVE, or with
the practice of backporting security patches, so someone(TM) should
definitely take a closer look at this first.

- -- 
With best regards

Jasper Orschulko
DevOps Engineer

Tel. +49 30 58 58 14 265
Fax +49 30 58 58 14 999
jasper.orschu...@iris-sensing.com

• • • • • • • • • • • • • • • • • • • • • • • • • •

iris-GmbH
infrared & intelligent sensors
Ostendstraße 1-14 | 12459 Berlin

https://iris-sensing.com/




On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote:
> expat < 4.0 is vulnerable to billion laughs attacks (see
> [https://github.com/libexpat/libexpat/issues/34]). This patch
> backports
> the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
> 
> Additionally, the SRC_URI had to be adjusted due to renaming of the
> source archive
> 
> Signed-off-by: Jasper Orschulko 
> ---
>  ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758
> +
>  meta/recipes-core/expat/expat_2.2.9.bb    |    3 +-
>  2 files changed, 1760 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/expat/expat/0001-expat-
> Backport-
> fix-for-CVE-2013-0340.patch
> 
> diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix-
> for-
> CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat-
> Backport-fix-for-CVE-2013-0340.patch
> new file mode 100644
> index 00..b2ca066d96
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-CVE-
> 2013-0340.patch
> @@ -0,0 +1,1758 @@
> +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00
> 2001
> +From: Sebastian Pipping 
> +Date: Mon, 19 Apr 2021 21:42:51 +0200
> +Subject: [PATCH] expat: Backport fix for CVE-2013-0340
> +
> +Issue: https://github.com/libexpat/libexpat/issues/34
> +
> +This patch cherry-picks the following commits from upstream release
> +2.4.0 onto 2.2.9:
> +
> +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
> +- 60959f2b491876199879d97c8ed956eabb0c2e73
> +
> +Upstream-Status: Backport
> +CVE: CVE-2013-0340
> +Signed-off-by: Jasper Orschulko 
> +---
> + expat/lib/expat.h   |   21 +-
> + expat/lib/internal.h    |   30 +
> + expat/lib/libexpat.def  |    3 +
> + expat/lib/libexpatw.def |    3 +
> + expat/lib/xmlparse.c    | 1147
> +-
> -
> + 5 files changed, 1143 insertions(+), 61 deletions(-)
> +
> +diff --git a/expat/lib/expat.h b/expat/lib/expat.h
> +index 48a6e2a3..796086c2 100644
> +--- a/expat/lib/expat.h
>  b/expat/lib/expat.h
> +@@ -115,7 +115,9 @@ enum XML_Error {
> +   XML_ERROR_RESERVED_PREFIX_XMLNS,
> +   XML_ERROR_RESERVED_NAMESPACE_URI,
> +   /* Added in 2.2.1. */
> +-  XML_ERROR_INVALID_ARGUMENT
> ++  XML_ERROR_INVALID_ARGUMENT,
> ++  /* Backported from 2.4.0. */
> ++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
> + };
> + 
> + enum XML_Content_Type {
> +@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
> +   XML_FEATURE_SIZEOF_XML_LCHAR,
> +   XML_FEATURE_NS,
> +   XML_FEATURE_LARGE_SIZE,
> +-  XML_FEATURE_ATTR_INFO
> ++  XML_FEATURE_ATTR_INFO,
> ++  /* Added in Expat 2.4.0. */
> ++ 
> XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DE
> FA
> ULT,
> ++ 
> XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEF
> AU
> LT
> +   /* Additional features must be added to the end of this enum. */
> + };
> + 
> +@@ -1010,6 +1015,18 @@ typedef struct {
> + XMLPARSEAPI(const XML_Feature *)
> + XML_GetFeatureList(void);
> + 
> ++#ifdef XML_DTD
> ++/* Backported from Expat 2.4.0. */
> ++XMLPARSEAPI(XML_Bool)
> ++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> ++    XML_Parser parser, float maximumAmplificationFactor);
> ++
> ++/* Backported from Expat 2.4.0. */
> ++XMLPARSEAPI(XML_Bool)
> ++XML_SetBillionLaughsAttackProtectionActivationThreshold(
> ++    XML_Parser parser, unsigned long long
> activationThresholdBytes);
> ++#endif
> ++
> + /* Expat follows the semantic versioning convention.
> +    See http://semver.org.
> + */
> +diff --git a/expat/lib/internal.h b/expat/lib/internal.h
> +index 60913dab..d8b31fa2 100644
> +--- a/expat/lib/internal.h
>  b/expat/lib/internal.h
> +@@ -101,10 +101,40 @@
> + #  endif
> + #endif
> + 
> ++#include  // ULONG_MAX
> ++
> ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
> ++#  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
> ++#  if defined(_WIN64) // Note: modifier "td" does not work for
> MinGW
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
> ++#  else
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
> ++#  endif
> ++#else
> ++#  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
> ++#  if ! defined(ULONG_MAX)
> ++#    error Compiler did not define ULONG_MAX for us
> ++#  elif ULONG_MAX == 18446744073709551615u // 2^64-1
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
> ++#  else
> ++#    define EXPAT_FMT_PTRDIFF_T(midpart) "%" 

[OE-core][dunfell][PATCH] expat: fix CVE-2013-0340

2021-06-16 Thread Jasper Orschulko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

expat < 4.0 is vulnerable to billion laughs attacks (see
[https://github.com/libexpat/libexpat/issues/34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

Signed-off-by: Jasper Orschulko 
- ---
 ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 +
 meta/recipes-core/expat/expat_2.2.9.bb|3 +-
 2 files changed, 1760 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/expat/expat/0001-expat-Backport-
fix-for-CVE-2013-0340.patch

diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-
CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat-
Backport-fix-for-CVE-2013-0340.patch
new file mode 100644
index 00..b2ca066d96
- --- /dev/null
+++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-CVE-
2013-0340.patch
@@ -0,0 +1,1758 @@
+From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 19 Apr 2021 21:42:51 +0200
+Subject: [PATCH] expat: Backport fix for CVE-2013-0340
+
+Issue: https://github.com/libexpat/libexpat/issues/34
+
+This patch cherry-picks the following commits from upstream release
+2.4.0 onto 2.2.9:
+
+- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
+- 60959f2b491876199879d97c8ed956eabb0c2e73
+
+Upstream-Status: Backport
+CVE: CVE-2013-0340
+Signed-off-by: Jasper Orschulko 
+---
+ expat/lib/expat.h   |   21 +-
+ expat/lib/internal.h|   30 +
+ expat/lib/libexpat.def  |3 +
+ expat/lib/libexpatw.def |3 +
+ expat/lib/xmlparse.c| 1147 +-
- -
+ 5 files changed, 1143 insertions(+), 61 deletions(-)
+
+diff --git a/expat/lib/expat.h b/expat/lib/expat.h
+index 48a6e2a3..796086c2 100644
+--- a/expat/lib/expat.h
 b/expat/lib/expat.h
+@@ -115,7 +115,9 @@ enum XML_Error {
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+   XML_ERROR_RESERVED_NAMESPACE_URI,
+   /* Added in 2.2.1. */
+-  XML_ERROR_INVALID_ARGUMENT
++  XML_ERROR_INVALID_ARGUMENT,
++  /* Backported from 2.4.0. */
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ };
+ 
+ enum XML_Content_Type {
+@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
+   XML_FEATURE_SIZEOF_XML_LCHAR,
+   XML_FEATURE_NS,
+   XML_FEATURE_LARGE_SIZE,
+-  XML_FEATURE_ATTR_INFO
++  XML_FEATURE_ATTR_INFO,
++  /* Added in Expat 2.4.0. */
++ 
XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFA
ULT,
++ 
XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAU
LT
+   /* Additional features must be added to the end of this enum. */
+ };
+ 
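Review bot: The two new enumerators in this hunk are broken across lines in the middle of the identifier (`..._MAXIMUM_AMPLIFICATION_DEFA` / `ULT,` and `..._ACTIVATION_THRESHOLD_DEFAU` / `LT`), so the hunk no longer matches its `+999,10` line count and will not apply as sent. The same wrapping hits the two `#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_*_DEFAULT` lines in the `internal.h` hunk, where the macro name ends up on a line of its own after a bare `#define`. Each should be a single line, e.g. `++  XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,`; sending with `git send-email`, or with the mail client's line wrapping turned off, keeps them intact. Separately, `/* Added in Expat 2.4.0. */` would read better as `/* Backported from Expat 2.4.0. */`, matching the other comments this patch adds, since the tree stays at 2.2.9. `enum XML_FeatureEnum` begins outside the hunk.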
+@@ -1010,6 +1015,18 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+ 
++#ifdef XML_DTD
++/* Backported from Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++XML_Parser parser, float maximumAmplificationFactor);
++
++/* Backported from Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++XML_Parser parser, unsigned long long activationThresholdBytes);
++#endif
++
+ /* Expat follows the semantic versioning convention.
+See http://semver.org.
+ */
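Review bot: The two setters are declared without any comment on which values they accept or what an `XML_FALSE` return means, and they exist only when `XML_DTD` is defined, so every caller has to wrap its call in the same `#ifdef`. A short header comment would help, for instance `/* Returns XML_FALSE if the setting was rejected; only available when built with XML_DTD. */`. The accepted range for `maximumAmplificationFactor` belongs there too; upstream 2.4.0 documents a non-NaN value of at least 1.0, which should be confirmed against the `xmlparse.c` part of this backport, outside this hunk. Because the library version stays 2.2.9, consumers that need to know whether the protection is present presumably have to look for the new entries in `XML_GetFeatureList()` rather than rely on the version number.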
+diff --git a/expat/lib/internal.h b/expat/lib/internal.h
+index 60913dab..d8b31fa2 100644
+--- a/expat/lib/internal.h
 b/expat/lib/internal.h
+@@ -101,10 +101,40 @@
+ #  endif
+ #endif
+ 
++#include  // ULONG_MAX
++
++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
++#  if defined(_WIN64) // Note: modifier "td" does not work for MinGW
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#else
++#  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
++#  if ! defined(ULONG_MAX)
++#error Compiler did not define ULONG_MAX for us
++#  elif ULONG_MAX == 18446744073709551615u // 2^64-1
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
++#  else
++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++#  endif
++#endif
++
+ #ifndef UNUSED_P
+ #  define UNUSED_P(p) (void)p
+ #endif
+ 
++/* NOTE BEGIN If you ever patch these defaults to greater values
++  for non-attack XML payload in your environment,
++  please file a bug report with libexpat.  Thank you!
++*/
++#define
EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT  
\
++  100.0f
++#define
EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT   
\
++  8388608 // 8 MiB, 2^23
++/* NOTE END */
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
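Review bot: The defaults `100.0f` and `8388608` are the security-relevant knobs of this backport, yet the `NOTE BEGIN` comment only asks for a bug report and never says what each value bounds. A line such as `/* Maximum ratio of bytes processed (including entity expansion) to bytes of input; enforced only once the activation threshold is reached. */` would make that clear, assuming it matches the accounting in `xmlparse.c`, which is not visible in this hunk. On memory-constrained images, 8 MiB of processed output before the check engages may be more than is acceptable, so integrators may want to lower it per parser with `XML_SetBillionLaughsAttackProtectionActivationThreshold`. The `#include` at the top of the added block shows no header name here; the `// ULONG_MAX` remark suggests `limits.h`, which is worth confirming in the file as committed.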
+diff --git a/expat/lib/libexpat.def b/expat/lib/libexpat.def
+index 16faf595..b5e59d8d 100644
+--- a/expat/lib/libexpat.def
 b/expat/lib/libexpat.def
+@@ -76,3 +76,6 @@ EXPORTS
+   XML_SetHashSalt @67
+ ; added with version 2.2.5
+