[OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
expat < 4.0 is vulnerable to billion laughs attacks (see [https://github.com/libexpat/libexpat/issues/34]). This patch backports the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. Additionally, the SRC_URI had to be adjusted due to renaming of the source archive
Signed-off-by: Jasper Orschulko
Upstream-Status: Submitted [https://lists.openembedded.org/g/openembedded-core/message/153030?p=,,,20,0,0,0::Created,,Jasper,20,2,0,83581993]
---
.../expat/expat/CVE-2013-0340.patch | 1758 +
.../expat/expat/libtool-tag.patch | 41 +-
meta/recipes-core/expat/expat_2.2.9.bb| 12 +-
3 files changed, 1782 insertions(+), 29 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 00..5ef749719d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@ +From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Apr 2021 21:42:51 +0200 +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 + +Issue: https://github.com/libexpat/libexpat/issues/34 + +This patch cherry-picks the following commits from upstream release +2.4.0 onto 2.2.9: + +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 +- 60959f2b491876199879d97c8ed956eabb0c2e73 + +Upstream-Status: Backport +CVE: CVE-2013-0340 +Signed-off-by: Jasper Orschulko +--- + lib/expat.h | 21 +- + lib/internal.h| 30 + + lib/libexpat.def |3 + + lib/libexpatw.def |3 + + lib/xmlparse.c| 1147 +-- + 5 files changed, 1143 insertions(+), 61 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index 48a6e2a3..0fb70d9d 100644 +--- a/lib/expat.h b/lib/expat.h +@@ -115,7 +115,9 @@ enum XML_Error { + XML_ERROR_RESERVED_PREFIX_XMLNS, + XML_ERROR_RESERVED_NAMESPACE_URI, + /* Added in 2.2.1. */ +- XML_ERROR_INVALID_ARGUMENT ++ XML_ERROR_INVALID_ARGUMENT, ++ /* Added in 2.4.0. */ ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH + }; + + enum XML_Content_Type { +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { + XML_FEATURE_SIZEOF_XML_LCHAR, + XML_FEATURE_NS, + XML_FEATURE_LARGE_SIZE, +- XML_FEATURE_ATTR_INFO ++ XML_FEATURE_ATTR_INFO, ++ /* Added in Expat 2.4.0. */ ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT + /* Additional features must be added to the end of this enum. */ + }; + +@@ -1010,6 +1015,18 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + ++#ifdef XML_DTD ++/* Added in Expat 2.4.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++XML_Parser parser, float maximumAmplificationFactor); ++ ++/* Added in Expat 2.4.0. 
*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionActivationThreshold( ++XML_Parser parser, unsigned long long activationThresholdBytes); ++#endif ++ + /* Expat follows the semantic versioning convention. +See http://semver.org. + */ +diff --git a/lib/internal.h b/lib/internal.h +index 60913dab..d8b31fa2 100644 +--- a/lib/internal.h b/lib/internal.h +@@ -101,10 +101,40 @@ + # endif + #endif + ++#include // ULONG_MAX ++ ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" ++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#else ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" ++# if ! defined(ULONG_MAX) ++#error Compiler did not define ULONG_MAX for us ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#endif ++ + #ifndef UNUSED_P + # define UNUSED_P(p) (void)p + #endif + ++/* NOTE BEGIN If you ever patch these defaults to greater values ++ for non-attack XML payload in your environment, ++ please file a bug report with libexpat. Thank you! ++*/ ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \ ++ 100.0f ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \ ++ 8388608 // 8 MiB, 2^23 ++/* NOTE END */ ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/lib/libexpat.def b/lib/libexpat.def +index 16faf595..5aefa6df 100644 +--- a/lib/libexpat.def b/lib/libexpat.def +@@ -76,3 +76,6 @@ EXPORTS + XML_SetHashSalt @67 + ; added with version 2.2.5 + _INTERNAL_trim_to_complete_utf8_characters @68 ++; added with version 2.4.0 ++
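Review bot: In the `@@ -1010,6 +1015,18 @@` hunk of lib/expat.h the two new setters are declared only under `#ifdef XML_DTD` and documented with nothing but "Added in Expat 2.4.0", so the header does not say what the `XML_Bool` result means or that the functions can be absent from a build. I would put a short contract above each declaration, for example `/* Per-parser tuning of the billion laughs protection; declared only when XML_DTD is defined. Check the XML_Bool result. */`, and a line beside `XML_ERROR_AMPLIFICATION_LIMIT_BREACH` in the first hunk saying when a parse reports it (the xmlparse.c part that would confirm this is not visible here). The later copy of this patch in the thread shows lib/libexpat.def exporting both names as @69 and @70 with no condition; if xmlparse.c guards the definitions the same way as the header, a Windows DLL build without XML_DTD would presumably fail to link, which is worth confirming before merge. The defaults in the lib/internal.h hunk (100.0f amplification, 8388608-byte activation threshold) are the values integrators on memory-constrained targets would tune through these setters, so the comment could point at them; the same remarks apply to each repost of the patch below.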
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
expat < 4.0 is vulnerable to billion laughs attacks (see [https://github.com/libexpat/libexpat/issues/34]). This patch backports the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. Additionally, the SRC_URI had to be adjusted due to renaming of the source archive
Signed-off-by: Jasper Orschulko
Upstream-Status: Submitted [https://lists.openembedded.org/g/openembedded-core/message/153030?p=,,,20,0,0,0::Created,,Jasper,20,2,0,83581993 ]
---
.../expat/expat/CVE-2013-0340.patch | 1758 +
.../expat/expat/libtool-tag.patch | 41 +-
meta/recipes-core/expat/expat_2.2.9.bb| 12 +-
3 files changed, 1782 insertions(+), 29 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 00..5ef749719d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@ +From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Apr 2021 21:42:51 +0200 +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 + +Issue: https://github.com/libexpat/libexpat/issues/34 + +This patch cherry-picks the following commits from upstream release +2.4.0 onto 2.2.9: + +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 +- 60959f2b491876199879d97c8ed956eabb0c2e73 + +Upstream-Status: Backport +CVE: CVE-2013-0340 +Signed-off-by: Jasper Orschulko +--- + lib/expat.h | 21 +- + lib/internal.h| 30 + + lib/libexpat.def |3 + + lib/libexpatw.def |3 + + lib/xmlparse.c| 1147 +-- + 5 files changed, 1143 insertions(+), 61 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index 48a6e2a3..0fb70d9d 100644 +--- a/lib/expat.h b/lib/expat.h +@@ -115,7 +115,9 @@ enum XML_Error { + XML_ERROR_RESERVED_PREFIX_XMLNS, + XML_ERROR_RESERVED_NAMESPACE_URI, + /* Added in 2.2.1. */ +- XML_ERROR_INVALID_ARGUMENT ++ XML_ERROR_INVALID_ARGUMENT, ++ /* Added in 2.4.0. */ ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH + }; + + enum XML_Content_Type { +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { + XML_FEATURE_SIZEOF_XML_LCHAR, + XML_FEATURE_NS, + XML_FEATURE_LARGE_SIZE, +- XML_FEATURE_ATTR_INFO ++ XML_FEATURE_ATTR_INFO, ++ /* Added in Expat 2.4.0. */ ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFA ULT, ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAU LT + /* Additional features must be added to the end of this enum. */ + }; + +@@ -1010,6 +1015,18 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + ++#ifdef XML_DTD ++/* Added in Expat 2.4.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++XML_Parser parser, float maximumAmplificationFactor); ++ ++/* Added in Expat 2.4.0. 
*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionActivationThreshold( ++XML_Parser parser, unsigned long long activationThresholdBytes); ++#endif ++ + /* Expat follows the semantic versioning convention. +See http://semver.org. + */ +diff --git a/lib/internal.h b/lib/internal.h +index 60913dab..d8b31fa2 100644 +--- a/lib/internal.h b/lib/internal.h +@@ -101,10 +101,40 @@ + # endif + #endif + ++#include // ULONG_MAX ++ ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" ++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#else ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" ++# if ! defined(ULONG_MAX) ++#error Compiler did not define ULONG_MAX for us ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#endif ++ + #ifndef UNUSED_P + # define UNUSED_P(p) (void)p + #endif + ++/* NOTE BEGIN If you ever patch these defaults to greater values ++ for non-attack XML payload in your environment, ++ please file a bug report with libexpat. Thank you! ++*/ ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \ ++ 100.0f ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \ ++ 8388608 // 8 MiB, 2^23 ++/* NOTE END */ ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/lib/libexpat.def b/lib/libexpat.def +index 16faf595..5aefa6df 100644 +--- a/lib/libexpat.def b/lib/libexpat.def +@@ -76,3 +76,6 @@ EXPORTS + XML_SetHashSalt @67 + ; added with version 2.2.5 + _INTERNAL_trim_to_complete_utf8_characters @68 ++; added with version 2.4.0 ++
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I just noticed (additionally to the fact that I messed up the path in my patch), that the original do_configure_prepend task actually is not necessary, as there is no ${S}/conftools/libtool.m4 in the 2.9.9 release (neither git, nor sourceforge). While removing a non-existing file does no harm, I will provide a new patch tomorrow without this task, for tidiness' sake. ;) - -- With best regards Jasper Orschulko DevOps Engineer Tel. +49 30 58 58 14 265 Fax +49 30 58 58 14 999 jasper.orschu...@iris-sensing.com • • • • • • • • • • • • • • • • • • • • • • • • • • iris-GmbH infrared & intelligent sensors Ostendstraße 1-14 | 12459 Berlin https://iris-sensing.com/ On Wed, 2021-06-16 at 20:20 +0200, Jasper Orschulko wrote: > Revision of the the patch file. Please verify. :) > -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEE4WyPMIC5Ap4+Ooo1Ygqew07VMNUFAmDKaXMACgkQYgqew07V MNXfFQf8C5Lh2OG7tDsP6uQcLEV/J+ieCWN2ylKH5lARVzEPQB5TpVGfgcbdrqPr 66Ia3NS/gKDHtpKDigBOpYau4jFC71252Hpfap13/OiH53/+1es3hwXm5k4xtYYL WU8iAG7wlKwrj8zSljeElOvOw0EiDLaX/dnhtNKboquKxAgJrQkGG2a3G4KlFQ50 W4xR0Jrx67/UkWJLic1h51vc1RGw7zeDbOwJ+xl+2uXDGCjRtQHmXChpBSInAMjP r0uza47Oi/+XQGuVYAdYR12lp89Vl7EGAvoy6seKablkVSu7zBMxBi70GyrQdKFw eM7ixMdqSS1MZ6zdI/64Aaq9XB1wgg== =EY5+ -END PGP SIGNATURE-
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Revision of the the patch file. Please verify. :) - -- With best regards Jasper Orschulko DevOps Engineer Tel. +49 30 58 58 14 265 Fax +49 30 58 58 14 999 jasper.orschu...@iris-sensing.com • • • • • • • • • • • • • • • • • • • • • • • • • • iris-GmbH infrared & intelligent sensors Ostendstraße 1-14 | 12459 Berlin https://iris-sensing.com/ On Wed, 2021-06-16 at 18:19 +, Jasper Orschulko wrote: > expat < 4.0 is vulnerable to billion laughs attacks (see > [https://github.com/libexpat/libexpat/issues/34]). This patch > backports > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. > > Additionally, the SRC_URI had to be adjusted due to renaming of the > source archive > > Signed-off-by: Jasper Orschulko > --- > .../expat/expat/CVE-2013-0340.patch | 1758 > + > .../expat/expat/libtool-tag.patch | 41 +- > meta/recipes-core/expat/expat_2.2.9.bb | 10 +- > 3 files changed, 1783 insertions(+), 26 deletions(-) > create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch > > diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch > b/meta/recipes-core/expat/expat/CVE-2013-0340.patch > new file mode 100644 > index 00..5ef749719d > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch 
> @@ -0,0 +1,1758 @@ > +From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 > 2001 > +From: Sebastian Pipping > +Date: Mon, 19 Apr 2021 21:42:51 +0200 > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 > + > +Issue: https://github.com/libexpat/libexpat/issues/34 > + > +This patch cherry-picks the following commits from upstream release > +2.4.0 onto 2.2.9: > + > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > +- 60959f2b491876199879d97c8ed956eabb0c2e73 > + > +Upstream-Status: Backport > +CVE: CVE-2013-0340 > +Signed-off-by: Jasper Orschulko > +--- > + lib/expat.h | 21 +- > + lib/internal.h | 30 + > + lib/libexpat.def | 3 + > + lib/libexpatw.def | 3 + > + lib/xmlparse.c | 1147 +-- > + 5 files changed, 1143 insertions(+), 61 deletions(-) > + > +diff --git a/lib/expat.h b/lib/expat.h > +index 48a6e2a3..0fb70d9d 100644 > +--- a/lib/expat.h > b/lib/expat.h > +@@ -115,7 +115,9 @@ enum XML_Error { > + XML_ERROR_RESERVED_PREFIX_XMLNS, > + XML_ERROR_RESERVED_NAMESPACE_URI, > + /* Added in 2.2.1. */ > +- XML_ERROR_INVALID_ARGUMENT > ++ XML_ERROR_INVALID_ARGUMENT, > ++ /* Added in 2.4.0. */ > ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH > + }; > + > + enum XML_Content_Type { > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { > + XML_FEATURE_SIZEOF_XML_LCHAR, > + XML_FEATURE_NS, > + XML_FEATURE_LARGE_SIZE, > +- XML_FEATURE_ATTR_INFO > ++ XML_FEATURE_ATTR_INFO, > ++ /* Added in Expat 2.4.0. */ > ++ > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DE > FA > ULT, > ++ > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEF > AU > LT > + /* Additional features must be added to the end of this enum. */ > + }; > + > +@@ -1010,6 +1015,18 @@ typedef struct { > + XMLPARSEAPI(const XML_Feature *) > + XML_GetFeatureList(void); > + > ++#ifdef XML_DTD > ++/* Added in Expat 2.4.0. 
*/ > ++XMLPARSEAPI(XML_Bool) > ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( > ++ XML_Parser parser, float maximumAmplificationFactor); > ++ > ++/* Added in Expat 2.4.0. */ > ++XMLPARSEAPI(XML_Bool) > ++XML_SetBillionLaughsAttackProtectionActivationThreshold( > ++ XML_Parser parser, unsigned long long > activationThresholdBytes); > ++#endif > ++ > + /* Expat follows the semantic versioning convention. > + See http://semver.org. > + */ > +diff --git a/lib/internal.h b/lib/internal.h > +index 60913dab..d8b31fa2 100644 > +--- a/lib/internal.h > b/lib/internal.h > +@@ -101,10 +101,40 @@ > + # endif > + #endif > + > ++#include // ULONG_MAX > ++ > ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) > ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" > ++# if defined(_WIN64) // Note: modifier "td" does not work for > MinGW > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" > ++# else > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" > ++# endif > ++#else > ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" > ++# if ! defined(ULONG_MAX) > ++# error Compiler did not define ULONG_MAX for us > ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" > ++# else > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" > ++# endif > ++#endif > ++ > + #ifndef UNUSED_P > + # define UNUSED_P(p) (void)p > + #endif > + > ++/* NOTE BEGIN If you ever patch these defaults to greater values > ++ for non-attack XML payload in your environment, > ++ please file a bug report with
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
expat < 4.0 is vulnerable to billion laughs attacks (see [https://github.com/libexpat/libexpat/issues/34]). This patch backports the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. Additionally, the SRC_URI had to be adjusted due to renaming of the source archive
Signed-off-by: Jasper Orschulko
---
.../expat/expat/CVE-2013-0340.patch | 1758 +
.../expat/expat/libtool-tag.patch | 41 +-
meta/recipes-core/expat/expat_2.2.9.bb| 10 +-
3 files changed, 1783 insertions(+), 26 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 00..5ef749719d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@ +From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Apr 2021 21:42:51 +0200 +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 + +Issue: https://github.com/libexpat/libexpat/issues/34 + +This patch cherry-picks the following commits from upstream release +2.4.0 onto 2.2.9: + +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 +- 60959f2b491876199879d97c8ed956eabb0c2e73 + +Upstream-Status: Backport +CVE: CVE-2013-0340 +Signed-off-by: Jasper Orschulko +--- + lib/expat.h | 21 +- + lib/internal.h| 30 + + lib/libexpat.def |3 + + lib/libexpatw.def |3 + + lib/xmlparse.c| 1147 +-- + 5 files changed, 1143 insertions(+), 61 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index 48a6e2a3..0fb70d9d 100644 +--- a/lib/expat.h b/lib/expat.h +@@ -115,7 +115,9 @@ enum XML_Error { + XML_ERROR_RESERVED_PREFIX_XMLNS, + XML_ERROR_RESERVED_NAMESPACE_URI, + /* Added in 2.2.1. */ +- XML_ERROR_INVALID_ARGUMENT ++ XML_ERROR_INVALID_ARGUMENT, ++ /* Added in 2.4.0. */ ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH + }; + + enum XML_Content_Type { +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { + XML_FEATURE_SIZEOF_XML_LCHAR, + XML_FEATURE_NS, + XML_FEATURE_LARGE_SIZE, +- XML_FEATURE_ATTR_INFO ++ XML_FEATURE_ATTR_INFO, ++ /* Added in Expat 2.4.0. */ ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFA ULT, ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAU LT + /* Additional features must be added to the end of this enum. */ + }; + +@@ -1010,6 +1015,18 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + ++#ifdef XML_DTD ++/* Added in Expat 2.4.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++XML_Parser parser, float maximumAmplificationFactor); ++ ++/* Added in Expat 2.4.0. 
*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionActivationThreshold( ++XML_Parser parser, unsigned long long activationThresholdBytes); ++#endif ++ + /* Expat follows the semantic versioning convention. +See http://semver.org. + */ +diff --git a/lib/internal.h b/lib/internal.h +index 60913dab..d8b31fa2 100644 +--- a/lib/internal.h b/lib/internal.h +@@ -101,10 +101,40 @@ + # endif + #endif + ++#include // ULONG_MAX ++ ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" ++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#else ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" ++# if ! defined(ULONG_MAX) ++#error Compiler did not define ULONG_MAX for us ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#endif ++ + #ifndef UNUSED_P + # define UNUSED_P(p) (void)p + #endif + ++/* NOTE BEGIN If you ever patch these defaults to greater values ++ for non-attack XML payload in your environment, ++ please file a bug report with libexpat. Thank you! 
++*/ ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \ ++ 100.0f ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \ ++ 8388608 // 8 MiB, 2^23 ++/* NOTE END */ ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/lib/libexpat.def b/lib/libexpat.def +index 16faf595..5aefa6df 100644 +--- a/lib/libexpat.def b/lib/libexpat.def +@@ -76,3 +76,6 @@ EXPORTS + XML_SetHashSalt @67 + ; added with version 2.2.5 + _INTERNAL_trim_to_complete_utf8_characters @68 ++; added with version 2.4.0 ++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 ++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 +diff --git a/lib/libexpatw.def
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
On Wed, Jun 16, 2021 at 5:17 AM Jasper Orschulko wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Hi Steve! > > Thanks for the quick feedback! I just noticed that the archive folder > structure from sourceforge differs to to the git content, thus the > "inner" patch currently fails. Oops! > > I'm thinking about setting the git repository as SRC_URI, as the expat > project is currently moving away from sourceforge towards github. Also, > we would not be affected by random archive renaming ;) What do you > think? If the upstream project is moving from sourceforge to github, then yes it makes sense to change the SRC_URI to reflect their new standard source location. Steve > - -- > With best regards > > Jasper Orschulko > DevOps Engineer > > Tel. +49 30 58 58 14 265 > Fax +49 30 58 58 14 999 > jasper.orschu...@iris-sensing.com > > • • • • • • • • • • • • • • • • • • • • • • • • • • > > iris-GmbH > infrared & intelligent sensors > Ostendstraße 1-14 | 12459 Berlin > > https://iris-sensing.com/ > > > > > On Wed, 2021-06-16 at 05:09 -1000, Steve Sakoman wrote: > > On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko > > wrote: > > > > > > -BEGIN PGP SIGNED MESSAGE- > > > Hash: SHA256 > > > > > > P.S.: I am not too familiar with expat, this particular CVE, not > > > with > > > the practise of backporting security patches, so someone(TM) should > > > definitely take a closer look at this first. > > > > Will do! > > > > A few initial comments: > > > > 1. Please don't PGP sign patch emails :-) > > 2. Change the patch file name to CVE-2013-0340.patch > > > > Other than that it looks OK at first glance. > > > > For reference the patch requirements for CVE's are outlined at: > > > > https://wiki.yoctoproject.org/wiki/Security > > > > in the "Patch name convention and commit message" section. > > > > Thanks for helping with CVEs! > > > > Steve > > > > > > > > > > > With best regards > > > > > > Jasper Orschulko > > > DevOps Engineer > > > > > > Tel. 
+49 30 58 58 14 265 > > > Fax +49 30 58 58 14 999 > > > jasper.orschu...@iris-sensing.com > > > > > > • • • • • • • • • • • • • • • • • • • • • • • • • • > > > > > > iris-GmbH > > > infrared & intelligent sensors > > > Ostendstraße 1-14 | 12459 Berlin > > > > > > https://iris-sensing.com/ > > > > > > > > > > > > > > > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote: > > > > expat < 4.0 is vulnerable to billion laughs attacks (see > > > > [https://github.com/libexpat/libexpat/issues/34]). This patch > > > > backports > > > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. > > > > > > > > Additionally, the SRC_URI had to be adjusted due to renaming of > > > > the > > > > source archive > > > > > > > > Signed-off-by: Jasper Orschulko > > > > > > > > --- > > > > ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 > > > > + > > > > meta/recipes-core/expat/expat_2.2.9.bb|3 +- > > > > 2 files changed, 1760 insertions(+), 1 deletion(-) > > > > create mode 100644 meta/recipes-core/expat/expat/0001-expat- > > > > Backport- > > > > fix-for-CVE-2013-0340.patch > > > > > > > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport- > > > > fix- > > > > for- > > > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat- > > > > Backport-fix-for-CVE-2013-0340.patch > > > > new file mode 100644 > > > > index 00..b2ca066d96 > > > > --- /dev/null > > > > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for- > > > > CVE- > > > > 2013-0340.patch 
> > > > @@ -0,0 +1,1758 @@ > > > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 > > > > 00:00:00 > > > > 2001 > > > > +From: Sebastian Pipping > > > > +Date: Mon, 19 Apr 2021 21:42:51 +0200 > > > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 > > > > + > > > > +Issue: https://github.com/libexpat/libexpat/issues/34 > > > > + > > > > +This patch cherry-picks the following commits from upstream > > > > release > > > > +2.4.0 onto 2.2.9: > > > > + > > > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > > > +- 60959f2b491876199879d97c8ed956eabb0c2e73 > > > > + > > > > +Upstream-Status: Backport > > > > +CVE: CVE-2013-0340 > > > > +Signed-off-by: Jasper Orschulko > > > > > > > > +--- > > > > + expat/lib/expat.h | 21 +- > > > > + expat/lib/internal.h| 30 + > > > > + expat/lib/libexpat.def |3 + > > > > + expat/lib/libexpatw.def |3 + > > > > + expat/lib/xmlparse.c| 1147 > > > > +- > > > > - > > > > + 5 files changed, 1143 insertions(+), 61 deletions(-) > > > > + > > > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h > > > > +index 48a6e2a3..796086c2 100644 > > > > +--- a/expat/lib/expat.h > > > > b/expat/lib/expat.h > > > > +@@ -115,7 +115,9 @@ enum XML_Error { > > > > + XML_ERROR_RESERVED_PREFIX_XMLNS, > > > > + XML_ERROR_RESERVED_NAMESPACE_URI, > > > > + /* Added in 2.2.1. */ > > > >
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 P.S.: I was looking at https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Example:_CVE_patch_header and this page as far as I can tell only mentions the patch header convention, not the file name itself. Maybe this needs an update? :) - -- With best regards Jasper Orschulko DevOps Engineer Tel. +49 30 58 58 14 265 Fax +49 30 58 58 14 999 jasper.orschu...@iris-sensing.com • • • • • • • • • • • • • • • • • • • • • • • • • • iris-GmbH infrared & intelligent sensors Ostendstraße 1-14 | 12459 Berlin https://iris-sensing.com/ On Wed, 2021-06-16 at 05:09 -1000, Steve Sakoman wrote: > On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko > wrote: > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA256 > > > > P.S.: I am not too familiar with expat, this particular CVE, not with > > the practise of backporting security patches, so someone(TM) should > > definitely take a closer look at this first. > > Will do! > > A few initial comments: > > 1. Please don't PGP sign patch emails :-) > 2. Change the patch file name to CVE-2013-0340.patch > > Other than that it looks OK at first glance. > > For reference the patch requirements for CVE's are outlined at: > > https://wiki.yoctoproject.org/wiki/Security > > in the "Patch name convention and commit message" section. > > Thanks for helping with CVEs! > > Steve > > > > > > With best regards > > > > Jasper Orschulko > > DevOps Engineer > > > > Tel. +49 30 58 58 14 265 > > Fax +49 30 58 58 14 999 > > jasper.orschu...@iris-sensing.com > > > > • • • • • • • • • • • • • • • • • • • • • • • • • • > > > > iris-GmbH > > infrared & intelligent sensors > > Ostendstraße 1-14 | 12459 Berlin > > > > https://iris-sensing.com/ > > > > > > > > > > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote: > > > expat < 4.0 is vulnerable to billion laughs attacks (see > > > [https://github.com/libexpat/libexpat/issues/34]). 
This patch > > > backports > > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. > > > > > > Additionally, the SRC_URI had to be adjusted due to renaming of the > > > source archive > > > > > > Signed-off-by: Jasper Orschulko > > > --- > > > ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 > > > + > > > meta/recipes-core/expat/expat_2.2.9.bb | 3 +- > > > 2 files changed, 1760 insertions(+), 1 deletion(-) > > > create mode 100644 meta/recipes-core/expat/expat/0001-expat- > > > Backport- > > > fix-for-CVE-2013-0340.patch > > > > > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix- > > > for- > > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat- > > > Backport-fix-for-CVE-2013-0340.patch > > > new file mode 100644 > > > index 00..b2ca066d96 > > > --- /dev/null > > > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for- > > > CVE- > > > 2013-0340.patch 
> > > @@ -0,0 +1,1758 @@ > > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00 > > > 2001 > > > +From: Sebastian Pipping > > > +Date: Mon, 19 Apr 2021 21:42:51 +0200 > > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 > > > + > > > +Issue: https://github.com/libexpat/libexpat/issues/34 > > > + > > > +This patch cherry-picks the following commits from upstream > > > release > > > +2.4.0 onto 2.2.9: > > > + > > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > > +- 60959f2b491876199879d97c8ed956eabb0c2e73 > > > + > > > +Upstream-Status: Backport > > > +CVE: CVE-2013-0340 > > > +Signed-off-by: Jasper Orschulko > > > > > > +--- > > > + expat/lib/expat.h | 21 +- > > > + expat/lib/internal.h | 30 + > > > + expat/lib/libexpat.def | 3 + > > > + expat/lib/libexpatw.def | 3 + > > > + expat/lib/xmlparse.c | 1147 > > > +- > > > - > > > + 5 files changed, 1143 insertions(+), 61 deletions(-) > > > + > > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h > > > +index 48a6e2a3..796086c2 100644 > > > +--- a/expat/lib/expat.h > > > b/expat/lib/expat.h > > > +@@ -115,7 +115,9 @@ enum XML_Error { > > > + XML_ERROR_RESERVED_PREFIX_XMLNS, > > > + XML_ERROR_RESERVED_NAMESPACE_URI, > > > + /* Added in 2.2.1. */ > > > +- XML_ERROR_INVALID_ARGUMENT > > > ++ XML_ERROR_INVALID_ARGUMENT, > > > ++ /* Backported from 2.4.0. */ > > > ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH > > > + }; > > > + > > > + enum XML_Content_Type { > > > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { > > > + XML_FEATURE_SIZEOF_XML_LCHAR, > > > + XML_FEATURE_NS, > > > + XML_FEATURE_LARGE_SIZE, > > > +- XML_FEATURE_ATTR_INFO > > > ++ XML_FEATURE_ATTR_INFO, > > > ++ /* Added in Expat 2.4.0. */ > > > ++ > > > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_ > > > DE > > > FA > > > ULT, > > > ++ > > > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_D > > > EF > > > AU > > > LT >
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi Steve! Thanks for the quick feedback! I just noticed that the archive folder structure from sourceforge differs from the git content, thus the "inner" patch currently fails. Oops! I'm thinking about setting the git repository as SRC_URI, as the expat project is currently moving away from sourceforge towards github. Also, we would not be affected by random archive renaming ;) What do you think? - -- With best regards Jasper Orschulko DevOps Engineer Tel. +49 30 58 58 14 265 Fax +49 30 58 58 14 999 jasper.orschu...@iris-sensing.com • • • • • • • • • • • • • • • • • • • • • • • • • • iris-GmbH infrared & intelligent sensors Ostendstraße 1-14 | 12459 Berlin https://iris-sensing.com/ On Wed, 2021-06-16 at 05:09 -1000, Steve Sakoman wrote: > On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko > wrote: > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA256 > > > > P.S.: I am not too familiar with expat, this particular CVE, not > > with > > the practise of backporting security patches, so someone(TM) should > > definitely take a closer look at this first. > > Will do! > > A few initial comments: > > 1. Please don't PGP sign patch emails :-) > 2. Change the patch file name to CVE-2013-0340.patch > > Other than that it looks OK at first glance. > > For reference the patch requirements for CVE's are outlined at: > > https://wiki.yoctoproject.org/wiki/Security > > in the "Patch name convention and commit message" section. > > Thanks for helping with CVEs! > > Steve > > > > > > With best regards > > > > Jasper Orschulko > > DevOps Engineer > > > > Tel. 
+49 30 58 58 14 265 > > Fax +49 30 58 58 14 999 > > jasper.orschu...@iris-sensing.com > > > > • • • • • • • • • • • • • • • • • • • • • • • • • • > > > > iris-GmbH > > infrared & intelligent sensors > > Ostendstraße 1-14 | 12459 Berlin > > > > https://iris-sensing.com/ > > > > > > > > > > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote: > > > expat < 4.0 is vulnerable to billion laughs attacks (see > > > [https://github.com/libexpat/libexpat/issues/34]). This patch > > > backports > > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. > > > > > > Additionally, the SRC_URI had to be adjusted due to renaming of > > > the > > > source archive > > > > > > Signed-off-by: Jasper Orschulko > > > > > > --- > > > ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 > > > + > > > meta/recipes-core/expat/expat_2.2.9.bb | 3 +- > > > 2 files changed, 1760 insertions(+), 1 deletion(-) > > > create mode 100644 meta/recipes-core/expat/expat/0001-expat- > > > Backport- > > > fix-for-CVE-2013-0340.patch > > > > > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport- > > > fix- > > > for- > > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat- > > > Backport-fix-for-CVE-2013-0340.patch > > > new file mode 100644 > > > index 00..b2ca066d96 > > > --- /dev/null > > > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for- > > > CVE- > > > 2013-0340.patch 
> > > @@ -0,0 +1,1758 @@ > > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 > > > 00:00:00 > > > 2001 > > > +From: Sebastian Pipping > > > +Date: Mon, 19 Apr 2021 21:42:51 +0200 > > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 > > > + > > > +Issue: https://github.com/libexpat/libexpat/issues/34 > > > + > > > +This patch cherry-picks the following commits from upstream > > > release > > > +2.4.0 onto 2.2.9: > > > + > > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > > +- 60959f2b491876199879d97c8ed956eabb0c2e73 > > > + > > > +Upstream-Status: Backport > > > +CVE: CVE-2013-0340 > > > +Signed-off-by: Jasper Orschulko > > > > > > +--- > > > + expat/lib/expat.h | 21 +- > > > + expat/lib/internal.h | 30 + > > > + expat/lib/libexpat.def | 3 + > > > + expat/lib/libexpatw.def | 3 + > > > + expat/lib/xmlparse.c | 1147 > > > +- > > > - > > > + 5 files changed, 1143 insertions(+), 61 deletions(-) > > > + > > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h > > > +index 48a6e2a3..796086c2 100644 > > > +--- a/expat/lib/expat.h > > > b/expat/lib/expat.h > > > +@@ -115,7 +115,9 @@ enum XML_Error { > > > + XML_ERROR_RESERVED_PREFIX_XMLNS, > > > + XML_ERROR_RESERVED_NAMESPACE_URI, > > > + /* Added in 2.2.1. */ > > > +- XML_ERROR_INVALID_ARGUMENT > > > ++ XML_ERROR_INVALID_ARGUMENT, > > > ++ /* Backported from 2.4.0. */ > > > ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH > > > + }; > > > + > > > + enum XML_Content_Type { > > > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { > > > + XML_FEATURE_SIZEOF_XML_LCHAR, > > > + XML_FEATURE_NS, > > > + XML_FEATURE_LARGE_SIZE, > > > +- XML_FEATURE_ATTR_INFO > > > ++ XML_FEATURE_ATTR_INFO, > > > ++ /* Added in Expat 2.4.0. */ > > > ++ > > >
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
On Wed, Jun 16, 2021 at 4:49 AM Jasper Orschulko wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > P.S.: I am not too familiar with expat, this particular CVE, not with > the practise of backporting security patches, so someone(TM) should > definitely take a closer look at this first. Will do! A few initial comments: 1. Please don't PGP sign patch emails :-) 2. Change the patch file name to CVE-2013-0340.patch Other than that it looks OK at first glance. For reference the patch requirements for CVE's are outlined at: https://wiki.yoctoproject.org/wiki/Security in the "Patch name convention and commit message" section. Thanks for helping with CVEs! Steve > With best regards > > Jasper Orschulko > DevOps Engineer > > Tel. +49 30 58 58 14 265 > Fax +49 30 58 58 14 999 > jasper.orschu...@iris-sensing.com > > • • • • • • • • • • • • • • • • • • • • • • • • • • > > iris-GmbH > infrared & intelligent sensors > Ostendstraße 1-14 | 12459 Berlin > > https://iris-sensing.com/ > > > > > On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote: > > expat < 4.0 is vulnerable to billion laughs attacks (see > > [https://github.com/libexpat/libexpat/issues/34]). This patch > > backports > > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. > > > > Additionally, the SRC_URI had to be adjusted due to renaming of the > > source archive > > > > Signed-off-by: Jasper Orschulko > > --- > > ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 > > + > > meta/recipes-core/expat/expat_2.2.9.bb|3 +- > > 2 files changed, 1760 insertions(+), 1 deletion(-) > > create mode 100644 meta/recipes-core/expat/expat/0001-expat- > > Backport- > > fix-for-CVE-2013-0340.patch > > > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix- > > for- > > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat- > > Backport-fix-for-CVE-2013-0340.patch > > new file mode 100644 > > index 00..b2ca066d96 > > --- /dev/null 
> > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-CVE- > > 2013-0340.patch 
> > @@ -0,0 +1,1758 @@ > > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00 > > 2001 > > +From: Sebastian Pipping > > +Date: Mon, 19 Apr 2021 21:42:51 +0200 > > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 > > + > > +Issue: https://github.com/libexpat/libexpat/issues/34 > > + > > +This patch cherry-picks the following commits from upstream release > > +2.4.0 onto 2.2.9: > > + > > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > > +- 60959f2b491876199879d97c8ed956eabb0c2e73 > > + > > +Upstream-Status: Backport > > +CVE: CVE-2013-0340 > > +Signed-off-by: Jasper Orschulko > > +--- > > + expat/lib/expat.h | 21 +- > > + expat/lib/internal.h| 30 + > > + expat/lib/libexpat.def |3 + > > + expat/lib/libexpatw.def |3 + > > + expat/lib/xmlparse.c| 1147 > > +- > > - > > + 5 files changed, 1143 insertions(+), 61 deletions(-) > > + > > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h > > +index 48a6e2a3..796086c2 100644 > > +--- a/expat/lib/expat.h > > b/expat/lib/expat.h > > +@@ -115,7 +115,9 @@ enum XML_Error { > > + XML_ERROR_RESERVED_PREFIX_XMLNS, > > + XML_ERROR_RESERVED_NAMESPACE_URI, > > + /* Added in 2.2.1. */ > > +- XML_ERROR_INVALID_ARGUMENT > > ++ XML_ERROR_INVALID_ARGUMENT, > > ++ /* Backported from 2.4.0. */ > > ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH > > + }; > > + > > + enum XML_Content_Type { > > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { > > + XML_FEATURE_SIZEOF_XML_LCHAR, > > + XML_FEATURE_NS, > > + XML_FEATURE_LARGE_SIZE, > > +- XML_FEATURE_ATTR_INFO > > ++ XML_FEATURE_ATTR_INFO, > > ++ /* Added in Expat 2.4.0. */ > > ++ > > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DE > > FA > > ULT, > > ++ > > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEF > > AU > > LT > > + /* Additional features must be added to the end of this enum. 
*/ > > + }; > > + > > +@@ -1010,6 +1015,18 @@ typedef struct { > > + XMLPARSEAPI(const XML_Feature *) > > + XML_GetFeatureList(void); > > + > > ++#ifdef XML_DTD > > ++/* Backported from Expat 2.4.0. */ > > ++XMLPARSEAPI(XML_Bool) > > ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( > > ++XML_Parser parser, float maximumAmplificationFactor); > > ++ > > ++/* Backported from Expat 2.4.0. */ > > ++XMLPARSEAPI(XML_Bool) > > ++XML_SetBillionLaughsAttackProtectionActivationThreshold( > > ++XML_Parser parser, unsigned long long > > activationThresholdBytes); > > ++#endif > > ++ > > + /* Expat follows the semantic versioning convention. > > +See http://semver.org. > > + */ > > +diff --git a/expat/lib/internal.h b/expat/lib/internal.h > > +index 60913dab..d8b31fa2 100644 > > +--- a/expat/lib/internal.h > > b/expat/lib/internal.h > > +@@ -101,10 +101,40 @@ > > + # endif > > + #endif >
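Review bot: The two new setters in the `@@ -1010,6 +1015,18 @@` hunk of expat.h are declared only under `#ifdef XML_DTD`, and nothing in the header tells a caller that the protection is a compile-time option. If the accounting in xmlparse.c is guarded the same way (that file is not visible in this part of the thread), an expat built without XML_DTD would carry this patch and still have no amplification limit. The recipe should therefore be checked to confirm that XML_DTD stays defined for every variant that ships the library. I would add a comment above the block such as `/* Declared only when XML_DTD is defined; guard callers with the same #ifdef. */`. As far as the visible hunks show, the package remains 2.2.9, so callers cannot rely on the version macros to detect these functions and would presumably have to look for the two new `XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_*` entries via `XML_GetFeatureList()`.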
Re: [OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 P.S.: I am not too familiar with expat, this particular CVE, not with the practise of backporting security patches, so someone(TM) should definitely take a closer look at this first. - -- With best regards Jasper Orschulko DevOps Engineer Tel. +49 30 58 58 14 265 Fax +49 30 58 58 14 999 jasper.orschu...@iris-sensing.com • • • • • • • • • • • • • • • • • • • • • • • • • • iris-GmbH infrared & intelligent sensors Ostendstraße 1-14 | 12459 Berlin https://iris-sensing.com/ On Wed, 2021-06-16 at 14:44 +, Jasper Orschulko wrote: > expat < 4.0 is vulnerable to billion laughs attacks (see > [https://github.com/libexpat/libexpat/issues/34]). This patch > backports > the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. > > Additionally, the SRC_URI had to be adjusted due to renaming of the > source archive > > Signed-off-by: Jasper Orschulko > --- > ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 > + > meta/recipes-core/expat/expat_2.2.9.bb | 3 +- > 2 files changed, 1760 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-core/expat/expat/0001-expat- > Backport- > fix-for-CVE-2013-0340.patch > > diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix- > for- > CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat- > Backport-fix-for-CVE-2013-0340.patch > new file mode 100644 > index 00..b2ca066d96 > --- /dev/null > +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-CVE- > 2013-0340.patch 
> @@ -0,0 +1,1758 @@ > +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00 > 2001 > +From: Sebastian Pipping > +Date: Mon, 19 Apr 2021 21:42:51 +0200 > +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 > + > +Issue: https://github.com/libexpat/libexpat/issues/34 > + > +This patch cherry-picks the following commits from upstream release > +2.4.0 onto 2.2.9: > + > +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 > +- 60959f2b491876199879d97c8ed956eabb0c2e73 > + > +Upstream-Status: Backport > +CVE: CVE-2013-0340 > +Signed-off-by: Jasper Orschulko > +--- > + expat/lib/expat.h | 21 +- > + expat/lib/internal.h | 30 + > + expat/lib/libexpat.def | 3 + > + expat/lib/libexpatw.def | 3 + > + expat/lib/xmlparse.c | 1147 > +- > - > + 5 files changed, 1143 insertions(+), 61 deletions(-) > + > +diff --git a/expat/lib/expat.h b/expat/lib/expat.h > +index 48a6e2a3..796086c2 100644 > +--- a/expat/lib/expat.h > b/expat/lib/expat.h > +@@ -115,7 +115,9 @@ enum XML_Error { > + XML_ERROR_RESERVED_PREFIX_XMLNS, > + XML_ERROR_RESERVED_NAMESPACE_URI, > + /* Added in 2.2.1. */ > +- XML_ERROR_INVALID_ARGUMENT > ++ XML_ERROR_INVALID_ARGUMENT, > ++ /* Backported from 2.4.0. */ > ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH > + }; > + > + enum XML_Content_Type { > +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { > + XML_FEATURE_SIZEOF_XML_LCHAR, > + XML_FEATURE_NS, > + XML_FEATURE_LARGE_SIZE, > +- XML_FEATURE_ATTR_INFO > ++ XML_FEATURE_ATTR_INFO, > ++ /* Added in Expat 2.4.0. */ > ++ > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DE > FA > ULT, > ++ > XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEF > AU > LT > + /* Additional features must be added to the end of this enum. */ > + }; > + > +@@ -1010,6 +1015,18 @@ typedef struct { > + XMLPARSEAPI(const XML_Feature *) > + XML_GetFeatureList(void); > + > ++#ifdef XML_DTD > ++/* Backported from Expat 2.4.0. 
*/ > ++XMLPARSEAPI(XML_Bool) > ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( > ++ XML_Parser parser, float maximumAmplificationFactor); > ++ > ++/* Backported from Expat 2.4.0. */ > ++XMLPARSEAPI(XML_Bool) > ++XML_SetBillionLaughsAttackProtectionActivationThreshold( > ++ XML_Parser parser, unsigned long long > activationThresholdBytes); > ++#endif > ++ > + /* Expat follows the semantic versioning convention. > + See http://semver.org. > + */ > +diff --git a/expat/lib/internal.h b/expat/lib/internal.h > +index 60913dab..d8b31fa2 100644 > +--- a/expat/lib/internal.h > b/expat/lib/internal.h > +@@ -101,10 +101,40 @@ > + # endif > + #endif > + > ++#include // ULONG_MAX > ++ > ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) > ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" > ++# if defined(_WIN64) // Note: modifier "td" does not work for > MinGW > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" > ++# else > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" > ++# endif > ++#else > ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" > ++# if ! defined(ULONG_MAX) > ++# error Compiler did not define ULONG_MAX for us > ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" > ++# else > ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%"
[OE-core][dunfell][PATCH] expat: fix CVE-2013-0340
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 expat < 4.0 is vulnerable to billion laughs attacks (see [https://github.com/libexpat/libexpat/issues/34]). This patch backports the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. Additionally, the SRC_URI had to be adjusted due to renaming of the source archive Signed-off-by: Jasper Orschulko - --- ...expat-Backport-fix-for-CVE-2013-0340.patch | 1758 + meta/recipes-core/expat/expat_2.2.9.bb|3 +- 2 files changed, 1760 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-core/expat/expat/0001-expat-Backport- fix-for-CVE-2013-0340.patch diff --git a/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for- CVE-2013-0340.patch b/meta/recipes-core/expat/expat/0001-expat- Backport-fix-for-CVE-2013-0340.patch new file mode 100644 index 00..b2ca066d96 - --- /dev/null +++ b/meta/recipes-core/expat/expat/0001-expat-Backport-fix-for-CVE- 2013-0340.patch 
@@ -0,0 +1,1758 @@ +From 6f68eb0439f3c1807a143ff8c8972e74d404d8f0 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Apr 2021 21:42:51 +0200 +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 + +Issue: https://github.com/libexpat/libexpat/issues/34 + +This patch cherry-picks the following commits from upstream release +2.4.0 onto 2.2.9: + +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 +- 60959f2b491876199879d97c8ed956eabb0c2e73 + +Upstream-Status: Backport +CVE: CVE-2013-0340 +Signed-off-by: Jasper Orschulko +--- + expat/lib/expat.h | 21 +- + expat/lib/internal.h| 30 + + expat/lib/libexpat.def |3 + + expat/lib/libexpatw.def |3 + + expat/lib/xmlparse.c| 1147 +- - - + 5 files changed, 1143 insertions(+), 61 deletions(-) + +diff --git a/expat/lib/expat.h b/expat/lib/expat.h +index 48a6e2a3..796086c2 100644 +--- a/expat/lib/expat.h b/expat/lib/expat.h +@@ -115,7 +115,9 @@ enum XML_Error { + XML_ERROR_RESERVED_PREFIX_XMLNS, + XML_ERROR_RESERVED_NAMESPACE_URI, + /* Added in 2.2.1. */ +- XML_ERROR_INVALID_ARGUMENT ++ XML_ERROR_INVALID_ARGUMENT, ++ /* Backported from 2.4.0. */ ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH + }; + + enum XML_Content_Type { +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { + XML_FEATURE_SIZEOF_XML_LCHAR, + XML_FEATURE_NS, + XML_FEATURE_LARGE_SIZE, +- XML_FEATURE_ATTR_INFO ++ XML_FEATURE_ATTR_INFO, ++ /* Added in Expat 2.4.0. */ ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFA ULT, ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAU LT + /* Additional features must be added to the end of this enum. */ + }; + +@@ -1010,6 +1015,18 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + ++#ifdef XML_DTD ++/* Backported from Expat 2.4.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++XML_Parser parser, float maximumAmplificationFactor); ++ ++/* Backported from Expat 2.4.0. 
*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionActivationThreshold( ++XML_Parser parser, unsigned long long activationThresholdBytes); ++#endif ++ + /* Expat follows the semantic versioning convention. +See http://semver.org. + */ +diff --git a/expat/lib/internal.h b/expat/lib/internal.h +index 60913dab..d8b31fa2 100644 +--- a/expat/lib/internal.h b/expat/lib/internal.h +@@ -101,10 +101,40 @@ + # endif + #endif + ++#include // ULONG_MAX ++ ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" ++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#else ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" ++# if ! defined(ULONG_MAX) ++#error Compiler did not define ULONG_MAX for us ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# else ++#define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#endif ++ + #ifndef UNUSED_P + # define UNUSED_P(p) (void)p + #endif + ++/* NOTE BEGIN If you ever patch these defaults to greater values ++ for non-attack XML payload in your environment, ++ please file a bug report with libexpat. Thank you! ++*/ ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \ ++ 100.0f ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \ ++ 8388608 // 8 MiB, 2^23 ++/* NOTE END */ ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/expat/lib/libexpat.def b/expat/lib/libexpat.def +index 16faf595..b5e59d8d 100644 +--- a/expat/lib/libexpat.def b/expat/lib/libexpat.def +@@ -76,3 +76,6 @@ EXPORTS + XML_SetHashSalt @67 + ; added with version 2.2.5 +