[kirkstone][PATCH] expat: CVE-2022-40674


Florin Diaconescu
 

Just saw the new release, I will submit another patch with the 2.4.9 upgrade. Thanks for letting me know!

Florin


On Tue, Sep 20, 2022 at 6:57 PM Alex Kiernan <alex.kiernan@...> wrote:
2.4.9 looks to have landed w/ this change in it.

On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu
<florin.diaconescu009@...> wrote:
>
> Upstream-Status: Accepted
> [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
>
> Signed-off-by: Florin Diaconescu <florin.diaconescu009@...>
> ---
>  .../expat/expat/CVE-2022-40674.patch          | 56 +++++++++++++++++++
>  meta/recipes-core/expat/expat_2.4.8.bb        |  1 +
>  2 files changed, 57 insertions(+)
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch
>
> diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> new file mode 100644
> index 0000000000..468811fefa
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
> @@ -0,0 +1,56 @@
> +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
> +From: Rhodri James <rhodri@...>
> +Date: Wed, 17 Aug 2022 18:26:18 +0100
> +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
> +
> +It is possible to concoct a situation in which parsing is
> +suspended while substituting in an internal entity, so that
> +XML_ResumeParser directly uses internalEntityProcessor as
> +its processor.  If the subsequent parse includes some unclosed
> +tags, this will return without calling storeRawNames to ensure
> +that the raw versions of the tag names are stored in memory other
> +than the parse buffer itself.  If the parse buffer is then changed
> +or reallocated (for example if processing a file line by line),
> +badness will ensue.
> +
> +This patch ensures storeRawNames is always called when needed
> +after calling doContent.  The earlier call do doContent does
> +not need the same protection; it only deals with entity
> +substitution, which cannot leave unbalanced tags, and in any
> +case the raw names will be pointing into the stored entity
> +value not the parse buffer.
> +
> +CVE: CVE-2022-40674
> +Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
> +
> +Signed-off-by: Florin Diaconescu <florin.diaconescu009@...>
> +---
> + lib/xmlparse.c | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index e986156..eabe0fc 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
> +   {
> +     parser->m_processor = contentProcessor;
> +     /* see externalEntityContentProcessor vs contentProcessor */
> +-    return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
> +-                     s, end, nextPtr,
> +-                     (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> +-                     XML_ACCOUNT_DIRECT);
> ++    result = doContent(parser, parser->m_parentParser ? 1 : 0,
> ++                       parser->m_encoding, s, end, nextPtr,
> ++                       (XML_Bool)! parser->m_parsingStatus.finalBuffer,
> ++                       XML_ACCOUNT_DIRECT);
> ++    if (result == XML_ERROR_NONE) {
> ++      if (! storeRawNames(parser))
> ++        return XML_ERROR_NO_MEMORY;
> ++    }
> ++    return result;
> +   }
> + }
> +
> +--
> +2.35.1
> diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb
> index 980c488640..93a2f98b38 100644
> --- a/meta/recipes-core/expat/expat_2.4.8.bb
> +++ b/meta/recipes-core/expat/expat_2.4.8.bb
> @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
>
>  SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
>             file://run-ptest \
> +           file://CVE-2022-40674.patch \
>             "
>
>  UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
> --
> 2.25.1
>
>
>
>


--
Alex Kiernan


Alex Kiernan
 

2.4.9 looks to have landed w/ this change in it.

On Tue, Sep 20, 2022 at 12:09 PM Florin Diaconescu
<florin.diaconescu009@...> wrote:

Upstream-Status: Accepted
[https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]

Signed-off-by: Florin Diaconescu <florin.diaconescu009@...>
---
.../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++
meta/recipes-core/expat/expat_2.4.8.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..468811fefa
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,56 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@...>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+CVE: CVE-2022-40674
+Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@...>
+---
+ lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e986156..eabe0fc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
+--
+2.35.1
diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb
index 980c488640..93a2f98b38 100644
--- a/meta/recipes-core/expat/expat_2.4.8.bb
+++ b/meta/recipes-core/expat/expat_2.4.8.bb
@@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"

SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2022-40674.patch \
"

UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
--
2.25.1




--
Alex Kiernan


Florin Diaconescu
 

Upstream-Status: Accepted
[https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]

Signed-off-by: Florin Diaconescu <florin.diaconescu009@...>
---
.../expat/expat/CVE-2022-40674.patch | 56 +++++++++++++++++++
meta/recipes-core/expat/expat_2.4.8.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..468811fefa
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,56 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@...>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+CVE: CVE-2022-40674
+Upstream-Status: Accepted [https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@...>
+---
+ lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e986156..eabe0fc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
+--
+2.35.1
diff --git a/meta/recipes-core/expat/expat_2.4.8.bb b/meta/recipes-core/expat/expat_2.4.8.bb
index 980c488640..93a2f98b38 100644
--- a/meta/recipes-core/expat/expat_2.4.8.bb
+++ b/meta/recipes-core/expat/expat_2.4.8.bb
@@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"

SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2022-40674.patch \
"

UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
--
2.25.1