> On Aug 24, 2022, at 4:53 AM, Pawan Badganchi <[email protected]> wrote:
> 
> From: Pawan Badganchi <[email protected]>
> 
> Add the patch below to fix CVE-2016-3709
> 
> CVE-2016-3709.patch
> Link: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
> 
> Signed-off-by: Pawan Badganchi <[email protected]>
> ---
> .../libxml/libxml2/CVE-2016-3709.patch        | 89 +++++++++++++++++++
> meta/recipes-core/libxml/libxml2_2.9.10.bb    |  2 +-
> 2 files changed, 90 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
> 
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch 
> b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
> new file mode 100644
> index 0000000000..5301d05323
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
> @@ -0,0 +1,89 @@
> +From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
> +From: Nick Wellnhofer <[email protected]>
> +Date: Sat, 15 Aug 2020 18:32:29 +0200
> +Subject: [PATCH] Revert "Do not URI escape in server side includes"
> +
> +This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
> +
> +This commit introduced
> +
> +- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
> +- an algorithm with quadratic runtime
> +- a security issue, see
> +  https://bugzilla.gnome.org/show_bug.cgi?id=769760
> +
> +A better approach is to add an option not to escape URLs at all
> +which libxml2 should have possibly done in the first place.
> +
> +CVE: CVE-2016-3709
> +Upstream-Status: Backport 
> [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
> +Signed-off-by: Pawan Badganchi <[email protected]>
> +---
> + HTMLtree.c | 49 +++++++++++--------------------------------------
> + 1 file changed, 11 insertions(+), 38 deletions(-)
> +
> +diff --git a/HTMLtree.c b/HTMLtree.c
> +index 8d236bb35..cdb7f86a6 100644
> +--- a/HTMLtree.c
> ++++ b/HTMLtree.c
> +@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr 
> doc, xmlAttrPtr cur,
> +              (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
> +              ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
> +               (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
> ++            xmlChar *escaped;
> +             xmlChar *tmp = value;
> +-            /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
> +-            xmlBufCCat(buf->buffer, "\"");
> +
> +             while (IS_BLANK_CH(*tmp)) tmp++;
> +
> +-            /* URI Escape everything, except server side includes. */
> +-            for ( ; ; ) {
> +-                xmlChar *escaped;
> +-                xmlChar endChar;
> +-                xmlChar *end = NULL;
> +-                xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
> +-                if (start != NULL) {
> +-                    end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
> +-                    if (end != NULL) {
> +-                        *start = '\0';
> +-                    }
> +-                }
> +-
> +-                /* Escape the whole string, or until start (set to '\0'). */
> +-                escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
> +-                if (escaped != NULL) {
> +-                    xmlBufCat(buf->buffer, escaped);
> +-                    xmlFree(escaped);
> +-                } else {
> +-                    xmlBufCat(buf->buffer, tmp);
> +-                }
> +-
> +-                if (end == NULL) { /* Everything has been written. */
> +-                    break;
> +-                }
> +-
> +-                /* Do not escape anything within server side includes. */
> +-                *start = '<'; /* Restore the first character of "<!--". */
> +-                end += 3; /* strlen("-->") */
> +-                endChar = *end;
> +-                *end = '\0';
> +-                xmlBufCat(buf->buffer, start);
> +-                *end = endChar;
> +-                tmp = end;
> ++            /*
> ++             * the < and > have already been escaped at the entity level
> ++             * And doing so here breaks server side includes
> ++             */
> ++            escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
> ++            if (escaped != NULL) {
> ++                xmlBufWriteQuotedString(buf->buffer, escaped);
> ++                xmlFree(escaped);
> ++            } else {
> ++                xmlBufWriteQuotedString(buf->buffer, value);
> +             }
> +-
> +-            xmlBufCCat(buf->buffer, "\"");
> +         } else {
> +             xmlBufWriteQuotedString(buf->buffer, value);
> +         }
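Review bot: As mailed, this hunk will not apply cleanly: the `Upstream-Status: Backport` line and the nested `@@ -706,49 +706,22 @@ htmlAttrDumpOutput(...` header have been wrapped by the mail client, so the continuation lines (`[https://github.com/GNOME/libxml2/commit/c1ba6f54...]` and `doc, xmlAttrPtr cur,`) lack their leading `+` and break the 89-line count declared in `@@ -0,0 +1,89 @@`. Please resend with git send-email (or a client that does not wrap long lines) and keep `Upstream-Status: Backport [URL]` on a single line. On the content itself: the removed loop emits the `<!-- ... -->` segment with a bare `xmlBufCat(buf->buffer, start)` between hand-written `"` delimiters, so nothing inside that segment is escaped, while the restored code passes every value through `xmlBufWriteQuotedString`; that matches the reverted commit's rationale and the bugzilla reference in the message, so the backport looks correct for 2.9.10 once the wrapping is fixed.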
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
> b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> index d1c1f0884f..adeef5bda2 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> @@ -32,7 +32,7 @@ SRC_URI += 
> "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
>            file://CVE-2022-23308-fix-regression.patch \
>            file://CVE-2022-29824-dependent.patch \
>            file://CVE-2022-29824.patch \
> -           file://0001-Port-gentest.py-to-Python-3.patch \

Did you intend to remove applying this patch? I assume not, but maybe there is 
something I’m not seeing. If you did intend to remove it, the patch file is 
still in the repo and the commit message doesn’t mention why it was removed.

Thanks,
Robert


> +           file://CVE-2016-3709.patch \
>            "
> 
> SRC_URI[archive.sha256sum] = 
> "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
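Review bot: The hunk header `@@ -32,7 +32,7 @@` confirms that `file://0001-Port-gentest.py-to-Python-3.patch \` is being replaced rather than appended to, so this change silently stops applying that patch while leaving it in the recipe directory. Unless the removal is intended and explained in the commit message, keep the existing line and add the new entry after it, which makes the hunk `@@ -32,7 +32,8 @@`:
           file://0001-Port-gentest.py-to-Python-3.patch \
+           file://CVE-2016-3709.patch \
           "
The `SRC_URI +=` hunk header line is also wrapped across two lines by the mailer, so this hunk has the same apply problem as the first one.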
> -- 
> 2.37.1
> 

View/Reply Online (#169976): 
https://lists.openembedded.org/g/openembedded-core/message/169976