Hi , attaching patch file.
________________________________ From: [email protected] <[email protected]> on behalf of Virendra Thakur via lists.openembedded.org <[email protected]> Sent: Thursday, September 22, 2022 2:31 PM To: [email protected] <[email protected]> Cc: Virendra Kumar Thakur <[email protected]> Subject: [OE-Core][dunfell][PATCH] expat: Fix CVE-2022-40674 Caution: This email originated from outside of the KPIT. Do not click links or open attachments unless you recognize the sender and know the content is safe. From: Virendra Thakur <[email protected]> Add patch file to fix CVE-2022-40674 Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flibexpat%2Flibexpat%2Fpull%2F629%2Fcommits%2F4a32da87e931ba54393d465bb77c40b5c33d343b&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C0338ba3a60a043d9e69008da9c791e4d%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637994341333711717%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4iNThkUMhS1QrEtMVirTug3OBYlGhwuP5dGZ6YXhBJw%3D&reserved=0 Signed-off-by: Virendra Thakur <[email protected]> --- .../expat/expat/CVE-2022-40674.patch | 53 +++++++++++++++++++ meta/recipes-core/expat/expat_2.2.9.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..8b95f5f198 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch @@ -0,0 +1,53 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James <[email protected]> +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flibexpat%2Flibexpat%2Fcommit%2F4a32da87e931ba54393d465bb77c40b5c33d343b&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C0338ba3a60a043d9e69008da9c791e4d%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637994341333711717%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2Fm7O1i8VGUJdh3WmVla5D93KiGtjYeoDvYy7cVps%2Flg%3D&reserved=0] +CVE: CVE-2022-40674 +Signed-off-by: Virendra Thakur <[email protected]> +--- + expat/lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: expat/lib/xmlparse.c +=================================================================== +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb index f50e535922..578edfcbff 100644 --- a/meta/recipes-core/expat/expat_2.2.9.bb +++ b/meta/recipes-core/expat/expat_2.2.9.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \ file://CVE-2022-25314.patch \ file://CVE-2022-25315.patch \ file://libtool-tag.patch \ + file://CVE-2022-40674.patch \ " SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
From a50604ee620bedaad8d7e42143f88675d047fb51 Mon Sep 17 00:00:00 2001 From: Virendra Thakur <[email protected]> Date: Wed, 21 Sep 2022 18:27:05 +0530 Subject: [PATCH] expat: Fix CVE-2022-40674 Add patch file to fix CVE-2022-40674 Link: https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b Signed-off-by: Virendra Thakur <[email protected]> --- .../expat/expat/CVE-2022-40674.patch | 53 +++++++++++++++++++ meta/recipes-core/expat/expat_2.2.9.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2022-40674.patch diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..8b95f5f198 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch @@ -0,0 +1,53 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James <[email protected]> +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b] +CVE: CVE-2022-40674 +Signed-off-by: Virendra Thakur <[email protected]> +--- + expat/lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: expat/lib/xmlparse.c +=================================================================== +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb index f50e535922..578edfcbff 100644 --- a/meta/recipes-core/expat/expat_2.2.9.bb +++ b/meta/recipes-core/expat/expat_2.2.9.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \ file://CVE-2022-25314.patch \ file://CVE-2022-25315.patch \ file://libtool-tag.patch \ + file://CVE-2022-40674.patch \ " SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" -- 2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170967): https://lists.openembedded.org/g/openembedded-core/message/170967 Mute This Topic: https://lists.openembedded.org/mt/93844719/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
