[OE-core][dunfell][PATCH] libxml2: Fix for CVE-2023-45322

Vijay Anusuri via lists.openembedded.org Thu, 11 Jan 2024 19:06:23 -0800

From: Vijay Anusuri <[email protected]>

Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344


The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as diputed).

Signed-off-by: Vijay Anusuri <[email protected]>
---
 .../libxml/libxml2/CVE-2023-45322-1.patch     | 50 ++++++++++++
 .../libxml/libxml2/CVE-2023-45322-2.patch     | 80 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  2 +
 3 files changed, 132 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..182bb29abd
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko <[email protected]>
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+           }
+           if (doc->intSubset == NULL) {
+               q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-              if (q == NULL) return(NULL);
++              if (q == NULL) goto error;
+               q->doc = doc;
+               q->parent = parent;
+               doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+       } else
+ #endif /* LIBXML_TREE_ENABLED */
+           q = xmlStaticCopyNode(node, doc, parent, 1);
+-      if (q == NULL) return(NULL);
++      if (q == NULL) goto error;
+       if (ret == NULL) {
+           q->prev = NULL;
+           ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+       node = node->next;
+     }
+     return(ret);
++error:
++    xmlFreeNodeList(ret);
++    return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko <[email protected]>
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
++    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+       if (node->type == XML_DTD_NODE ) {
+-          if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++          if ((doc == NULL) || (doc->intSubset != NULL)) {
+               node = node->next;
+               continue;
+           }
+-          if (doc->intSubset == NULL) {
+-              q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-              if (q == NULL) goto error;
+-              q->doc = doc;
+-              q->parent = parent;
+-              doc->intSubset = (xmlDtdPtr) q;
+-              xmlAddChild(parent, q);
+-          } else {
+-              q = (xmlNodePtr) doc->intSubset;
+-              xmlAddChild(parent, q);
+-          }
+-      } else
++            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++            if (q == NULL) goto error;
++            q->doc = doc;
++            q->parent = parent;
++            newSubset = (xmlDtdPtr) q;
++#else
++            node = node->next;
++            continue;
+ #endif /* LIBXML_TREE_ENABLED */
++      } else {
+           q = xmlStaticCopyNode(node, doc, parent, 1);
+-      if (q == NULL) goto error;
++          if (q == NULL) goto error;
++        }
+       if (ret == NULL) {
+           q->prev = NULL;
+           ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+       }
+       node = node->next;
+     }
++    if (newSubset != NULL)
++        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index aa17cd8cca..90d30f1ea7 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -42,6 +42,8 @@ SRC_URI += 
"http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
            file://CVE-2023-39615-0001.patch \
            file://CVE-2023-39615-0002.patch \
            file://CVE-2021-3516.patch \
+           file://CVE-2023-45322-1.patch \
+           file://CVE-2023-45322-2.patch \
            "
 
 SRC_URI[archive.sha256sum] = 
"593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
-- 
2.25.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193565): 
https://lists.openembedded.org/g/openembedded-core/message/193565
Mute This Topic: https://lists.openembedded.org/mt/103676576/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell][PATCH] libxml2: Fix for CVE-2023-45322

Reply via email to