On Thu, 2024-03-14 at 01:33 +0530, Ashish Sharma via lists.openembedded.org wrote: > Upstream ref: > https://github.com/libexpat/libexpat/pull/842 > https://github.com/libexpat/libexpat/issues/839 > > Upstream-Status: Backport > [https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8 > f62d1d7b52695454]
This link here and in the patch points to incorrect change. Should it be: https://github.com/libexpat/libexpat/pull/842/commits/1d50b80cf31de87750103656f6eb693746854aa8 ? > Signed-off-by: Ashish Sharma <asha...@mvista.com> > --- > .../expat/expat/CVE-2024-28757.patch | 57 > +++++++++++++++++++ > meta/recipes-core/expat/expat_2.2.9.bb | 1 + > 2 files changed, 58 insertions(+) > create mode 100644 meta/recipes-core/expat/expat/CVE-2024- > 28757.patch > > diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch > b/meta/recipes-core/expat/expat/CVE-2024-28757.patch > new file mode 100644 > index 0000000000..c4bdb4621a > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch > @@ -0,0 +1,57 @@ > +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 > 2001 > +From: Sebastian Pipping <sebast...@pipping.org> > +Date: Mon, 4 Mar 2024 23:49:06 +0100 > +Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with > isolated > + external parser > + > +When parsing DTD content with code like .. > + > + XML_Parser parser = XML_ParserCreate(NULL); > + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, > NULL, NULL); > + enum XML_Status status = XML_Parse(ext_parser, doc, > (int)strlen(doc), XML_TRUE); > + > +.. there are 0 bytes accounted as direct input and all input from > `doc` accounted > +as indirect input. Now function accountingGetCurrentAmplification > cannot calculate > +the current amplification ratio as "(direct + indirect) / direct", > and it did refuse > +to divide by 0 as one would expect, but it returned 1.0 for this > case to indicate > +no amplification over direct input. As a result, billion laughs > attacks from > +DTD-only input were not detected with this isolated way of using an > external parser. > + > +The new approach is to assume direct input of length not 0 but 22 -- > derived from > +ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to > include an external > +DTD --, and do the usual "(direct + indirect) / direct" math with > "direct := 22". > + > +GitHub issue #839 has more details on this issue and its origin in > ClusterFuzz > +finding 66812. > +--- > +CVE: CVE-2024-28757 > +Upstream-Status: Backport > [https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8 > f62d1d7b52695454] > +Signed-off-by: Ashish Sharma <asha...@mvista.com> > +--- > + expat/lib/xmlparse.c | 6 +++++- > + 1 file changed, 5 insertions(+), 1 deletion(-) > + > +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c > +index b884d82b5..d44baa68d 100644 > +--- a/expat/lib/xmlparse.c > ++++ b/expat/lib/xmlparse.c > +@@ -7787,6 +7787,8 @@ copyString(const XML_Char *s, const > XML_Memory_Handling_Suite *memsuite) { > + > + static float > + accountingGetCurrentAmplification(XML_Parser rootParser) { > ++ // > 1.........1.........12 => 22 > ++ const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM > 'b'>") - 1; > + const XmlBigCount countBytesOutput > + = rootParser->m_accounting.countBytesDirect > + + rootParser->m_accounting.countBytesIndirect; > +@@ -7794,7 +7796,9 @@ accountingGetCurrentAmplification(XML_Parser > rootParser) { > + = rootParser->m_accounting.countBytesDirect > + ? (countBytesOutput > + / (float)(rootParser- > >m_accounting.countBytesDirect)) > +- : 1.0f; > ++ : ((lenOfShortestInclude > ++ + rootParser->m_accounting.countBytesIndirect) > ++ / (float)lenOfShortestInclude); > + assert(! rootParser->m_parentParser); > + return amplificationFactor; > + } > diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes- > core/expat/expat_2.2.9.bb > index 8a5006e59a..ea50533ed9 100644 > --- a/meta/recipes-core/expat/expat_2.2.9.bb > +++ b/meta/recipes-core/expat/expat_2.2.9.bb > @@ -22,6 +22,7 @@ SRC_URI = > "git://github.com/libexpat/libexpat.git;protocol=https;branch=master > \ > file://libtool-tag.patch \ > file://CVE-2022-40674.patch \ > file://CVE-2022-43680.patch \ > + file://CVE-2024-28757.patch \ > " > > SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#197126): https://lists.openembedded.org/g/openembedded-core/message/197126 Mute This Topic: https://lists.openembedded.org/mt/104913576/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
