Fails at build time: ERROR: expat-2.2.9-r0 do_patch: Applying patch 'CVE-2024-28757.patch' on target directory '/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/expat/2.2.9-r0/git/expat' Command Error: 'quilt --quiltrc /home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/expat/2.2.9-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2024-28757.patch can't find file to patch at input line 38 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 |From: Sebastian Pipping <[email protected]> |Date: Mon, 4 Mar 2024 23:49:06 +0100 |Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated | external parser | |When parsing DTD content with code like .. | | XML_Parser parser = XML_ParserCreate(NULL); | XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); | enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); | |.. there are 0 bytes accounted as direct input and all input from `doc` accounted |as indirect input. Now function accountingGetCurrentAmplification cannot calculate |the current amplification ratio as "(direct + indirect) / direct", and it did refuse |to divide by 0 as one would expect, but it returned 1.0 for this case to indicate |no amplification over direct input. As a result, billion laughs attacks from |DTD-only input were not detected with this isolated way of using an external parser. | |The new approach is to assume direct input of length not 0 but 22 -- derived from |ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external |DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". | |GitHub issue #839 has more details on this issue and its origin in ClusterFuzz |finding 66812. |--- |CVE: CVE-2024-28757 |Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454] |Signed-off-by: Ashish Sharma <[email protected]> |--- | expat/lib/xmlparse.c | 6 +++++- | 1 file changed, 5 insertions(+), 1 deletion(-) | |diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c |index b884d82b5..d44baa68d 100644 |--- a/expat/lib/xmlparse.c |+++ b/expat/lib/xmlparse.c -------------------------- No file to patch. Skipping patch. 2 out of 2 hunks ignored Patch CVE-2024-28757.patch does not apply (enforce with -f)
On Wed, Mar 13, 2024 at 10:03 AM Ashish Sharma via lists.openembedded.org <[email protected]> wrote: > > Upstream ref: > https://github.com/libexpat/libexpat/pull/842 > https://github.com/libexpat/libexpat/issues/839 > > Upstream-Status: Backport > [https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454] > Signed-off-by: Ashish Sharma <[email protected]> > --- > .../expat/expat/CVE-2024-28757.patch | 57 +++++++++++++++++++ > meta/recipes-core/expat/expat_2.2.9.bb | 1 + > 2 files changed, 58 insertions(+) > create mode 100644 meta/recipes-core/expat/expat/CVE-2024-28757.patch > > diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch > b/meta/recipes-core/expat/expat/CVE-2024-28757.patch > new file mode 100644 > index 0000000000..c4bdb4621a > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch > @@ -0,0 +1,57 @@ > +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 > +From: Sebastian Pipping <[email protected]> > +Date: Mon, 4 Mar 2024 23:49:06 +0100 > +Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated > + external parser > + > +When parsing DTD content with code like .. > + > + XML_Parser parser = XML_ParserCreate(NULL); > + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); > + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), > XML_TRUE); > + > +.. there are 0 bytes accounted as direct input and all input from `doc` > accounted > +as indirect input. Now function accountingGetCurrentAmplification cannot > calculate > +the current amplification ratio as "(direct + indirect) / direct", and it > did refuse > +to divide by 0 as one would expect, but it returned 1.0 for this case to > indicate > +no amplification over direct input. As a result, billion laughs attacks from > +DTD-only input were not detected with this isolated way of using an external > parser. > + > +The new approach is to assume direct input of length not 0 but 22 -- derived > from > +ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include > an external > +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := > 22". > + > +GitHub issue #839 has more details on this issue and its origin in > ClusterFuzz > +finding 66812. > +--- > +CVE: CVE-2024-28757 > +Upstream-Status: Backport > [https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454] > +Signed-off-by: Ashish Sharma <[email protected]> > +--- > + expat/lib/xmlparse.c | 6 +++++- > + 1 file changed, 5 insertions(+), 1 deletion(-) > + > +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c > +index b884d82b5..d44baa68d 100644 > +--- a/expat/lib/xmlparse.c > ++++ b/expat/lib/xmlparse.c > +@@ -7787,6 +7787,8 @@ copyString(const XML_Char *s, const > XML_Memory_Handling_Suite *memsuite) { > + > + static float > + accountingGetCurrentAmplification(XML_Parser rootParser) { > ++ // 1.........1.........12 => 22 > ++ const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1; > + const XmlBigCount countBytesOutput > + = rootParser->m_accounting.countBytesDirect > + + rootParser->m_accounting.countBytesIndirect; > +@@ -7794,7 +7796,9 @@ accountingGetCurrentAmplification(XML_Parser > rootParser) { > + = rootParser->m_accounting.countBytesDirect > + ? (countBytesOutput > + / (float)(rootParser->m_accounting.countBytesDirect)) > +- : 1.0f; > ++ : ((lenOfShortestInclude > ++ + rootParser->m_accounting.countBytesIndirect) > ++ / (float)lenOfShortestInclude); > + assert(! rootParser->m_parentParser); > + return amplificationFactor; > + } > diff --git a/meta/recipes-core/expat/expat_2.2.9.bb > b/meta/recipes-core/expat/expat_2.2.9.bb > index 8a5006e59a..ea50533ed9 100644 > --- a/meta/recipes-core/expat/expat_2.2.9.bb > +++ b/meta/recipes-core/expat/expat_2.2.9.bb > @@ -22,6 +22,7 @@ SRC_URI = > "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \ > file://libtool-tag.patch \ > file://CVE-2022-40674.patch \ > file://CVE-2022-43680.patch \ > + file://CVE-2024-28757.patch \ > " > > SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" > -- > 2.24.4 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#197139): https://lists.openembedded.org/g/openembedded-core/message/197139 Mute This Topic: https://lists.openembedded.org/mt/104913576/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
