From: Peter Marko <[email protected]> Take patch from Debian: https://salsa.debian.org/debian/tinyxml/-/commit/38db99c12e43d7d6e349403ce4d39a706708603d
Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Khem Raj <[email protected]> (cherry picked from commit 066cf35ae588ef5f81266b216624b95d37777661) [Fixup for styhead context] Signed-off-by: Armin Kuster <[email protected]> --- .../libtinyxml/CVE-2021-42260.patch | 27 +++++++++++++++++++ .../libtinyxml/libtinyxml_2.6.2.bb | 4 ++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch diff --git a/meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch b/meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch new file mode 100644 index 0000000000..8fc623744c --- /dev/null +++ b/meta-oe/recipes-support/libtinyxml/libtinyxml/CVE-2021-42260.patch @@ -0,0 +1,27 @@ +Description: In stamp always advance the pointer if *p= 0xef + . + The current implementation only advanced if 0xef is followed + by two non-zero bytes. In case of malformed input (0xef should be + the start byte of a three byte character) this leads to an infinite + loop. (CVE-2021-42260) +Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/ + +CVE: CVE-2021-42260 +Upstream-Status: Inactive-Upstream [lastrelease: 2011] +Signed-off-by: Peter Marko <[email protected]> + +--- a/tinyxmlparser.cpp ++++ b/tinyxmlparser.cpp +@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding ) + else + { p +=3; ++col; } // A normal character. + } ++ else ++ { ++ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so ++ // there is something wrong here. Just advance the pointer to evade infinite loops ++ ++p; ++ } + } + else + { diff --git a/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb b/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb index 2a7ca30a9d..9ab92012f4 100644 --- a/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb +++ b/meta-oe/recipes-support/libtinyxml/libtinyxml_2.6.2.bb @@ -10,7 +10,9 @@ CVE_PRODUCT = "tinyxml" SRC_URI = "${SOURCEFORGE_MIRROR}/tinyxml/tinyxml_${@'${PV}'.replace('.', '_')}.tar.gz \ file://enforce-use-stl.patch \ - file://entity-encoding.patch" + file://entity-encoding.patch \ + file://CVE-2021-42260.patch \ +" SRC_URI[md5sum] = "c1b864c96804a10526540c664ade67f0" SRC_URI[sha256sum] = "15bdfdcec58a7da30adc87ac2b078e4417dbe5392f3afb719f9ba6d062645593" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#115087): https://lists.openembedded.org/g/openembedded-devel/message/115087 Mute This Topic: https://lists.openembedded.org/mt/110810771/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
