From d8c044f58438ba49e95dae8734d3ace6683c976a Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sun, 18 Sep 2022 12:23:14 +0200 Subject: [PATCH] package/expat: fix CVE-2022-40674 libexpat before 2.4.9 (which is still not released) has a use-after-free in the doContent function in xmlparse.c. Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN --- ...re-safe-exiting-internalEntityParser.patch | 53 +++++++++++++++++++ package/expat/expat.mk | 3 ++ 2 files changed, 56 insertions(+) create mode 100644 package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch diff --git a/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch b/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch new file mode 100644 index 0000000000..ca86e85115 --- /dev/null +++ b/package/expat/0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch @@ -0,0 +1,53 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +[Retrieved from: +https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b] +Signed-off-by: Fabrice Fontaine +--- + expat/lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 7bcabf7f4..d73f419cf 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/package/expat/expat.mk b/package/expat/expat.mk index e89de81da7..61735a5fdb 100644 --- a/package/expat/expat.mk +++ b/package/expat/expat.mk @@ -13,6 +13,9 @@ EXPAT_LICENSE_FILES = COPYING EXPAT_CPE_ID_VENDOR = libexpat_project EXPAT_CPE_ID_PRODUCT = libexpat +# 0001-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch +EXPAT_IGNORE_CVES += CVE-2022-40674 + EXPAT_CONF_OPTS = \ --without-docbook --without-examples --without-tests --without-xmlwf HOST_EXPAT_CONF_OPTS = --without-docbook --without-examples --without-tests