aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHitendra Prajapati <hprajapati@mvista.com>2022-08-02 09:46:07 +0530
committerArmin Kuster <akuster808@gmail.com>2022-08-02 06:56:16 -0700
commit2dfc34aa062228f8c89a1d8110984bffd0505ef8 (patch)
treeffe8260c09369e674fb8f6c8596cdd5f9128326c
parent13d8997a44131615c2c23559be990c6a5dfc32ba (diff)
downloadmeta-openembedded-contrib-2dfc34aa062228f8c89a1d8110984bffd0505ef8.tar.gz
meta-openembedded-contrib-2dfc34aa062228f8c89a1d8110984bffd0505ef8.tar.bz2
meta-openembedded-contrib-2dfc34aa062228f8c89a1d8110984bffd0505ef8.zip
python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service
Source: https://github.com/lxml/lxml MR: 119399 Type: Security Fix Disposition: Backport from https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777 Description: CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
-rw-r--r--meta-python/recipes-devtools/python/python-lxml.inc2
-rw-r--r--meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch94
2 files changed, 96 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc
index 05b5eae462..0276a3e81a 100644
--- a/meta-python/recipes-devtools/python/python-lxml.inc
+++ b/meta-python/recipes-devtools/python/python-lxml.inc
@@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \
DEPENDS += "libxml2 libxslt"
+SRC_URI += "file://CVE-2022-2309.patch"
+
SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11"
SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60"
diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
new file mode 100644
index 0000000000..ff3fcee6e2
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
@@ -0,0 +1,94 @@
+From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 29 Jul 2022 10:16:59 +0530
+Subject: [PATCH] CVE-2022-2309
+
+Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f]
+CVE: CVE-2022-2309
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/lxml/apihelpers.pxi | 7 ++++---
+ src/lxml/iterparse.pxi | 11 ++++++-----
+ src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
+index 5eb3416..88a031d 100644
+--- a/src/lxml/apihelpers.pxi
++++ b/src/lxml/apihelpers.pxi
+@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
+ while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- prefix = funicodeOrNone(c_ns.prefix)
+- if prefix not in nsmap:
+- nsmap[prefix] = funicodeOrNone(c_ns.href)
++ if c_ns.prefix or c_ns.href:
++ prefix = funicodeOrNone(c_ns.prefix)
++ if prefix not in nsmap:
++ nsmap[prefix] = funicodeOrNone(c_ns.href)
+ c_ns = c_ns.next
+ c_node = c_node.parent
+ return nsmap
+diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
+index 4c20506..3da7485 100644
+--- a/src/lxml/iterparse.pxi
++++ b/src/lxml/iterparse.pxi
+@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node):
+ count = 0
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- count += 1
++ count += (c_ns.href is not NULL)
+ c_ns = c_ns.next
+ return count
+
+@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
+ count = 0
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
+- funicode(c_ns.href))
+- event_list.append( (u"start-ns", ns_tuple) )
+- count += 1
++ if c_ns.href:
++ ns_tuple = (funicodeOrEmpty(c_ns.prefix),
++ funicode(c_ns.href))
++ event_list.append( (u"start-ns", ns_tuple) )
++ count += 1
+ c_ns = c_ns.next
+ return count
+diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
+index b997e4d..69e1bf1 100644
+--- a/src/lxml/tests/test_etree.py
++++ b/src/lxml/tests/test_etree.py
+@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase):
+ [1,2,1,4],
+ counts)
+
++ def test_walk_after_parse_failure(self):
++ # This used to be an issue because libxml2 can leak empty namespaces
++ # between failed parser runs. iterwalk() failed to handle such a tree.
++ try:
++ etree.XML('''<anot xmlns="1">''')
++ except etree.XMLSyntaxError:
++ pass
++ else:
++ assert False, "invalid input did not fail to parse"
++
++ et = etree.XML('''<root> </root>''')
++ try:
++ ns = next(etree.iterwalk(et, events=('start-ns',)))
++ except StopIteration:
++ # This would be the expected result, because there was no namespace
++ pass
++ else:
++ # This is a bug in libxml2
++ assert not ns, repr(ns)
++
+ def test_itertext_comment_pi(self):
+ # https://bugs.launchpad.net/lxml/+bug/1844674
+ XML = self.etree.XML
+--
+2.25.1
+