Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
new file mode 100644
index 0000000000..de5fc0e8cb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
+CVE: CVE-2021-3518
+
+[OP: adjusted context]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 6ec5d31..b8eebcc 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.23.0
+ |
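Review bot: The `[OP: adjusted context]` line in the patch header does not say what was adjusted or which libxml2 release the inner hunk at `@@ -2387,9 +2387,8 @@` was rebased onto, which makes this backport hard to audit against the upstream commit named in Upstream-Status. I would extend it to something like `[OP: adjusted context only, no functional change versus upstream]`, if that is in fact the case. The subject reads `PATCH 2/2` and this page is limited to the one file, so the companion patch and the recipe's SRC_URI entry are not visible here; both need to be present for the `CVE: CVE-2021-3518` tag to reflect a complete fix. The body of xmlXIncludeDoProcess continues outside the inner hunk, so the claim that only document and element nodes are now descended into can be checked only for this branch.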