code.ossystems Code Review - openembedded-core.git/commit
libxml2: Fix CVE-2021-3518
author Tony Tascioglu <tony.tascioglu@windriver.com>
Thu, 20 May 2021 21:45:40 +0000 (17:45 -0400)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Sat, 22 May 2021 09:57:24 +0000 (10:57 +0100)
commit 6c59d33ee158129d5c0cca3cce65824f9bc4e7e3
tree 8476ce590c1c64e9ea183c168e57fee552c72147
parent 6d69f7453f78dcb19f472dcea183e859648c5243
libxml2: Fix CVE-2021-3518

This patch fixes CVE-2021-3518. The fix for the CVE is the
following 3 lines in 1098c30a:

   -                   (cur->children->type != XML_ENTITY_DECL) &&
   -                   (cur->children->type != XML_XINCLUDE_START) &&
   -                   (cur->children->type != XML_XINCLUDE_END)) {
   +                   ((cur->type == XML_DOCUMENT_NODE) ||
   +                    (cur->type == XML_ELEMENT_NODE))) {
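
Review bot: the quoted excerpt starts mid-condition, so the opening of the `if` and the statement it guards are not visible, and "the following 3 lines" is ambiguous against three removed and two added lines. Suggest quoting the condition from its first line, and adding one sentence on why replacing the three `cur->children->type` exclusions with a `cur->type` test that admits only XML_DOCUMENT_NODE and XML_ELEMENT_NODE closes the bug, so the backport can be audited without opening 1098c30a.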

This relies on an updated version of xinclude.c from upstream which
also adds several new tests. Those changes are brought in first so
that the CVE patch can be applied cleanly.

The first patch updates xinclude.c and adds the new tests from
upstream, and the second applies the fix for the CVE.

CVE: CVE-2021-3518
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch [new file with mode: 0644]
meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch [new file with mode: 0644]
meta/recipes-core/libxml/libxml2_2.9.10.bb