code.ossystems Code Review - openembedded-core.git/commit
expat: fix CVE-2022-25313
author Steve Sakoman <steve@sakoman.com> Mon, 28 Feb 2022 15:43:58 +0000 (05:43 -1000)
committer Steve Sakoman <steve@sakoman.com> Thu, 3 Mar 2022 17:42:48 +0000 (07:42 -1000)
commit 8105700b1d6d23c87332f453bdc7379999bb4b03
tree 5238833316db74426638d71f71f711e107df524a
parent 72ab213c128ef75669447eadcae8219a9f87f941
expat: fix CVE-2022-25313

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack
exhaustion in build_model via a large nesting depth in the DTD element.

Backport patch from:
https://github.com/libexpat/libexpat/pull/558/commits/9b4ce651b26557f16103c3a366c91934ecd439ab

Also add a patch which fixes a regression introduced in the above fix:
https://github.com/libexpat/libexpat/pull/566

CVE: CVE-2022-25313

Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch [new file with mode: 0644]
meta/recipes-core/expat/expat/CVE-2022-25313.patch [new file with mode: 0644]
meta/recipes-core/expat/expat_2.2.9.bb
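The commit message describes the defect (stack exhaustion reached through element declarations in a DTD) but not what an application that embeds expat can do while waiting for the backport. The following is an added illustration, not code from openembedded-core or libexpat: it uses only the Python standard-library binding `xml.parsers.expat` and shows a caller-side policy that refuses any document carrying a DOCTYPE, so element declarations are never processed. This is separate from the upstream fix (which reworked `build_model` itself); the version helper is included with the caveat that distribution backports such as this one keep the old version string, so a version number alone proves nothing. The sample documents are constructed for the example.

```python
"""Defensive expat usage: refuse documents that carry a DTD.

Added example (not from openembedded-core or libexpat). Assumes only the
Python standard library. The policy is: if a DOCTYPE appears, abort before
any declaration inside it is parsed. Applications that do not need DTDs
lose nothing by doing this.
"""
import xml.parsers.expat as expat


class DoctypeRejected(Exception):
    """Raised from inside a handler to abort parsing when a DOCTYPE is seen."""


def parse_without_dtd(data: bytes) -> list:
    """Parse `data` and return the start-element names seen, in order.

    Raises DoctypeRejected as soon as a DOCTYPE begins, which is before the
    internal subset (and therefore any <!ELEMENT ...> declaration) is read.
    Raises expat.ExpatError for documents that are not well-formed.
    """
    parser = expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised in a handler propagates out of parser.Parse().
        raise DoctypeRejected(f"document declares a DTD ({name!r}); refusing to parse")

    def on_start(name, attrs):
        seen.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # isfinal=True: the whole document is in `data`
    return seen


def check_document(data: bytes) -> dict:
    """Wrap parse_without_dtd() into a decision record for callers/logging."""
    try:
        return {"accepted": True, "elements": parse_without_dtd(data), "reason": ""}
    except DoctypeRejected as exc:
        return {"accepted": False, "elements": [], "reason": str(exc)}
    except expat.ExpatError as exc:
        return {"accepted": False, "elements": [], "reason": f"not well-formed: {exc}"}


def expat_version_looks_fixed(version_info=expat.version_info) -> bool:
    """Upstream shipped the fix in 2.4.5. Treat this only as a hint: a
    distribution backport (this very commit patches 2.2.9) keeps the old
    version string, so a False here does not mean the library is vulnerable."""
    return tuple(version_info) >= (2, 4, 5)


# Constructed sample inputs for the example.
SAMPLE_PLAIN = b'<?xml version="1.0"?><doc><item>1</item></doc>'

# A DOCTYPE with a (shallow) nested content-model group. The policy above
# rejects it at "<!DOCTYPE" and never looks at the ELEMENT declaration.
SAMPLE_WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ELEMENT doc ((a))>
  <!ELEMENT a (#PCDATA)>
]>
<doc><a>x</a></doc>"""


if __name__ == "__main__":
    print("expat version:", expat.EXPAT_VERSION, "looks fixed:", expat_version_looks_fixed())
    for label, sample in (("plain", SAMPLE_PLAIN), ("with-dtd", SAMPLE_WITH_DTD)):
        print(label, "->", check_document(sample))
```

Because the rejection happens in the DOCTYPE start handler, the internal subset is never tokenised, so the depth of any content-model nesting inside it is irrelevant to this parser. Log the `reason` field: a sudden rise in DTD rejections from an interface that never legitimately carries DTDs is worth an alert on its own.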