From 1699293a7011797895c284d6ad664c66badba426 Mon Sep 17 00:00:00 2001 From: Steve Sakoman Date: Wed, 21 Jul 2021 07:12:14 -1000 Subject: [PATCH] libxml2: fix CVE-2021-3541 A flaw was found in libxml2. Exponential entity expansion attack is possible bypassing all existing protection mechanisms and leading to denial of service. https://nvd.nist.gov/vuln/detail/CVE-2021-3541 CVE: 2021-3541 Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2021-3541.patch | 73 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch new file mode 100644 index 0000000000..1f392b4cd7 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch @@ -0,0 +1,73 @@ +From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 13 May 2021 14:55:12 +0200 +Subject: [PATCH] Patch for security issue CVE-2021-3541 + +This is relapted to parameter entities expansion and following +the line of the billion laugh attack. Somehow in that path the +counting of parameters was missed and the normal algorithm based +on entities "density" was useless. + +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e] +CVE: CVE-2021-3541 +Signed-off-by: Steve Sakoman + +--- + parser.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/parser.c b/parser.c +index f5e5e169..c9312fa4 100644 +--- a/parser.c ++++ b/parser.c +@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + xmlEntityPtr ent, size_t replacement) + { + size_t consumed = 0; ++ int i; + + if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) + return (0); +@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + rep = NULL; + } + } ++ ++ /* ++ * Prevent entity exponential check, not just replacement while ++ * parsing the DTD ++ * The check is potentially costly so do that only once in a thousand ++ */ ++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) && ++ (ctxt->nbentities % 1024 == 0)) { ++ for (i = 0;i < ctxt->inputNr;i++) { ++ consumed += ctxt->inputTab[i]->consumed + ++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base); ++ } ++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ ctxt->instate = XML_PARSER_EOF; ++ return (1); ++ } ++ consumed = 0; ++ } ++ ++ ++ + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + xmlChar start[4]; + xmlCharEncoding enc; + ++ if (xmlParserEntityCheck(ctxt, 0, entity, 0)) ++ return; ++ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && +-- +GitLab + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index b5fb3e6315..60dc71f38d 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2021-3517.patch \ file://CVE-2021-3537.patch \ file://CVE-2021-3518.patch \ + file://CVE-2021-3541.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.40.1