On Wed, Mar 31, 2021 at 6:33 AM Neetika.Singh <neetika.si...@kpit.com> wrote: > > From: Neetika Singh <neetika.si...@kpit.com> > > Added refreshed patch for CVE issue CVE-2020-12825 > Link: > https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25 > > Signed-off-by: Neetika.Singh <neetika.si...@kpit.com> > --- > .../libcroco/libcroco/CVE-2020-12825.patch | 192 > +++++++++++++++++++++ > meta/recipes-support/libcroco/libcroco_0.6.13.bb | 22 +++ > 2 files changed, 214 insertions(+) > create mode 100644 > meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch > create mode 100644 meta/recipes-support/libcroco/libcroco_0.6.13.bb >
sadly this patch is still not right. as I mentioned before libcroco recipe already exists in oe-core but this patch seem to be adding it, which tells me that its not being rebased on top of master branch of upstream oe-core. > diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch > b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch > new file mode 100644 > index 0000000..fea1765 > --- /dev/null > +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch 
> @@ -0,0 +1,192 @@ > +From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001 > +From: Michael Catanzaro <mcatanz...@gnome.org> > +Date: Thu, 13 Aug 2020 20:03:05 -0500 > +Subject: [PATCH] libcroco parser: limit recursion in block and any > productions > + > +If we don't have any limits, we can recurse forever and overflow the > +stack. > + > +This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core > +in cr-parser.c. > + > +Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8 > +Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5 > + > +CVE: CVE-2020-12825 > +Upstream Status: Backport > [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch] > + > +Signed-off-by: Neetika.Singh <neetika.si...@kpit.com> > +--- > + src/cr-parser.c | 44 ++++++++++++++++++++----------- > + 1 file changed, 29 insertions(+), 15 deletions(-) > + > +diff --git a/src/cr-parser.c b/src/cr-parser.c > +index d85e71f0fc..cd7b6ebd4a 100644 > +--- a/src/cr-parser.c > ++++ b/src/cr-parser.c > +@@ -136,6 +136,8 @@ struct _CRParserPriv { > + > + #define CHARS_TAB_SIZE 12 > + > ++#define RECURSIVE_CALLERS_LIMIT 100 > ++ > + /** > + * IS_NUM: > + *@a_char: the char to test. 
> +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core > (CRParser * a_this); > + > + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this); > + > +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this); > ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this, > ++ guint n_calls); > + > +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this); > ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this, > ++ guint n_calls); > + > + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this); > + > +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) > + cr_parser_try_to_skip_spaces_and_comments (a_this); > + > + do { > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, 0); > + } while (status == CR_OK); > + > + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, > +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) > + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, > + token); > + token = NULL; > +- status = cr_parser_parse_block_core (a_this); > ++ status = cr_parser_parse_block_core (a_this, 0); > + CHECK_PARSING_STATUS (status, > + FALSE); > + goto done; > +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this) > + > + RECORD_INITIAL_POS (a_this, &init_pos); > + > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, 0); > + CHECK_PARSING_STATUS (status, FALSE); > + > + do { > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, 0); > + > + } while (status == CR_OK); > + > +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this) > + *in chapter 4.1 of the css2 spec. > + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*; > + *@param a_this the current instance of #CRParser. > ++ *@param n_calls used to limit recursion depth > + *FIXME: code this function. 
> + */ > + static enum CRStatus > +-cr_parser_parse_block_core (CRParser * a_this) > ++cr_parser_parse_block_core (CRParser * a_this, > ++ guint n_calls) > + { > + CRToken *token = NULL; > + CRInputPos init_pos; > +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this) > + > + g_return_val_if_fail (a_this && PRIVATE (a_this), > CR_BAD_PARAM_ERROR); > + > ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) > ++ return CR_ERROR; > ++ > + RECORD_INITIAL_POS (a_this, &init_pos); > + > + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token); > +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this) > + } else if (token->type == CBO_TK) { > + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); > + token = NULL; > +- status = cr_parser_parse_block_core (a_this); > ++ status = cr_parser_parse_block_core (a_this, n_calls + 1); > + CHECK_PARSING_STATUS (status, FALSE); > + goto parse_block_content; > + } else { > + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); > + token = NULL; > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); > + CHECK_PARSING_STATUS (status, FALSE); > + goto parse_block_content; > + } > +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this) > + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, > + token); > + token = NULL; > +- status = cr_parser_parse_block_core (a_this); > ++ status = cr_parser_parse_block_core (a_this, 0); > + CHECK_PARSING_STATUS (status, FALSE); > + ref++; > + goto continue_parsing; > +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this) > + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, > + token); > + token = NULL; > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, 0); > + if (status == CR_OK) { > + ref++; > + goto continue_parsing; > +@@ -1162,10 +1162,12 @@ > + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*; > + * > + *@param 
a_this the current instance of #CRParser. > ++ *@param n_calls used to limit recursion depth > + *@return CR_OK upon successfull completion, an error code otherwise. > + */ > + static enum CRStatus > +-cr_parser_parse_any_core (CRParser * a_this) > ++cr_parser_parse_any_core (CRParser * a_this, > ++ guint n_calls) > + { > + CRToken *token1 = NULL, > + *token2 = NULL; > +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this) > + > + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR); > + > ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) > ++ return CR_ERROR; > ++ > + RECORD_INITIAL_POS (a_this, &init_pos); > + > + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1); > +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this) > + *We consider parameter as being an "any*" production. > + */ > + do { > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, n_calls > + 1); > + } while (status == CR_OK); > + > + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); > +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this) > + } > + > + do { > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, n_calls > + 1); > + } while (status == CR_OK); > + > + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); > +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this) > + } > + > + do { > +- status = cr_parser_parse_any_core (a_this); > ++ status = cr_parser_parse_any_core (a_this, n_calls > + 1); > + } while (status == CR_OK); > + > + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); > +-- > +GitLab > diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb > b/meta/recipes-support/libcroco/libcroco_0.6.13.bb > new file mode 100644 > index 0000000..fd5927e > --- /dev/null > +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb 
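Review bot: The depth guard `if (n_calls > RECURSIVE_CALLERS_LIMIT) return CR_ERROR;` added to cr_parser_parse_block_core and cr_parser_parse_any_core (the `@@ -966` and `@@ -1173` hunks of the embedded cr-parser.c patch) carries no comment, and a reader cannot tell that returning CR_ERROR rather than CR_PARSING_ERROR is deliberate: the enclosing `do { ... } while (status == CR_OK)` loops are followed by `ENSURE_PARSING_COND (status == CR_PARSING_ERROR)`, so CR_PARSING_ERROR is the normal end of an `any*` run while CR_ERROR presumably aborts the whole parse, which is what keeps over-nested input from being silently accepted. I would put `/* Abort the parse once block/any nesting exceeds RECURSIVE_CALLERS_LIMIT; CR_ERROR on purpose, so callers do not mistake it for the end of a production (CVE-2020-12825). */` above each guard, and a one-line comment on the `#define` in the `@@ -136` hunk stating that it bounds parser nesting depth, not input size. The counter restarts at 0 where cr_parser_parse_atrule_core, cr_parser_parse_selector_core and cr_parser_parse_value_core enter the guarded functions; that is only sound if none of those three is reachable from cr_parser_parse_block_core or cr_parser_parse_any_core, which the visible hunks suggest but do not prove and should be checked against the full cr-parser.c. Separately, the patch header spells the tag `Upstream Status: Backport`; oe-core's patch conventions and tooling expect the hyphenated `Upstream-Status: Backport [...]`. The bodies of both guarded functions continue outside the hunks shown.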
> @@ -0,0 +1,22 @@ > +SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit" > +HOMEPAGE = "http://www.gnome.org/" > +BUGTRACKER = "https://bugzilla.gnome.org/" > + > +LICENSE = "LGPLv2 & LGPLv2.1" > +LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \ > + > file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \ > + > file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e" > + > +SECTION = "x11/utils" > +DEPENDS = "glib-2.0 libxml2 zlib" > +BBCLASSEXTEND = "native nativesdk" > +EXTRA_OECONF += "--enable-Bsymbolic=auto" > + > +BINCONFIG = "${bindir}/croco-0.6-config" > + > +inherit gnomebase gtk-doc binconfig-disabled > + > +SRC_URI += "file://CVE-2020-12825.patch" > + > +SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce" > +SRC_URI[archive.sha256sum] = > "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4" > -- > 2.7.4 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails.