[OE-core][dunfell 06/14] libxml2: Add fix for CVE-2016-3709

Steve Sakoman Mon, 29 Aug 2022 14:03:03 -0700

From: Pawan Badganchi <badganch...@gmail.com>

Add below patch to fix CVE-2016-3709


CVE-2016-3709.patch
Link: 
https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f

Signed-off-by: Pawan Badganchi<pawan.badgan...@kpit.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 .../libxml/libxml2/CVE-2016-3709.patch        | 89 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
new file mode 100644
index 0000000000..5301d05323
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+  https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport 
[https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <pawan.badgan...@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr 
doc, xmlAttrPtr cur,
+                (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+                ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+                 (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++              xmlChar *escaped;
+               xmlChar *tmp = value;
+-              /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+-              xmlBufCCat(buf->buffer, "\"");
+
+               while (IS_BLANK_CH(*tmp)) tmp++;
+
+-              /* URI Escape everything, except server side includes. */
+-              for ( ; ; ) {
+-                  xmlChar *escaped;
+-                  xmlChar endChar;
+-                  xmlChar *end = NULL;
+-                  xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+-                  if (start != NULL) {
+-                      end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+-                      if (end != NULL) {
+-                          *start = '\0';
+-                      }
+-                  }
+-
+-                  /* Escape the whole string, or until start (set to '\0'). */
+-                  escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+-                  if (escaped != NULL) {
+-                      xmlBufCat(buf->buffer, escaped);
+-                      xmlFree(escaped);
+-                  } else {
+-                      xmlBufCat(buf->buffer, tmp);
+-                  }
+-
+-                  if (end == NULL) { /* Everything has been written. */
+-                      break;
+-                  }
+-
+-                  /* Do not escape anything within server side includes. */
+-                  *start = '<'; /* Restore the first character of "<!--". */
+-                  end += 3; /* strlen("-->") */
+-                  endChar = *end;
+-                  *end = '\0';
+-                  xmlBufCat(buf->buffer, start);
+-                  *end = endChar;
+-                  tmp = end;
++              /*
++               * the < and > have already been escaped at the entity level
++               * And doing so here breaks server side includes
++               */
++              escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++              if (escaped != NULL) {
++                  xmlBufWriteQuotedString(buf->buffer, escaped);
++                  xmlFree(escaped);
++              } else {
++                  xmlBufWriteQuotedString(buf->buffer, value);
+               }
+-
+-              xmlBufCCat(buf->buffer, "\"");
+           } else {
+               xmlBufWriteQuotedString(buf->buffer, value);
+           }
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index d1c1f0884f..dc62991739 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -33,6 +33,7 @@ SRC_URI += 
"http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
            file://CVE-2022-29824-dependent.patch \
            file://CVE-2022-29824.patch \
            file://0001-Port-gentest.py-to-Python-3.patch \
+           file://CVE-2016-3709.patch \
            "
 
 SRC_URI[archive.sha256sum] = 
"593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
-- 
2.25.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#170031): 
https://lists.openembedded.org/g/openembedded-core/message/170031
Mute This Topic: https://lists.openembedded.org/mt/93336008/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell 06/14] libxml2: Add fix for CVE-2016-3709

Reply via email to