Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426

Randy MacLeod Tue, 12 Mar 2024 05:27:56 -0700

On Tue, Mar 12, 2024, 03:58 Meenali Gupta via lists.openembedded.org
<meenali.gupta=windriver....@lists.openembedded.org> wrote:


> Hi Anuj,
>
> I have sent the upgrade to 2.6.0 , it includes the complete security fix
> for CVE-2023-52426 and CVE-2023-52425.
>

Unfortunately that update changes the so version number, so it isn't
acceptable for kirkstone.


  #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                    to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                    for what these numbers do


I think you will have to carefully back-port the two CVE fixes.

It looks like Debian devs may have already  back-ported at least one of
these CVs to version 2.5.0-x

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238

Thanks,

../Randy


> Regards
> Meenali
> ------------------------------
> *From:* Mittal, Anuj <anuj.mit...@intel.com>
> *Sent:* 11 March 2024 08:37
> *To:* Gupta, Meenali <meenali.gu...@windriver.com>;
> openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>
> *Subject:* Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe.
>
> On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via
> lists.openembedded.org wrote:
> > From: Meenali Gupta <meenali.gu...@windriver.com>
> >
> > A flaw was found in Expat (libexpat). If XML_DTD is undefined at
> > compile time, a recursive XML Entity
> > Expansion condition can be triggered. This issue may lead to a
> > condition where data is expanded exponentially,
> > which will quickly consume system resources and cause a denial of
> > service.
> >
> > Signed-off-by: Meenali Gupta <meenali.gu...@windriver.com>
> > ---
> >  .../expat/expat/CVE-2023-52426.patch          | 429
> > ++++++++++++++++++
> >  meta/recipes-core/expat/expat_2.5.0.bb        |   1 +
> >  2 files changed, 430 insertions(+)
> >  create mode 100644 meta/recipes-core/expat/expat/CVE-2023-
> > 52426.patch
> >
> > diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > new file mode 100644
> > index 0000000000..b78a8ee0dc
> > --- /dev/null
> > +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > @@ -0,0 +1,429 @@
> > +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00
> > 2001
> > +From: Sebastian Pipping <sebast...@pipping.org>
> > +Date: Thu, 26 Oct 2023 00:43:22 +0200
> > +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs
> > attack
> > + protection
> > +
> > +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
> > +
> > +CVE: CVE-2023-52426
> > +Upstream-Status: Backport
> > [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518
> > 2f8cca4703da0404]
>
> The PR that this commit is part of includes other commits as well. Is
> there any reason why only this is included or required?
>
> I didn't check in detail but as an example, it seems this commit uses
> EXPAT_GE which was introduced in an earlier commit in that PR:
>
>
> https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300
>
> So, is this supposed to work as intended?
>
> Thanks,
>
> Anuj
>
> > +
> > +Signed-off-by: Meenali Gupta <meenali.gu...@windriver.com>
> > +---
> > + CMakeLists.txt         |  8 ++++-
> > + lib/expat.h            |  8 +++--
> > + lib/internal.h         |  2 +-
> > + lib/libexpat.def.cmake |  4 +--
> > + lib/xmlparse.c         | 71 ++++++++++++++++++++++-----------------
> > ---
> > + xmlwf/xmlwf.c          | 18 ++++++-----
> > + 6 files changed, 62 insertions(+), 49 deletions(-)
> > +
> > +diff --git a/CMakeLists.txt b/CMakeLists.txt
> > +index 2b4c13c..183c5c2 100644
> > +--- a/CMakeLists.txt
> > ++++ b/CMakeLists.txt
> > +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS)
> > +             endif()
> > +         endmacro()
> > +
> > +-        _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
> > ++    if(EXPAT_DTD OR EXPAT_GE)
> > ++            set(_EXPAT_DTD_OR_GE TRUE)
> > ++        else()
> > ++            set(_EXPAT_DTD_OR_GE FALSE)
> > ++        endif()
> > ++
> > ++        _expat_def_file_toggle(_EXPAT_DTD_OR_GE
> > _EXPAT_COMMENT_DTD_OR_GE)
> > +         _expat_def_file_toggle(EXPAT_ATTR_INFO
> > _EXPAT_COMMENT_ATTR_INFO)
> > +
> > +
> > configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake"
> > "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
> > +diff --git a/lib/expat.h b/lib/expat.h
> > +index 1c83563..33c94af 100644
> > +--- a/lib/expat.h
> > ++++ b/lib/expat.h
> > +@@ -1038,13 +1038,15 @@ typedef struct {
> > + XMLPARSEAPI(const XML_Feature *)
> > + XML_GetFeatureList(void);
> > +
> > +-#ifdef XML_DTD
> > +-/* Added in Expat 2.4.0. */
> > ++#if defined(XML_DTD) || XML_GE == 1
> > ++/* Added in Expat 2.4.0 for XML_DTD defined and
> > ++ * added in Expat 2.6.0 for XML_GE == 1. */
> > + XMLPARSEAPI(XML_Bool)
> > + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > +     XML_Parser parser, float maximumAmplificationFactor);
> > +
> > +-/* Added in Expat 2.4.0. */
> > ++/* Added in Expat 2.4.0 for XML_DTD defined and
> > ++ * added in Expat 2.6.0 for XML_GE == 1. */
> > + XMLPARSEAPI(XML_Bool)
> > + XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > +     XML_Parser parser, unsigned long long
> > activationThresholdBytes);
> > +diff --git a/lib/internal.h b/lib/internal.h
> > +index e09f533..1851925 100644
> > +--- a/lib/internal.h
> > ++++ b/lib/internal.h
> > +@@ -154,7 +154,7 @@ extern "C" {
> > + void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
> > +                                                 const char
> > **fromLimRef);
> > +
> > +-#if defined(XML_DTD)
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser
> > parser);
> > + unsigned long long
> > testingAccountingGetCountBytesIndirect(XML_Parser parser);
> > + const char *unsignedCharToPrintable(unsigned char c);
> > +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
> > +index cf434a2..61a4f00 100644
> > +--- a/lib/libexpat.def.cmake
> > ++++ b/lib/libexpat.def.cmake
> > +@@ -75,5 +75,5 @@ EXPORTS
> > +   XML_SetHashSalt @67
> > + ; internal @68 removed with version 2.3.1
> > + ; added with version 2.4.0
> > +-@_EXPAT_COMMENT_DTD@
> > XML_SetBillionLaughsAttackProtectionActivationThreshold @69
> > +-@_EXPAT_COMMENT_DTD@
> > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
> > ++@_EXPAT_COMMENT_DTD_OR_GE@
> > XML_SetBillionLaughsAttackProtectionActivationThreshold @69
> > ++@_EXPAT_COMMENT_DTD_OR_GE@
> > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
> > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> > +index b6c2eca..e23441e 100644
> > +--- a/lib/xmlparse.c
> > ++++ b/lib/xmlparse.c
> > +@@ -408,7 +408,7 @@ enum XML_Account {
> > +   XML_ACCOUNT_NONE              /* i.e. do not account, was
> > accounted already */
> > + };
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + typedef unsigned long long XmlBigCount;
> > + typedef struct accounting {
> > +   XmlBigCount countBytesDirect;
> > +@@ -424,7 +424,7 @@ typedef struct entity_stats {
> > +   unsigned int maximumDepthSeen;
> > +   int debugLevel;
> > + } ENTITY_STATS;
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const
> > char *start,
> > +                                          const char *end, const
> > char **endPtr);
> > +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char
> > *encodingName,
> > +
> > + static void parserInit(XML_Parser parser, const XML_Char
> > *encodingName);
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + static float accountingGetCurrentAmplification(XML_Parser
> > rootParser);
> > + static void accountingReportStats(XML_Parser originParser, const
> > char *epilog);
> > + static void accountingOnAbort(XML_Parser originParser);
> > +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser
> > parser, ENTITY *entity,
> > +
> > + static XML_Parser getRootParserOf(XML_Parser parser,
> > +                                   unsigned int *outLevelDiff);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + static unsigned long getDebugLevel(const char *variableName,
> > +                                    unsigned long
> > defaultDebugLevel);
> > +@@ -703,7 +703,7 @@ struct XML_ParserStruct {
> > +   enum XML_ParamEntityParsing m_paramEntityParsing;
> > + #endif
> > +   unsigned long m_hash_secret_salt;
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   ACCOUNTING m_accounting;
> > +   ENTITY_STATS m_entity_stats;
> > + #endif
> > +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char
> > *encodingName) {
> > + #endif
> > +   parser->m_hash_secret_salt = 0;
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
> > +   parser->m_accounting.debugLevel =
> > getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
> > +   parser->m_accounting.maximumAmplificationFactor
> > +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) {
> > + #ifdef XML_ATTR_INFO
> > +       {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
> > + #endif
> > +-#ifdef XML_DTD
> > +-      /* Added in Expat 2.4.0. */
> > ++#if defined(XML_DTD) || XML_GE == 1
> > ++    /* Added in Expat 2.4.0 for XML_DTD defined and
> > ++     * added in Expat 2.6.0 for XML_GE == 1. */
> > +
> > {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_D
> > EFAULT,
> > +        XML_L("XML_BLAP_MAX_AMP"),
> > +        (long int)
> > +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) {
> > +   return features;
> > + }
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + XML_Bool XMLCALL
> > + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > +     XML_Parser parser, float maximumAmplificationFactor) {
> > +@@ -2559,7 +2560,7 @@
> > XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > +   parser->m_accounting.activationThresholdBytes =
> > activationThresholdBytes;
> > +   return XML_TRUE;
> > + }
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + /* Initially tag->rawName always points into the parse buffer;
> > +    for those TAG instances opened while the current parse buffer
> > was
> > +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser
> > parser, const char *start,
> > +   int tok = XmlContentTok(parser->m_encoding, start, end, &next);
> > +   switch (tok) {
> > +   case XML_TOK_BOM:
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, start, next,
> > __LINE__,
> > +                                   XML_ACCOUNT_DIRECT)) {
> > +       accountingOnAbort(parser);
> > +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> > +     }
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > +     /* If we are at the end of the buffer, this would cause the
> > next stage,
> > +        i.e. externalEntityInitProcessor3, to pass control directly
> > to
> > +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int
> > startTagLevel, const ENCODING *enc,
> > +   for (;;) {
> > +     const char *next = s; /* XmlContentTok doesn't always set the
> > last arg */
> > +     int tok = XmlContentTok(enc, s, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     const char *accountAfter
> > +         = ((tok == XML_TOK_TRAILING_RSQB) || (tok ==
> > XML_TOK_TRAILING_CR))
> > +               ? (haveMore ? s /* i.e. 0 bytes */ : end)
> > +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int
> > startTagLevel, const ENCODING *enc,
> > +       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
> > +           enc, s + enc->minBytesPerChar, next - enc-
> > >minBytesPerChar);
> > +       if (ch) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         /* NOTE: We are replacing 4-6 characters original input for
> > 1 character
> > +          *       so there is no amplification and hence recording
> > without
> > +          *       protection. */
> > +         accountingDiffTolerated(parser, tok, (char *)&ch,
> > +                                 ((char *)&ch) + sizeof(XML_Char),
> > __LINE__,
> > +                                 XML_ACCOUNT_ENTITY_EXPANSION);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +         if (parser->m_characterDataHandler)
> > +           parser->m_characterDataHandler(parser->m_handlerArg, &ch,
> > 1);
> > +         else if (parser->m_defaultHandler)
> > +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const
> > ENCODING *enc, const char **startPtr,
> > +   for (;;) {
> > +     const char *next = s; /* in case of XML_TOK_NONE or
> > XML_TOK_PARTIAL */
> > +     int tok = XmlCdataSectionTok(enc, s, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > account)) {
> > +       accountingOnAbort(parser);
> > +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> > +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const
> > ENCODING *enc, const char **startPtr,
> > +   *eventPP = s;
> > +   *startPtr = NULL;
> > +   tok = XmlIgnoreSectionTok(enc, s, end, &next);
> > +-#  ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > +                                 XML_ACCOUNT_DIRECT)) {
> > +     accountingOnAbort(parser);
> > +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int
> > isGeneralTextEntity, const char *s,
> > +   const XML_Char *storedversion = NULL;
> > +   int standalone = -1;
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next,
> > __LINE__,
> > +                                 XML_ACCOUNT_DIRECT)) {
> > +     accountingOnAbort(parser);
> > +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser,
> > const char *s, const char *end,
> > +     */
> > +     else if (tok == XML_TOK_BOM && next == end
> > +              && ! parser->m_parsingStatus.finalBuffer) {
> > +-#  ifdef XML_DTD
> > ++#  if defined(XML_DTD) || XML_GE == 1
> > +       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > +                                     XML_ACCOUNT_DIRECT)) {
> > +         accountingOnAbort(parser);
> > +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING
> > *enc, const char *s, const char *end,
> > +       }
> > +     }
> > +     role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     switch (role) {
> > +     case XML_ROLE_INSTANCE_START: // bytes accounted in
> > contentProcessor
> > +     case XML_ROLE_XML_DECL:       // bytes accounted in
> > processXmlDecl
> > +-    case XML_ROLE_TEXT_DECL:      // bytes accounted in
> > processXmlDecl
> > ++    #  ifdef XML_DTD
> > ++    case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
> > ++#  endif
> > +       break;
> > +     default:
> > +       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > account)) {
> > +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char
> > *s, const char *end,
> > +   for (;;) {
> > +     const char *next = NULL;
> > +     int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > +                                   XML_ACCOUNT_DIRECT)) {
> > +       accountingOnAbort(parser);
> > +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser,
> > ENTITY *entity, XML_Bool betweenDecl) {
> > +       return XML_ERROR_NO_MEMORY;
> > +   }
> > +   entity->open = XML_TRUE;
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   entityTrackingOnOpen(parser, entity, __LINE__);
> > + #endif
> > +   entity->processed = 0;
> > +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser,
> > ENTITY *entity, XML_Bool betweenDecl) {
> > +       entity->processed = (int)(next - textStart);
> > +       parser->m_processor = internalEntityProcessor;
> > +     } else {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +       entityTrackingOnClose(parser, entity, __LINE__);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +       entity->open = XML_FALSE;
> > +       parser->m_openInternalEntities = openEntity->next;
> > +       /* put openEntity back in list of free instances */
> > +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser,
> > const char *s, const char *end,
> > +     return result;
> > +   }
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   entityTrackingOnClose(parser, entity, __LINE__);
> > + #endif
> > +   entity->open = XML_FALSE;
> > +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const
> > ENCODING *enc, XML_Bool isCdata,
> > +     const char *next
> > +         = ptr; /* XmlAttributeValueTok doesn't always set the last
> > arg */
> > +     int tok = XmlAttributeValueTok(enc, ptr, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__,
> > account)) {
> > +       accountingOnAbort(parser);
> > +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> > +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser,
> > const ENCODING *enc, XML_Bool isCdata,
> > +       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
> > +           enc, ptr + enc->minBytesPerChar, next - enc-
> > >minBytesPerChar);
> > +       if (ch) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         /* NOTE: We are replacing 4-6 characters original input for
> > 1 character
> > +          *       so there is no amplification and hence recording
> > without
> > +          *       protection. */
> > +         accountingDiffTolerated(parser, tok, (char *)&ch,
> > +                                 ((char *)&ch) + sizeof(XML_Char),
> > __LINE__,
> > +                                 XML_ACCOUNT_ENTITY_EXPANSION);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +         if (! poolAppendChar(pool, ch))
> > +           return XML_ERROR_NO_MEMORY;
> > +         break;
> > +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser,
> > const ENCODING *enc, XML_Bool isCdata,
> > +         enum XML_Error result;
> > +         const XML_Char *textEnd = entity->textPtr + entity-
> > >textLen;
> > +         entity->open = XML_TRUE;
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         entityTrackingOnOpen(parser, entity, __LINE__);
> > + #endif
> > +         result = appendAttributeValue(parser, parser-
> > >m_internalEncoding,
> > +                                       isCdata, (const char
> > *)entity->textPtr,
> > +                                       (const char *)textEnd, pool,
> > +
> > XML_ACCOUNT_ENTITY_EXPANSION);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         entityTrackingOnClose(parser, entity, __LINE__);
> > + #endif
> > +         entity->open = XML_FALSE;
> > +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const
> > ENCODING *enc,
> > +         = entityTextPtr; /* XmlEntityValueTok doesn't always set
> > the last arg */
> > +     int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd,
> > &next);
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, entityTextPtr, next,
> > __LINE__,
> > +                                   account)) {
> > +       accountingOnAbort(parser);
> > +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const
> > XML_Memory_Handling_Suite *memsuite) {
> > +   return result;
> > + }
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +
> > + static float
> > + accountingGetCurrentAmplification(XML_Parser rootParser) {
> > +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) {
> > +   assert(0); /* never gets here */
> > + }
> > +
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + static unsigned long
> > + getDebugLevel(const char *variableName, unsigned long
> > defaultDebugLevel) {
> > +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
> > +index 471f2a2..be23f5a 100644
> > +--- a/xmlwf/xmlwf.c
> > ++++ b/xmlwf/xmlwf.c
> > +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) {
> > +             " (needs a floating point number greater or equal than
> > 1.0)"));
> > +         exit(XMLWF_EXIT_USAGE_ERROR);
> > +       }
> > +-#ifndef XML_DTD
> > +-      ftprintf(stderr, T("Warning: Given amplification limit
> > ignored") T(
> > +-                           ", xmlwf has been compiled without DTD
> > support.\n"));
> > ++#if ! defined(XML_DTD) && XML_GE == 0
> > ++      ftprintf(stderr,
> > ++               T("Warning: Given amplification limit ignored")
> > ++                   T(", xmlwf has been compiled without DTD/GE
> > support.\n"));
> > + #endif
> > +       break;
> > +     }
> > +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) {
> > +         exit(XMLWF_EXIT_USAGE_ERROR);
> > +       }
> > +       attackThresholdGiven = XML_TRUE;
> > +-#ifndef XML_DTD
> > +-      ftprintf(stderr, T("Warning: Given attack threshold ignored")
> > T(
> > +-                           ", xmlwf has been compiled without DTD
> > support.\n"));
> > ++#if ! defined(XML_DTD) && XML_GE == 0
> > ++      ftprintf(stderr,
> > ++               T("Warning: Given attack threshold ignored")
> > ++                   T(", xmlwf has been compiled without DTD/GE
> > support.\n"));
> > + #endif
> > +       break;
> > +     }
> > +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) {
> > +     }
> > +
> > +     if (attackMaximumAmplification != -1.0f) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +       XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > +           parser, attackMaximumAmplification);
> > + #endif
> > +     }
> > +     if (attackThresholdGiven) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +       XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > +           parser, attackThresholdBytes);
> > + #else
> > +--
> > +2.40.0
> > diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-
> > core/expat/expat_2.5.0.bb
> > index 7080f934d1..e427020534 100644
> > --- a/meta/recipes-core/expat/expat_2.5.0.bb
> > +++ b/meta/recipes-core/expat/expat_2.5.0.bb
> > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.',
> > '_')}"
> >
> >  SRC_URI =
> > "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_T
> > AG}/expat-${PV}.tar.bz2  \
> >             file://run-ptest \
> > +           file://CVE-2023-52426.patch \
> >             "
> >
> >  UPSTREAM_CHECK_URI =
> > "https://github.com/libexpat/libexpat/releases/";
> >
> >
> >
>
>
> 
>
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196976): 
https://lists.openembedded.org/g/openembedded-core/message/196976
Mute This Topic: https://lists.openembedded.org/mt/104800121/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426

Reply via email to