On Fri, Aug 9, 2024 at 5:39 AM aszh07 via lists.openembedded.org <mail2szahir=gmail....@lists.openembedded.org> wrote: > > libexpat through 2.5.0 allows a denial of service > (resource consumption) because many full reparsings > are required in the case of a large token for which > multiple buffer fills are needed. > > References: > https://security-tracker.debian.org/tracker/CVE-2023-52425 > https://ubuntu.com/security/CVE-2023-52425 > https://packages.ubuntu.com/mantic/expat > https://github.com/libexpat/libexpat/pull/789 > > Signed-off-by: Bindu Bhabu <bhabu.bi...@kpit.com> > --- > .../expat/expat/CVE-2023-52425.patch | 581 ++++++++++++++++++ > meta/recipes-core/expat/expat_2.5.0.bb | 1 + > 2 files changed, 582 insertions(+) > create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425.patch > > diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425.patch > b/meta/recipes-core/expat/expat/CVE-2023-52425.patch > new file mode 100644 > index 0000000000..00bc464173 > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2023-52425.patch > @@ -0,0 +1,581 @@ > +Backport of https://github.com/libexpat/libexpat/pull/789 > + > +From 9cdf9b8d77d5c2c2a27d15fb68dd3f83cafb45a1 Mon Sep 17 00:00:00 2001 > +From: Snild Dolkow <sn...@sony.com> > +Date: Thu, 17 Aug 2023 16:25:26 +0200 > +Subject: [PATCH] Skip parsing after repeated partials on the same token > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +When the parse buffer contains the starting bytes of a token but not > +all of them, we cannot parse the token to completion. We call this a > +partial token. When this happens, the parse position is reset to the > +start of the token, and the parse() call returns. The client is then > +expected to provide more data and call parse() again. > + > +In extreme cases, this means that the bytes of a token may be parsed > +many times: once for every buffer refill required before the full token > +is present in the buffer. > + > +Math: > + Assume there's a token of T bytes > + Assume the client fills the buffer in chunks of X bytes > + We'll try to parse X, 2X, 3X, 4X ... until mX == T (technically >=) > + That's (m²+m)X/2 = (T²/X+T)/2 bytes parsed (arithmetic progression) > + While it is alleviated by larger refills, this amounts to O(T²) > + > +Expat grows its internal buffer by doubling it when necessary, but has > +no way to inform the client about how much space is available. Instead, > +we add a heuristic that skips parsing when we've repeatedly stopped on > +an incomplete token. Specifically: > + > + * Only try to parse if we have a certain amount of data buffered > + * Every time we stop on an incomplete token, double the threshold > + * As soon as any token completes, the threshold is reset > + > +This means that when we get stuck on an incomplete token, the threshold > +grows exponentially, effectively making the client perform larger buffer > +fills, limiting how many times we can end up re-parsing the same bytes. > + > +Math: > + Assume there's a token of T bytes > + Assume the client fills the buffer in chunks of X bytes > + We'll try to parse X, 2X, 4X, 8X ... until (2^k)X == T (or larger) > + That's (2^(k+1)-1)X bytes parsed -- e.g. 15X if T = 8X > + This is equal to 2T-X, which amounts to O(T) > + > +We could've chosen a faster growth rate, e.g. 4 or 8. Those seem to > +increase performance further, at the cost of further increasing the > +risk of growing the buffer more than necessary. This can easily be > +adjusted in the future, if desired. > + > +This is all completely transparent to the client, except for: > +1. possible delay of some callbacks (when our heuristic overshoots) > +2. apps that never do isFinal=XML_TRUE could miss data at the end > + > +For the affected testdata, this change shows a 100-400x speedup. > +The recset.xml benchmark shows no clear change either way. > + > +Before: > +benchmark -n ../testdata/largefiles/recset.xml 65535 3 > + 3 loops, with buffer size 65535. Average time per loop: 0.270223 > +benchmark -n ../testdata/largefiles/aaaaaa_attr.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 15.033048 > +benchmark -n ../testdata/largefiles/aaaaaa_cdata.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.018027 > +benchmark -n ../testdata/largefiles/aaaaaa_comment.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 11.775362 > +benchmark -n ../testdata/largefiles/aaaaaa_tag.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 11.711414 > +benchmark -n ../testdata/largefiles/aaaaaa_text.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.019362 > + > +After: > +./run.sh benchmark -n ../testdata/largefiles/recset.xml 65535 3 > + 3 loops, with buffer size 65535. Average time per loop: 0.269030 > +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_attr.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.044794 > +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_cdata.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.016377 > +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_comment.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.027022 > +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_tag.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.099360 > +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_text.xml 4096 3 > + 3 loops, with buffer size 4096. Average time per loop: 0.017956 > + > +CVE: CVE-2023-52425 > +Upstream-Status: Backport > [http://archive.ubuntu.com/ubuntu/pool/main/e/expat/expat_2.5.0-2ubuntu0.1.debian.tar.xz]
Not sure why this was sent three times! But all have the same issue -- ubuntu is not the upstream for libexpat, please reference the actual upstream commit. Thanks! Steve > +Comments: Hunks refreshed. > + Patch difference/summary has also been modified. > +Signed-off-by: Bhabu Bindu <bhabu.bi...@kpit.com> > + > +--- > + lib/expat.h | 5 +++++ > + lib/libexpat.def.cmake | 2 ++ > + lib/xmlparse.c | 228 > ++++++++++++++++++++++++++++++++++++++++++---------------------------------- > + xmlwf/xmlwf.c | 20 ++++++++++++++++++++ > + xmlwf/xmlwf_helpgen.py | 4 ++++ > + 5 files changed, 156 insertions(+), 103 deletions(-) > + > +--- a/lib/expat.h > ++++ b/lib/expat.h > +@@ -16,6 +16,7 @@ > + Copyright (c) 2016 Thomas Beutlich <t...@tbeu.de> > + Copyright (c) 2017 Rhodri James <rho...@wildebeest.org.uk> > + Copyright (c) 2022 Thijs Schreijer <th...@thijsschreijer.nl> > ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow <sn...@sony.com> > + Licensed under the MIT license: > + > + Permission is hereby granted, free of charge, to any person obtaining > +@@ -1050,6 +1051,10 @@ XML_SetBillionLaughsAttackProtectionActi > + XML_Parser parser, unsigned long long activationThresholdBytes); > + #endif > + > ++/* Added in Expat 2.6.0. */ > ++XMLPARSEAPI(XML_Bool) > ++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled); > ++ > + /* Expat follows the semantic versioning convention. > + See http://semver.org. > + */ > +--- a/lib/libexpat.def.cmake > ++++ b/lib/libexpat.def.cmake > +@@ -77,3 +77,5 @@ EXPORTS > + ; added with version 2.4.0 > + @_EXPAT_COMMENT_DTD_OR_GE@ > XML_SetBillionLaughsAttackProtectionActivationThreshold @69 > + @_EXPAT_COMMENT_DTD_OR_GE@ > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 > ++; added with version 2.6.0 > ++ XML_SetReparseDeferralEnabled @71 > +--- a/lib/xmlparse.c > ++++ b/lib/xmlparse.c > +@@ -36,6 +36,7 @@ > + Copyright (c) 2022 Samanta Navarro <feri...@riseup.net> > + Copyright (c) 2022 Jeffrey Walton <noloa...@gmail.com> > + Copyright (c) 2022 Jann Horn <ja...@google.com> > ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow <sn...@sony.com> > + Licensed under the MIT license: > + > + Permission is hereby granted, free of charge, to any person obtaining > +@@ -73,6 +74,7 @@ > + # endif > + #endif > + > ++#include <stdbool.h> > + #include <stddef.h> > + #include <string.h> /* memset(), memcpy() */ > + #include <assert.h> > +@@ -196,6 +198,8 @@ typedef char ICHAR; > + /* Do safe (NULL-aware) pointer arithmetic */ > + #define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? ((p) - (q)) : 0) > + > ++#define EXPAT_MIN(a, b) (((a) < (b)) ? (a) : (b)) > ++ > + #include "internal.h" > + #include "xmltok.h" > + #include "xmlrole.h" > +@@ -617,6 +621,9 @@ struct XML_ParserStruct { > + const char *m_bufferLim; > + XML_Index m_parseEndByteIndex; > + const char *m_parseEndPtr; > ++ size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */ > ++ XML_Bool m_reparseDeferralEnabled; > ++ int m_lastBufferRequestSize; > + XML_Char *m_dataBuf; > + XML_Char *m_dataBufEnd; > + XML_StartElementHandler m_startElementHandler; > +@@ -948,6 +955,46 @@ get_hash_secret_salt(XML_Parser parser) > + return parser->m_hash_secret_salt; > + } > + > ++static enum XML_Error > ++callProcessor(XML_Parser parser, const char *start, const char *end, > ++ const char **endPtr) { > ++ const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start); > ++ > ++ if (parser->m_reparseDeferralEnabled > ++ && ! parser->m_parsingStatus.finalBuffer) { > ++ // Heuristic: don't try to parse a partial token again until the amount > of > ++ // available data has increased significantly. > ++ const size_t had_before = parser->m_partialTokenBytesBefore; > ++ // ...but *do* try anyway if we're close to causing a reallocation. > ++ size_t available_buffer > ++ = EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); > ++#if XML_CONTEXT_BYTES > 0 > ++ available_buffer -= EXPAT_MIN(available_buffer, XML_CONTEXT_BYTES); > ++#endif > ++ available_buffer > ++ += EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd); > ++ // m_lastBufferRequestSize is never assigned a value < 0, so the cast > is ok > ++ const bool enough > ++ = (have_now >= 2 * had_before) > ++ || ((size_t)parser->m_lastBufferRequestSize > available_buffer); > ++ > ++ if (! enough) { > ++ *endPtr = start; // callers may expect this to be set > ++ return XML_ERROR_NONE; > ++ } > ++ } > ++ const enum XML_Error ret = parser->m_processor(parser, start, end, > endPtr); > ++ if (ret == XML_ERROR_NONE) { > ++ // if we consumed nothing, remember what we had on this parse attempt. > ++ if (*endPtr == start) { > ++ parser->m_partialTokenBytesBefore = have_now; > ++ } else { > ++ parser->m_partialTokenBytesBefore = 0; > ++ } > ++ } > ++ return ret; > ++} > ++ > + static XML_Bool /* only valid for root parser */ > + startParsing(XML_Parser parser) { > + /* hash functions must be initialized before setContext() is called */ > +@@ -1129,6 +1176,9 @@ parserInit(XML_Parser parser, const XML_ > + parser->m_bufferEnd = parser->m_buffer; > + parser->m_parseEndByteIndex = 0; > + parser->m_parseEndPtr = NULL; > ++ parser->m_partialTokenBytesBefore = 0; > ++ parser->m_reparseDeferralEnabled = XML_TRUE; > ++ parser->m_lastBufferRequestSize = 0; > + parser->m_declElementType = NULL; > + parser->m_declAttributeId = NULL; > + parser->m_declEntity = NULL; > +@@ -1298,6 +1348,7 @@ XML_ExternalEntityParserCreate(XML_Parse > + to worry which hash secrets each table has. > + */ > + unsigned long oldhash_secret_salt; > ++ XML_Bool oldReparseDeferralEnabled; > + > + /* Validate the oldParser parameter before we pull everything out of it */ > + if (oldParser == NULL) > +@@ -1342,6 +1393,7 @@ XML_ExternalEntityParserCreate(XML_Parse > + to worry which hash secrets each table has. > + */ > + oldhash_secret_salt = parser->m_hash_secret_salt; > ++ oldReparseDeferralEnabled = parser->m_reparseDeferralEnabled; > + > + #ifdef XML_DTD > + if (! context) > +@@ -1394,6 +1446,7 @@ XML_ExternalEntityParserCreate(XML_Parse > + parser->m_defaultExpandInternalEntities = > oldDefaultExpandInternalEntities; > + parser->m_ns_triplets = oldns_triplets; > + parser->m_hash_secret_salt = oldhash_secret_salt; > ++ parser->m_reparseDeferralEnabled = oldReparseDeferralEnabled; > + parser->m_parentParser = oldParser; > + #ifdef XML_DTD > + parser->m_paramEntityParsing = oldParamEntityParsing; > +@@ -1848,55 +1901,8 @@ XML_Parse(XML_Parser parser, const char > + parser->m_parsingStatus.parsing = XML_PARSING; > + } > + > +- if (len == 0) { > +- parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; > +- if (! isFinal) > +- return XML_STATUS_OK; > +- parser->m_positionPtr = parser->m_bufferPtr; > +- parser->m_parseEndPtr = parser->m_bufferEnd; > +- > +- /* If data are left over from last buffer, and we now know that these > +- data are the final chunk of input, then we have to check them again > +- to detect errors based on that fact. > +- */ > +- parser->m_errorCode > +- = parser->m_processor(parser, parser->m_bufferPtr, > +- parser->m_parseEndPtr, &parser->m_bufferPtr); > +- > +- if (parser->m_errorCode == XML_ERROR_NONE) { > +- switch (parser->m_parsingStatus.parsing) { > +- case XML_SUSPENDED: > +- /* It is hard to be certain, but it seems that this case > +- * cannot occur. This code is cleaning up a previous parse > +- * with no new data (since len == 0). Changing the parsing > +- * state requires getting to execute a handler function, and > +- * there doesn't seem to be an opportunity for that while in > +- * this circumstance. > +- * > +- * Given the uncertainty, we retain the code but exclude it > +- * from coverage tests. > +- * > +- * LCOV_EXCL_START > +- */ > +- XmlUpdatePosition(parser->m_encoding, parser->m_positionPtr, > +- parser->m_bufferPtr, &parser->m_position); > +- parser->m_positionPtr = parser->m_bufferPtr; > +- return XML_STATUS_SUSPENDED; > +- /* LCOV_EXCL_STOP */ > +- case XML_INITIALIZED: > +- case XML_PARSING: > +- parser->m_parsingStatus.parsing = XML_FINISHED; > +- /* fall through */ > +- default: > +- return XML_STATUS_OK; > +- } > +- } > +- parser->m_eventEndPtr = parser->m_eventPtr; > +- parser->m_processor = errorProcessor; > +- return XML_STATUS_ERROR; > +- } > +-#ifndef XML_CONTEXT_BYTES > +- else if (parser->m_bufferPtr == parser->m_bufferEnd) { > ++#if XML_CONTEXT_BYTES == 0 > ++ if (parser->m_bufferPtr == parser->m_bufferEnd) { > + const char *end; > + int nLeftOver; > + enum XML_Status result; > +@@ -1907,12 +1913,15 @@ XML_Parse(XML_Parser parser, const char > + parser->m_processor = errorProcessor; > + return XML_STATUS_ERROR; > + } > ++ // though this isn't a buffer request, we assume that `len` is the app's > ++ // preferred buffer fill size, and therefore save it here. > ++ parser->m_lastBufferRequestSize = len; > + parser->m_parseEndByteIndex += len; > + parser->m_positionPtr = s; > + parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; > + > + parser->m_errorCode > +- = parser->m_processor(parser, s, parser->m_parseEndPtr = s + len, > &end); > ++ = callProcessor(parser, s, parser->m_parseEndPtr = s + len, &end); > + > + if (parser->m_errorCode != XML_ERROR_NONE) { > + parser->m_eventEndPtr = parser->m_eventPtr; > +@@ -1939,23 +1948,25 @@ XML_Parse(XML_Parser parser, const char > + &parser->m_position); > + nLeftOver = s + len - end; > + if (nLeftOver) { > +- if (parser->m_buffer == NULL > +- || nLeftOver > parser->m_bufferLim - parser->m_buffer) { > +- /* avoid _signed_ integer overflow */ > +- char *temp = NULL; > +- const int bytesToAllocate = (int)((unsigned)len * 2U); > +- if (bytesToAllocate > 0) { > +- temp = (char *)REALLOC(parser, parser->m_buffer, bytesToAllocate); > +- } > +- if (temp == NULL) { > +- parser->m_errorCode = XML_ERROR_NO_MEMORY; > +- parser->m_eventPtr = parser->m_eventEndPtr = NULL; > +- parser->m_processor = errorProcessor; > +- return XML_STATUS_ERROR; > +- } > +- parser->m_buffer = temp; > +- parser->m_bufferLim = parser->m_buffer + bytesToAllocate; > ++ // Back up and restore the parsing status to avoid XML_ERROR_SUSPENDED > ++ // (and XML_ERROR_FINISHED) from XML_GetBuffer. > ++ const enum XML_Parsing originalStatus = > parser->m_parsingStatus.parsing; > ++ parser->m_parsingStatus.parsing = XML_PARSING; > ++ void *const temp = XML_GetBuffer(parser, nLeftOver); > ++ parser->m_parsingStatus.parsing = originalStatus; > ++ // GetBuffer may have overwritten this, but we want to remember what > the > ++ // app requested, not how many bytes were left over after parsing. > ++ parser->m_lastBufferRequestSize = len; > ++ if (temp == NULL) { > ++ // NOTE: parser->m_errorCode has already been set by > XML_GetBuffer(). > ++ parser->m_eventPtr = parser->m_eventEndPtr = NULL; > ++ parser->m_processor = errorProcessor; > ++ return XML_STATUS_ERROR; > + } > ++ // Since we know that the buffer was empty and XML_CONTEXT_BYTES is > 0, we > ++ // don't have any data to preserve, and can copy straight into the > start > ++ // of the buffer rather than the GetBuffer return pointer (which may > be > ++ // pointing further into the allocated buffer). > + memcpy(parser->m_buffer, end, nLeftOver); > + } > + parser->m_bufferPtr = parser->m_buffer; > +@@ -1966,16 +1977,15 @@ XML_Parse(XML_Parser parser, const char > + parser->m_eventEndPtr = parser->m_bufferPtr; > + return result; > + } > +-#endif /* not defined XML_CONTEXT_BYTES */ > +- else { > +- void *buff = XML_GetBuffer(parser, len); > +- if (buff == NULL) > +- return XML_STATUS_ERROR; > +- else { > +- memcpy(buff, s, len); > +- return XML_ParseBuffer(parser, len, isFinal); > +- } > ++#endif /* XML_CONTEXT_BYTES == 0 */ > ++ void *buff = XML_GetBuffer(parser, len); > ++ if (buff == NULL) > ++ return XML_STATUS_ERROR; > ++ if (len > 0) { > ++ assert(s != NULL); // make sure s==NULL && len!=0 was rejected above > ++ memcpy(buff, s, len); > + } > ++ return XML_ParseBuffer(parser, len, isFinal); > + } > + > + enum XML_Status XMLCALL > +@@ -2015,8 +2025,8 @@ XML_ParseBuffer(XML_Parser parser, int l > + parser->m_parseEndByteIndex += len; > + parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; > + > +- parser->m_errorCode = parser->m_processor( > +- parser, start, parser->m_parseEndPtr, &parser->m_bufferPtr); > ++ parser->m_errorCode = callProcessor(parser, start, parser->m_parseEndPtr, > ++ &parser->m_bufferPtr); > + > + if (parser->m_errorCode != XML_ERROR_NONE) { > + parser->m_eventEndPtr = parser->m_eventPtr; > +@@ -2061,8 +2071,12 @@ XML_GetBuffer(XML_Parser parser, int len > + default:; > + } > + > +- if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd)) { > +-#ifdef XML_CONTEXT_BYTES > ++ // whether or not the request succeeds, `len` seems to be the app's > preferred > ++ // buffer fill size; remember it. > ++ parser->m_lastBufferRequestSize = len; > ++ if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd) > ++ || parser->m_buffer == NULL) { > ++#if XML_CONTEXT_BYTES > 0 > + int keep; > + #endif /* defined XML_CONTEXT_BYTES */ > + /* Do not invoke signed arithmetic overflow: */ > +@@ -2083,10 +2097,11 @@ XML_GetBuffer(XML_Parser parser, int len > + return NULL; > + } > + neededSize += keep; > +-#endif /* defined XML_CONTEXT_BYTES */ > +- if (neededSize > +- <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) { > +-#ifdef XML_CONTEXT_BYTES > ++#endif /* XML_CONTEXT_BYTES > 0 */ > ++ if (parser->m_buffer && parser->m_bufferPtr > ++ && neededSize > ++ <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, > parser->m_buffer)) { > ++#if XML_CONTEXT_BYTES > 0 > + if (keep < EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, > parser->m_buffer)) { > + int offset > + = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, > parser->m_buffer) > +@@ -2099,19 +2114,17 @@ XML_GetBuffer(XML_Parser parser, int len > + parser->m_bufferPtr -= offset; > + } > + #else > +- if (parser->m_buffer && parser->m_bufferPtr) { > +- memmove(parser->m_buffer, parser->m_bufferPtr, > +- EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, > parser->m_bufferPtr)); > +- parser->m_bufferEnd > +- = parser->m_buffer > +- + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, > parser->m_bufferPtr); > +- parser->m_bufferPtr = parser->m_buffer; > +- } > +-#endif /* not defined XML_CONTEXT_BYTES */ > ++ memmove(parser->m_buffer, parser->m_bufferPtr, > ++ EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, > parser->m_bufferPtr)); > ++ parser->m_bufferEnd > ++ = parser->m_buffer > ++ + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr); > ++ parser->m_bufferPtr = parser->m_buffer; > ++#endif /* XML_CONTEXT_BYTES > 0 */ > + } else { > + char *newBuf; > + int bufferSize > +- = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, > parser->m_bufferPtr); > ++ = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer); > + if (bufferSize == 0) > + bufferSize = INIT_BUFFER_SIZE; > + do { > +@@ -2208,7 +2221,7 @@ XML_ResumeParser(XML_Parser parser) { > + } > + parser->m_parsingStatus.parsing = XML_PARSING; > + > +- parser->m_errorCode = parser->m_processor( > ++ parser->m_errorCode = callProcessor( > + parser, parser->m_bufferPtr, parser->m_parseEndPtr, > &parser->m_bufferPtr); > + > + if (parser->m_errorCode != XML_ERROR_NONE) { > +@@ -2576,6 +2576,15 @@ XML_SetBillionLaughsAttackProtectionActi > + } > + #endif /* XML_GE == 1 */ > + > ++XML_Bool XMLCALL > ++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled) { > ++ if (parser != NULL && (enabled == XML_TRUE || enabled == XML_FALSE)) { > ++ parser->m_reparseDeferralEnabled = enabled; > ++ return XML_TRUE; > ++ } > ++ return XML_FALSE; > ++} > ++ > + /* Initially tag->rawName always points into the parse buffer; > + for those TAG instances opened while the current parse buffer was > + processed, and not yet closed, we need to store tag->rawName in a more > +@@ -4497,15 +4506,15 @@ entityValueInitProcessor(XML_Parser pars > + parser->m_processor = entityValueProcessor; > + return entityValueProcessor(parser, next, end, nextPtr); > + } > +- /* If we are at the end of the buffer, this would cause XmlPrologTok to > +- return XML_TOK_NONE on the next call, which would then cause the > +- function to exit with *nextPtr set to s - that is what we want for > other > +- tokens, but not for the BOM - we would rather like to skip it; > +- then, when this routine is entered the next time, XmlPrologTok will > +- return XML_TOK_INVALID, since the BOM is still in the buffer > ++ /* XmlPrologTok has now set the encoding based on the BOM it found, and > we > ++ must move s and nextPtr forward to consume the BOM. > ++ > ++ If we didn't, and got XML_TOK_NONE from the next XmlPrologTok call, > we > ++ would leave the BOM in the buffer and return. On the next call to > this > ++ function, our XmlPrologTok call would return XML_TOK_INVALID, since > it > ++ is not valid to have multiple BOMs. > + */ > +- else if (tok == XML_TOK_BOM && next == end > +- && ! parser->m_parsingStatus.finalBuffer) { > ++ else if (tok == XML_TOK_BOM) { > + # if XML_GE == 1 > + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, > + XML_ACCOUNT_DIRECT)) { > +@@ -4500,7 +4522,7 @@ entityValueInitProcessor(XML_Parser pars > + # endif > + > + *nextPtr = next; > +- return XML_ERROR_NONE; > ++ s = next; > + } > + /* If we get this token, we have the start of what might be a > + normal tag, but not a declaration (i.e. it doesn't begin with > +--- a/xmlwf/xmlwf.c > ++++ b/xmlwf/xmlwf.c > +@@ -914,6 +914,9 @@ usage(const XML_Char *prog, int rc) { > + T(" -a FACTOR set maximum tolerated [a]mplification factor > (default: 100.0)\n") > + T(" -b BYTES set number of output [b]ytes needed to activate > (default: 8 MiB)\n") > + T("\n") > ++ T("reparse deferral:\n") > ++ T(" -q disable reparse deferral, and allow [q]uadratic > parse runtime with large tokens\n") > ++ T("\n") > + T("info arguments:\n") > + T(" -h show this [h]elp message and exit\n") > + T(" -v show program's [v]ersion number and exit\n") > +@@ -967,6 +970,8 @@ tmain(int argc, XML_Char **argv) { > + unsigned long long attackThresholdBytes; > + XML_Bool attackThresholdGiven = XML_FALSE; > + > ++ XML_Bool disableDeferral = XML_FALSE; > ++ > + int exitCode = XMLWF_EXIT_SUCCESS; > + enum XML_ParamEntityParsing paramEntityParsing > + = XML_PARAM_ENTITY_PARSING_NEVER; > +@@ -1089,6 +1094,11 @@ tmain(int argc, XML_Char **argv) { > + #endif > + break; > + } > ++ case T('q'): { > ++ disableDeferral = XML_TRUE; > ++ j++; > ++ break; > ++ } > + case T('\0'): > + if (j > 1) { > + i++; > +@@ -1134,6 +1144,16 @@ tmain(int argc, XML_Char **argv) { > + #endif > + } > + > ++ if (disableDeferral) { > ++ const XML_Bool success = XML_SetReparseDeferralEnabled(parser, > XML_FALSE); > ++ if (! success) { > ++ // This prevents tperror(..) from reporting misleading "[..]: > Success" > ++ errno = EINVAL; > ++ tperror(T("Failed to disable reparse deferral")); > ++ exit(XMLWF_EXIT_INTERNAL_ERROR); > ++ } > ++ } > ++ > + if (requireStandalone) > + XML_SetNotStandaloneHandler(parser, notStandalone); > + XML_SetParamEntityParsing(parser, paramEntityParsing); > +--- a/xmlwf/xmlwf_helpgen.py > ++++ b/xmlwf/xmlwf_helpgen.py > +@@ -81,6 +81,10 @@ billion_laughs.add_argument('-a', metava > + help='set maximum tolerated [a]mplification > factor (default: 100.0)') > + billion_laughs.add_argument('-b', metavar='BYTES', help='set number of > output [b]ytes needed to activate (default: 8 MiB)') > + > ++reparse_deferral = parser.add_argument_group('reparse deferral') > ++reparse_deferral.add_argument('-q', metavar='FACTOR', > ++ help='disable reparse deferral, and allow > [q]uadratic parse runtime with large tokens') > ++ > + parser.add_argument('files', metavar='FILE', nargs='*', help='file to > process (default: STDIN)') > + > + info = parser.add_argument_group('info arguments') > diff --git a/meta/recipes-core/expat/expat_2.5.0.bb > b/meta/recipes-core/expat/expat_2.5.0.bb > index 31e989cfe2..09bc7a0a0b 100644 > --- a/meta/recipes-core/expat/expat_2.5.0.bb > +++ b/meta/recipes-core/expat/expat_2.5.0.bb > @@ -22,6 +22,7 @@ SRC_URI = > "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA > file://CVE-2023-52426-009.patch \ > file://CVE-2023-52426-010.patch \ > file://CVE-2023-52426-011.patch \ > + file://CVE-2023-52425.patch \ > " > > UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"; > -- > 2.17.1 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203175): https://lists.openembedded.org/g/openembedded-core/message/203175 Mute This Topic: https://lists.openembedded.org/mt/107806028/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
