| Message ID | 20220801044403.6009-1-hprajapati@mvista.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [dunfell] python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service | expand |
Wrong list :-) This is a patch for meta-openembedded and should be sent to: openembedded-devel@lists.openembedded.org Steve On Sun, Jul 31, 2022 at 6:44 PM Hitendra Prajapati <hprajapati@mvista.com> wrote: > > Source: https://github.com/lxml/lxml > MR: 119399 > Type: Security Fix > Disposition: Backport from https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f > ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777 > Description: > CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service. > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > .../recipes-devtools/python/python-lxml.inc | 2 + > .../python/python3-lxml/CVE-2022-2309.patch | 94 +++++++++++++++++++ > 2 files changed, 96 insertions(+) > create mode 100644 meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch > > diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc > index 05b5eae462..0276a3e81a 100644 > --- a/meta-python/recipes-devtools/python/python-lxml.inc > +++ b/meta-python/recipes-devtools/python/python-lxml.inc > @@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ > > DEPENDS += "libxml2 libxslt" > > +SRC_URI += "file://CVE-2022-2309.patch" > + > SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11" > SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60" > > diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch > new file mode 100644 > index 0000000000..ff3fcee6e2 > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch > @@ -0,0 +1,94 @@ > +From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <hprajapati@mvista.com> > +Date: Fri, 29 Jul 2022 10:16:59 +0530 > +Subject: [PATCH] CVE-2022-2309 > + > +Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f] > +CVE: CVE-2022-2309 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + src/lxml/apihelpers.pxi | 7 ++++--- > + src/lxml/iterparse.pxi | 11 ++++++----- > + src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++ > + 3 files changed, 30 insertions(+), 8 deletions(-) > + > +diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi > +index 5eb3416..88a031d 100644 > +--- a/src/lxml/apihelpers.pxi > ++++ b/src/lxml/apihelpers.pxi > +@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node): > + while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE: > + c_ns = c_node.nsDef > + while c_ns is not NULL: > +- prefix = funicodeOrNone(c_ns.prefix) > +- if prefix not in nsmap: > +- nsmap[prefix] = funicodeOrNone(c_ns.href) > ++ if c_ns.prefix or c_ns.href: > ++ prefix = funicodeOrNone(c_ns.prefix) > ++ if prefix not in nsmap: > ++ nsmap[prefix] = funicodeOrNone(c_ns.href) > + c_ns = c_ns.next > + c_node = c_node.parent > + return nsmap > +diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi > +index 4c20506..3da7485 100644 > +--- a/src/lxml/iterparse.pxi > ++++ b/src/lxml/iterparse.pxi > +@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node): > + count = 0 > + c_ns = c_node.nsDef > + while c_ns is not NULL: > +- count += 1 > ++ count += (c_ns.href is not NULL) > + c_ns = c_ns.next > + return count > + > +@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1: > + count = 0 > + c_ns = c_node.nsDef > + while c_ns is not NULL: > +- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '', > +- funicode(c_ns.href)) > +- event_list.append( (u"start-ns", ns_tuple) ) > +- count += 1 > ++ if c_ns.href: > ++ ns_tuple = (funicodeOrEmpty(c_ns.prefix), > ++ funicode(c_ns.href)) > ++ event_list.append( (u"start-ns", ns_tuple) ) > ++ count += 1 > + c_ns = c_ns.next > + return count > +diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py > +index b997e4d..69e1bf1 100644 > +--- a/src/lxml/tests/test_etree.py > ++++ b/src/lxml/tests/test_etree.py > +@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase): > + [1,2,1,4], > + counts) > + > ++ def test_walk_after_parse_failure(self): > ++ # This used to be an issue because libxml2 can leak empty namespaces > ++ # between failed parser runs. iterwalk() failed to handle such a tree. > ++ try: > ++ etree.XML('''<anot xmlns="1">''') > ++ except etree.XMLSyntaxError: > ++ pass > ++ else: > ++ assert False, "invalid input did not fail to parse" > ++ > ++ et = etree.XML('''<root> </root>''') > ++ try: > ++ ns = next(etree.iterwalk(et, events=('start-ns',))) > ++ except StopIteration: > ++ # This would be the expected result, because there was no namespace > ++ pass > ++ else: > ++ # This is a bug in libxml2 > ++ assert not ns, repr(ns) > ++ > + def test_itertext_comment_pi(self): > + # https://bugs.launchpad.net/lxml/+bug/1844674 > + XML = self.etree.XML > +-- > +2.25.1 > + > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#168693): https://lists.openembedded.org/g/openembedded-core/message/168693 > Mute This Topic: https://lists.openembedded.org/mt/92741215/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc index 05b5eae462..0276a3e81a 100644 --- a/meta-python/recipes-devtools/python/python-lxml.inc +++ b/meta-python/recipes-devtools/python/python-lxml.inc @@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" +SRC_URI += "file://CVE-2022-2309.patch" + SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11" SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60" diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch new file mode 100644 index 0000000000..ff3fcee6e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch @@ -0,0 +1,94 @@ +From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Fri, 29 Jul 2022 10:16:59 +0530 +Subject: [PATCH] CVE-2022-2309 + +Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f] +CVE: CVE-2022-2309 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lxml/apihelpers.pxi | 7 ++++--- + src/lxml/iterparse.pxi | 11 ++++++----- + src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi +index 5eb3416..88a031d 100644 +--- a/src/lxml/apihelpers.pxi ++++ b/src/lxml/apihelpers.pxi +@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node): + while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE: + c_ns = c_node.nsDef + while c_ns is not NULL: +- prefix = funicodeOrNone(c_ns.prefix) +- if prefix not in nsmap: +- nsmap[prefix] = funicodeOrNone(c_ns.href) ++ if c_ns.prefix or c_ns.href: ++ prefix = funicodeOrNone(c_ns.prefix) ++ if prefix not in nsmap: ++ nsmap[prefix] = funicodeOrNone(c_ns.href) + c_ns = c_ns.next + c_node = c_node.parent + return nsmap +diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi +index 4c20506..3da7485 100644 +--- a/src/lxml/iterparse.pxi ++++ b/src/lxml/iterparse.pxi +@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node): + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- count += 1 ++ count += (c_ns.href is not NULL) + c_ns = c_ns.next + return count + +@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1: + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '', +- funicode(c_ns.href)) +- event_list.append( (u"start-ns", ns_tuple) ) +- count += 1 ++ if c_ns.href: ++ ns_tuple = (funicodeOrEmpty(c_ns.prefix), ++ funicode(c_ns.href)) ++ event_list.append( (u"start-ns", ns_tuple) ) ++ count += 1 + c_ns = c_ns.next + return count +diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py +index b997e4d..69e1bf1 100644 +--- a/src/lxml/tests/test_etree.py ++++ b/src/lxml/tests/test_etree.py +@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase): + [1,2,1,4], + counts) + ++ def test_walk_after_parse_failure(self): ++ # This used to be an issue because libxml2 can leak empty namespaces ++ # between failed parser runs. iterwalk() failed to handle such a tree. ++ try: ++ etree.XML('''<anot xmlns="1">''') ++ except etree.XMLSyntaxError: ++ pass ++ else: ++ assert False, "invalid input did not fail to parse" ++ ++ et = etree.XML('''<root> </root>''') ++ try: ++ ns = next(etree.iterwalk(et, events=('start-ns',))) ++ except StopIteration: ++ # This would be the expected result, because there was no namespace ++ pass ++ else: ++ # This is a bug in libxml2 ++ assert not ns, repr(ns) ++ + def test_itertext_comment_pi(self): + # https://bugs.launchpad.net/lxml/+bug/1844674 + XML = self.etree.XML +-- +2.25.1 +
Source: https://github.com/lxml/lxml MR: 119399 Type: Security Fix Disposition: Backport from https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777 Description: CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../recipes-devtools/python/python-lxml.inc | 2 + .../python/python3-lxml/CVE-2022-2309.patch | 94 +++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch