python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service

Source: https://github.com/lxml/lxml MR: 119399 Type: Security Fix Disposition: Backport from https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f ChangeID: 0b1ef4ce4c901ef6574a83ecbe4c4b1d2ab24777 Description: CVE-2022-2309 libxml: NULL Pointer Dereference allows attackers to cause a denial of service. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-08-02 09:46:07 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-09-11 13:49:52 -0400
commit: e5e63be86e247f1e243e4a8aa2be94e09df06c4c (patch)
tree: ffe8260c09369e674fb8f6c8596cdd5f9128326c
parent: f22bf6efaae61a8fd9272be64e7d75223c58922e (diff)
download: meta-openembedded-e5e63be86e247f1e243e4a8aa2be94e09df06c4c.tar.gz
2 files changed, 96 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc
index 05b5eae462..0276a3e81a 100644
--- a/meta-python/recipes-devtools/python/python-lxml.inc
+++ b/meta-python/recipes-devtools/python/python-lxml.inc
@@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \
 DEPENDS += "libxml2 libxslt"
+SRC_URI += "file://CVE-2022-2309.patch"
 SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11"
 SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60"
diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
new file mode 100644
index 0000000000..ff3fcee6e2
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
@@ -0,0 +1,94 @@
+From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 29 Jul 2022 10:16:59 +0530
+Subject: [PATCH] CVE-2022-2309
+Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f]
+CVE: CVE-2022-2309
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/lxml/apihelpers.pxi      |  7 ++++---
+ src/lxml/iterparse.pxi       | 11 ++++++-----
+ src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
+index 5eb3416..88a031d 100644
+--- a/src/lxml/apihelpers.pxi
+++ b/src/lxml/apihelpers.pxi
+@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
+     while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
+         c_ns = c_node.nsDef
+         while c_ns is not NULL:
+-            prefix = funicodeOrNone(c_ns.prefix)
+-            if prefix not in nsmap:
+-                nsmap[prefix] = funicodeOrNone(c_ns.href)
+            if c_ns.prefix or c_ns.href:
+                prefix = funicodeOrNone(c_ns.prefix)
+                if prefix not in nsmap:
+                    nsmap[prefix] = funicodeOrNone(c_ns.href)
+             c_ns = c_ns.next
+         c_node = c_node.parent
+     return nsmap
+diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
+index 4c20506..3da7485 100644
+--- a/src/lxml/iterparse.pxi
+++ b/src/lxml/iterparse.pxi
+@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node):
+     count = 0
+     c_ns = c_node.nsDef
+     while c_ns is not NULL:
+-        count += 1
+        count += (c_ns.href is not NULL)
+         c_ns = c_ns.next
+     return count
+ 
+@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
+     count = 0
+     c_ns = c_node.nsDef
+     while c_ns is not NULL:
+-        ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
+-                    funicode(c_ns.href))
+-        event_list.append( (u"start-ns", ns_tuple) )
+-        count += 1
+        if c_ns.href:
+            ns_tuple = (funicodeOrEmpty(c_ns.prefix),
+                        funicode(c_ns.href))
+            event_list.append( (u"start-ns", ns_tuple) )
+            count += 1
+         c_ns = c_ns.next
+     return count
+diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
+index b997e4d..69e1bf1 100644
+--- a/src/lxml/tests/test_etree.py
+++ b/src/lxml/tests/test_etree.py
+@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase):
+             [1,2,1,4],
+             counts)
+ 
+    def test_walk_after_parse_failure(self):
+        # This used to be an issue because libxml2 can leak empty namespaces
+        # between failed parser runs.  iterwalk() failed to handle such a tree.
+        try:
+            etree.XML('''<anot xmlns="1">''')
+        except etree.XMLSyntaxError:
+            pass
+        else:
+            assert False, "invalid input did not fail to parse"
+
+        et = etree.XML('''<root>  </root>''')
+        try:
+            ns = next(etree.iterwalk(et, events=('start-ns',)))
+        except StopIteration:
+            # This would be the expected result, because there was no namespace
+            pass
+        else:
+            # This is a bug in libxml2
+            assert not ns, repr(ns)
+
+     def test_itertext_comment_pi(self):
+         # https://bugs.launchpad.net/lxml/+bug/1844674
+         XML = self.etree.XML
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-08-02 09:46:07 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-09-11 13:49:52 -0400
commit	e5e63be86e247f1e243e4a8aa2be94e09df06c4c (patch)
tree	ffe8260c09369e674fb8f6c8596cdd5f9128326c
parent	f22bf6efaae61a8fd9272be64e7d75223c58922e (diff)
download	meta-openembedded-e5e63be86e247f1e243e4a8aa2be94e09df06c4c.tar.gz

diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc index 05b5eae462..0276a3e81a 100644 --- a/meta-python/recipes-devtools/python/python-lxml.inc +++ b/meta-python/recipes-devtools/python/python-lxml.inc
@@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \
18		18
19	DEPENDS += "libxml2 libxslt"	19	DEPENDS += "libxml2 libxslt"
20		20
		21	SRC_URI += "file://CVE-2022-2309.patch"
		22
21	SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11"	23	SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11"
22	SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60"	24	SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60"
23		25


diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch new file mode 100644 index 0000000000..ff3fcee6e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
@@ -0,0 +1,94 @@
		1	From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Fri, 29 Jul 2022 10:16:59 +0530
		4	Subject: [PATCH] CVE-2022-2309
		5
		6	Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f]
		7	CVE: CVE-2022-2309
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/lxml/apihelpers.pxi \| 7 ++++---
		11	src/lxml/iterparse.pxi \| 11 ++++++-----
		12	src/lxml/tests/test_etree.py \| 20 ++++++++++++++++++++
		13	3 files changed, 30 insertions(+), 8 deletions(-)
		14
		15	diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
		16	index 5eb3416..88a031d 100644
		17	--- a/src/lxml/apihelpers.pxi
		18	+++ b/src/lxml/apihelpers.pxi
		19	@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
		20	while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
		21	c_ns = c_node.nsDef
		22	while c_ns is not NULL:
		23	- prefix = funicodeOrNone(c_ns.prefix)
		24	- if prefix not in nsmap:
		25	- nsmap[prefix] = funicodeOrNone(c_ns.href)
		26	+ if c_ns.prefix or c_ns.href:
		27	+ prefix = funicodeOrNone(c_ns.prefix)
		28	+ if prefix not in nsmap:
		29	+ nsmap[prefix] = funicodeOrNone(c_ns.href)
		30	c_ns = c_ns.next
		31	c_node = c_node.parent
		32	return nsmap
		33	diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
		34	index 4c20506..3da7485 100644
		35	--- a/src/lxml/iterparse.pxi
		36	+++ b/src/lxml/iterparse.pxi
		37	@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node):
		38	count = 0
		39	c_ns = c_node.nsDef
		40	while c_ns is not NULL:
		41	- count += 1
		42	+ count += (c_ns.href is not NULL)
		43	c_ns = c_ns.next
		44	return count
		45
		46	@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
		47	count = 0
		48	c_ns = c_node.nsDef
		49	while c_ns is not NULL:
		50	- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
		51	- funicode(c_ns.href))
		52	- event_list.append( (u"start-ns", ns_tuple) )
		53	- count += 1
		54	+ if c_ns.href:
		55	+ ns_tuple = (funicodeOrEmpty(c_ns.prefix),
		56	+ funicode(c_ns.href))
		57	+ event_list.append( (u"start-ns", ns_tuple) )
		58	+ count += 1
		59	c_ns = c_ns.next
		60	return count
		61	diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
		62	index b997e4d..69e1bf1 100644
		63	--- a/src/lxml/tests/test_etree.py
		64	+++ b/src/lxml/tests/test_etree.py
		65	@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase):
		66	[1,2,1,4],
		67	counts)
		68
		69	+ def test_walk_after_parse_failure(self):
		70	+ # This used to be an issue because libxml2 can leak empty namespaces
		71	+ # between failed parser runs. iterwalk() failed to handle such a tree.
		72	+ try:
		73	+ etree.XML('''<anot xmlns="1">''')
		74	+ except etree.XMLSyntaxError:
		75	+ pass
		76	+ else:
		77	+ assert False, "invalid input did not fail to parse"
		78	+
		79	+ et = etree.XML('''<root> </root>''')
		80	+ try:
		81	+ ns = next(etree.iterwalk(et, events=('start-ns',)))
		82	+ except StopIteration:
		83	+ # This would be the expected result, because there was no namespace
		84	+ pass
		85	+ else:
		86	+ # This is a bug in libxml2
		87	+ assert not ns, repr(ns)
		88	+
		89	def test_itertext_comment_pi(self):
		90	# https://bugs.launchpad.net/lxml/+bug/1844674
		91	XML = self.etree.XML
		92	--
		93	2.25.1
		94