2 files changed, 212 insertions, 0 deletions
diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000000..8e58f73097
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,190 @@
+From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 13 Aug 2020 20:03:05 -0500
+Subject: [PATCH] libcroco parser: limit recursion in block and any productions
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
+in cr-parser.c.
+Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
+CVE: CVE-2020-12825
+Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
+---
+ src/cr-parser.c | 44 ++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index d85e71f0fc..cd7b6ebd4a 100644
+--- a/src/cr-parser.c
+++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+ #define CHARS_TAB_SIZE 12
+#define RECURSIVE_CALLERS_LIMIT 100
+
+ /**
+  * IS_NUM:
+  *@a_char: the char to test.
+@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
+static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
+                                               guint      n_calls);
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
+static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
+                                                 guint      n_calls);
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+         cr_parser_try_to_skip_spaces_and_comments (a_this);
+         do {
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, 0);
+         } while (status == CR_OK);
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                       token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
+                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status,
+                                       FALSE);
+                 goto done;
+@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+         RECORD_INITIAL_POS (a_this, &init_pos);
+-        status = cr_parser_parse_any_core (a_this);
+        status = cr_parser_parse_any_core (a_this, 0);
+         CHECK_PARSING_STATUS (status, FALSE);
+         do {
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, 0);
+         } while (status == CR_OK);
+@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+  *in chapter 4.1 of the css2 spec.
+  *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+  *@param a_this the current instance of #CRParser.
+ *@param n_calls used to limit recursion depth
+  *FIXME: code this function.
+  */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
+cr_parser_parse_block_core (CRParser * a_this,
+                            guint      n_calls)
+ {
+         CRToken *token = NULL;
+         CRInputPos init_pos;
+@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+         g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+        if (n_calls > RECURSIVE_CALLERS_LIMIT)
+                return CR_ERROR;
+
+         RECORD_INITIAL_POS (a_this, &init_pos);
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+         } else if (token->type == CBO_TK) {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
+                status = cr_parser_parse_block_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         } else {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         }
+@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
+                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 ref++;
+                 goto continue_parsing;
+@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, 0);
+                 if (status == CR_OK) {
+                         ref++;
+                         goto continue_parsing;
+@@ -1162,10 +1162,12 @@
+  *        | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+  *
+  *@param a_this the current instance of #CRParser.
+ *@param n_calls used to limit recursion depth
+  *@return CR_OK upon successfull completion, an error code otherwise.
+  */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
+cr_parser_parse_any_core (CRParser * a_this,
+                          guint      n_calls)
+ {
+         CRToken *token1 = NULL,
+                 *token2 = NULL;
+@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+         g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+        if (n_calls > RECURSIVE_CALLERS_LIMIT)
+                return CR_ERROR;
+
+         RECORD_INITIAL_POS (a_this, &init_pos);
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                  *We consider parameter as being an "any*" production.
+                  */
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
+                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
+                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
+                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+GitLab
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
new file mode 100644
index 0000000000..fd5927e014
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
+HOMEPAGE = "http://www.gnome.org/"
+BUGTRACKER = "https://bugzilla.gnome.org/"
+LICENSE = "LGPLv2 & LGPLv2.1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
+                    file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
+                    file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
+SECTION = "x11/utils"
+DEPENDS = "glib-2.0 libxml2 zlib"
+BBCLASSEXTEND = "native nativesdk"
+EXTRA_OECONF += "--enable-Bsymbolic=auto"
+BINCONFIG = "${bindir}/croco-0.6-config"
+inherit gnomebase gtk-doc binconfig-disabled
+SRC_URI += "file://CVE-2020-12825.patch"
+SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
+SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"

diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch new file mode 100644 index 0000000000..8e58f73097 --- /dev/null +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,190 @@
	1	From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
	2	From: Michael Catanzaro <mcatanzaro@gnome.org>
	3	Date: Thu, 13 Aug 2020 20:03:05 -0500
	4	Subject: [PATCH] libcroco parser: limit recursion in block and any productions
	5
	6	If we don't have any limits, we can recurse forever and overflow the
	7	stack.
	8
	9	This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
	10	in cr-parser.c.
	11
	12	Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
	13	Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
	14
	15	CVE: CVE-2020-12825
	16	Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
	17	---
	18	src/cr-parser.c \| 44 ++++++++++++++++++++-----------
	19	1 file changed, 29 insertions(+), 15 deletions(-)
	20
	21	diff --git a/src/cr-parser.c b/src/cr-parser.c
	22	index d85e71f0fc..cd7b6ebd4a 100644
	23	--- a/src/cr-parser.c
	24	+++ b/src/cr-parser.c
	25	@@ -136,6 +136,8 @@ struct _CRParserPriv {
	26
	27	#define CHARS_TAB_SIZE 12
	28
	29	+#define RECURSIVE_CALLERS_LIMIT 100
	30	+
	31	/**
	32	* IS_NUM:
	33	*@a_char: the char to test.
	34	@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
	35
	36	static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
	37
	38	-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
	39	+static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
	40	+ guint n_calls);
	41
	42	-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
	43	+static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
	44	+ guint n_calls);
	45
	46	static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
	47
	48	@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
	49	cr_parser_try_to_skip_spaces_and_comments (a_this);
	50
	51	do {
	52	- status = cr_parser_parse_any_core (a_this);
	53	+ status = cr_parser_parse_any_core (a_this, 0);
	54	} while (status == CR_OK);
	55
	56	status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
	57	@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
	58	cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
	59	token);
	60	token = NULL;
	61	- status = cr_parser_parse_block_core (a_this);
	62	+ status = cr_parser_parse_block_core (a_this, 0);
	63	CHECK_PARSING_STATUS (status,
	64	FALSE);
	65	goto done;
	66	@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
	67
	68	RECORD_INITIAL_POS (a_this, &init_pos);
	69
	70	- status = cr_parser_parse_any_core (a_this);
	71	+ status = cr_parser_parse_any_core (a_this, 0);
	72	CHECK_PARSING_STATUS (status, FALSE);
	73
	74	do {
	75	- status = cr_parser_parse_any_core (a_this);
	76	+ status = cr_parser_parse_any_core (a_this, 0);
	77
	78	} while (status == CR_OK);
	79
	80	@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
	81	*in chapter 4.1 of the css2 spec.
	82	block ::= '{' S [ any \| block \| ATKEYWORD S* \| ';' ]* '}' S*;
	83	*@param a_this the current instance of #CRParser.
	84	+ *@param n_calls used to limit recursion depth
	85	*FIXME: code this function.
	86	*/
	87	static enum CRStatus
	88	-cr_parser_parse_block_core (CRParser * a_this)
	89	+cr_parser_parse_block_core (CRParser * a_this,
	90	+ guint n_calls)
	91	{
	92	CRToken *token = NULL;
	93	CRInputPos init_pos;
	94	@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
	95
	96	g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
	97
	98	+ if (n_calls > RECURSIVE_CALLERS_LIMIT)
	99	+ return CR_ERROR;
	100	+
	101	RECORD_INITIAL_POS (a_this, &init_pos);
	102
	103	status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
	104	@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
	105	} else if (token->type == CBO_TK) {
	106	cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
	107	token = NULL;
	108	- status = cr_parser_parse_block_core (a_this);
	109	+ status = cr_parser_parse_block_core (a_this, n_calls + 1);
	110	CHECK_PARSING_STATUS (status, FALSE);
	111	goto parse_block_content;
	112	} else {
	113	cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
	114	token = NULL;
	115	- status = cr_parser_parse_any_core (a_this);
	116	+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
	117	CHECK_PARSING_STATUS (status, FALSE);
	118	goto parse_block_content;
	119	}
	120	@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
	121	status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
	122	token);
	123	token = NULL;
	124	- status = cr_parser_parse_block_core (a_this);
	125	+ status = cr_parser_parse_block_core (a_this, 0);
	126	CHECK_PARSING_STATUS (status, FALSE);
	127	ref++;
	128	goto continue_parsing;
	129	@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
	130	status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
	131	token);
	132	token = NULL;
	133	- status = cr_parser_parse_any_core (a_this);
	134	+ status = cr_parser_parse_any_core (a_this, 0);
	135	if (status == CR_OK) {
	136	ref++;
	137	goto continue_parsing;
	138	@@ -1162,10 +1162,12 @@
	139	* \| FUNCTION \| DASHMATCH \| '(' any* ')' \| '[' any* ']' ] S*;
	140	*
	141	*@param a_this the current instance of #CRParser.
	142	+ *@param n_calls used to limit recursion depth
	143	*@return CR_OK upon successfull completion, an error code otherwise.
	144	*/
	145	static enum CRStatus
	146	-cr_parser_parse_any_core (CRParser * a_this)
	147	+cr_parser_parse_any_core (CRParser * a_this,
	148	+ guint n_calls)
	149	{
	150	CRToken *token1 = NULL,
	151	*token2 = NULL;
	152	@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
	153
	154	g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
	155
	156	+ if (n_calls > RECURSIVE_CALLERS_LIMIT)
	157	+ return CR_ERROR;
	158	+
	159	RECORD_INITIAL_POS (a_this, &init_pos);
	160
	161	status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
	162	@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
	163	We consider parameter as being an "any" production.
	164	*/
	165	do {
	166	- status = cr_parser_parse_any_core (a_this);
	167	+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
	168	} while (status == CR_OK);
	169
	170	ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
	171	@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
	172	}
	173
	174	do {
	175	- status = cr_parser_parse_any_core (a_this);
	176	+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
	177	} while (status == CR_OK);
	178
	179	ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
	180	@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
	181	}
	182
	183	do {
	184	- status = cr_parser_parse_any_core (a_this);
	185	+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
	186	} while (status == CR_OK);
	187
	188	ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
	189	--
	190	GitLab


diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb new file mode 100644 index 0000000000..fd5927e014 --- /dev/null +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -0,0 +1,22 @@
	1	SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
	2	HOMEPAGE = "http://www.gnome.org/"
	3	BUGTRACKER = "https://bugzilla.gnome.org/"
	4
	5	LICENSE = "LGPLv2 & LGPLv2.1"
	6	LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
	7	file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
	8	file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
	9
	10	SECTION = "x11/utils"
	11	DEPENDS = "glib-2.0 libxml2 zlib"
	12	BBCLASSEXTEND = "native nativesdk"
	13	EXTRA_OECONF += "--enable-Bsymbolic=auto"
	14
	15	BINCONFIG = "${bindir}/croco-0.6-config"
	16
	17	inherit gnomebase gtk-doc binconfig-disabled
	18
	19	SRC_URI += "file://CVE-2020-12825.patch"
	20
	21	SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
	22	SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"