2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-43680.patch b/meta/recipes-core/expat/expat/CVE-2022-43680.patch
new file mode 100644
index 0000000000..76c55edc76
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-43680.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2022-43680
+Upstream-Status: Backport [5290462a7ea1278a8d5c0d5b2860d4e244f997e4]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Sep 2022 02:44:34 +0200
+Subject: [PATCH] lib: Fix overeager DTD destruction in
+ XML_ExternalEntityParserCreate
+---
+ expat/lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index aacd6e7fc..57bf103cc 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
+   parserInit(parser, encodingName);
+ 
+   if (encodingName && ! parser->m_protocolEncodingName) {
+    if (dtd) {
+      // We need to stop the upcoming call to XML_ParserFree from happily
+      // destroying parser->m_dtd because the DTD is shared with the parent
+      // parser and the only guard that keeps XML_ParserFree from destroying
+      // parser->m_dtd is parser->m_isParamEntity but it will be set to
+      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+      parser->m_dtd = NULL;
+    }
+     XML_ParserFree(parser);
+     return NULL;
+   }
diff --git a/meta/recipes-core/expat/expat_2.4.9.bb b/meta/recipes-core/expat/expat_2.4.9.bb
index cb007708c7..22f9845a99 100644
--- a/meta/recipes-core/expat/expat_2.4.9.bb
+++ b/meta/recipes-core/expat/expat_2.4.9.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7b3b078238d0901d3b339289117cb7fb"
 VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
 SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
+           file://CVE-2022-43680.patch \
           file://run-ptest \
           "

diff --git a/meta/recipes-core/expat/expat/CVE-2022-43680.patch b/meta/recipes-core/expat/expat/CVE-2022-43680.patch new file mode 100644 index 0000000000..76c55edc76 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-43680.patch
@@ -0,0 +1,33 @@
		1	CVE: CVE-2022-43680
		2	Upstream-Status: Backport [5290462a7ea1278a8d5c0d5b2860d4e244f997e4]
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
		6	From: Sebastian Pipping <sebastian@pipping.org>
		7	Date: Tue, 20 Sep 2022 02:44:34 +0200
		8	Subject: [PATCH] lib: Fix overeager DTD destruction in
		9	XML_ExternalEntityParserCreate
		10
		11	---
		12	expat/lib/xmlparse.c \| 8 ++++++++
		13	1 file changed, 8 insertions(+)
		14
		15	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
		16	index aacd6e7fc..57bf103cc 100644
		17	--- a/lib/xmlparse.c
		18	+++ b/lib/xmlparse.c
		19	@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
		20	parserInit(parser, encodingName);
		21
		22	if (encodingName && ! parser->m_protocolEncodingName) {
		23	+ if (dtd) {
		24	+ // We need to stop the upcoming call to XML_ParserFree from happily
		25	+ // destroying parser->m_dtd because the DTD is shared with the parent
		26	+ // parser and the only guard that keeps XML_ParserFree from destroying
		27	+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
		28	+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
		29	+ parser->m_dtd = NULL;
		30	+ }
		31	XML_ParserFree(parser);
		32	return NULL;
		33	}


diff --git a/meta/recipes-core/expat/expat_2.4.9.bb b/meta/recipes-core/expat/expat_2.4.9.bb index cb007708c7..22f9845a99 100644 --- a/meta/recipes-core/expat/expat_2.4.9.bb +++ b/meta/recipes-core/expat/expat_2.4.9.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7b3b078238d0901d3b339289117cb7fb"
9	VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"	9	VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
10		10
11	SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \	11	SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
		12	file://CVE-2022-43680.patch \
12	file://run-ptest \	13	file://run-ptest \
13	"	14	"
14		15