poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch - openbmc/openbmc - Gitiles

 From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Fri, 7 Apr 2023 11:46:35 +0200
 Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType

 Fix a null pointer dereference when parsing (invalid) XML schemas.

 Thanks to Robby Simpson for the report!

 Fixes #491.

 CVE: CVE-2023-28484
 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]

 Signed-off-by: Peter Marko <peter.marko@siemens.com>
 ---
  result/schemas/issue491_0_0.err |  1 +
  test/schemas/issue491_0.xml     |  1 +
  test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
  xmlschemas.c                    |  2 +-
  4 files changed, 21 insertions(+), 1 deletion(-)
  create mode 100644 result/schemas/issue491_0_0.err
  create mode 100644 test/schemas/issue491_0.xml
  create mode 100644 test/schemas/issue491_0.xsd

 diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
 new file mode 100644
 index 00000000..9b2bb969
 --- /dev/null
 +++ b/result/schemas/issue491_0_0.err
 @@ -0,0 +1 @@
 +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
 diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
 new file mode 100644
 index 00000000..e2b2fc2e
 --- /dev/null
 +++ b/test/schemas/issue491_0.xml
 @@ -0,0 +1 @@
 +<Child xmlns="http://www.test.com">5</Child>
 diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
 new file mode 100644
 index 00000000..81702649
 --- /dev/null
 +++ b/test/schemas/issue491_0.xsd
 @@ -0,0 +1,18 @@
 +<?xml version='1.0' encoding='UTF-8'?>
 +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
 +  <xs:complexType name="BaseType">
 +    <xs:simpleContent>
 +      <xs:extension base="xs:int" />
 +    </xs:simpleContent>
 +  </xs:complexType>
 +  <xs:complexType name="ChildType">
 +    <xs:complexContent>
 +      <xs:extension base="BaseType">
 +        <xs:sequence>
 +          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
 +        </xs:sequence>
 +      </xs:extension>
 +    </xs:complexContent>
 +  </xs:complexType>
 +  <xs:element name="Child" type="ChildType" />
 +</xs:schema>
 diff --git a/xmlschemas.c b/xmlschemas.c
 index 6a353858..a4eaf591 100644
 --- a/xmlschemas.c
 +++ b/xmlschemas.c
 @@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
  			"allowed to appear inside other model groups",
  			NULL, NULL);

 -		} else if (! dummySequence) {
 +		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
  		    xmlSchemaTreeItemPtr effectiveContent =
  			(xmlSchemaTreeItemPtr) type->subtypes;
  		    /*
 --
 GitLab
	From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
	From: Nick Wellnhofer <wellnhofer@aevum.de>
	Date: Fri, 7 Apr 2023 11:46:35 +0200
	Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType

	Fix a null pointer dereference when parsing (invalid) XML schemas.

	Thanks to Robby Simpson for the report!

	Fixes #491.

	CVE: CVE-2023-28484
	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]

	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	---
	result/schemas/issue491_0_0.err \| 1 +
	test/schemas/issue491_0.xml \| 1 +
	test/schemas/issue491_0.xsd \| 18 ++++++++++++++++++
	xmlschemas.c \| 2 +-
	4 files changed, 21 insertions(+), 1 deletion(-)
	create mode 100644 result/schemas/issue491_0_0.err
	create mode 100644 test/schemas/issue491_0.xml
	create mode 100644 test/schemas/issue491_0.xsd

	diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
	new file mode 100644
	index 00000000..9b2bb969
	--- /dev/null
	+++ b/result/schemas/issue491_0_0.err
	@@ -0,0 +1 @@
	+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
	diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
	new file mode 100644
	index 00000000..e2b2fc2e
	--- /dev/null
	+++ b/test/schemas/issue491_0.xml
	@@ -0,0 +1 @@
	+<Child xmlns="http://www.test.com">5</Child>
	diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
	new file mode 100644
	index 00000000..81702649
	--- /dev/null
	+++ b/test/schemas/issue491_0.xsd
	@@ -0,0 +1,18 @@
	+<?xml version='1.0' encoding='UTF-8'?>
	+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
	+ <xs:complexType name="BaseType">
	+ <xs:simpleContent>
	+ <xs:extension base="xs:int" />
	+ </xs:simpleContent>
	+ </xs:complexType>
	+ <xs:complexType name="ChildType">
	+ <xs:complexContent>
	+ <xs:extension base="BaseType">
	+ <xs:sequence>
	+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
	+ </xs:sequence>
	+ </xs:extension>
	+ </xs:complexContent>
	+ </xs:complexType>
	+ <xs:element name="Child" type="ChildType" />
	+</xs:schema>
	diff --git a/xmlschemas.c b/xmlschemas.c
	index 6a353858..a4eaf591 100644
	--- a/xmlschemas.c
	+++ b/xmlschemas.c
	@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
	"allowed to appear inside other model groups",
	NULL, NULL);

	- } else if (! dummySequence) {
	+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
	xmlSchemaTreeItemPtr effectiveContent =
	(xmlSchemaTreeItemPtr) type->subtypes;
	/*
	--
	GitLab