From 39d2ca83f03ff5de825253a9e97ce9e4e53082e1 Mon Sep 17 00:00:00 2001 From: yaozc701 Date: Wed, 23 Jun 2021 16:38:16 +0800 Subject: [PATCH] add patch CVE-2021-28903 --- CVE-2021-28903.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++ libyang.spec | 6 +++- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-28903.patch diff --git a/CVE-2021-28903.patch b/CVE-2021-28903.patch new file mode 100644 index 0000000..51bed30 --- /dev/null +++ b/CVE-2021-28903.patch @@ -0,0 +1,69 @@ +From 298b30ea4ebee137226acf9bb38678bd82704582 Mon Sep 17 00:00:00 2001 +From: Michal Vasko +Date: Mon, 8 Mar 2021 14:32:58 +0100 +Subject: [PATCH] common FEATURE add a hard limit for recursion + +Fixes #1453 +--- + src/common.h.in | 3 +++ + src/xml.c | 12 +++++++++--- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/common.h.in b/src/common.h.in +index a5bf2b038..624beba9f 100644 +--- a/src/common.h.in ++++ b/src/common.h.in +@@ -53,6 +53,9 @@ + /* how many bytes add when enlarging buffers */ + #define LY_BUF_STEP 128 + ++/* hard limit on recursion for cases with theoretical unlimited recursion */ ++#define LY_RECURSION_LIMIT 10000 ++ + /* internal logging options */ + enum int_log_opts { + ILO_LOG = 0, /* log normally */ +diff --git a/src/xml.c b/src/xml.c +index 1bc4fdfa5..7e4760976 100644 +--- a/src/xml.c ++++ b/src/xml.c +@@ -943,7 +943,8 @@ parse_attr(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml + + /* logs directly */ + struct lyxml_elem * +-lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options) ++lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options, ++ int bt_count) + { + const char *c = data, *start, *e; + const char *lws; /* leading white space for handling mixed content */ +@@ -958,6 +959,11 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct + + *len = 0; + ++ if (bt_count > LY_RECURSION_LIMIT) { ++ LOGVAL(ctx, LYE_XML_INVAL, LY_VLOG_NONE, NULL, "Recursion limit %d reached", LY_RECURSION_LIMIT); ++ return NULL; ++ } ++ + if (*c != '<') { + return NULL; + } +@@ -1141,7 +1147,7 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct + lyxml_add_child(ctx, elem, child); + elem->flags |= LYXML_ELEM_MIXED; + } +- child = lyxml_parse_elem(ctx, c, &size, elem, options); ++ child = lyxml_parse_elem(ctx, c, &size, elem, options, bt_count + 1); + if (!child) { + goto error; + } +@@ -1295,7 +1301,7 @@ lyxml_parse_mem(struct ly_ctx *ctx, const char *data, int options) + } + } + +- root = lyxml_parse_elem(ctx, c, &len, NULL, options); ++ root = lyxml_parse_elem(ctx, c, &len, NULL, options, 0); + if (!root) { + goto error; + } else if (!first) { diff --git a/libyang.spec b/libyang.spec index 8b0b095..4ef36db 100644 --- a/libyang.spec +++ b/libyang.spec @@ -1,13 +1,14 @@ %global debug_package %{nil} Name: libyang Version: 1.0.184 -Release: 0 +Release: 1 Summary: YANG data modeling language library Url: https://github.com/CESNET/libyang Source: %{url}/archive/%{name}-%{version}.tar.gz License: BSD Patch0: libyang-1.0.184-doc.patch +Patch1: CVE-2021-28903.patch Requires: pcre BuildRequires: cmake @@ -126,5 +127,8 @@ cp -r doc/html %{buildroot}/%{_docdir}/libyang/html %{python3_sitearch}/__pycache__/yang* %changelog +* Wed Jun 23 2021 yaozc7 - 1.0.184-1 +- Add patch CVE-2021-28903 + * Fri Jul 10 2020 openEuler Buildteam - 1.0.184-0 - Package init -- Gitee