* [Buildroot] [PATCH 1/2] package/tinyxml: add TINYXML_CPE_ID_VENDOR
From: Fabrice Fontaine @ 2022-01-24 17:23 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
cpe:2.3:a:tinyxml_project:tinyxml is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atinyxml_project%3Atinyxml
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/tinyxml/tinyxml.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/tinyxml/tinyxml.mk b/package/tinyxml/tinyxml.mk
index 15280517ac..b8b8e43c05 100644
--- a/package/tinyxml/tinyxml.mk
+++ b/package/tinyxml/tinyxml.mk
@@ -12,5 +12,6 @@ TINYXML_AUTORECONF = YES
TINYXML_INSTALL_STAGING = YES
TINYXML_LICENSE = Zlib
TINYXML_LICENSE_FILES = README
+TINYXML_CPE_ID_VENDOT = tinyxml_project
$(eval $(autotools-package))
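Review bot: The added line in package/tinyxml/tinyxml.mk spells the variable `TINYXML_CPE_ID_VENDOT`, while the subject line names `TINYXML_CPE_ID_VENDOR`. Buildroot only reads the `_CPE_ID_VENDOR` suffix, so as written the vendor `tinyxml_project` from the commit message is never applied to the package's CPE identifier. Rename the variable to `TINYXML_CPE_ID_VENDOR = tinyxml_project`.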
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 2/2] package/tinyxml: fix CVE-2021-42260
From: Fabrice Fontaine @ 2022-01-24 17:23 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in
tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by
a crafted XML message and leads to a denial of service.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...always-advance-the-pointer-if-p-0xef.patch | 37 +++++++++++++++++++
package/tinyxml/tinyxml.mk | 3 ++
2 files changed, 40 insertions(+)
create mode 100644 package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
diff --git a/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch b/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
new file mode 100644
index 0000000000..ea0f6476c8
--- /dev/null
+++ b/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
@@ -0,0 +1,37 @@
+From f7ca0035d17a663f55668e662b840afce7b86112 Mon Sep 17 00:00:00 2001
+From: Christian Voegl <cvoegl@suse.com>
+Date: Wed, 27 Oct 2021 11:25:18 +0200
+Subject: [PATCH] In stamp always advance the pointer if *p= 0xef
+
+The current implementation only advanced if 0xef is followed
+by two non-zero bytes. In case of malformed input (0xef should be
+the start byte of a three byte character) this leads to an infinite
+loop. (CVE-2021-42260)
+
+[Retrieved (and backported) from:
+https://sourceforge.net/p/tinyxml/git/merge-requests/1]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ tinyxmlparser.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tinyxmlparser.cpp b/src/tinyxmlparser.cpp
+index 81b7eae..8aa0dfa 100755
+--- a/src/tinyxmlparser.cpp
++++ b/src/tinyxmlparser.cpp
+@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
+ else
+ { p +=3; ++col; } // A normal character.
+ }
++ else
++ {
++ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
++ // there is something wrong here. Just advance the pointer to evade infinite loops
++ ++p;
++ }
+ }
+ else
+ {
+--
+2.34.1
+
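Review bot: In the `else` branch added to TiXmlParsingData::Stamp, `p` is advanced but `col` is left unchanged, whereas the branch just above it does `{ p +=3; ++col; }`. If leaving the column count untouched for a stray 0xef is intended, the comment should say so; otherwise add `++col` next to `++p`. The comment would also read better with "avoid infinite loops" than "evade".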
diff --git a/package/tinyxml/tinyxml.mk b/package/tinyxml/tinyxml.mk
index b8b8e43c05..d173254e31 100644
--- a/package/tinyxml/tinyxml.mk
+++ b/package/tinyxml/tinyxml.mk
@@ -14,4 +14,7 @@ TINYXML_LICENSE = Zlib
TINYXML_LICENSE_FILES = README
TINYXML_CPE_ID_VENDOT = tinyxml_project
+# 0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
+TINYXML_IGNORE_CVES += CVE-2021-42260
+
$(eval $(autotools-package))
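Review bot: The context line `TINYXML_CPE_ID_VENDOT = tinyxml_project` shows this hunk is built on the misspelled variable from 1/2, so once that is corrected to `TINYXML_CPE_ID_VENDOR` this hunk has to be regenerated to apply. The comment naming 0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch above `TINYXML_IGNORE_CVES += CVE-2021-42260` is worth keeping, since it records which patch justifies ignoring the CVE.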
--
2.34.1
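
The failure mode described in the commit message above, as an added example that is not part of this thread or of TinyXML's code: a simplified model of a column-counting loop that only advances past 0xef when two non-zero bytes follow, run with and without the fix. The function name, the iteration budget and the sample buffers are assumptions constructed for illustration.

```cpp
#include <cstdio>

// Constructed sample inputs (not taken from the thread).
// BAD: 0xef is not followed by two non-zero bytes (truncated sequence).
static const unsigned char BAD[] = {'a', 0xef, 0x00, 0x00, 'b'};
// GOOD: a complete 3-byte sequence followed by ASCII.
static const unsigned char GOOD[] = {0xef, 0xbb, 0xbf, '<', 'a', '>'};

// Hypothetical model of the lead-byte handling the patch changes.
// Returns the number of loop iterations needed to reach `now`, or -1 when
// the iteration budget is exhausted, i.e. the loop made no progress.
static long stamp_model(const unsigned char* p, const unsigned char* now,
                        bool patched, long budget = 1000)
{
    long iterations = 0;
    int col = 0;
    while (p < now) {
        if (++iterations > budget)
            return -1;                 // stuck: same byte seen forever
        if (*p == 0xef) {              // TIXML_UTF_LEAD_0 (239)
            if (p[1] && p[2]) {
                p += 3; ++col;         // complete 3-byte character
            } else if (patched) {
                ++p;                   // the fix: always advance
            }
            // pre-patch: no branch advances p here, so the loop spins
        } else {
            ++p; ++col;                // any other byte
        }
    }
    (void)col;
    return iterations;
}

int main()
{
    std::printf("pre-patch, truncated: %ld\n", stamp_model(BAD, BAD + 5, false));
    std::printf("patched,   truncated: %ld\n", stamp_model(BAD, BAD + 5, true));
    std::printf("pre-patch, complete:  %ld\n", stamp_model(GOOD, GOOD + 6, false));
    std::printf("patched,   complete:  %ld\n", stamp_model(GOOD, GOOD + 6, true));
    return 0;
}
```

The same pair of inputs works as a regression check when carrying the backported patch: the truncated buffer must terminate, and the complete one must behave identically before and after.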
* Re: [Buildroot] [PATCH 1/2] package/tinyxml: add TINYXML_CPE_ID_VENDOR
From: Thomas Petazzoni @ 2022-01-24 21:05 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
On Mon, 24 Jan 2022 18:23:21 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> cpe:2.3:a:tinyxml_project:tinyxml is a valid CPE identifier for this
> package:
>
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atinyxml_project%3Atinyxml
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/tinyxml/tinyxml.mk | 1 +
> 1 file changed, 1 insertion(+)
Both applied to master, thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [Buildroot] [PATCH 1/2] package/tinyxml: add TINYXML_CPE_ID_VENDOR
From: Peter Korsgaard @ 2022-01-28 20:44 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> cpe:2.3:a:tinyxml_project:tinyxml is a valid CPE identifier for this
> package:
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atinyxml_project%3Atinyxml
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 2/2] package/tinyxml: fix CVE-2021-42260
From: Peter Korsgaard @ 2022-01-28 20:44 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in
> tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by
> a crafted XML message and leads to a denial of service.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard