aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2021-05-31 18:35:48 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-05-31 18:35:48 -0600
commitdb25b534f847200f11649c31a3a0140775061704 (patch)
tree687a9e7951ea4b163c465b437ba08f3c7c8cf017
parentc8ee77c5333647d3a267d3eea51f0af15c45a8ba (diff)
downloadaports-db25b534f847200f11649c31a3a0140775061704.tar.gz
aports-db25b534f847200f11649c31a3a0140775061704.tar.bz2
aports-db25b534f847200f11649c31a3a0140775061704.tar.xz
community/libyang: add mitigations for CVE-2021-28902, CVE-2021-28903, CVE-2021-28904, CVE-2021-28905, CVE-2021-28906
-rw-r--r--community/libyang/APKBUILD24
-rw-r--r--community/libyang/CVE-2021-28903.patch69
-rw-r--r--community/libyang/CVE-2021-28904.patch26
-rw-r--r--community/libyang/CVE-2021-28905.patch263
-rw-r--r--community/libyang/CVE-2021-28906.patch65
5 files changed, 444 insertions, 3 deletions
diff --git a/community/libyang/APKBUILD b/community/libyang/APKBUILD
index 23e5a81027..973794f475 100644
--- a/community/libyang/APKBUILD
+++ b/community/libyang/APKBUILD
@@ -2,14 +2,26 @@
# Maintainer: Christian Franke <nobody@nowhere.ws>
pkgname=libyang
pkgver=1.0.215
-pkgrel=0
+pkgrel=1
pkgdesc="YANG data modelling language parser and toolkit"
url="https://github.com/CESNET/libyang"
arch="all"
license="BSD-3-Clause-Clear"
makedepends="bison cmake cmocka-dev flex pcre-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://github.com/CESNET/libyang/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/CESNET/libyang/archive/v$pkgver.tar.gz
+ CVE-2021-28903.patch
+ CVE-2021-28904.patch
+ CVE-2021-28905.patch
+ CVE-2021-28906.patch"
+
+# secfixes:
+# 1.0.215-r1:
+# - CVE-2021-28902
+# - CVE-2021-28903
+# - CVE-2021-28904
+# - CVE-2021-28905
+# - CVE-2021-28906
build() {
if [ "$CBUILD" != "$CHOST" ]; then
@@ -35,4 +47,10 @@ package() {
make -C build DESTDIR="$pkgdir" install
}
-sha512sums="042e7be3a658340eebb5aaf819169a516af5489c366c026b599d673b623811b01a5cc7b2fce0fe39c5deb5cce5b1e0e6dfc4eb85a331fb3203d415011e6d2dad libyang-1.0.215.tar.gz"
+sha512sums="
+042e7be3a658340eebb5aaf819169a516af5489c366c026b599d673b623811b01a5cc7b2fce0fe39c5deb5cce5b1e0e6dfc4eb85a331fb3203d415011e6d2dad libyang-1.0.215.tar.gz
+fd51bba07f817b1186566bee324655c089f7a901015abc0e3583ba351691e14b71b8cd1512d2f0bf7be1f6770ddf237cda508df9f0a8c971b79cecb4f74d93b0 CVE-2021-28903.patch
+73c351587fab0a11f9a738e09167fc99695f9df5aca77780145c14112c1ae04baf3ba72f49a2838fcc10e9324d027d6535ded01b9df0e1ba83ffb330ac8d8885 CVE-2021-28904.patch
+c7502d18a97471c1412082adcb785e36e241223a1025839105cf8d6cba3403b47bbd843a68e1a80c4355700a06c7c8e7268f344130acbebca7196c31bd1f85cd CVE-2021-28905.patch
+746ce394985f0cb3983cce8a1789ee86041e8fa40bc53d858c6cc7093f69b343d103eb0e7d76b819a3546d69f47426090eefa711a93cae767df72a405084a3d4 CVE-2021-28906.patch
+"
diff --git a/community/libyang/CVE-2021-28903.patch b/community/libyang/CVE-2021-28903.patch
new file mode 100644
index 0000000000..51bed30033
--- /dev/null
+++ b/community/libyang/CVE-2021-28903.patch
@@ -0,0 +1,69 @@
+From 298b30ea4ebee137226acf9bb38678bd82704582 Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 14:32:58 +0100
+Subject: [PATCH] common FEATURE add a hard limit for recursion
+
+Fixes #1453
+---
+ src/common.h.in | 3 +++
+ src/xml.c | 12 +++++++++---
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/common.h.in b/src/common.h.in
+index a5bf2b038..624beba9f 100644
+--- a/src/common.h.in
++++ b/src/common.h.in
+@@ -53,6 +53,9 @@
+ /* how many bytes add when enlarging buffers */
+ #define LY_BUF_STEP 128
+
++/* hard limit on recursion for cases with theoretical unlimited recursion */
++#define LY_RECURSION_LIMIT 10000
++
+ /* internal logging options */
+ enum int_log_opts {
+ ILO_LOG = 0, /* log normally */
+diff --git a/src/xml.c b/src/xml.c
+index 1bc4fdfa5..7e4760976 100644
+--- a/src/xml.c
++++ b/src/xml.c
+@@ -943,7 +943,8 @@ parse_attr(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml
+
+ /* logs directly */
+ struct lyxml_elem *
+-lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options)
++lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options,
++ int bt_count)
+ {
+ const char *c = data, *start, *e;
+ const char *lws; /* leading white space for handling mixed content */
+@@ -958,6 +959,11 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct
+
+ *len = 0;
+
++ if (bt_count > LY_RECURSION_LIMIT) {
++ LOGVAL(ctx, LYE_XML_INVAL, LY_VLOG_NONE, NULL, "Recursion limit %d reached", LY_RECURSION_LIMIT);
++ return NULL;
++ }
++
+ if (*c != '<') {
+ return NULL;
+ }
+@@ -1141,7 +1147,7 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct
+ lyxml_add_child(ctx, elem, child);
+ elem->flags |= LYXML_ELEM_MIXED;
+ }
+- child = lyxml_parse_elem(ctx, c, &size, elem, options);
++ child = lyxml_parse_elem(ctx, c, &size, elem, options, bt_count + 1);
+ if (!child) {
+ goto error;
+ }
+@@ -1295,7 +1301,7 @@ lyxml_parse_mem(struct ly_ctx *ctx, const char *data, int options)
+ }
+ }
+
+- root = lyxml_parse_elem(ctx, c, &len, NULL, options);
++ root = lyxml_parse_elem(ctx, c, &len, NULL, options, 0);
+ if (!root) {
+ goto error;
+ } else if (!first) {
diff --git a/community/libyang/CVE-2021-28904.patch b/community/libyang/CVE-2021-28904.patch
new file mode 100644
index 0000000000..df87f28e76
--- /dev/null
+++ b/community/libyang/CVE-2021-28904.patch
@@ -0,0 +1,26 @@
+From 59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 09:20:30 +0100
+Subject: [PATCH] plugins BUGFIX handle empty revision correctly
+
+Fixes #1451
+---
+ src/plugins.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins.c b/src/plugins.c
+index 7e6fdf358..fa62ce76c 100644
+--- a/src/plugins.c
++++ b/src/plugins.c
+@@ -457,9 +457,8 @@ ext_get_plugin(const char *name, const char *module, const char *revision)
+ assert(module);
+
+ for (u = 0; u < ext_plugins_count; u++) {
+- if (!strcmp(name, ext_plugins[u].name) &&
+- !strcmp(module, ext_plugins[u].module) &&
+- (!ext_plugins[u].revision || !strcmp(revision, ext_plugins[u].revision))) {
++ if (!strcmp(name, ext_plugins[u].name) && !strcmp(module, ext_plugins[u].module) &&
++ ((!revision && !ext_plugins[u].revision) || (revision && !strcmp(revision, ext_plugins[u].revision)))) {
+ /* we have the match */
+ return ext_plugins[u].plugin;
+ }
diff --git a/community/libyang/CVE-2021-28905.patch b/community/libyang/CVE-2021-28905.patch
new file mode 100644
index 0000000000..89e620720c
--- /dev/null
+++ b/community/libyang/CVE-2021-28905.patch
@@ -0,0 +1,263 @@
+From 5ce30801f9ccc372bbe9b7c98bb5324b15fb010a Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 09:34:04 +0100
+Subject: [PATCH] schema tree BUGFIX freeing nodes with no module set
+
+Context must be passed explicitly for these cases.
+Fixes #1452
+---
+ src/parser_yin.c | 24 ++++++++++++------------
+ src/resolve.c | 2 +-
+ src/tree_internal.h | 4 +++-
+ src/tree_schema.c | 27 +++++++++++----------------
+ 4 files changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/src/parser_yin.c b/src/parser_yin.c
+index d545a6d26..275991644 100644
+--- a/src/parser_yin.c
++++ b/src/parser_yin.c
+@@ -4213,7 +4213,7 @@ read_yin_case(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+
+ return NULL;
+ }
+@@ -4420,7 +4420,7 @@ read_yin_choice(struct lys_module *module, struct lys_node *parent, struct lyxml
+
+ error:
+ lyxml_free(ctx, dflt);
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -4581,7 +4581,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -4803,7 +4803,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -5117,7 +5117,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -5490,7 +5490,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+
+ error:
+
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -5714,7 +5714,7 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -5859,7 +5859,7 @@ read_yin_grouping(struct lys_module *module, struct lys_node *parent, struct lyx
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6035,7 +6035,7 @@ read_yin_input_output(struct lys_module *module, struct lys_node *parent, struct
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6216,7 +6216,7 @@ read_yin_notif(struct lys_module *module, struct lys_node *parent, struct lyxml_
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6368,7 +6368,7 @@ read_yin_rpc_action(struct lys_module *module, struct lys_node *parent, struct l
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6522,7 +6522,7 @@ read_yin_uses(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+diff --git a/src/resolve.c b/src/resolve.c
+index 21293ebc2..29862187f 100644
+--- a/src/resolve.c
++++ b/src/resolve.c
+@@ -5654,7 +5654,7 @@ resolve_uses(struct lys_node_uses *uses, struct unres_schema *unres)
+
+ fail:
+ LY_TREE_FOR_SAFE(uses->child, next, iter) {
+- lys_node_free(iter, NULL, 0);
++ lys_node_free(ctx, iter, NULL, 0);
+ }
+ free(refine_nodes);
+ return -1;
+diff --git a/src/tree_internal.h b/src/tree_internal.h
+index 497c62c4d..36e94f5c5 100644
+--- a/src/tree_internal.h
++++ b/src/tree_internal.h
+@@ -368,12 +368,14 @@ void lys_node_unlink(struct lys_node *node);
+ /**
+ * @brief Free the schema node structure, includes unlinking it from the tree
+ *
++ * @param[in] ctx libang context to use, @p node may not have it filled (in groupings, for example).
+ * @param[in] node Schema tree node to free. Do not use the pointer after calling this function.
+ * @param[in] private_destructor Optional destructor function for private objects assigned
+ * to the nodes via lys_set_private(). If NULL, the private objects are not freed by libyang.
+ * @param[in] shallow Whether to do a shallow free only (on a shallow copy of a node).
+ */
+-void lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys_node *node, void *priv), int shallow);
++void lys_node_free(struct ly_ctx *ctx, struct lys_node *node,
++ void (*private_destructor)(const struct lys_node *node, void *priv), int shallow);
+
+ /**
+ * @brief Free (and unlink it from the context) the specified schema.
+diff --git a/src/tree_schema.c b/src/tree_schema.c
+index 43b19039f..fb4c85f3f 100644
+--- a/src/tree_schema.c
++++ b/src/tree_schema.c
+@@ -942,7 +942,7 @@ lys_node_addchild(struct lys_node *parent, struct lys_module *module, struct lys
+ iter->next = NULL;
+ iter->prev = iter;
+ iter->parent = NULL;
+- lys_node_free(iter, NULL, 0);
++ lys_node_free(ctx, iter, NULL, 0);
+ } else {
+ if (shortcase) {
+ /* create the implicit case to allow it to serve as a target of the augments,
+@@ -2464,7 +2464,7 @@ lys_augment_free(struct ly_ctx *ctx, struct lys_node_augment *aug,
+ /* children from a resolved augment are freed under the target node */
+ if (!aug->target || (aug->flags & LYS_NOTAPPLIED)) {
+ LY_TREE_FOR_SAFE(aug->child, next, sub) {
+- lys_node_free(sub, private_destructor, 0);
++ lys_node_free(ctx, sub, private_destructor, 0);
+ }
+ }
+
+@@ -2722,11 +2722,11 @@ lys_deviation_free(struct lys_module *module, struct lys_deviation *dev,
+
+ LY_TREE_DFS_END(dev->orig_node, next, elem);
+ }
+- lys_node_free(dev->orig_node, NULL, 0);
++ lys_node_free(ctx, dev->orig_node, NULL, 0);
+ } else {
+ /* it's just a shallow copy, freeing one node */
+ dev->orig_node->module = module;
+- lys_node_free(dev->orig_node, NULL, 1);
++ lys_node_free(ctx, dev->orig_node, NULL, 1);
+ }
+ }
+
+@@ -2798,20 +2798,15 @@ lys_uses_free(struct ly_ctx *ctx, struct lys_node_uses *uses,
+ }
+
+ void
+-lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys_node *node, void *priv), int shallow)
++lys_node_free(struct ly_ctx *ctx, struct lys_node *node,
++ void (*private_destructor)(const struct lys_node *node, void *priv), int shallow)
+ {
+- struct ly_ctx *ctx;
+ struct lys_node *sub, *next;
+
+ if (!node) {
+ return;
+ }
+
+- assert(node->module);
+- assert(node->module->ctx);
+-
+- ctx = node->module->ctx;
+-
+ /* remove private object */
+ if (node->priv && private_destructor) {
+ private_destructor(node, node->priv);
+@@ -2827,7 +2822,7 @@ lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys
+
+ if (!shallow && !(node->nodetype & (LYS_LEAF | LYS_LEAFLIST))) {
+ LY_TREE_FOR_SAFE(node->child, next, sub) {
+- lys_node_free(sub, private_destructor, 0);
++ lys_node_free(ctx, sub, private_destructor, 0);
+ }
+ }
+
+@@ -2942,7 +2937,7 @@ module_free_common(struct lys_module *module, void (*private_destructor)(const s
+ * are placed in the main module altogether */
+ if (!module->type) {
+ LY_TREE_FOR_SAFE(module->data, next, iter) {
+- lys_node_free(iter, private_destructor, 0);
++ lys_node_free(ctx, iter, private_destructor, 0);
+ }
+ }
+
+@@ -3507,7 +3502,7 @@ lys_node_dup_recursion(struct lys_module *module, struct lys_node *parent, const
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -5149,7 +5144,7 @@ lys_submodule_module_data_free(struct lys_submodule *submodule)
+ /* remove parsed data */
+ LY_TREE_FOR_SAFE(submodule->belongsto->data, next, elem) {
+ if (elem->module == (struct lys_module *)submodule) {
+- lys_node_free(elem, NULL, 0);
++ lys_node_free(submodule->ctx, elem, NULL, 0);
+ }
+ }
+ }
+@@ -5546,7 +5541,7 @@ lys_extension_instances_free(struct ly_ctx *ctx, struct lys_ext_instance **e, un
+ case LY_STMT_USES:
+ pp = (void**)&((struct lys_ext_instance_complex *)e[i])->content[substmt[j].offset];
+ LY_TREE_FOR_SAFE((struct lys_node *)(*pp), snext, siter) {
+- lys_node_free(siter, NULL, 0);
++ lys_node_free(ctx, siter, NULL, 0);
+ }
+ *pp = NULL;
+ break;
diff --git a/community/libyang/CVE-2021-28906.patch b/community/libyang/CVE-2021-28906.patch
new file mode 100644
index 0000000000..6b0529084b
--- /dev/null
+++ b/community/libyang/CVE-2021-28906.patch
@@ -0,0 +1,65 @@
+From a3917d95d516e3de267d3cfa5d4d3715a90e8777 Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 14:08:05 +0100
+Subject: [PATCH] yin parser BUGFIX invalid memory access
+
+... in case there were some unresolved
+extensions.
+Fixes #1454
+Fixes #1455
+---
+ src/parser_yin.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/parser_yin.c b/src/parser_yin.c
+index 275991644..256325415 100644
+--- a/src/parser_yin.c
++++ b/src/parser_yin.c
+@@ -4572,7 +4572,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ break;
+ }
+@@ -4794,7 +4794,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ break;
+ }
+@@ -5108,7 +5108,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ break;
+ }
+@@ -5477,7 +5477,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {
+ retval->flags |= LYS_VALID_EXT_SUBTREE;
+@@ -5701,8 +5701,9 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly
+ }
+
+ for (r = 0; r < retval->ext_size; ++r) {
+- /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ /* extension instance may not yet be resolved */
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
++ /* set flag, which represent LYEXT_OPT_VALID */
+ retval->flags |= LYS_VALID_EXT;
+ if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {
+ retval->flags |= LYS_VALID_EXT_SUBTREE;