diff options
| -rw-r--r-- | community/libyang/APKBUILD | 24 | ||||
| -rw-r--r-- | community/libyang/CVE-2021-28903.patch | 69 | ||||
| -rw-r--r-- | community/libyang/CVE-2021-28904.patch | 26 | ||||
| -rw-r--r-- | community/libyang/CVE-2021-28905.patch | 263 | ||||
| -rw-r--r-- | community/libyang/CVE-2021-28906.patch | 65 |
5 files changed, 444 insertions, 3 deletions
diff --git a/community/libyang/APKBUILD b/community/libyang/APKBUILD index 23e5a810276..973794f4752 100644 --- a/community/libyang/APKBUILD +++ b/community/libyang/APKBUILD @@ -2,14 +2,26 @@ # Maintainer: Christian Franke <nobody@nowhere.ws> pkgname=libyang pkgver=1.0.215 -pkgrel=0 +pkgrel=1 pkgdesc="YANG data modelling language parser and toolkit" url="https://github.com/CESNET/libyang" arch="all" license="BSD-3-Clause-Clear" makedepends="bison cmake cmocka-dev flex pcre-dev" subpackages="$pkgname-dev $pkgname-doc" -source="$pkgname-$pkgver.tar.gz::https://github.com/CESNET/libyang/archive/v$pkgver.tar.gz" +source="$pkgname-$pkgver.tar.gz::https://github.com/CESNET/libyang/archive/v$pkgver.tar.gz + CVE-2021-28903.patch + CVE-2021-28904.patch + CVE-2021-28905.patch + CVE-2021-28906.patch" + +# secfixes: +# 1.0.215-r1: +# - CVE-2021-28902 +# - CVE-2021-28903 +# - CVE-2021-28904 +# - CVE-2021-28905 +# - CVE-2021-28906 build() { if [ "$CBUILD" != "$CHOST" ]; then @@ -35,4 +47,10 @@ package() { make -C build DESTDIR="$pkgdir" install } -sha512sums="042e7be3a658340eebb5aaf819169a516af5489c366c026b599d673b623811b01a5cc7b2fce0fe39c5deb5cce5b1e0e6dfc4eb85a331fb3203d415011e6d2dad libyang-1.0.215.tar.gz" +sha512sums=" +042e7be3a658340eebb5aaf819169a516af5489c366c026b599d673b623811b01a5cc7b2fce0fe39c5deb5cce5b1e0e6dfc4eb85a331fb3203d415011e6d2dad libyang-1.0.215.tar.gz +fd51bba07f817b1186566bee324655c089f7a901015abc0e3583ba351691e14b71b8cd1512d2f0bf7be1f6770ddf237cda508df9f0a8c971b79cecb4f74d93b0 CVE-2021-28903.patch +73c351587fab0a11f9a738e09167fc99695f9df5aca77780145c14112c1ae04baf3ba72f49a2838fcc10e9324d027d6535ded01b9df0e1ba83ffb330ac8d8885 CVE-2021-28904.patch +c7502d18a97471c1412082adcb785e36e241223a1025839105cf8d6cba3403b47bbd843a68e1a80c4355700a06c7c8e7268f344130acbebca7196c31bd1f85cd CVE-2021-28905.patch +746ce394985f0cb3983cce8a1789ee86041e8fa40bc53d858c6cc7093f69b343d103eb0e7d76b819a3546d69f47426090eefa711a93cae767df72a405084a3d4 CVE-2021-28906.patch +" diff --git a/community/libyang/CVE-2021-28903.patch b/community/libyang/CVE-2021-28903.patch new file mode 100644 index 00000000000..51bed300338 --- /dev/null +++ b/community/libyang/CVE-2021-28903.patch @@ -0,0 +1,69 @@ +From 298b30ea4ebee137226acf9bb38678bd82704582 Mon Sep 17 00:00:00 2001 +From: Michal Vasko <mvasko@cesnet.cz> +Date: Mon, 8 Mar 2021 14:32:58 +0100 +Subject: [PATCH] common FEATURE add a hard limit for recursion + +Fixes #1453 +--- + src/common.h.in | 3 +++ + src/xml.c | 12 +++++++++--- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/common.h.in b/src/common.h.in +index a5bf2b038..624beba9f 100644 +--- a/src/common.h.in ++++ b/src/common.h.in +@@ -53,6 +53,9 @@ + /* how many bytes add when enlarging buffers */ + #define LY_BUF_STEP 128 + ++/* hard limit on recursion for cases with theoretical unlimited recursion */ ++#define LY_RECURSION_LIMIT 10000 ++ + /* internal logging options */ + enum int_log_opts { + ILO_LOG = 0, /* log normally */ +diff --git a/src/xml.c b/src/xml.c +index 1bc4fdfa5..7e4760976 100644 +--- a/src/xml.c ++++ b/src/xml.c +@@ -943,7 +943,8 @@ parse_attr(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml + + /* logs directly */ + struct lyxml_elem * +-lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options) ++lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options, ++ int bt_count) + { + const char *c = data, *start, *e; + const char *lws; /* leading white space for handling mixed content */ +@@ -958,6 +959,11 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct + + *len = 0; + ++ if (bt_count > LY_RECURSION_LIMIT) { ++ LOGVAL(ctx, LYE_XML_INVAL, LY_VLOG_NONE, NULL, "Recursion limit %d reached", LY_RECURSION_LIMIT); ++ return NULL; ++ } ++ + if (*c != '<') { + return NULL; + } +@@ -1141,7 +1147,7 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct + lyxml_add_child(ctx, elem, child); + elem->flags |= LYXML_ELEM_MIXED; + } +- child = lyxml_parse_elem(ctx, c, &size, elem, options); ++ child = lyxml_parse_elem(ctx, c, &size, elem, options, bt_count + 1); + if (!child) { + goto error; + } +@@ -1295,7 +1301,7 @@ lyxml_parse_mem(struct ly_ctx *ctx, const char *data, int options) + } + } + +- root = lyxml_parse_elem(ctx, c, &len, NULL, options); ++ root = lyxml_parse_elem(ctx, c, &len, NULL, options, 0); + if (!root) { + goto error; + } else if (!first) { diff --git a/community/libyang/CVE-2021-28904.patch b/community/libyang/CVE-2021-28904.patch new file mode 100644 index 00000000000..df87f28e768 --- /dev/null +++ b/community/libyang/CVE-2021-28904.patch @@ -0,0 +1,26 @@ +From 59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d Mon Sep 17 00:00:00 2001 +From: Michal Vasko <mvasko@cesnet.cz> +Date: Mon, 8 Mar 2021 09:20:30 +0100 +Subject: [PATCH] plugins BUGFIX handle empty revision correctly + +Fixes #1451 +--- + src/plugins.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/plugins.c b/src/plugins.c +index 7e6fdf358..fa62ce76c 100644 +--- a/src/plugins.c ++++ b/src/plugins.c +@@ -457,9 +457,8 @@ ext_get_plugin(const char *name, const char *module, const char *revision) + assert(module); + + for (u = 0; u < ext_plugins_count; u++) { +- if (!strcmp(name, ext_plugins[u].name) && +- !strcmp(module, ext_plugins[u].module) && +- (!ext_plugins[u].revision || !strcmp(revision, ext_plugins[u].revision))) { ++ if (!strcmp(name, ext_plugins[u].name) && !strcmp(module, ext_plugins[u].module) && ++ ((!revision && !ext_plugins[u].revision) || (revision && !strcmp(revision, ext_plugins[u].revision)))) { + /* we have the match */ + return ext_plugins[u].plugin; + } diff --git a/community/libyang/CVE-2021-28905.patch b/community/libyang/CVE-2021-28905.patch new file mode 100644 index 00000000000..89e620720c7 --- /dev/null +++ b/community/libyang/CVE-2021-28905.patch @@ -0,0 +1,263 @@ +From 5ce30801f9ccc372bbe9b7c98bb5324b15fb010a Mon Sep 17 00:00:00 2001 +From: Michal Vasko <mvasko@cesnet.cz> +Date: Mon, 8 Mar 2021 09:34:04 +0100 +Subject: [PATCH] schema tree BUGFIX freeing nodes with no module set + +Context must be passed explicitly for these cases. +Fixes #1452 +--- + src/parser_yin.c | 24 ++++++++++++------------ + src/resolve.c | 2 +- + src/tree_internal.h | 4 +++- + src/tree_schema.c | 27 +++++++++++---------------- + 4 files changed, 27 insertions(+), 30 deletions(-) + +diff --git a/src/parser_yin.c b/src/parser_yin.c +index d545a6d26..275991644 100644 +--- a/src/parser_yin.c ++++ b/src/parser_yin.c +@@ -4213,7 +4213,7 @@ read_yin_case(struct lys_module *module, struct lys_node *parent, struct lyxml_e + while (root.child) { + lyxml_free(ctx, root.child); + } +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + + return NULL; + } +@@ -4420,7 +4420,7 @@ read_yin_choice(struct lys_module *module, struct lys_node *parent, struct lyxml + + error: + lyxml_free(ctx, dflt); +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + return NULL; + } + +@@ -4581,7 +4581,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + return NULL; + } + +@@ -4803,7 +4803,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + return NULL; + } + +@@ -5117,7 +5117,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + return NULL; + } + +@@ -5490,7 +5490,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e + + error: + +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + while (root.child) { + lyxml_free(ctx, root.child); + } +@@ -5714,7 +5714,7 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + while (root.child) { + lyxml_free(ctx, root.child); + } +@@ -5859,7 +5859,7 @@ read_yin_grouping(struct lys_module *module, struct lys_node *parent, struct lyx + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + while (root.child) { + lyxml_free(ctx, root.child); + } +@@ -6035,7 +6035,7 @@ read_yin_input_output(struct lys_module *module, struct lys_node *parent, struct + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + while (root.child) { + lyxml_free(ctx, root.child); + } +@@ -6216,7 +6216,7 @@ read_yin_notif(struct lys_module *module, struct lys_node *parent, struct lyxml_ + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + while (root.child) { + lyxml_free(ctx, root.child); + } +@@ -6368,7 +6368,7 @@ read_yin_rpc_action(struct lys_module *module, struct lys_node *parent, struct l + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + while (root.child) { + lyxml_free(ctx, root.child); + } +@@ -6522,7 +6522,7 @@ read_yin_uses(struct lys_module *module, struct lys_node *parent, struct lyxml_e + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + return NULL; + } + +diff --git a/src/resolve.c b/src/resolve.c +index 21293ebc2..29862187f 100644 +--- a/src/resolve.c ++++ b/src/resolve.c +@@ -5654,7 +5654,7 @@ resolve_uses(struct lys_node_uses *uses, struct unres_schema *unres) + + fail: + LY_TREE_FOR_SAFE(uses->child, next, iter) { +- lys_node_free(iter, NULL, 0); ++ lys_node_free(ctx, iter, NULL, 0); + } + free(refine_nodes); + return -1; +diff --git a/src/tree_internal.h b/src/tree_internal.h +index 497c62c4d..36e94f5c5 100644 +--- a/src/tree_internal.h ++++ b/src/tree_internal.h +@@ -368,12 +368,14 @@ void lys_node_unlink(struct lys_node *node); + /** + * @brief Free the schema node structure, includes unlinking it from the tree + * ++ * @param[in] ctx libang context to use, @p node may not have it filled (in groupings, for example). + * @param[in] node Schema tree node to free. Do not use the pointer after calling this function. + * @param[in] private_destructor Optional destructor function for private objects assigned + * to the nodes via lys_set_private(). If NULL, the private objects are not freed by libyang. + * @param[in] shallow Whether to do a shallow free only (on a shallow copy of a node). + */ +-void lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys_node *node, void *priv), int shallow); ++void lys_node_free(struct ly_ctx *ctx, struct lys_node *node, ++ void (*private_destructor)(const struct lys_node *node, void *priv), int shallow); + + /** + * @brief Free (and unlink it from the context) the specified schema. +diff --git a/src/tree_schema.c b/src/tree_schema.c +index 43b19039f..fb4c85f3f 100644 +--- a/src/tree_schema.c ++++ b/src/tree_schema.c +@@ -942,7 +942,7 @@ lys_node_addchild(struct lys_node *parent, struct lys_module *module, struct lys + iter->next = NULL; + iter->prev = iter; + iter->parent = NULL; +- lys_node_free(iter, NULL, 0); ++ lys_node_free(ctx, iter, NULL, 0); + } else { + if (shortcase) { + /* create the implicit case to allow it to serve as a target of the augments, +@@ -2464,7 +2464,7 @@ lys_augment_free(struct ly_ctx *ctx, struct lys_node_augment *aug, + /* children from a resolved augment are freed under the target node */ + if (!aug->target || (aug->flags & LYS_NOTAPPLIED)) { + LY_TREE_FOR_SAFE(aug->child, next, sub) { +- lys_node_free(sub, private_destructor, 0); ++ lys_node_free(ctx, sub, private_destructor, 0); + } + } + +@@ -2722,11 +2722,11 @@ lys_deviation_free(struct lys_module *module, struct lys_deviation *dev, + + LY_TREE_DFS_END(dev->orig_node, next, elem); + } +- lys_node_free(dev->orig_node, NULL, 0); ++ lys_node_free(ctx, dev->orig_node, NULL, 0); + } else { + /* it's just a shallow copy, freeing one node */ + dev->orig_node->module = module; +- lys_node_free(dev->orig_node, NULL, 1); ++ lys_node_free(ctx, dev->orig_node, NULL, 1); + } + } + +@@ -2798,20 +2798,15 @@ lys_uses_free(struct ly_ctx *ctx, struct lys_node_uses *uses, + } + + void +-lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys_node *node, void *priv), int shallow) ++lys_node_free(struct ly_ctx *ctx, struct lys_node *node, ++ void (*private_destructor)(const struct lys_node *node, void *priv), int shallow) + { +- struct ly_ctx *ctx; + struct lys_node *sub, *next; + + if (!node) { + return; + } + +- assert(node->module); +- assert(node->module->ctx); +- +- ctx = node->module->ctx; +- + /* remove private object */ + if (node->priv && private_destructor) { + private_destructor(node, node->priv); +@@ -2827,7 +2822,7 @@ lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys + + if (!shallow && !(node->nodetype & (LYS_LEAF | LYS_LEAFLIST))) { + LY_TREE_FOR_SAFE(node->child, next, sub) { +- lys_node_free(sub, private_destructor, 0); ++ lys_node_free(ctx, sub, private_destructor, 0); + } + } + +@@ -2942,7 +2937,7 @@ module_free_common(struct lys_module *module, void (*private_destructor)(const s + * are placed in the main module altogether */ + if (!module->type) { + LY_TREE_FOR_SAFE(module->data, next, iter) { +- lys_node_free(iter, private_destructor, 0); ++ lys_node_free(ctx, iter, private_destructor, 0); + } + } + +@@ -3507,7 +3502,7 @@ lys_node_dup_recursion(struct lys_module *module, struct lys_node *parent, const + return retval; + + error: +- lys_node_free(retval, NULL, 0); ++ lys_node_free(ctx, retval, NULL, 0); + return NULL; + } + +@@ -5149,7 +5144,7 @@ lys_submodule_module_data_free(struct lys_submodule *submodule) + /* remove parsed data */ + LY_TREE_FOR_SAFE(submodule->belongsto->data, next, elem) { + if (elem->module == (struct lys_module *)submodule) { +- lys_node_free(elem, NULL, 0); ++ lys_node_free(submodule->ctx, elem, NULL, 0); + } + } + } +@@ -5546,7 +5541,7 @@ lys_extension_instances_free(struct ly_ctx *ctx, struct lys_ext_instance **e, un + case LY_STMT_USES: + pp = (void**)&((struct lys_ext_instance_complex *)e[i])->content[substmt[j].offset]; + LY_TREE_FOR_SAFE((struct lys_node *)(*pp), snext, siter) { +- lys_node_free(siter, NULL, 0); ++ lys_node_free(ctx, siter, NULL, 0); + } + *pp = NULL; + break; diff --git a/community/libyang/CVE-2021-28906.patch b/community/libyang/CVE-2021-28906.patch new file mode 100644 index 00000000000..6b0529084b3 --- /dev/null +++ b/community/libyang/CVE-2021-28906.patch @@ -0,0 +1,65 @@ +From a3917d95d516e3de267d3cfa5d4d3715a90e8777 Mon Sep 17 00:00:00 2001 +From: Michal Vasko <mvasko@cesnet.cz> +Date: Mon, 8 Mar 2021 14:08:05 +0100 +Subject: [PATCH] yin parser BUGFIX invalid memory access + +... in case there were some unresolved +extensions. +Fixes #1454 +Fixes #1455 +--- + src/parser_yin.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/parser_yin.c b/src/parser_yin.c +index 275991644..256325415 100644 +--- a/src/parser_yin.c ++++ b/src/parser_yin.c +@@ -4572,7 +4572,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + break; + } +@@ -4794,7 +4794,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + break; + } +@@ -5108,7 +5108,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + break; + } +@@ -5477,7 +5477,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) { + retval->flags |= LYS_VALID_EXT_SUBTREE; +@@ -5701,8 +5701,9 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly + } + + for (r = 0; r < retval->ext_size; ++r) { +- /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ /* extension instance may not yet be resolved */ ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { ++ /* set flag, which represent LYEXT_OPT_VALID */ + retval->flags |= LYS_VALID_EXT; + if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) { + retval->flags |= LYS_VALID_EXT_SUBTREE; |