From 9fd71b4a68f7bac1eb29e9b20b9898fdd80c44bb Mon Sep 17 00:00:00 2001 From: anonymous_z Date: Tue, 29 Jun 2021 10:46:10 +0800 Subject: [PATCH] fix CVE-2021-28902 CVE-2021-28904 CVE-2021-28906 --- CVE-2021-28902-CVE-2021-28906.patch | 65 +++++++++++++++++++++++++++++ CVE-2021-28904.patch | 26 ++++++++++++ libyang.spec | 11 ++++- 3 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-28902-CVE-2021-28906.patch create mode 100644 CVE-2021-28904.patch diff --git a/CVE-2021-28902-CVE-2021-28906.patch b/CVE-2021-28902-CVE-2021-28906.patch new file mode 100644 index 0000000..6b05290 --- /dev/null +++ b/CVE-2021-28902-CVE-2021-28906.patch @@ -0,0 +1,65 @@ +From a3917d95d516e3de267d3cfa5d4d3715a90e8777 Mon Sep 17 00:00:00 2001 +From: Michal Vasko +Date: Mon, 8 Mar 2021 14:08:05 +0100 +Subject: [PATCH] yin parser BUGFIX invalid memory access + +... in case there were some unresolved +extensions. +Fixes #1454 +Fixes #1455 +--- + src/parser_yin.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/parser_yin.c b/src/parser_yin.c +index 275991644..256325415 100644 +--- a/src/parser_yin.c ++++ b/src/parser_yin.c +@@ -4572,7 +4572,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + break; + } +@@ -4794,7 +4794,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + break; + } +@@ -5108,7 +5108,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + break; + } +@@ -5477,7 +5477,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e + + for (r = 0; r < retval->ext_size; ++r) { + /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { + retval->flags |= LYS_VALID_EXT; + if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) { + retval->flags |= LYS_VALID_EXT_SUBTREE; +@@ -5701,8 +5701,9 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly + } + + for (r = 0; r < retval->ext_size; ++r) { +- /* set flag, which represent LYEXT_OPT_VALID */ +- if (retval->ext[r]->flags & LYEXT_OPT_VALID) { ++ /* extension instance may not yet be resolved */ ++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) { ++ /* set flag, which represent LYEXT_OPT_VALID */ + retval->flags |= LYS_VALID_EXT; + if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) { + retval->flags |= LYS_VALID_EXT_SUBTREE; diff --git a/CVE-2021-28904.patch b/CVE-2021-28904.patch new file mode 100644 index 0000000..df87f28 --- /dev/null +++ b/CVE-2021-28904.patch @@ -0,0 +1,26 @@ +From 59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d Mon Sep 17 00:00:00 2001 +From: Michal Vasko +Date: Mon, 8 Mar 2021 09:20:30 +0100 +Subject: [PATCH] plugins BUGFIX handle empty revision correctly + +Fixes #1451 +--- + src/plugins.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/plugins.c b/src/plugins.c +index 7e6fdf358..fa62ce76c 100644 +--- a/src/plugins.c ++++ b/src/plugins.c +@@ -457,9 +457,8 @@ ext_get_plugin(const char *name, const char *module, const char *revision) + assert(module); + + for (u = 0; u < ext_plugins_count; u++) { +- if (!strcmp(name, ext_plugins[u].name) && +- !strcmp(module, ext_plugins[u].module) && +- (!ext_plugins[u].revision || !strcmp(revision, ext_plugins[u].revision))) { ++ if (!strcmp(name, ext_plugins[u].name) && !strcmp(module, ext_plugins[u].module) && ++ ((!revision && !ext_plugins[u].revision) || (revision && !strcmp(revision, ext_plugins[u].revision)))) { + /* we have the match */ + return ext_plugins[u].plugin; + } diff --git a/libyang.spec b/libyang.spec index 07da91c..751b3c7 100644 --- a/libyang.spec +++ b/libyang.spec @@ -1,7 +1,7 @@ %global debug_package %{nil} Name: libyang Version: 1.0.184 -Release: 2 +Release: 3 Summary: YANG data modeling language library Url: https://github.com/CESNET/libyang Source: %{url}/archive/%{name}-%{version}.tar.gz @@ -10,6 +10,8 @@ License: BSD Patch0: libyang-1.0.184-doc.patch Patch1: CVE-2021-28903.patch Patch2: CVE-2021-28905.patch +Patch3: CVE-2021-28904.patch +Patch4: CVE-2021-28902-CVE-2021-28906.patch Requires: pcre BuildRequires: cmake @@ -128,6 +130,13 @@ cp -r doc/html %{buildroot}/%{_docdir}/libyang/html %{python3_sitearch}/__pycache__/yang* %changelog +* Tue Jun 29 2021 anaonymous_z - 1.0.184-3 +- Type:CVE +- ID:NA +- SUG:NA +- DESC: fix CVE-2021-28902 CVE-2021-28906 + CVE-2021-28904 + * Mon Jun 28 2021 zhuqingfu - 1.0.184-2 - Add patch CVE-2021-28905 -- Gitee