diff options
| author | Nicolas Graves <ngraves@ngraves.fr> | 2025-03-06 21:19:19 +0100 |
|---|---|---|
| committer | Zheng Junjie <z572@z572.online> | 2025-06-23 12:32:51 +0800 |
| commit | 8dfd0173ee9a3d08f2b3a832216e81b69bfc95fd (patch) | |
| tree | 6f9227cd4257f04ab0b290dedfc0e99405b60858 | |
| parent | afaae8ab2fd080413e31a5843e2700405f2f8552 (diff) | |
gnu: tinyxml: Fix CVE-2023-34194.
* gnu/packages/patches/tinyxml-CVE-2023-34194.patch: Add patch.
* gnu/packages/xml.scm, gnu/local.mk: Record it.
Signed-off-by: Zheng Junjie <z572@z572.online>
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/tinyxml-CVE-2023-34194.patch | 28 | ||||
| -rw-r--r-- | gnu/packages/xml.scm | 3 |
3 files changed, 31 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 7ca1a02b9e..8ec28bc03a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -2349,6 +2349,7 @@ dist_patch_DATA = \ %D%/packages/patches/tidy-CVE-2015-5522+5523.patch \ %D%/packages/patches/timewarrior-time-sensitive-tests.patch \ %D%/packages/patches/tinydir-fix-cbehave-test.patch \ + %D%/packages/patches/tinyxml-CVE-2023-34194.patch \ %D%/packages/patches/tinyxml-use-stl.patch \ %D%/packages/patches/tk-find-library.patch \ %D%/packages/patches/tla2tools-build-xml.patch \ diff --git a/gnu/packages/patches/tinyxml-CVE-2023-34194.patch b/gnu/packages/patches/tinyxml-CVE-2023-34194.patch new file mode 100644 index 0000000000..dee0aa1d93 --- /dev/null +++ b/gnu/packages/patches/tinyxml-CVE-2023-34194.patch @@ -0,0 +1,28 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Sat, 30 Dec 2023 14:15:54 +0100 +Subject: Avoid reachable assertion via crafted XML document with a '\0' + located after whitespace + +Bug: https://www.forescout.com/resources/sierra21-vulnerabilities +Bug-Debian: https://bugs.debian.org/1059315 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462 +--- + tinyxmlparser.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp +index 8aa0dfa..1601962 100644 +--- a/tinyxmlparser.cpp ++++ b/tinyxmlparser.cpp +@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm + } + + p = SkipWhiteSpace( p, _encoding ); ++ if ( !p || !*p ) ++ { ++ break; ++ } + if ( StringEqual( p, "version", true, _encoding ) ) + { + TiXmlAttribute attrib; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 10cd6d98fa..2ae9209f75 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -1288,7 +1288,8 @@ UTF-8 and UTF-16 encoding.") (sha256 (base32 "14smciid19lvkxqznfig77jxn5s4iq3jpb47vh5a6zcaqp7gvg8m")) - (patches (search-patches "tinyxml-use-stl.patch")))) + (patches (search-patches "tinyxml-use-stl.patch" + "tinyxml-CVE-2023-34194.patch")))) (build-system gnu-build-system) ;; This library is missing *a lot* of the steps to make it usable, so we ;; have to add them here, like every other distro must do. |