!4 fix CVE-2021-28902 CVE-2021-28904 CVE-2021-28906

From: @anonymous_z Reviewed-by: @hubble_zhu Signed-off-by: @hubble_zhu
2021-06-29 06:36:52 +00:00 · 2021-06-29 06:36:52 +00:00 · 872478880e
commit 872478880e
parent 821ded69bc 9fd71b4a68
3 changed files with 101 additions and 1 deletions
--- a/CVE-2021-28902-CVE-2021-28906.patch
+++ b/CVE-2021-28902-CVE-2021-28906.patch
@ -0,0 +1,65 @@
+From a3917d95d516e3de267d3cfa5d4d3715a90e8777 Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 14:08:05 +0100
+Subject: [PATCH] yin parser BUGFIX invalid memory access
+
+... in case there were some unresolved
+extensions.
+Fixes #1454
+Fixes #1455
+---
+ src/parser_yin.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/parser_yin.c b/src/parser_yin.c
+index 275991644..256325415 100644
+--- a/src/parser_yin.c
+++ b/src/parser_yin.c
+@@ -4572,7 +4572,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm
+ 
+     for (r = 0; r < retval->ext_size; ++r) {
+         /* set flag, which represent LYEXT_OPT_VALID */
+-        if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
+        if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+             retval->flags |= LYS_VALID_EXT;
+             break;
+         }
+@@ -4794,7 +4794,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ 
+     for (r = 0; r < retval->ext_size; ++r) {
+         /* set flag, which represent LYEXT_OPT_VALID */
+-        if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
+        if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+             retval->flags |= LYS_VALID_EXT;
+             break;
+         }
+@@ -5108,7 +5108,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx
+ 
+     for (r = 0; r < retval->ext_size; ++r) {
+         /* set flag, which represent LYEXT_OPT_VALID */
+-        if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
+        if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+             retval->flags |= LYS_VALID_EXT;
+             break;
+         }
+@@ -5477,7 +5477,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ 
+     for (r = 0; r < retval->ext_size; ++r) {
+         /* set flag, which represent LYEXT_OPT_VALID */
+-        if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
+        if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+             retval->flags |= LYS_VALID_EXT;
+             if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {
+                 retval->flags |= LYS_VALID_EXT_SUBTREE;
+@@ -5701,8 +5701,9 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly
+     }
+ 
+     for (r = 0; r < retval->ext_size; ++r) {
+-        /* set flag, which represent LYEXT_OPT_VALID */
+-        if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
+        /* extension instance may not yet be resolved */
+        if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+             /* set flag, which represent LYEXT_OPT_VALID */
+             retval->flags |= LYS_VALID_EXT;
+             if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {
+                 retval->flags |= LYS_VALID_EXT_SUBTREE;
--- a/CVE-2021-28904.patch
+++ b/CVE-2021-28904.patch
@ -0,0 +1,26 @@
+From 59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 09:20:30 +0100
+Subject: [PATCH] plugins BUGFIX handle empty revision correctly
+
+Fixes #1451
+---
+ src/plugins.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins.c b/src/plugins.c
+index 7e6fdf358..fa62ce76c 100644
+--- a/src/plugins.c
+++ b/src/plugins.c
+@@ -457,9 +457,8 @@ ext_get_plugin(const char *name, const char *module, const char *revision)
+     assert(module);
+ 
+     for (u = 0; u < ext_plugins_count; u++) {
+-        if (!strcmp(name, ext_plugins[u].name) &&
+-                !strcmp(module, ext_plugins[u].module) &&
+-                (!ext_plugins[u].revision || !strcmp(revision, ext_plugins[u].revision))) {
+        if (!strcmp(name, ext_plugins[u].name) && !strcmp(module, ext_plugins[u].module) &&
+                ((!revision && !ext_plugins[u].revision) || (revision && !strcmp(revision, ext_plugins[u].revision)))) {
+             /* we have the match */
+             return ext_plugins[u].plugin;
+         }
--- a/libyang.spec
+++ b/libyang.spec
@ -1,7 +1,7 @@
 %global debug_package %{nil}
 Name: libyang
 Version: 1.0.184
-Release: 2
+Release: 3
 Summary: YANG data modeling language library
 Url: https://github.com/CESNET/libyang
 Source: %{url}/archive/%{name}-%{version}.tar.gz
@ -10,6 +10,8 @@ License: BSD
 Patch0:	libyang-1.0.184-doc.patch
 Patch1: CVE-2021-28903.patch
 Patch2: CVE-2021-28905.patch
+Patch3: CVE-2021-28904.patch
+Patch4: CVE-2021-28902-CVE-2021-28906.patch

 Requires:  pcre
 BuildRequires:  cmake
@ -128,6 +130,13 @@ cp -r doc/html %{buildroot}/%{_docdir}/libyang/html
 %{python3_sitearch}/__pycache__/yang*

 %changelog
+* Tue Jun 29 2021 anaonymous_z <zhangrui182@huawei.com> - 1.0.184-3
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC: fix CVE-2021-28902 CVE-2021-28906
+        CVE-2021-28904
+
 * Mon Jun 28 2021 zhuqingfu <zhuqingfu1@huawei.com> - 1.0.184-2
 - Add patch CVE-2021-28905