From 5987513c7f12ad9840d91366ddba06c966da3077 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 23 Jan 2023 09:33:24 -0500 Subject: [PATCH] import expat-2.4.9-1.el9_1.1 --- SOURCES/expat-2.4.9-CVE-2022-43680.patch | 92 ++++++++++++++++++++++++ SPECS/expat.spec | 10 ++- 2 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 SOURCES/expat-2.4.9-CVE-2022-43680.patch diff --git a/SOURCES/expat-2.4.9-CVE-2022-43680.patch b/SOURCES/expat-2.4.9-CVE-2022-43680.patch new file mode 100644 index 0000000..666ee87 --- /dev/null +++ b/SOURCES/expat-2.4.9-CVE-2022-43680.patch @@ -0,0 +1,92 @@ +commit b463b1beeba2ad7f9eb456bdbdc136cbbdd1dec8 +Author: Tomas Korbar +Date: Fri Nov 11 10:46:36 2022 +0100 + + Fix CVE-2022-43680 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index c0bece5..a73a1bf 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName, + parserInit(parser, encodingName); + + if (encodingName && ! parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } +diff --git a/tests/runtests.c b/tests/runtests.c +index 530f184..cbfe420 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -10090,6 +10090,53 @@ START_TEST(test_alloc_long_notation) { + } + END_TEST + ++static int XMLCALL ++external_entity_parser_create_alloc_fail_handler(XML_Parser parser, ++ const XML_Char *context, ++ const XML_Char *base, ++ const XML_Char *systemId, ++ const XML_Char *publicId) { ++ UNUSED_P(base); ++ UNUSED_P(systemId); ++ UNUSED_P(publicId); ++ ++ if (context != NULL) ++ fail("Unexpected non-NULL context"); ++ ++ // The following number intends to fail the upcoming allocation in line ++ // "parser->m_protocolEncodingName = copyString(encodingName, ++ // &(parser->m_mem));" in function parserInit. ++ allocation_count = 3; ++ ++ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL ++ const XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, encodingName); ++ if (ext_parser != NULL) ++ fail( ++ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory"); ++ ++ allocation_count = ALLOC_ALWAYS_SUCCEED; ++ return XML_STATUS_ERROR; ++} ++ ++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) { ++ const char *const text = ""; ++ ++ XML_SetExternalEntityRefHandler( ++ g_parser, external_entity_parser_create_alloc_fail_handler); ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ fail("Call to parse was expected to fail"); ++ ++ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING) ++ fail("Call to parse was expected to fail from the external entity handler"); ++ ++ XML_ParserReset(g_parser, NULL); ++} ++END_TEST ++ + static void + nsalloc_setup(void) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free}; +@@ -12279,6 +12326,8 @@ make_suite(void) { + tcase_add_test(tc_alloc, test_alloc_long_public_id); + tcase_add_test(tc_alloc, test_alloc_long_entity_value); + tcase_add_test(tc_alloc, test_alloc_long_notation); ++ tcase_add_test__ifdef_xml_dtd( ++ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail); + + suite_add_tcase(s, tc_nsalloc); + tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown); diff --git a/SPECS/expat.spec b/SPECS/expat.spec index cc03718..21ab817 100644 --- a/SPECS/expat.spec +++ b/SPECS/expat.spec @@ -3,13 +3,15 @@ Summary: An XML parser library Name: expat Version: %(echo %{unversion} | sed 's/_/./g') -Release: 1%{?dist} +Release: 1%{?dist}.1 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz URL: https://libexpat.github.io/ License: MIT BuildRequires: autoconf, libtool, xmlto, gcc-c++ BuildRequires: make +Patch0: expat-2.4.9-CVE-2022-43680.patch + %description This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with @@ -40,6 +42,8 @@ Install it if you need to link statically with expat. sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am ./buildconf.sh +%patch0 -p1 -b.CVE-2022-43680 + %build export CFLAGS="$RPM_OPT_FLAGS -fPIC" export DOCBOOK_TO_MAN="xmlto man --skip-validation" @@ -74,6 +78,10 @@ make check %{_libdir}/lib*.a %changelog +* Fri Nov 11 2022 Tomas Korbar - 2.4.9-1.1 +- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate +- Resolves: CVE-2022-43680 + * Thu Sep 29 2022 Tomas Korbar - 2.4.9-1 - Rebase to version 2.4.9 - Resolves: CVE-2022-40674