From 7908d743844f5e57cae76238c5ae842bb5f50f64 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 06:17:08 +0000 Subject: [PATCH] import expat-2.2.5-11.el8 --- .expat.metadata | 1 + .gitignore | 1 + ...5-Add-missing-validation-of-encoding.patch | 200 +++++++++ SOURCES/expat-2.2.5-CVE-2018-20843.patch | 15 + SOURCES/expat-2.2.5-CVE-2019-15903.patch | 171 ++++++++ SOURCES/expat-2.2.5-CVE-2022-43680.patch | 89 ++++ ...nt-integer-overflow-in-XML_GetBuffer.patch | 183 +++++++++ ...-and-prevent-troublesome-left-shifts.patch | 54 +++ ...re-safe-exiting-internalEntityParser.patch | 118 ++++++ ...event-integer-overflow-in-copyString.patch | 19 + ...nt-integer-overflow-in-storeRawNames.patch | 31 ++ ...-overflow-on-m_groupSize-in-function.patch | 38 ++ ...2.2.5-Prevent-more-integer-overflows.patch | 238 +++++++++++ ...vent-stack-exhaustion-in-build_model.patch | 228 +++++++++++ ...nst-malicious-namespace-declarations.patch | 229 +++++++++++ SOURCES/expat-2.2.5-doc2man.patch | 26 ++ SPECS/expat.spec | 379 ++++++++++++++++++ 17 files changed, 2020 insertions(+) create mode 100644 .expat.metadata create mode 100644 .gitignore create mode 100644 SOURCES/expat-2.2.5-Add-missing-validation-of-encoding.patch create mode 100644 SOURCES/expat-2.2.5-CVE-2018-20843.patch create mode 100644 SOURCES/expat-2.2.5-CVE-2019-15903.patch create mode 100644 SOURCES/expat-2.2.5-CVE-2022-43680.patch create mode 100644 SOURCES/expat-2.2.5-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch create mode 100644 SOURCES/expat-2.2.5-Detect-and-prevent-troublesome-left-shifts.patch create mode 100644 SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch create mode 100644 SOURCES/expat-2.2.5-Prevent-integer-overflow-in-copyString.patch create mode 100644 SOURCES/expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch create mode 100644 SOURCES/expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch create mode 100644 SOURCES/expat-2.2.5-Prevent-more-integer-overflows.patch create mode 100644 SOURCES/expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch create mode 100644 SOURCES/expat-2.2.5-Protect-against-malicious-namespace-declarations.patch create mode 100644 SOURCES/expat-2.2.5-doc2man.patch create mode 100644 SPECS/expat.spec diff --git a/.expat.metadata b/.expat.metadata new file mode 100644 index 0000000..e69ad7b --- /dev/null +++ b/.expat.metadata @@ -0,0 +1 @@ +fa46ccce6770ccae767c28f6ac55e2428089d4a0 SOURCES/expat-2.2.5.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2d47f87 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/expat-2.2.5.tar.gz diff --git a/SOURCES/expat-2.2.5-Add-missing-validation-of-encoding.patch b/SOURCES/expat-2.2.5-Add-missing-validation-of-encoding.patch new file mode 100644 index 0000000..8876367 --- /dev/null +++ b/SOURCES/expat-2.2.5-Add-missing-validation-of-encoding.patch @@ -0,0 +1,200 @@ +commit e8f285b522a907603501329e5b4212755f525fdf +Author: Tomas Korbar +Date: Thu Mar 3 12:04:09 2022 +0100 + + CVE-2022-25235 + +diff --git a/lib/xmltok.c b/lib/xmltok.c +index 6b415d8..b55732a 100644 +--- a/lib/xmltok.c ++++ b/lib/xmltok.c +@@ -103,13 +103,6 @@ + + ((((byte)[2]) >> 5) & 1)] \ + & (1u << (((byte)[2]) & 0x1F))) + +-#define UTF8_GET_NAMING(pages, p, n) \ +- ((n) == 2 \ +- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \ +- : ((n) == 3 \ +- ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \ +- : 0)) +- + /* Detection of invalid UTF-8 sequences is based on Table 3.1B + of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/ + with the additional restriction of not allowing the Unicode +diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c +index 0403dd3..56d7a40 100644 +--- a/lib/xmltok_impl.c ++++ b/lib/xmltok_impl.c +@@ -61,7 +61,7 @@ + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NAME_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -89,7 +89,7 @@ + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -1117,6 +1117,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ ++ if (IS_INVALID_CHAR(enc, ptr, n)) { \ ++ *nextTokPtr = ptr; \ ++ return XML_TOK_INVALID; \ ++ } \ + if (IS_NMSTRT_CHAR(enc, ptr, n)) { \ + ptr += n; \ + tok = XML_TOK_NAME; \ +diff --git a/tests/runtests.c b/tests/runtests.c +index 278bfa1..0f3afde 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -6540,6 +6540,106 @@ START_TEST(test_utf8_in_cdata_section_2) + } + END_TEST + ++START_TEST(test_utf8_in_start_tags) { ++ struct test_case { ++ bool goodName; ++ bool goodNameStart; ++ const char *tagName; ++ }; ++ ++ // The idea with the tests below is this: ++ // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences ++ // go to isNever and are hence not a concern. ++ // ++ // We start with a character that is a valid name character ++ // (or even name-start character, see XML 1.0r4 spec) and then we flip ++ // single bits at places where (1) the result leaves the UTF-8 encoding space ++ // and (2) we stay in the same n-byte sequence family. ++ // ++ // The flipped bits are highlighted in angle brackets in comments, ++ // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped ++ // the most significant bit to 1 to leave UTF-8 encoding space. ++ struct test_case cases[] = { ++ // 1-byte UTF-8: [0xxx xxxx] ++ {true, true, "\x3A"}, // [0011 1010] = ASCII colon ':' ++ {false, false, "\xBA"}, // [<1>011 1010] ++ {true, false, "\x39"}, // [0011 1001] = ASCII nine '9' ++ {false, false, "\xB9"}, // [<1>011 1001] ++ ++ // 2-byte UTF-8: [110x xxxx] [10xx xxxx] ++ {true, true, "\xDB\xA5"}, // [1101 1011] [1010 0101] = ++ // Arabic small waw U+06E5 ++ {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101] ++ {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101] ++ {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101] ++ {true, false, "\xCC\x81"}, // [1100 1100] [1000 0001] = ++ // combining char U+0301 ++ {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001] ++ {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001] ++ {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001] ++ ++ // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx] ++ {true, true, "\xE0\xA4\x85"}, // [1110 0000] [1010 0100] [1000 0101] = ++ // Devanagari Letter A U+0905 ++ {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101] ++ {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101] ++ {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101] ++ {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101] ++ {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101] ++ {true, false, "\xE0\xA4\x81"}, // [1110 0000] [1010 0100] [1000 0001] = ++ // combining char U+0901 ++ {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001] ++ {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001] ++ {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001] ++ {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001] ++ {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001] ++ }; ++ const bool atNameStart[] = {true, false}; ++ ++ size_t i = 0; ++ char doc[1024]; ++ size_t failCount = 0; ++ ++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ size_t j = 0; ++ for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) { ++ const bool expectedSuccess ++ = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName; ++ sprintf(doc, "<%s%s>a'>]>&e;\n" ++ "<" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "/>" ++ ""; ++ const size_t firstChunkSizeBytes = 54; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCommentHandler(parser, suspending_comment_handler); ++ ++ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE) ++ != XML_STATUS_SUSPENDED) ++ xml_failure(parser); ++ if (XML_ResumeParser(parser) != XML_STATUS_OK) ++ xml_failure(parser); ++ if (XML_Parse(parser, text + firstChunkSizeBytes, ++ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++ + /* Test suspending and resuming in a parameter entity substitution */ + static void XMLCALL + element_decl_suspender(void *UNUSED_P(userData), +@@ -12395,6 +12467,7 @@ make_suite(void) + tcase_add_test(tc_basic, test_hash_collision); + tcase_add_test(tc_basic, test_suspend_resume_internal_entity); + tcase_add_test(tc_basic, test_resume_entity_with_syntax_error); ++ tcase_add_test(tc_basic, test_suspend_resume_internal_entity_issue_629); + tcase_add_test(tc_basic, test_suspend_resume_parameter_entity); + tcase_add_test(tc_basic, test_restart_on_error); + tcase_add_test(tc_basic, test_reject_lt_in_attribute_value); diff --git a/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-copyString.patch b/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-copyString.patch new file mode 100644 index 0000000..f67a898 --- /dev/null +++ b/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-copyString.patch @@ -0,0 +1,19 @@ +commit e5b609876e5a266725fba1c377b0ac95c737e6ed +Author: Tomas Korbar +Date: Mon May 2 12:44:06 2022 +0200 + + Fix CVE-2022-25314 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 1f1413f..ceeec26 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7525,7 +7525,7 @@ static XML_Char * + copyString(const XML_Char *s, + const XML_Memory_Handling_Suite *memsuite) + { +- int charsRequired = 0; ++ size_t charsRequired = 0; + XML_Char *result; + + /* First determine how long the string is */ diff --git a/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch b/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch new file mode 100644 index 0000000..be5927b --- /dev/null +++ b/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch @@ -0,0 +1,31 @@ +commit 3a4141add108097fa548b196f5950c6663e1578e +Author: Tomas Korbar +Date: Thu Mar 3 13:50:20 2022 +0100 + + CVE-2022-25315 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index f0061c8..45fda00 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2508,6 +2508,7 @@ storeRawNames(XML_Parser parser) + while (tag) { + int bufSize; + int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); ++ size_t rawNameLen; + char *rawNameBuf = tag->buf + nameLen; + /* Stop if already stored. Since m_tagStack is a stack, we can stop + at the first entry that has already been copied; everything +@@ -2519,7 +2520,11 @@ storeRawNames(XML_Parser parser) + /* For re-use purposes we need to ensure that the + size of tag->buf is a multiple of sizeof(XML_Char). + */ +- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ /* Detect and prevent integer overflow. */ ++ if (rawNameLen > (size_t)INT_MAX - nameLen) ++ return XML_FALSE; ++ bufSize = nameLen + (int)rawNameLen; + if (bufSize > tag->bufEnd - tag->buf) { + char *temp = (char *)REALLOC(parser, tag->buf, bufSize); + if (temp == NULL) diff --git a/SOURCES/expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch b/SOURCES/expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch new file mode 100644 index 0000000..f7e76e6 --- /dev/null +++ b/SOURCES/expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch @@ -0,0 +1,38 @@ +commit 835df27bc1a1eae1ec51b14122ea40c974dd7409 +Author: Tomas Korbar +Date: Mon Feb 14 12:29:20 2022 +0100 + + CVE-2021-46143 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index c45be0c..22d0a75 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -4995,6 +4995,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + case XML_ROLE_GROUP_OPEN: + if (parser->m_prologState.level >= parser->m_groupSize) { + if (parser->m_groupSize) { ++ /* Detect and prevent integer overflow */ ++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + char *temp = (char *)REALLOC(parser, parser->m_groupConnector, parser->m_groupSize *= 2); + if (temp == NULL) { + parser->m_groupSize /= 2; +@@ -5002,6 +5007,15 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + parser->m_groupConnector = temp; + if (dtd->scaffIndex) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif + int *temp = (int *)REALLOC(parser, dtd->scaffIndex, + parser->m_groupSize * sizeof(int)); + if (temp == NULL) diff --git a/SOURCES/expat-2.2.5-Prevent-more-integer-overflows.patch b/SOURCES/expat-2.2.5-Prevent-more-integer-overflows.patch new file mode 100644 index 0000000..45e3f8d --- /dev/null +++ b/SOURCES/expat-2.2.5-Prevent-more-integer-overflows.patch @@ -0,0 +1,238 @@ +commit 0f920007dc157e052fed2fc66a83c6c23ccec0aa +Author: Tomas Korbar +Date: Mon Feb 14 12:41:56 2022 +0100 + + CVE-2022-22822 to CVE-2022-22827 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 22d0a75..6a880af 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3187,13 +3187,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + + /* get the attributes from the tokenizer */ + n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts); ++ ++ /* Detect and prevent integer overflow */ ++ if (n > INT_MAX - nDefaultAtts) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + if (n + nDefaultAtts > parser->m_attsSize) { + int oldAttsSize = parser->m_attsSize; + ATTRIBUTE *temp; + #ifdef XML_ATTR_INFO + XML_AttrInfo *temp2; + #endif ++ ++ /* Detect and prevent integer overflow */ ++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE) ++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) { ++ parser->m_attsSize = oldAttsSize; ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, parser->m_attsSize * sizeof(ATTRIBUTE)); + if (temp == NULL) { + parser->m_attsSize = oldAttsSize; +@@ -3201,6 +3226,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + } + parser->m_atts = temp; + #ifdef XML_ATTR_INFO ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++# if UINT_MAX >= SIZE_MAX ++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) { ++ parser->m_attsSize = oldAttsSize; ++ return XML_ERROR_NO_MEMORY; ++ } ++# endif ++ + temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, parser->m_attsSize * sizeof(XML_AttrInfo)); + if (temp2 == NULL) { + parser->m_attsSize = oldAttsSize; +@@ -3535,9 +3571,30 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + tagNamePtr->prefixLen = prefixLen; + for (i = 0; localPart[i++];) + ; /* i includes null terminator */ ++ ++ /* Detect and prevent integer overflow */ ++ if (binding->uriLen > INT_MAX - prefixLen ++ || i > INT_MAX - (binding->uriLen + prefixLen)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + n = i + binding->uriLen + prefixLen; + if (n > binding->uriAlloc) { + TAG *p; ++ /* Detect and prevent integer overflow */ ++ if (n > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char)); + if (!uri) + return XML_ERROR_NO_MEMORY; +@@ -3638,6 +3695,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (parser->m_freeBindingList) { + b = parser->m_freeBindingList; + if (len > b->uriAlloc) { ++ /* Detect and prevent integer overflow */ ++ if (len > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + XML_Char *temp = (XML_Char *)REALLOC(parser, b->uri, + sizeof(XML_Char) * (len + EXPAND_SPARE)); + if (temp == NULL) +@@ -3651,6 +3723,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + b = (BINDING *)MALLOC(parser, sizeof(BINDING)); + if (!b) + return XML_ERROR_NO_MEMORY; ++ ++ /* Detect and prevent integer overflow */ ++ if (len > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + b->uri = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE)); + if (!b->uri) { + FREE(parser, b); +@@ -6058,7 +6145,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, + } + else { + DEFAULT_ATTRIBUTE *temp; ++ ++ /* Detect and prevent integer overflow */ ++ if (type->allocDefaultAtts > INT_MAX / 2) { ++ return 0; ++ } ++ + int count = type->allocDefaultAtts * 2; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) { ++ return 0; ++ } ++#endif ++ + temp = (DEFAULT_ATTRIBUTE *) + REALLOC(parser, type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE))); + if (temp == NULL) +@@ -6733,8 +6837,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) + /* check for overflow (table is half full) */ + if (table->used >> (table->power - 1)) { + unsigned char newPower = table->power + 1; ++ ++ /* Detect and prevent invalid shift */ ++ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) { ++ return NULL; ++ } ++ + size_t newSize = (size_t)1 << newPower; + unsigned long newMask = (unsigned long)newSize - 1; ++ ++ /* Detect and prevent integer overflow */ ++ if (newSize > (size_t)(-1) / sizeof(NAMED *)) { ++ return NULL; ++ } ++ + size_t tsize = newSize * sizeof(NAMED *); + NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); + if (!newV) +@@ -7100,6 +7216,20 @@ nextScaffoldPart(XML_Parser parser) + if (dtd->scaffCount >= dtd->scaffSize) { + CONTENT_SCAFFOLD *temp; + if (dtd->scaffold) { ++ /* Detect and prevent integer overflow */ ++ if (dtd->scaffSize > UINT_MAX / 2u) { ++ return -1; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) { ++ return -1; ++ } ++#endif ++ + temp = (CONTENT_SCAFFOLD *) + REALLOC(parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); + if (temp == NULL) +@@ -7176,8 +7306,26 @@ build_model (XML_Parser parser) + XML_Content *ret; + XML_Content *cpos; + XML_Char * str; +- int allocsize = (dtd->scaffCount * sizeof(XML_Content) +- + (dtd->contentStringLen * sizeof(XML_Char))); ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) { ++ return NULL; ++ } ++ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) { ++ return NULL; ++ } ++#endif ++ if (dtd->scaffCount * sizeof(XML_Content) ++ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) { ++ return NULL; ++ } ++ ++ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) ++ + (dtd->contentStringLen * sizeof(XML_Char))); + + ret = (XML_Content *)MALLOC(parser, allocsize); + if (!ret) diff --git a/SOURCES/expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch b/SOURCES/expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch new file mode 100644 index 0000000..52af442 --- /dev/null +++ b/SOURCES/expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch @@ -0,0 +1,228 @@ +commit f1b61e6fbaedbb2bbea736269a015d97d4df46ce +Author: Tomas Korbar +Date: Tue May 3 13:42:54 2022 +0200 + + Fix CVE-2022-25313 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index ceeec26..d47e42c 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7458,12 +7458,14 @@ build_node(XML_Parser parser, + } + + static XML_Content * +-build_model (XML_Parser parser) +-{ +- DTD * const dtd = parser->m_dtd; /* save one level of indirection */ ++build_model(XML_Parser parser) { ++ /* Function build_model transforms the existing parser->m_dtd->scaffold ++ * array of CONTENT_SCAFFOLD tree nodes into a new array of ++ * XML_Content tree nodes followed by a gapless list of zero-terminated ++ * strings. */ ++ DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + XML_Content *ret; +- XML_Content *cpos; +- XML_Char * str; ++ XML_Char *str; /* the current string writing location */ + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning +@@ -7486,13 +7488,99 @@ build_model (XML_Parser parser) + + (dtd->contentStringLen * sizeof(XML_Char))); + + ret = (XML_Content *)MALLOC(parser, allocsize); +- if (!ret) ++ if (! ret) + return NULL; + +- str = (XML_Char *) (&ret[dtd->scaffCount]); +- cpos = &ret[1]; ++ /* What follows is an iterative implementation (of what was previously done ++ * recursively in a dedicated function called "build_node". The old recursive ++ * build_node could be forced into stack exhaustion from input as small as a ++ * few megabyte, and so that was a security issue. Hence, a function call ++ * stack is avoided now by resolving recursion.) ++ * ++ * The iterative approach works as follows: ++ * ++ * - We have two writing pointers, both walking up the result array; one does ++ * the work, the other creates "jobs" for its colleague to do, and leads ++ * the way: ++ * ++ * - The faster one, pointer jobDest, always leads and writes "what job ++ * to do" by the other, once they reach that place in the ++ * array: leader "jobDest" stores the source node array index (relative ++ * to array dtd->scaffold) in field "numchildren". ++ * ++ * - The slower one, pointer dest, looks at the value stored in the ++ * "numchildren" field (which actually holds a source node array index ++ * at that time) and puts the real data from dtd->scaffold in. ++ * ++ * - Before the loop starts, jobDest writes source array index 0 ++ * (where the root node is located) so that dest will have something to do ++ * when it starts operation. ++ * ++ * - Whenever nodes with children are encountered, jobDest appends ++ * them as new jobs, in order. As a result, tree node siblings are ++ * adjacent in the resulting array, for example: ++ * ++ * [0] root, has two children ++ * [1] first child of 0, has three children ++ * [3] first child of 1, does not have children ++ * [4] second child of 1, does not have children ++ * [5] third child of 1, does not have children ++ * [2] second child of 0, does not have children ++ * ++ * Or (the same data) presented in flat array view: ++ * ++ * [0] root, has two children ++ * ++ * [1] first child of 0, has three children ++ * [2] second child of 0, does not have children ++ * ++ * [3] first child of 1, does not have children ++ * [4] second child of 1, does not have children ++ * [5] third child of 1, does not have children ++ * ++ * - The algorithm repeats until all target array indices have been processed. ++ */ ++ XML_Content *dest = ret; /* tree node writing location, moves upwards */ ++ XML_Content *const destLimit = &ret[dtd->scaffCount]; ++ XML_Content *jobDest = ret; /* next free writing location in target array */ ++ str = (XML_Char *)&ret[dtd->scaffCount]; ++ ++ /* Add the starting job, the root node (index 0) of the source tree */ ++ (jobDest++)->numchildren = 0; ++ ++ for (; dest < destLimit; dest++) { ++ /* Retrieve source tree array index from job storage */ ++ const int src_node = (int)dest->numchildren; ++ ++ /* Convert item */ ++ dest->type = dtd->scaffold[src_node].type; ++ dest->quant = dtd->scaffold[src_node].quant; ++ if (dest->type == XML_CTYPE_NAME) { ++ const XML_Char *src; ++ dest->name = str; ++ src = dtd->scaffold[src_node].name; ++ for (;;) { ++ *str++ = *src; ++ if (! *src) ++ break; ++ src++; ++ } ++ dest->numchildren = 0; ++ dest->children = NULL; ++ } else { ++ unsigned int i; ++ int cn; ++ dest->name = NULL; ++ dest->numchildren = dtd->scaffold[src_node].childcnt; ++ dest->children = jobDest; ++ ++ /* Append scaffold indices of children to array */ ++ for (i = 0, cn = dtd->scaffold[src_node].firstchild; ++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) ++ (jobDest++)->numchildren = (unsigned int)cn; ++ } ++ } + +- build_node(parser, 0, ret, &cpos, &str); + return ret; + } + +diff --git a/tests/runtests.c b/tests/runtests.c +index eacd163..569ad8c 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -2848,6 +2848,81 @@ START_TEST(test_dtd_elements) + } + END_TEST + ++static void XMLCALL ++element_decl_check_model(void *UNUSED_P(userData), const XML_Char *name, ++ XML_Content *model) { ++ uint32_t errorFlags = 0; ++ ++ /* Expected model array structure is this: ++ * [0] (type 6, quant 0) ++ * [1] (type 5, quant 0) ++ * [3] (type 4, quant 0, name "bar") ++ * [4] (type 4, quant 0, name "foo") ++ * [5] (type 4, quant 3, name "xyz") ++ * [2] (type 4, quant 2, name "zebra") ++ */ ++ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0)); ++ errorFlags |= ((model != NULL) ? 0 : (1u << 1)); ++ ++ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2)); ++ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3)); ++ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4)); ++ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5)); ++ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6)); ++ ++ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7)); ++ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8)); ++ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9)); ++ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10)); ++ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11)); ++ ++ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12)); ++ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13)); ++ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14)); ++ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15)); ++ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16)); ++ ++ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17)); ++ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18)); ++ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19)); ++ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20)); ++ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21)); ++ ++ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22)); ++ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23)); ++ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24)); ++ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25)); ++ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26)); ++ ++ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27)); ++ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28)); ++ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29)); ++ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30)); ++ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31)); ++ ++ XML_SetUserData(parser, (void *)(uintptr_t)errorFlags); ++ XML_FreeContentModel(parser, model); ++} ++ ++START_TEST(test_dtd_elements_nesting) { ++ // Payload inspired by a test in Perl's XML::Parser ++ const char *text = "\n" ++ "]>\n" ++ ""; ++ ++ XML_SetUserData(parser, (void *)(uintptr_t)-1); ++ ++ XML_SetElementDeclHandler(parser, element_decl_check_model); ++ if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ if ((uint32_t)(uintptr_t)XML_GetUserData(parser) != 0) ++ fail("Element declaration model regression detected"); ++} ++END_TEST ++ + /* Test foreign DTD handling */ + START_TEST(test_set_foreign_dtd) + { +@@ -12256,6 +12331,7 @@ make_suite(void) + tcase_add_test(tc_basic, test_memory_allocation); + tcase_add_test(tc_basic, test_default_current); + tcase_add_test(tc_basic, test_dtd_elements); ++ tcase_add_test(tc_basic, test_dtd_elements_nesting); + tcase_add_test(tc_basic, test_set_foreign_dtd); + tcase_add_test(tc_basic, test_foreign_dtd_not_standalone); + tcase_add_test(tc_basic, test_invalid_foreign_dtd); diff --git a/SOURCES/expat-2.2.5-Protect-against-malicious-namespace-declarations.patch b/SOURCES/expat-2.2.5-Protect-against-malicious-namespace-declarations.patch new file mode 100644 index 0000000..acd46fb --- /dev/null +++ b/SOURCES/expat-2.2.5-Protect-against-malicious-namespace-declarations.patch @@ -0,0 +1,229 @@ +commit fd5473ef5873048eadef344a1f16f71ad8eefe99 +Author: Tomas Korbar +Date: Mon Mar 14 12:17:41 2022 +0100 + + Protect against malicious namespace declarations + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 581b9a4..6f3510b 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -661,8 +661,7 @@ XML_ParserCreate(const XML_Char *encodingName) + XML_Parser XMLCALL + XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) + { +- XML_Char tmp[2]; +- *tmp = nsSep; ++ XML_Char tmp[2] = {nsSep, 0}; + return XML_ParserCreate_MM(encodingName, NULL, tmp); + } + +@@ -1288,8 +1287,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, + would be otherwise. + */ + if (parser->m_ns) { +- XML_Char tmp[2]; +- *tmp = parser->m_namespaceSeparator; ++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0}; + parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd); + } + else { +@@ -3640,6 +3638,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + return XML_ERROR_NONE; + } + ++static XML_Bool ++is_rfc3986_uri_char(XML_Char candidate) { ++ // For the RFC 3986 ANBF grammar see ++ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A ++ ++ switch (candidate) { ++ // From rule "ALPHA" (uppercase half) ++ case 'A': ++ case 'B': ++ case 'C': ++ case 'D': ++ case 'E': ++ case 'F': ++ case 'G': ++ case 'H': ++ case 'I': ++ case 'J': ++ case 'K': ++ case 'L': ++ case 'M': ++ case 'N': ++ case 'O': ++ case 'P': ++ case 'Q': ++ case 'R': ++ case 'S': ++ case 'T': ++ case 'U': ++ case 'V': ++ case 'W': ++ case 'X': ++ case 'Y': ++ case 'Z': ++ ++ // From rule "ALPHA" (lowercase half) ++ case 'a': ++ case 'b': ++ case 'c': ++ case 'd': ++ case 'e': ++ case 'f': ++ case 'g': ++ case 'h': ++ case 'i': ++ case 'j': ++ case 'k': ++ case 'l': ++ case 'm': ++ case 'n': ++ case 'o': ++ case 'p': ++ case 'q': ++ case 'r': ++ case 's': ++ case 't': ++ case 'u': ++ case 'v': ++ case 'w': ++ case 'x': ++ case 'y': ++ case 'z': ++ ++ // From rule "DIGIT" ++ case '0': ++ case '1': ++ case '2': ++ case '3': ++ case '4': ++ case '5': ++ case '6': ++ case '7': ++ case '8': ++ case '9': ++ ++ // From rule "pct-encoded" ++ case '%': ++ ++ // From rule "unreserved" ++ case '-': ++ case '.': ++ case '_': ++ case '~': ++ ++ // From rule "gen-delims" ++ case ':': ++ case '/': ++ case '?': ++ case '#': ++ case '[': ++ case ']': ++ case '@': ++ ++ // From rule "sub-delims" ++ case '!': ++ case '$': ++ case '&': ++ case '\'': ++ case '(': ++ case ')': ++ case '*': ++ case '+': ++ case ',': ++ case ';': ++ case '=': ++ return XML_TRUE; ++ ++ default: ++ return XML_FALSE; ++ } ++} ++ + /* addBinding() overwrites the value of prefix->binding without checking. + Therefore one must keep track of the old value outside of addBinding(). + */ +@@ -3700,6 +3809,29 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (!mustBeXML && isXMLNS + && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) + isXMLNS = XML_FALSE; ++ ++ // NOTE: While Expat does not validate namespace URIs against RFC 3986 ++ // today (and is not REQUIRED to do so with regard to the XML 1.0 ++ // namespaces specification) we have to at least make sure, that ++ // the application on top of Expat (that is likely splitting expanded ++ // element names ("qualified names") of form ++ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces ++ // in its element handler code) cannot be confused by an attacker ++ // putting additional namespace separator characters into namespace ++ // declarations. That would be ambiguous and not to be expected. ++ // ++ // While the HTML API docs of function XML_ParserCreateNS have been ++ // advising against use of a namespace separator character that can ++ // appear in a URI for >20 years now, some widespread applications ++ // are using URI characters (':' (colon) in particular) for a ++ // namespace separator, in practice. To keep these applications ++ // functional, we only reject namespaces URIs containing the ++ // application-chosen namespace separator if the chosen separator ++ // is a non-URI character with regard to RFC 3986. ++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator) ++ && ! is_rfc3986_uri_char(uri[len])) { ++ return XML_ERROR_SYNTAX; ++ } + } + isXML = isXML && len == xmlLen; + isXMLNS = isXMLNS && len == xmlnsLen; +diff --git a/tests/runtests.c b/tests/runtests.c +index ecc6f47..eabd55d 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -7950,6 +7950,38 @@ START_TEST(test_ns_double_colon_doctype) + } + END_TEST + ++START_TEST(test_ns_separator_in_uri) { ++ struct test_case { ++ enum XML_Status expectedStatus; ++ const char *doc; ++ XML_Char namesep; ++ }; ++ struct test_case cases[] = { ++ {XML_STATUS_OK, "", XCS('\n')}, ++ {XML_STATUS_ERROR, "", XCS('\n')}, ++ {XML_STATUS_OK, "", XCS(':')}, ++ }; ++ ++ size_t i = 0; ++ size_t failCount = 0; ++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep); ++ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element); ++ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc), ++ /*isFinal*/ XML_TRUE) ++ != cases[i].expectedStatus) { ++ failCount++; ++ } ++ XML_ParserFree(parser); ++ } ++ ++ if (failCount) { ++ fail("Namespace separator handling is broken"); ++ } ++} ++END_TEST ++ ++ + /* Control variable; the number of times duff_allocator() will successfully allocate */ + #define ALLOC_ALWAYS_SUCCEED (-1) + #define REALLOC_ALWAYS_SUCCEED (-1) +@@ -12290,6 +12322,7 @@ make_suite(void) + tcase_add_test(tc_namespace, test_ns_utf16_doctype); + tcase_add_test(tc_namespace, test_ns_invalid_doctype); + tcase_add_test(tc_namespace, test_ns_double_colon_doctype); ++ tcase_add_test(tc_namespace, test_ns_separator_in_uri); + + suite_add_tcase(s, tc_misc); + tcase_add_checked_fixture(tc_misc, NULL, basic_teardown); diff --git a/SOURCES/expat-2.2.5-doc2man.patch b/SOURCES/expat-2.2.5-doc2man.patch new file mode 100644 index 0000000..59c7136 --- /dev/null +++ b/SOURCES/expat-2.2.5-doc2man.patch @@ -0,0 +1,26 @@ +diff -uap libexpat-R_2_2_5/expat/configure.ac.doc2man libexpat-R_2_2_5/expat/configure.ac +--- libexpat-R_2_2_5/expat/configure.ac.doc2man ++++ libexpat-R_2_2_5/expat/configure.ac +@@ -241,7 +241,7 @@ AS_IF([test "x$with_docbook" != xno], + [if test "x$with_docbook" != xcheck; then + AC_MSG_ERROR([Required program 'docbook2x-man' not found.])])]) + +-AM_CONDITIONAL(WITH_DOCBOOK, [test x${DOCBOOK_TO_MAN} != x]) ++AM_CONDITIONAL(WITH_DOCBOOK, [test "x${DOCBOOK_TO_MAN}" != x]) + + AC_CONFIG_FILES([Makefile expat.pc]) + AC_CONFIG_FILES([ +diff -uap libexpat-R_2_2_5/expat/doc/Makefile.am.doc2man libexpat-R_2_2_5/expat/doc/Makefile.am +--- libexpat-R_2_2_5/expat/doc/Makefile.am.doc2man ++++ libexpat-R_2_2_5/expat/doc/Makefile.am +@@ -32,8 +32,9 @@ dist_man_MANS = xmlwf.1 + + xmlwf.1: xmlwf.xml + if WITH_DOCBOOK ++ -rm -f $@ + $(DOCBOOK_TO_MAN) $< +- mv XMLWF.1 $@ ++ test -f $@ || mv XMLWF.1 $@ + else + @echo 'ERROR: Configure with --with-docbook for "make dist".' 1>&2 + @false diff --git a/SPECS/expat.spec b/SPECS/expat.spec new file mode 100644 index 0000000..5ceff69 --- /dev/null +++ b/SPECS/expat.spec @@ -0,0 +1,379 @@ +%global unversion 2_2_5 + +Summary: An XML parser library +Name: expat +Version: %(echo %{unversion} | sed 's/_/./g') +Release: 11%{?dist} +Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz +URL: https://libexpat.github.io/ +License: MIT +BuildRequires: autoconf, libtool, xmlto, gcc-c++ +Patch0: expat-2.2.5-doc2man.patch +Patch1: expat-2.2.5-CVE-2018-20843.patch +Patch2: expat-2.2.5-CVE-2019-15903.patch +Patch3: expat-2.2.5-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch +Patch4: expat-2.2.5-Detect-and-prevent-troublesome-left-shifts.patch +Patch5: expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch +Patch6: expat-2.2.5-Prevent-more-integer-overflows.patch +Patch7: expat-2.2.5-Protect-against-malicious-namespace-declarations.patch +Patch8: expat-2.2.5-Add-missing-validation-of-encoding.patch +Patch9: expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch +Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch +Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch +Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch +Patch13: expat-2.2.5-CVE-2022-43680.patch + +%description +This is expat, the C library for parsing XML, written by James Clark. Expat +is a stream oriented XML parser. This means that you register handlers with +the parser prior to starting the parse. These handlers are called when the +parser discovers the associated structures in the document being parsed. A +start tag is an example of the kind of structures for which you may +register handlers. + +%package devel +Summary: Libraries and header files to develop applications using expat +Requires: expat%{?_isa} = %{version}-%{release} + +%description devel +The expat-devel package contains the libraries, include files and documentation +to develop XML applications with expat. + +%package static +Summary: expat XML parser static library +Requires: expat-devel%{?_isa} = %{version}-%{release} + +%description static +The expat-static package contains the static version of the expat library. +Install it if you need to link statically with expat. + +%prep +%setup -q -n libexpat-R_%{unversion}/expat +%patch0 -p2 -b .doc2man +%patch1 -p2 -b .cve20843 +%patch2 -p2 -b .cve15903 +%patch3 -p1 -b .CVE-2022-23852 +%patch4 -p1 -b .CVE-2021-45960 +%patch5 -p1 -b .CVE-2021-46143 +%patch6 -p1 -b .CVE-2022-22822-CVE-2022-22827 +%patch7 -p1 -b .CVE-2022-25236 +%patch8 -p1 -b .CVE-2022-25235 +%patch9 -p1 -b .CVE-2022-25315 +%patch10 -p1 -b .CVE-2022-25314 +%patch11 -p1 -b .CVE-2022-25313 +%patch12 -p1 -b .CVE-2022-40674 +%patch13 -p1 -b .CVE-2022-43680 + +sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am +./buildconf.sh + +%build +export CFLAGS="$RPM_OPT_FLAGS -fPIC" +export DOCBOOK_TO_MAN="xmlto man --skip-validation" +%configure +make %{?_smp_mflags} + +%install +make install DESTDIR=$RPM_BUILD_ROOT + +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la + +%check +make check + +%ldconfig_scriptlets + +%files +%{!?_licensedir:%global license %%doc} +%doc AUTHORS Changes +%license COPYING +%{_bindir}/* +%{_libdir}/lib*.so.* +%{_mandir}/*/* + +%files devel +%doc doc/reference.html doc/*.png doc/*.css examples/*.c +%{_libdir}/lib*.so +%{_libdir}/pkgconfig/*.pc +%{_includedir}/*.h + +%files static +%{_libdir}/lib*.a + +%changelog +* Mon Nov 14 2022 Tomas Korbar - 2.2.5-11 +- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate +- Resolves: CVE-2022-43680 + +* Fri Sep 30 2022 Tomas Korbar - 2.2.5-10 +- Ensure raw tagnames are safe exiting internalEntityParser +- Resolves: CVE-2022-40674 + +* Fri May 06 2022 Tomas Korbar - 2.2.5-9 +- Fix multiple CVEs +- Resolves: CVE-2022-25314 +- Resolves: CVE-2022-25313 + +* Mon Mar 14 2022 Tomas Korbar - 2.2.5-8 +- Improve patch for CVE-2022-25236 +- Related: CVE-2022-25236 + +* Fri Mar 04 2022 Tomas Korbar - 2.2.5-7 +- Fix patch for CVE-2022-25235 +- Resolves: CVE-2022-25235 + +* Thu Mar 03 2022 Tomas Korbar - 2.2.5-6 +- Fix multiple CVEs +- CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution +- CVE-2022-25235 expat: malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution +- CVE-2022-25315 expat: integer overflow in storeRawNames() +- Resolves: CVE-2022-25236 +- Resolves: CVE-2022-25235 +- Resolves: CVE-2022-25315 + +* Fri Feb 14 2022 Tomas Korbar - 2.2.5-5 +- Fix multiple CVEs +- CVE-2022-23852 expat: integer overflow in function XML_GetBuffer +- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat +- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c +- CVE-2022-22827 Integer overflow in storeAtts in xmlparse.c +- CVE-2022-22826 Integer overflow in nextScaffoldPart in xmlparse.c +- CVE-2022-22825 Integer overflow in lookup in xmlparse.c +- CVE-2022-22824 Integer overflow in defineAttribute in xmlparse.c +- CVE-2022-22823 Integer overflow in build_model in xmlparse.c +- CVE-2022-22822 Integer overflow in addBinding in xmlparse.c +- Resolves: CVE-2022-23852 +- Resolves: CVE-2021-45960 +- Resolves: CVE-2021-46143 +- Resolves: CVE-2022-22827 +- Resolves: CVE-2022-22826 +- Resolves: CVE-2022-22825 +- Resolves: CVE-2022-22824 +- Resolves: CVE-2022-22823 +- Resolves: CVE-2022-22822 + +* Fri Apr 24 2020 Joe Orton - 2.2.5-4 +- add security fixes for CVE-2018-20843, CVE-2019-15903 + +* Wed Feb 07 2018 Fedora Release Engineering - 2.2.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 2.2.5-2 +- Switch to %%ldconfig_scriptlets + +* Thu Nov 2 2017 Joe Orton - 2.2.5-1 +- update to 2.2.5 (#1508667) + +* Mon Aug 21 2017 Joe Orton - 2.2.4-1 +- update to 2.2.4 (#1483359) + +* Fri Aug 4 2017 Joe Orton - 2.2.3-1 +- fix tests with unsigned char (upstream PR 109) +- update to 2.2.3 (#1473266) + +* Wed Aug 02 2017 Fedora Release Engineering - 2.2.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.2.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 14 2017 Joe Orton - 2.2.2-2 +- update to 2.2.2 (#1470891) + +* Fri Jul 7 2017 Joe Orton - 2.2.1-2 +- trim unnecessary doc, examples content + +* Mon Jun 19 2017 Joe Orton - 2.2.1-1 +- update to 2.2.1 (#1462474) + +* Fri Feb 10 2017 Fedora Release Engineering - 2.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jun 21 2016 Joe Orton - 2.2.0-1 +- update to 2.2.0 (#1247348) + +* Thu Jun 16 2016 Joe Orton - 2.1.1-2 +- add security fixes for CVE-2016-0718, CVE-2012-6702, CVE-2016-5300, + CVE-2016-4472 + +* Mon Apr 18 2016 David Tardon - 2.1.1-1 +- new upstream release + +* Wed Feb 03 2016 Fedora Release Engineering - 2.1.0-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 2.1.0-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Feb 21 2015 Till Maas - 2.1.0-11 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Sat Aug 16 2014 Fedora Release Engineering - 2.1.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jul 12 2014 Tom Callaway - 2.1.0-9 +- fix license handling + +* Sat Jun 07 2014 Fedora Release Engineering - 2.1.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 2.1.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jun 17 2013 Joe Orton - 2.1.0-6 +- fix "xmlwf -h" output (#948534) + +* Wed Feb 13 2013 Fedora Release Engineering - 2.1.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 2.1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Apr 13 2012 Joe Orton - 2.1.0-3 +- add -static subpackage (#722647) + +* Fri Mar 30 2012 Joe Orton - 2.1.0-1 +- ship .pc file, move library back to libdir (#808399) + +* Mon Mar 26 2012 Joe Orton - 2.1.0-1 +- update to 2.1.0 (#806602) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.0.1-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Feb 8 2010 Joe Orton - 2.0.1-10 +- revised fix for CVE-2009-3560 regression (#544996) + +* Sun Jan 31 2010 Joe Orton - 2.0.1-9 +- drop static libraries (#556046) +- add fix for regression in CVE-2009-3560 patch (#544996) + +* Tue Dec 1 2009 Joe Orton - 2.0.1-8 +- add security fix for CVE-2009-3560 (#533174) +- add security fix for CVE-2009-3720 (#531697) +- run the test suite + +* Fri Jul 24 2009 Fedora Release Engineering - 2.0.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Feb 24 2009 Fedora Release Engineering - 2.0.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 19 2008 Fedora Release Engineering - 2.0.1-5 +- Autorebuild for GCC 4.3 + +* Wed Jan 23 2008 Joe Orton 2.0.1-4 +- chmod 644 even more documentation (#429806) + +* Tue Jan 8 2008 Joe Orton 2.0.1-3 +- chmod 644 the documentation (#427950) + +* Wed Aug 22 2007 Joe Orton 2.0.1-2 +- rebuild + +* Wed Aug 8 2007 Joe Orton 2.0.1-1 +- update to 2.0.1 +- fix the License tag +- drop the .la file + +* Sun Feb 4 2007 Joe Orton 1.95.8-10 +- remove trailing dot in Summary (#225742) +- use preferred BuildRoot per packaging guidelines (#225742) + +* Tue Jan 30 2007 Joe Orton 1.95.8-9 +- regenerate configure/libtool correctly (#199361) +- strip DSP files from examples (#186889) +- fix expat.h compilation with g++ -pedantic (#190244) + +* Wed Jul 12 2006 Jesse Keating - 1.95.8-8.2.1 +- rebuild + +* Fri Feb 10 2006 Jesse Keating - 1.95.8-8.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.95.8-8.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 31 2006 Joe Orton 1.95.8-8 +- restore .la file for apr-util + +* Mon Jan 30 2006 Joe Orton 1.95.8-7 +- move library to /lib (#178743) +- omit .la file (#170031) + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Tue Mar 8 2005 Joe Orton 1.95.8-6 +- rebuild + +* Thu Nov 25 2004 Ivana Varekova 1.95.8 +- update to 1.95.8 + +* Wed Jun 16 2004 Jeff Johnson 1.95.7-4 +- add -fPIC (#125586). + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Fri Jun 11 2004 Jeff Johnson 1.95.7-2 +- fix: malloc failure from dbus test suite (#124747). + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Sun Feb 22 2004 Joe Orton 1.95.7-1 +- update to 1.95.7, include COPYING file in main package + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Wed Sep 17 2003 Matt Wilson 1.95.5-6 +- rebuild again for #91211 + +* Tue Sep 16 2003 Matt Wilson 1.95.5-5 +- rebuild to fix gzip'ed file md5sums (#91211) + +* Tue Jun 17 2003 Jeff Johnson 1.95.5-4 +- rebuilt because of crt breakage on ppc64. + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Mon Nov 11 2002 Jeff Johnson 1.95.5-1 +- update to 1.95.5. + +* Mon Aug 19 2002 Trond Eivind Glomsrød 1,95.4-1 +- 1.95.4. 1.95.3 was withdrawn by the expat developers. + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu Jun 6 2002 Trond Eivind Glomsrød 1,95.3-1 +- 1.95.3 + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Fri Mar 22 2002 Trond Eivind Glomsrød +- Change a prereq in -devel on main package to a req +- License from MIT/X11 to BSD + +* Mon Mar 11 2002 Trond Eivind Glomsrød +- 1.95.2 + +* Sun Jun 24 2001 Elliot Lee +- Bump release + rebuild. + +* Tue Oct 24 2000 Jeff Johnson +- update to 1.95.1 + +* Sun Oct 8 2000 Jeff Johnson +- Create.