import expat-2.2.5-15.el8_10

2 months ago · 8d01e01798
parent fb6f17c37a
commit 8d01e01798
4 changed files with 206 additions and 2 deletions
--- a/SOURCES/expat-2.2.5-CVE-2024-45490.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-45490.patch
@ -0,0 +1,129 @@
+commit 3c1a64705b5662c5b78f4aa5a5acc7a59c477094
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Sep 11 15:03:05 2024 +0200
+
+    Fix CVE-2024-45490
+    
+    https://github.com/libexpat/libexpat/pull/890
+
+diff --git a/expat/doc/reference.html b/expat/doc/reference.html
+index 95c33c7..08cf9b0 100644
+--- a/expat/doc/reference.html
+++ b/expat/doc/reference.html
+@@ -1039,7 +1039,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by <code>len</code>. This means
+ that <code>s</code> doesn't have to be null terminated. It also means that
+ if <code>len</code> is larger than the number of bytes in the block of
+-memory that <code>s</code> points at, then a memory fault is likely. The
+memory that <code>s</code> points at, then a memory fault is likely.
+Negative values for <code>len</code> are rejected since Expat 2.2.1.
+The
+ <code>isFinal</code> parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ <code>len</code> is zero.)
+@@ -1054,11 +1056,17 @@ XML_ParseBuffer(XML_Parser p,
+                 int isFinal);
+ </pre>
+ <div class="fcndef">
+<p>
+ This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
+ except in this case Expat provides the buffer.  By obtaining the
+ buffer from Expat with the <code><a href= "#XML_GetBuffer"
+ >XML_GetBuffer</a></code> function, the application can avoid double
+ copying of the input.
+</p>
+
+<p>
+Negative values for <code>len</code> are rejected since Expat 2.6.3.
+</p>
+ </div>
+ 
+ <pre class="fcndec" id="XML_GetBuffer">
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 488f63f..c3c1af9 100644
+--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
+@@ -1981,6 +1981,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+
+  if (len < 0) {
+    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+    return XML_STATUS_ERROR;
+  }
+
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 486073f..6a3e09a 100644
+--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
+@@ -4083,6 +4083,57 @@ START_TEST(test_empty_parse)
+ }
+ END_TEST
+ 
+/* Test XML_Parse for len < 0 */
+START_TEST(test_negative_len_parse) {
+  const char *const doc = "<root/>";
+  for (int isFinal = 0; isFinal < 2; isFinal++) {
+    XML_Parser parser = XML_ParserCreate(NULL);
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+      fail("There was not supposed to be any initial parse error.");
+
+    const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
+
+    if (status != XML_STATUS_ERROR)
+      fail("Negative len was expected to fail the parse but did not.");
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
+      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
+
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+
+/* Test XML_ParseBuffer for len < 0 */
+START_TEST(test_negative_len_parse_buffer) {
+  const char *const doc = "<root/>";
+  for (int isFinal = 0; isFinal < 2; isFinal++) {
+    XML_Parser parser = XML_ParserCreate(NULL);
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+      fail("There was not supposed to be any initial parse error.");
+
+    void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
+
+    if (buffer == NULL)
+      fail("XML_GetBuffer failed.");
+
+    memcpy(buffer, doc, strlen(doc));
+
+    const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
+
+    if (status != XML_STATUS_ERROR)
+      fail("Negative len was expected to fail the parse but did not.");
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
+      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
+
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult)
+@@ -13094,6 +13145,8 @@ make_suite(void)
+     tcase_add_test(tc_basic, test_user_parameters);
+     tcase_add_test(tc_basic, test_ext_entity_ref_parameter);
+     tcase_add_test(tc_basic, test_empty_parse);
+    tcase_add_test(tc_basic, test_negative_len_parse);
+    tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+     tcase_add_test(tc_basic, test_get_buffer_1);
+     tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
--- a/SOURCES/expat-2.2.5-CVE-2024-45491.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-45491.patch
@ -0,0 +1,29 @@
+commit 75bb51c072a0a505037bea18d18103473000b339
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Sep 11 15:07:26 2024 +0200
+
+    Fix CVE-2024-45491
+    
+    https://github.com/libexpat/libexpat/pull/891
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index c3c1af9..6818c4e 100644
+--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
+@@ -6843,6 +6843,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((size_t)oldE->nDefaultAtts
+          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+        return 0;
+      }
+#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts) {
--- a/SOURCES/expat-2.2.5-CVE-2024-45492.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-45492.patch
@ -0,0 +1,28 @@
+commit 6fd04be3c2f7a2730c85b0eaf061549953161da3
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Sep 11 15:12:38 2024 +0200
+
+    Fix CVE-2024-45492
+    
+    https://github.com/libexpat/libexpat/pull/892
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 6818c4e..698e907 100644
+--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
+@@ -7426,6 +7426,15 @@ nextScaffoldPart(XML_Parser parser)
+   int next;
+ 
+   if (!dtd->scaffIndex) {
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
+      return -1;
+    }
+#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (!dtd->scaffIndex)
+       return -1;
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 13%{?dist}
+Release: 15%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@ -23,6 +23,9 @@ Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch
 Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
 Patch13: expat-2.2.5-CVE-2022-43680.patch
 Patch14: expat-2.2.5-CVE-2023-52425.patch
+Patch15: expat-2.2.5-CVE-2024-45490.patch
+Patch16: expat-2.2.5-CVE-2024-45491.patch
+Patch17: expat-2.2.5-CVE-2024-45492.patch

 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@ -66,6 +69,9 @@ Install it if you need to link statically with expat.
 %patch13 -p1 -b .CVE-2022-43680
 pushd ..
 %patch14 -p1 -b .CVE-2023-52425
+%patch15 -p1 -b .CVE-2024-45490
+%patch16 -p1 -b .CVE-2024-45491
+%patch17 -p1 -b .CVE-2024-45492
 popd

 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@ -114,7 +120,19 @@ make check
 %{_libdir}/lib*.a

 %changelog
-* Tue Mar 26 2024 Tomas Korbar <tkorbar@redhat.com - 2.2.5-13
+* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-15
+- Rebuild for test reconfiguration
+
+* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-14
+- Fix multiple CVEs
+- Fix CVE-2024-45492 integer overflow
+- Fix CVE-2024-45491 Integer Overflow or Wraparound
+- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
+- Resolves: RHEL-57505
+- Resolves: RHEL-57493
+- Resolves: RHEL-56751
+
+* Tue Mar 26 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-13
 - Fix wrongly exposed variables
 - Resolves: RHEL-29321