From 00ef654fce79bdb84c4d96eef8e781913506ae1c Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Fri, 8 Nov 2024 11:31:01 +0100
Subject: [PATCH] Fix CVE-2024-50602

Resolves: RHEL-65062
---
 expat-2.2.5-CVE-2024-50602.patch | 108 +++++++++++++++++++++++++++++++
 expat.spec | 8 ++-
 2 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 expat-2.2.5-CVE-2024-50602.patch

diff --git a/expat-2.2.5-CVE-2024-50602.patch b/expat-2.2.5-CVE-2024-50602.patch
new file mode 100644
index 0000000..3886c7d
--- /dev/null
+++ b/expat-2.2.5-CVE-2024-50602.patch
@@ -0,0 +1,108 @@
+commit c84ad1507fa42c25937af06e349c8f2f9bc34c11
+Author: Tomas Korbar
+Date: Fri Nov 8 11:18:42 2024 +0100
+
+ Fix CVE-2024-50602
+
+ See https://github.com/libexpat/libexpat/pull/915
+
+diff --git a/expat/lib/expat.h b/expat/lib/expat.h
+index afe12c5..157953c 100644
+--- a/expat/lib/expat.h
++++ b/expat/lib/expat.h
+@@ -124,7 +124,9 @@ enum XML_Error {
+ XML_ERROR_RESERVED_PREFIX_XMLNS,
+ XML_ERROR_RESERVED_NAMESPACE_URI,
+ /* Added in 2.2.1. */
+- XML_ERROR_INVALID_ARGUMENT
++ XML_ERROR_INVALID_ARGUMENT,
++ /* Added in 2.6.4. */
++ XML_ERROR_NOT_STARTED
+ };
+
+ enum XML_Content_Type {
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 698e907..ed079a5 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2170,6 +2170,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
+ switch (parser->m_parsingStatus.parsing) {
++ case XML_INITIALIZED:
++ parser->m_errorCode = XML_ERROR_NOT_STARTED;
++ return XML_STATUS_ERROR;
+ case XML_SUSPENDED:
+ if (resumable) {
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2180,7 +2183,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
+ case XML_FINISHED:
+ parser->m_errorCode = XML_ERROR_FINISHED;
+ return XML_STATUS_ERROR;
+- default:
++ case XML_PARSING:
+ if (resumable) {
+ #ifdef XML_DTD
+ if (parser->m_isParamEntity) {
+@@ -2192,6 +2195,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
+ }
+ else
+ parser->m_parsingStatus.parsing = XML_FINISHED;
++ break;
++ default:
++ assert(0);
+ }
+ return XML_STATUS_OK;
+ }
+@@ -2456,6 +2462,9 @@ XML_ErrorString(enum XML_Error code)
+ /* Added in 2.2.5. */
+ case XML_ERROR_INVALID_ARGUMENT: /* Constant added in 2.2.1, already */
+ return XML_L("invalid argument");
++ /* Added in 2.6.4. */
++ case XML_ERROR_NOT_STARTED:
++ return XML_L("parser not started");
+ }
+ return NULL;
+ }
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 6a3e09a..7b6d9fb 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -9162,6 +9162,28 @@ START_TEST(test_misc_utf16le)
+ END_TEST
+
+
++START_TEST(test_misc_resumeparser_not_crashing) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ XML_GetBuffer(parser, 1);
++ XML_StopParser(parser, /*resumable=*/XML_TRUE);
++ XML_ResumeParser(parser); // could crash here, previously
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ const XML_Bool resumable = cases[i];
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ static void
+ alloc_setup(void)
+ {
+@@ -13325,6 +13347,8 @@ make_suite(void)
+ tcase_add_test(tc_misc,
+ test_misc_deny_internal_entity_closing_doctype_issue_317);
+ #endif
++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/expat.spec b/expat.spec
index 3572f60..6e276d7 100644
--- a/expat.spec
+++ b/expat.spec
@@ -3,7 +3,7 @@ Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 15%{?dist}
+Release: 16%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
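Review bot: The new `default: assert(0);` arm added to XML_StopParser's switch in the xmlparse.c part of the embedded patch falls through to `return XML_STATUS_OK` whenever the build defines NDEBUG, so an unexpected m_parsingStatus.parsing value would be reported as success with no error code set, whereas an assert-enabled build aborts the process instead. If enum XML_Parsing holds only the four states the switch now names explicitly, the arm is unreachable and this is a matter of defensive consistency only, but `default: assert(0); return XML_STATUS_ERROR;` keeps the error-return convention the other arms follow in both build modes. The embedded hunks also do not show whether xmlparse.c in this 2.2.5 tree already includes <assert.h>, which is worth confirming since the backport now relies on the macro in this function. XML_StopParser's body begins and ends outside the three inner hunks that touch it.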
@@ -26,6 +26,7 @@ Patch14: expat-2.2.5-CVE-2023-52425.patch
 Patch15: expat-2.2.5-CVE-2024-45490.patch
 Patch16: expat-2.2.5-CVE-2024-45491.patch
 Patch17: expat-2.2.5-CVE-2024-45492.patch
+Patch18: expat-2.2.5-CVE-2024-50602.patch
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -72,6 +73,7 @@ pushd ..
 %patch15 -p1 -b .CVE-2024-45490
 %patch16 -p1 -b .CVE-2024-45491
 %patch17 -p1 -b .CVE-2024-45492
+%patch18 -p1 -b .CVE-2024-50602
 popd
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@@ -120,6 +122,10 @@ make check
 %{_libdir}/lib*.a
 %changelog
+* Fri Nov 08 2024 Tomas Korbar - 2.2.5-16
+- Fix CVE-2024-50602
+- Resolves: RHEL-65062
+
 * Wed Sep 11 2024 Tomas Korbar - 2.2.5-15
 - Rebuild for test reconfiguration