import UBI expat-2.5.0-2.el9_4.1
This commit is contained in:
parent
4ff2865e4a
commit
090e8f9ec6
129
SOURCES/expat-2.5.0-CVE-2024-45490.patch
Normal file
129
SOURCES/expat-2.5.0-CVE-2024-45490.patch
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
commit 05d87eb116ddde35bfa4e4c1d2ec7bcbda38c09b
|
||||||
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||||
|
Date: Wed Sep 11 13:48:58 2024 +0200
|
||||||
|
|
||||||
|
Fix CVE-2024-45490
|
||||||
|
|
||||||
|
https://github.com/libexpat/libexpat/pull/890
|
||||||
|
|
||||||
|
diff --git a/expat/doc/reference.html b/expat/doc/reference.html
|
||||||
|
index a10f3cb..d618bd8 100644
|
||||||
|
--- a/expat/doc/reference.html
|
||||||
|
+++ b/expat/doc/reference.html
|
||||||
|
@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
|
||||||
|
that are part of the document is indicated by <code>len</code>. This means
|
||||||
|
that <code>s</code> doesn't have to be null terminated. It also means that
|
||||||
|
if <code>len</code> is larger than the number of bytes in the block of
|
||||||
|
-memory that <code>s</code> points at, then a memory fault is likely. The
|
||||||
|
+memory that <code>s</code> points at, then a memory fault is likely.
|
||||||
|
+Negative values for <code>len</code> are rejected since Expat 2.2.1.
|
||||||
|
+The
|
||||||
|
<code>isFinal</code> parameter informs the parser that this is the last
|
||||||
|
piece of the document. Frequently, the last piece is empty (i.e.
|
||||||
|
<code>len</code> is zero.)
|
||||||
|
@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
|
||||||
|
int isFinal);
|
||||||
|
</pre>
|
||||||
|
<div class="fcndef">
|
||||||
|
+<p>
|
||||||
|
This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
|
||||||
|
except in this case Expat provides the buffer. By obtaining the
|
||||||
|
buffer from Expat with the <code><a href= "#XML_GetBuffer"
|
||||||
|
>XML_GetBuffer</a></code> function, the application can avoid double
|
||||||
|
copying of the input.
|
||||||
|
+</p>
|
||||||
|
+
|
||||||
|
+<p>
|
||||||
|
+Negative values for <code>len</code> are rejected since Expat 2.6.3.
|
||||||
|
+</p>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<h4 id="XML_GetBuffer">XML_GetBuffer</h4>
|
||||||
|
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||||
|
index 0896b16..f54e258 100644
|
||||||
|
--- a/expat/lib/xmlparse.c
|
||||||
|
+++ b/expat/lib/xmlparse.c
|
||||||
|
@@ -1998,6 +1998,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
|
||||||
|
|
||||||
|
if (parser == NULL)
|
||||||
|
return XML_STATUS_ERROR;
|
||||||
|
+
|
||||||
|
+ if (len < 0) {
|
||||||
|
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
|
||||||
|
+ return XML_STATUS_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
switch (parser->m_parsingStatus.parsing) {
|
||||||
|
case XML_SUSPENDED:
|
||||||
|
parser->m_errorCode = XML_ERROR_SUSPENDED;
|
||||||
|
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
|
||||||
|
index 93adc45..ed88f9f 100644
|
||||||
|
--- a/expat/tests/runtests.c
|
||||||
|
+++ b/expat/tests/runtests.c
|
||||||
|
@@ -3856,6 +3856,57 @@ START_TEST(test_empty_parse) {
|
||||||
|
}
|
||||||
|
END_TEST
|
||||||
|
|
||||||
|
+/* Test XML_Parse for len < 0 */
|
||||||
|
+START_TEST(test_negative_len_parse) {
|
||||||
|
+ const char *const doc = "<root/>";
|
||||||
|
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
|
||||||
|
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||||
|
+
|
||||||
|
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
|
||||||
|
+ fail("There was not supposed to be any initial parse error.");
|
||||||
|
+
|
||||||
|
+ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
|
||||||
|
+
|
||||||
|
+ if (status != XML_STATUS_ERROR)
|
||||||
|
+ fail("Negative len was expected to fail the parse but did not.");
|
||||||
|
+
|
||||||
|
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
|
||||||
|
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
|
||||||
|
+
|
||||||
|
+ XML_ParserFree(parser);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+/* Test XML_ParseBuffer for len < 0 */
|
||||||
|
+START_TEST(test_negative_len_parse_buffer) {
|
||||||
|
+ const char *const doc = "<root/>";
|
||||||
|
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
|
||||||
|
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||||
|
+
|
||||||
|
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
|
||||||
|
+ fail("There was not supposed to be any initial parse error.");
|
||||||
|
+
|
||||||
|
+ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
|
||||||
|
+
|
||||||
|
+ if (buffer == NULL)
|
||||||
|
+ fail("XML_GetBuffer failed.");
|
||||||
|
+
|
||||||
|
+ memcpy(buffer, doc, strlen(doc));
|
||||||
|
+
|
||||||
|
+ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
|
||||||
|
+
|
||||||
|
+ if (status != XML_STATUS_ERROR)
|
||||||
|
+ fail("Negative len was expected to fail the parse but did not.");
|
||||||
|
+
|
||||||
|
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
|
||||||
|
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
|
||||||
|
+
|
||||||
|
+ XML_ParserFree(parser);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
/* Test odd corners of the XML_GetBuffer interface */
|
||||||
|
static enum XML_Status
|
||||||
|
get_feature(enum XML_FeatureEnum feature_id, long *presult) {
|
||||||
|
@@ -12937,6 +12988,8 @@ make_suite(void) {
|
||||||
|
tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
|
||||||
|
tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
|
||||||
|
tcase_add_test(tc_basic, test_empty_parse);
|
||||||
|
+ tcase_add_test(tc_basic, test_negative_len_parse);
|
||||||
|
+ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
|
||||||
|
tcase_add_test(tc_basic, test_get_buffer_1);
|
||||||
|
tcase_add_test(tc_basic, test_get_buffer_2);
|
||||||
|
#if defined(XML_CONTEXT_BYTES)
|
31
SOURCES/expat-2.5.0-CVE-2024-45491.patch
Normal file
31
SOURCES/expat-2.5.0-CVE-2024-45491.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sebastian Pipping <sebastian@pipping.org>
|
||||||
|
Date: Mon, 19 Aug 2024 22:34:13 +0200
|
||||||
|
Subject: [PATCH] lib: Detect integer overflow in dtdCopy
|
||||||
|
|
||||||
|
Reported by TaiYou
|
||||||
|
---
|
||||||
|
expat/lib/xmlparse.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||||
|
index 91682c188..e2327bdcf 100644
|
||||||
|
--- a/expat/lib/xmlparse.c
|
||||||
|
+++ b/expat/lib/xmlparse.c
|
||||||
|
@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
|
||||||
|
if (! newE)
|
||||||
|
return 0;
|
||||||
|
if (oldE->nDefaultAtts) {
|
||||||
|
+ /* Detect and prevent integer overflow.
|
||||||
|
+ * The preprocessor guard addresses the "always false" warning
|
||||||
|
+ * from -Wtype-limits on platforms where
|
||||||
|
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
+#if UINT_MAX >= SIZE_MAX
|
||||||
|
+ if ((size_t)oldE->nDefaultAtts
|
||||||
|
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
newE->defaultAtts
|
||||||
|
= ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
|
||||||
|
if (! newE->defaultAtts) {
|
30
SOURCES/expat-2.5.0-CVE-2024-45492.patch
Normal file
30
SOURCES/expat-2.5.0-CVE-2024-45492.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sebastian Pipping <sebastian@pipping.org>
|
||||||
|
Date: Mon, 19 Aug 2024 22:37:16 +0200
|
||||||
|
Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
|
||||||
|
|
||||||
|
Reported by TaiYou
|
||||||
|
---
|
||||||
|
expat/lib/xmlparse.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||||
|
index 91682c188..f737575ea 100644
|
||||||
|
--- a/expat/lib/xmlparse.c
|
||||||
|
+++ b/expat/lib/xmlparse.c
|
||||||
|
@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
|
||||||
|
int next;
|
||||||
|
|
||||||
|
if (! dtd->scaffIndex) {
|
||||||
|
+ /* Detect and prevent integer overflow.
|
||||||
|
+ * The preprocessor guard addresses the "always false" warning
|
||||||
|
+ * from -Wtype-limits on platforms where
|
||||||
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
+#if UINT_MAX >= SIZE_MAX
|
||||||
|
+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
|
||||||
|
if (! dtd->scaffIndex)
|
||||||
|
return -1;
|
@ -3,7 +3,7 @@
|
|||||||
Summary: An XML parser library
|
Summary: An XML parser library
|
||||||
Name: expat
|
Name: expat
|
||||||
Version: %(echo %{unversion} | sed 's/_/./g')
|
Version: %(echo %{unversion} | sed 's/_/./g')
|
||||||
Release: 2%{?dist}
|
Release: 2%{?dist}.1
|
||||||
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
||||||
URL: https://libexpat.github.io/
|
URL: https://libexpat.github.io/
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -13,6 +13,12 @@ BuildRequires: make
|
|||||||
Patch0: expat-2.5.0-CVE-2023-52425.patch
|
Patch0: expat-2.5.0-CVE-2023-52425.patch
|
||||||
# https://issues.redhat.com/browse/RHEL-28700
|
# https://issues.redhat.com/browse/RHEL-28700
|
||||||
Patch1: expat-2.5.0-CVE-2024-28757.patch
|
Patch1: expat-2.5.0-CVE-2024-28757.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-56763
|
||||||
|
Patch2: expat-2.5.0-CVE-2024-45490.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-57497
|
||||||
|
Patch3: expat-2.5.0-CVE-2024-45491.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-57510
|
||||||
|
Patch4: expat-2.5.0-CVE-2024-45492.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is expat, the C library for parsing XML, written by James Clark. Expat
|
This is expat, the C library for parsing XML, written by James Clark. Expat
|
||||||
@ -43,6 +49,9 @@ Install it if you need to link statically with expat.
|
|||||||
pushd ..
|
pushd ..
|
||||||
%patch0 -p1 -b .CVE-2023-52425
|
%patch0 -p1 -b .CVE-2023-52425
|
||||||
%patch1 -p1 -b .CVE-2024-28757
|
%patch1 -p1 -b .CVE-2024-28757
|
||||||
|
%patch2 -p1 -b .CVE-2024-45490
|
||||||
|
%patch3 -p1 -b .CVE-2024-45491
|
||||||
|
%patch4 -p1 -b .CVE-2024-45492
|
||||||
popd
|
popd
|
||||||
|
|
||||||
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
||||||
@ -91,6 +100,15 @@ make check
|
|||||||
%{_libdir}/lib*.a
|
%{_libdir}/lib*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2.1
|
||||||
|
- Fix multiple CVEs
|
||||||
|
- Fix CVE-2024-45492 integer overflow
|
||||||
|
- Fix CVE-2024-45491 Integer Overflow or Wraparound
|
||||||
|
- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
|
||||||
|
- Resolves: RHEL-57510
|
||||||
|
- Resolves: RHEL-57497
|
||||||
|
- Resolves: RHEL-56763
|
||||||
|
|
||||||
* Tue Feb 13 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2
|
* Tue Feb 13 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2
|
||||||
- Fix parsing of large tokens
|
- Fix parsing of large tokens
|
||||||
- Reject direct parameter entity recursion
|
- Reject direct parameter entity recursion
|
||||||
|
Loading…
Reference in New Issue
Block a user