CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
Resolves: CVE-2021-45960
This commit is contained in:
parent
d183ecbb95
commit
21e8e5c32d
@ -0,0 +1,59 @@
|
|||||||
|
From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sebastian Pipping <sebastian@pipping.org>
|
||||||
|
Date: Mon, 27 Dec 2021 20:15:02 +0100
|
||||||
|
Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
|
||||||
|
storeAtts (CVE-2021-45960)
|
||||||
|
|
||||||
|
---
|
||||||
|
expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 29 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
|
index d730f41c3..b47c31b05 100644
|
||||||
|
--- a/lib/xmlparse.c
|
||||||
|
+++ b/lib/xmlparse.c
|
||||||
|
@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
||||||
|
if (nPrefixes) {
|
||||||
|
int j; /* hash table index */
|
||||||
|
unsigned long version = parser->m_nsAttsVersion;
|
||||||
|
- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
|
||||||
|
+
|
||||||
|
+ /* Detect and prevent invalid shift */
|
||||||
|
+ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
|
||||||
|
+ return XML_ERROR_NO_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
|
||||||
|
unsigned char oldNsAttsPower = parser->m_nsAttsPower;
|
||||||
|
/* size of hash table must be at least 2 * (# of prefixed attributes) */
|
||||||
|
if ((nPrefixes << 1)
|
||||||
|
@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
||||||
|
;
|
||||||
|
if (parser->m_nsAttsPower < 3)
|
||||||
|
parser->m_nsAttsPower = 3;
|
||||||
|
- nsAttsSize = (int)1 << parser->m_nsAttsPower;
|
||||||
|
+
|
||||||
|
+ /* Detect and prevent invalid shift */
|
||||||
|
+ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
|
||||||
|
+ /* Restore actual size of memory in m_nsAtts */
|
||||||
|
+ parser->m_nsAttsPower = oldNsAttsPower;
|
||||||
|
+ return XML_ERROR_NO_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ nsAttsSize = 1u << parser->m_nsAttsPower;
|
||||||
|
+
|
||||||
|
+ /* Detect and prevent integer overflow.
|
||||||
|
+ * The preprocessor guard addresses the "always false" warning
|
||||||
|
+ * from -Wtype-limits on platforms where
|
||||||
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
+#if UINT_MAX >= SIZE_MAX
|
||||||
|
+ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
|
||||||
|
+ /* Restore actual size of memory in m_nsAtts */
|
||||||
|
+ parser->m_nsAttsPower = oldNsAttsPower;
|
||||||
|
+ return XML_ERROR_NO_MEMORY;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
|
||||||
|
nsAttsSize * sizeof(NS_ATT));
|
||||||
|
if (! temp) {
|
@ -3,7 +3,7 @@
|
|||||||
Summary: An XML parser library
|
Summary: An XML parser library
|
||||||
Name: expat
|
Name: expat
|
||||||
Version: %(echo %{unversion} | sed 's/_/./g')
|
Version: %(echo %{unversion} | sed 's/_/./g')
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
||||||
URL: https://libexpat.github.io/
|
URL: https://libexpat.github.io/
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -12,6 +12,7 @@ BuildRequires: make
|
|||||||
Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
|
Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
|
||||||
Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
|
Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
|
||||||
Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
|
Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
|
||||||
|
Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is expat, the C library for parsing XML, written by James Clark. Expat
|
This is expat, the C library for parsing XML, written by James Clark. Expat
|
||||||
@ -42,6 +43,8 @@ Install it if you need to link statically with expat.
|
|||||||
%patch0 -p1 -b .CVE-2022-23990
|
%patch0 -p1 -b .CVE-2022-23990
|
||||||
%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
|
%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
|
||||||
%patch2 -p1 -b .CVE-2021-46143
|
%patch2 -p1 -b .CVE-2021-46143
|
||||||
|
%patch3 -p1 -b .CVE-2021-45960
|
||||||
|
|
||||||
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
||||||
./buildconf.sh
|
./buildconf.sh
|
||||||
|
|
||||||
@ -78,6 +81,10 @@ make check
|
|||||||
%{_libdir}/lib*.a
|
%{_libdir}/lib*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-8
|
||||||
|
- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
|
||||||
|
- Resolves: CVE-2021-45960
|
||||||
|
|
||||||
* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-7
|
* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-7
|
||||||
- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
|
- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
|
||||||
- Resolves: CVE-2021-46143
|
- Resolves: CVE-2021-46143
|
||||||
|
@ -44,7 +44,7 @@ rlJournalStart
|
|||||||
for i in `seq -w $COUNT`; do
|
for i in `seq -w $COUNT`; do
|
||||||
rlRun "dd if=/dev/urandom of=file$i.xml bs=1024 count=100" \
|
rlRun "dd if=/dev/urandom of=file$i.xml bs=1024 count=100" \
|
||||||
0 "Creating file$i.xml with random content"
|
0 "Creating file$i.xml with random content"
|
||||||
if ! rlRun "xmlwf file$i.xml"; then
|
if ! rlRun "xmlwf file$i.xml" 0,2; then
|
||||||
rlFileSubmit "file$i.xml"
|
rlFileSubmit "file$i.xml"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
Loading…
Reference in New Issue
Block a user