From 29ef1f83edaf44a3ac78fedb618f4ade726eee06 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Wed, 9 Oct 2024 11:16:33 +0200
Subject: [PATCH] Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
Resolves: RHEL-56761
Resolves: RHEL-57520
Resolves: RHEL-57511
---
 expat-2.5.0-CVE-2024-45490.patch | 129 +++++++++++++++++++++++++++++++
 expat-2.5.0-CVE-2024-45491.patch | 31 ++++++++
 expat-2.5.0-CVE-2024-45492.patch | 30 +++++++
 expat.spec | 17 +++-
 4 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 expat-2.5.0-CVE-2024-45490.patch
 create mode 100644 expat-2.5.0-CVE-2024-45491.patch
 create mode 100644 expat-2.5.0-CVE-2024-45492.patch
diff --git a/expat-2.5.0-CVE-2024-45490.patch b/expat-2.5.0-CVE-2024-45490.patch
new file mode 100644
index 0000000..044f6c5
--- /dev/null
+++ b/expat-2.5.0-CVE-2024-45490.patch
@@ -0,0 +1,129 @@
+commit 05d87eb116ddde35bfa4e4c1d2ec7bcbda38c09b
+Author: Tomas Korbar
+Date: Wed Sep 11 13:48:58 2024 +0200
+
+ Fix CVE-2024-45490
+
+ https://github.com/libexpat/libexpat/pull/890
+
+diff --git a/expat/doc/reference.html b/expat/doc/reference.html
+index a10f3cb..d618bd8 100644
+--- a/expat/doc/reference.html
++++ b/expat/doc/reference.html
+@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by len. This means
+ that s doesn't have to be null terminated. It also means that
+ if len is larger than the number of bytes in the block of
+-memory that s points at, then a memory fault is likely. The
++memory that s points at, then a memory fault is likely.
++Negative values for len are rejected since Expat 2.2.1.
++The
+ isFinal parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ len is zero.)
+@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
+ int isFinal);
+
++

+ This is just like XML_Parse, + except in this case Expat provides the buffer. By obtaining the + buffer from Expat with the XML_GetBuffer function, the application can avoid double + copying of the input. ++

++ ++

++Negative values for len are rejected since Expat 2.6.3. ++

+
+ +

XML_GetBuffer

+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 0896b16..f54e258 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -1998,6 +1998,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
++
++ if (len < 0) {
++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++ return XML_STATUS_ERROR;
++ }
++
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 93adc45..ed88f9f 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3856,6 +3856,57 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+
++/* Test XML_Parse for len < 0 */
++START_TEST(test_negative_len_parse) {
++ const char *const doc = "";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++/* Test XML_ParseBuffer for len < 0 */
++START_TEST(test_negative_len_parse_buffer) {
++ const char *const doc = "";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
++
++ if (buffer == NULL)
++ fail("XML_GetBuffer failed.");
++
++ memcpy(buffer, doc, strlen(doc));
++
++ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12937,6 +12988,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+ tcase_add_test(tc_basic, test_empty_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+ tcase_add_test(tc_basic, test_get_buffer_1);
+ tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
diff --git a/expat-2.5.0-CVE-2024-45491.patch b/expat-2.5.0-CVE-2024-45491.patch
new file mode 100644
index 0000000..0f69dd7
--- /dev/null
+++ b/expat-2.5.0-CVE-2024-45491.patch
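Review bot: The `if (len < 0)` guard added to XML_ParseBuffer in the xmlparse.c hunk carries no comment, so the reason it has to sit exactly here — before the parsing-status switch and before the buffer-pointer arithmetic further down the function, which presumably advances `m_bufferEnd` by `len` and lies outside the hunk — is invisible to anyone who has not read CVE-2024-45490; a one-liner such as `/* A negative len would move the buffer end backwards below; reject it before any pointer arithmetic (CVE-2024-45490). */` would let the intent survive a later refactor. Putting the check ahead of the XML_SUSPENDED/XML_FINISHED cases also means a suspended or finished parser now reports XML_ERROR_INVALID_ARGUMENT for a negative len instead of its status error, which is reasonable but worth stating in the same comment. In the runtests.c hunk the test document literal appears here as `""`; if an element was dropped when this page was rendered, the on-disk patch should be compared with the referenced upstream change before assuming the tests exercise a non-empty buffer, since `XML_GetBuffer(parser, 0)` may not hand back a usable buffer and the second test would then fail at "XML_GetBuffer failed." rather than at the negative-length call.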
@@ -0,0 +1,31 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..e2327bdcf 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ if (! newE)
+ return 0;
+ if (oldE->nDefaultAtts) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((size_t)oldE->nDefaultAtts
++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++ return 0;
++ }
++#endif
+ newE->defaultAtts
+ = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+ if (! newE->defaultAtts) {
diff --git a/expat-2.5.0-CVE-2024-45492.patch b/expat-2.5.0-CVE-2024-45492.patch
new file mode 100644
index 0000000..8950cdf
--- /dev/null
+++ b/expat-2.5.0-CVE-2024-45492.patch
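Review bot: The dtdCopy overflow guard spells the same limit two ways — `#if UINT_MAX >= SIZE_MAX` for the preprocessor test and `(size_t)(-1)` in the runtime comparison — and nothing says why, which invites a later cleanup to "normalise" the body to `SIZE_MAX` and break the fallback. If `SIZE_MAX` happens to be undefined, the preprocessor evaluates it as 0, so the `#if` stays true and the check is compiled in; `(size_t)(-1)` is what keeps that path compiling. A comment on the `#if` line would pin this down: `/* (size_t)(-1) rather than SIZE_MAX so the check still builds where SIZE_MAX is undefined (the #if then treats it as 0 and keeps the check). */`. The same applies to the nextScaffoldPart guard in expat-2.5.0-CVE-2024-45492.patch, which compares `parser->m_groupSize` against the same limit. Both guards rely on xmlparse.c already including `<limits.h>` and `<stdint.h>`, which is outside these hunks, and the body of dtdCopy continues past the hunk.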
@@ -0,0 +1,30 @@
+From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..f737575ea 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
+ int next;
+
+ if (! dtd->scaffIndex) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++ return -1;
++ }
++#endif
+ dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+ if (! dtd->scaffIndex)
+ return -1;
diff --git a/expat.spec b/expat.spec
index 34d1ecc..b0a76f1 100644
--- a/expat.spec
+++ b/expat.spec
@@ -3,7 +3,7 @@ Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -13,6 +13,12 @@ BuildRequires: make
 Patch0: expat-2.5.0-CVE-2023-52425.patch
 # https://issues.redhat.com/browse/RHEL-28700
 Patch1: expat-2.5.0-CVE-2024-28757.patch
+# https://issues.redhat.com/browse/RHEL-56761
+Patch2: expat-2.5.0-CVE-2024-45490.patch
+# https://issues.redhat.com/browse/RHEL-57520
+Patch3: expat-2.5.0-CVE-2024-45491.patch
+# https://issues.redhat.com/browse/RHEL-57511
+Patch4: expat-2.5.0-CVE-2024-45492.patch
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -43,6 +49,9 @@ Install it if you need to link statically with expat.
 pushd ..
 %patch0 -p1 -b .CVE-2023-52425
 %patch1 -p1 -b .CVE-2024-28757
+%patch2 -p1 -b .CVE-2024-45490
+%patch3 -p1 -b .CVE-2024-45491
+%patch4 -p1 -b .CVE-2024-45492
 popd
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@@ -91,6 +100,12 @@ make check
 %{_libdir}/lib*.a
 %changelog
+* Wed Oct 09 2024 Tomas Korbar - 2.5.0-3
+- Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+- Resolves: RHEL-56761
+- Resolves: RHEL-57520
+- Resolves: RHEL-57511
+
 * Tue Feb 13 2024 Tomas Korbar - 2.5.0-2
 - Fix parsing of large tokens
 - Reject direct parameter entity recursion