Fix CVE-2024-50602

Resolves: RHEL-65066
This commit is contained in:
Tomas Korbar 2024-11-07 15:43:05 +01:00
parent 29ef1f83ed
commit 4b4a20d485
2 changed files with 116 additions and 1 deletions

View File

@ -0,0 +1,108 @@
commit 38905b99bb78a6a691ed8358f30030116783656c
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Thu Nov 7 15:00:46 2024 +0100
Fix CVE-2024-50602
See https://github.com/libexpat/libexpat/pull/915
diff --git a/expat/lib/expat.h b/expat/lib/expat.h
index 842dd70..69b0ba1 100644
--- a/expat/lib/expat.h
+++ b/expat/lib/expat.h
@@ -128,7 +128,9 @@ enum XML_Error {
/* Added in 2.3.0. */
XML_ERROR_NO_BUFFER,
/* Added in 2.4.0. */
- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
+ /* Added in 2.6.4. */
+ XML_ERROR_NOT_STARTED,
};
enum XML_Content_Type {
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index e0c2873..8b2af91 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -2193,6 +2193,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
if (parser == NULL)
return XML_STATUS_ERROR;
switch (parser->m_parsingStatus.parsing) {
+ case XML_INITIALIZED:
+ parser->m_errorCode = XML_ERROR_NOT_STARTED;
+ return XML_STATUS_ERROR;
case XML_SUSPENDED:
if (resumable) {
parser->m_errorCode = XML_ERROR_SUSPENDED;
@@ -2203,7 +2206,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
case XML_FINISHED:
parser->m_errorCode = XML_ERROR_FINISHED;
return XML_STATUS_ERROR;
- default:
+ case XML_PARSING:
if (resumable) {
#ifdef XML_DTD
if (parser->m_isParamEntity) {
@@ -2214,6 +2217,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
parser->m_parsingStatus.parsing = XML_SUSPENDED;
} else
parser->m_parsingStatus.parsing = XML_FINISHED;
+ break;
+ default:
+ assert(0);
}
return XML_STATUS_OK;
}
@@ -2478,6 +2484,9 @@ XML_ErrorString(enum XML_Error code) {
case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
return XML_L(
"limit on input amplification factor (from DTD and entities) breached");
+ /* Added in 2.6.4. */
+ case XML_ERROR_NOT_STARTED:
+ return XML_L("parser not started");
}
return NULL;
}
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index ed88f9f..5769aa0 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -8711,6 +8711,28 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
}
END_TEST
+START_TEST(test_misc_resumeparser_not_crashing) {
+ XML_Parser parser = XML_ParserCreate(NULL);
+ XML_GetBuffer(parser, 1);
+ XML_StopParser(parser, /*resumable=*/XML_TRUE);
+ XML_ResumeParser(parser); // could crash here, previously
+ XML_ParserFree(parser);
+}
+END_TEST
+
+START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
+ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
+ const XML_Bool resumable = cases[i];
+ XML_Parser parser = XML_ParserCreate(NULL);
+ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
+ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
+ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
+ XML_ParserFree(parser);
+ }
+}
+END_TEST
+
static void
alloc_setup(void) {
XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
@@ -13176,6 +13198,8 @@ make_suite(void) {
tcase_add_test__ifdef_xml_dtd(
tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
+ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
+ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
suite_add_tcase(s, tc_alloc);
tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);

View File

@ -3,7 +3,7 @@
Summary: An XML parser library
Name: expat
Version: %(echo %{unversion} | sed 's/_/./g')
Release: 3%{?dist}
Release: 4%{?dist}
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
URL: https://libexpat.github.io/
License: MIT
@ -19,6 +19,8 @@ Patch2: expat-2.5.0-CVE-2024-45490.patch
Patch3: expat-2.5.0-CVE-2024-45491.patch
# https://issues.redhat.com/browse/RHEL-57511
Patch4: expat-2.5.0-CVE-2024-45492.patch
# https://issues.redhat.com/browse/RHEL-65066
Patch5: expat-2.5.0-CVE-2024-50602.patch
%description
This is expat, the C library for parsing XML, written by James Clark. Expat
@ -52,6 +54,7 @@ pushd ..
%patch2 -p1 -b .CVE-2024-45490
%patch3 -p1 -b .CVE-2024-45491
%patch4 -p1 -b .CVE-2024-45492
%patch5 -p1 -b .CVE-2024-50602
popd
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@ -100,6 +103,10 @@ make check
%{_libdir}/lib*.a
%changelog
* Thu Nov 07 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-4
- Fix CVE-2024-50602
- Resolves: RHEL-65066
* Wed Oct 09 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-3
- Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
- Resolves: RHEL-56761