diff --git a/SOURCES/expat-2.5.0-CVE-2024-50602.patch b/SOURCES/expat-2.5.0-CVE-2024-50602.patch
new file mode 100644
index 0000000..1a06e2e
--- /dev/null
+++ b/SOURCES/expat-2.5.0-CVE-2024-50602.patch
@@ -0,0 +1,108 @@
+commit 38905b99bb78a6a691ed8358f30030116783656c
+Author: Tomas Korbar
+Date: Thu Nov 7 15:00:46 2024 +0100
+
+ Fix CVE-2024-50602
+
+ See https://github.com/libexpat/libexpat/pull/915
+
+diff --git a/expat/lib/expat.h b/expat/lib/expat.h
+index 842dd70..69b0ba1 100644
+--- a/expat/lib/expat.h
++++ b/expat/lib/expat.h
+@@ -128,7 +128,9 @@ enum XML_Error {
+ /* Added in 2.3.0. */
+ XML_ERROR_NO_BUFFER,
+ /* Added in 2.4.0. */
+- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++ /* Added in 2.6.4. */
++ XML_ERROR_NOT_STARTED,
+ };
+
+ enum XML_Content_Type {
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index e0c2873..8b2af91 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2193,6 +2193,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
+ switch (parser->m_parsingStatus.parsing) {
++ case XML_INITIALIZED:
++ parser->m_errorCode = XML_ERROR_NOT_STARTED;
++ return XML_STATUS_ERROR;
+ case XML_SUSPENDED:
+ if (resumable) {
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2203,7 +2206,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ case XML_FINISHED:
+ parser->m_errorCode = XML_ERROR_FINISHED;
+ return XML_STATUS_ERROR;
+- default:
++ case XML_PARSING:
+ if (resumable) {
+ #ifdef XML_DTD
+ if (parser->m_isParamEntity) {
+@@ -2214,6 +2217,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ parser->m_parsingStatus.parsing = XML_SUSPENDED;
+ } else
+ parser->m_parsingStatus.parsing = XML_FINISHED;
++ break;
++ default:
++ assert(0);
+ }
+ return XML_STATUS_OK;
+ }
+@@ -2478,6 +2484,9 @@ XML_ErrorString(enum XML_Error code) {
+ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+ return XML_L(
+ "limit on input amplification factor (from DTD and entities) breached");
++ /* Added in 2.6.4. */
++ case XML_ERROR_NOT_STARTED:
++ return XML_L("parser not started");
+ }
+ return NULL;
+ }
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index ed88f9f..5769aa0 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -8711,6 +8711,28 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
+ }
+ END_TEST
+
++START_TEST(test_misc_resumeparser_not_crashing) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ XML_GetBuffer(parser, 1);
++ XML_StopParser(parser, /*resumable=*/XML_TRUE);
++ XML_ResumeParser(parser); // could crash here, previously
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ const XML_Bool resumable = cases[i];
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ static void
+ alloc_setup(void) {
+ XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -13176,6 +13198,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(
+ tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+ tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index e3479b1..76ef5e5 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
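Review bot: The new `default:` arm of XML_StopParser (third xmlparse.c hunk) has `assert(0);` as its only handling, so in a build that defines NDEBUG an unexpected m_parsingStatus.parsing value falls out of the switch to the existing `return XML_STATUS_OK;` and reports success without setting m_errorCode; whether the RHEL build defines NDEBUG is not visible here, and the arm presumes `<assert.h>` is already included in xmlparse.c. A fallback that fails closed in either configuration is `default: assert(0); return XML_STATUS_ERROR;`, though that deviates from the upstream change the commit message cites and should be weighed against keeping the backport verbatim. The `case XML_INITIALIZED:` arm would also benefit from a why-comment tying it to the advisory, e.g. `/* CVE-2024-50602: refuse to stop/suspend a parser that has not started parsing; XML_ResumeParser on such a parser could crash (see test_misc_resumeparser_not_crashing) */`. XML_StopParser's body begins before the first xmlparse.c hunk, and XML_ErrorString and make_suite are only partially shown.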
@@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 2%{?dist}.1
+Release: 3%{?dist}.1
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -13,12 +13,14 @@ BuildRequires: make
 Patch0: expat-2.5.0-CVE-2023-52425.patch
 # https://issues.redhat.com/browse/RHEL-28700
 Patch1: expat-2.5.0-CVE-2024-28757.patch
-# https://issues.redhat.com/browse/RHEL-56763
+# https://issues.redhat.com/browse/RHEL-56761
 Patch2: expat-2.5.0-CVE-2024-45490.patch
-# https://issues.redhat.com/browse/RHEL-57497
+# https://issues.redhat.com/browse/RHEL-57520
 Patch3: expat-2.5.0-CVE-2024-45491.patch
-# https://issues.redhat.com/browse/RHEL-57510
+# https://issues.redhat.com/browse/RHEL-57511
 Patch4: expat-2.5.0-CVE-2024-45492.patch
+# https://issues.redhat.com/browse/RHEL-65064
+Patch5: expat-2.5.0-CVE-2024-50602.patch

 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -52,6 +54,7 @@ pushd ..
 %patch2 -p1 -b .CVE-2024-45490
 %patch3 -p1 -b .CVE-2024-45491
 %patch4 -p1 -b .CVE-2024-45492
+%patch5 -p1 -b .CVE-2024-50602
 popd

 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@@ -100,14 +103,15 @@ make check
 %{_libdir}/lib*.a

 %changelog
-* Wed Sep 11 2024 Tomas Korbar - 2.5.0-2.1
-- Fix multiple CVEs
-- Fix CVE-2024-45492 integer overflow
-- Fix CVE-2024-45491 Integer Overflow or Wraparound
-- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
-- Resolves: RHEL-57510
-- Resolves: RHEL-57497
-- Resolves: RHEL-56763
+* Thu Nov 07 2024 Tomas Korbar - 2.5.0-3.1
+- Fix CVE-2024-50602
+- Resolves: RHEL-65064
+
+* Wed Oct 09 2024 Tomas Korbar - 2.5.0-3
+- Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+- Resolves: RHEL-56761
+- Resolves: RHEL-57520
+- Resolves: RHEL-57511

 * Tue Feb 13 2024 Tomas Korbar - 2.5.0-2
 - Fix parsing of large tokens