import expat-2.4.9-1.el9_1.1
This commit is contained in:
parent
58ee343536
commit
c1b1190772
|
@ -0,0 +1,92 @@
|
||||||
|
commit b463b1beeba2ad7f9eb456bdbdc136cbbdd1dec8
|
||||||
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||||
|
Date: Fri Nov 11 10:46:36 2022 +0100
|
||||||
|
|
||||||
|
Fix CVE-2022-43680
|
||||||
|
|
||||||
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
|
index c0bece5..a73a1bf 100644
|
||||||
|
--- a/lib/xmlparse.c
|
||||||
|
+++ b/lib/xmlparse.c
|
||||||
|
@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
|
||||||
|
parserInit(parser, encodingName);
|
||||||
|
|
||||||
|
if (encodingName && ! parser->m_protocolEncodingName) {
|
||||||
|
+ if (dtd) {
|
||||||
|
+ // We need to stop the upcoming call to XML_ParserFree from happily
|
||||||
|
+ // destroying parser->m_dtd because the DTD is shared with the parent
|
||||||
|
+ // parser and the only guard that keeps XML_ParserFree from destroying
|
||||||
|
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
|
||||||
|
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
|
||||||
|
+ parser->m_dtd = NULL;
|
||||||
|
+ }
|
||||||
|
XML_ParserFree(parser);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
diff --git a/tests/runtests.c b/tests/runtests.c
|
||||||
|
index 530f184..cbfe420 100644
|
||||||
|
--- a/tests/runtests.c
|
||||||
|
+++ b/tests/runtests.c
|
||||||
|
@@ -10090,6 +10090,53 @@ START_TEST(test_alloc_long_notation) {
|
||||||
|
}
|
||||||
|
END_TEST
|
||||||
|
|
||||||
|
+static int XMLCALL
|
||||||
|
+external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
|
||||||
|
+ const XML_Char *context,
|
||||||
|
+ const XML_Char *base,
|
||||||
|
+ const XML_Char *systemId,
|
||||||
|
+ const XML_Char *publicId) {
|
||||||
|
+ UNUSED_P(base);
|
||||||
|
+ UNUSED_P(systemId);
|
||||||
|
+ UNUSED_P(publicId);
|
||||||
|
+
|
||||||
|
+ if (context != NULL)
|
||||||
|
+ fail("Unexpected non-NULL context");
|
||||||
|
+
|
||||||
|
+ // The following number intends to fail the upcoming allocation in line
|
||||||
|
+ // "parser->m_protocolEncodingName = copyString(encodingName,
|
||||||
|
+ // &(parser->m_mem));" in function parserInit.
|
||||||
|
+ allocation_count = 3;
|
||||||
|
+
|
||||||
|
+ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
|
||||||
|
+ const XML_Parser ext_parser
|
||||||
|
+ = XML_ExternalEntityParserCreate(parser, context, encodingName);
|
||||||
|
+ if (ext_parser != NULL)
|
||||||
|
+ fail(
|
||||||
|
+ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
|
||||||
|
+
|
||||||
|
+ allocation_count = ALLOC_ALWAYS_SUCCEED;
|
||||||
|
+ return XML_STATUS_ERROR;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
|
||||||
|
+ const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>";
|
||||||
|
+
|
||||||
|
+ XML_SetExternalEntityRefHandler(
|
||||||
|
+ g_parser, external_entity_parser_create_alloc_fail_handler);
|
||||||
|
+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
|
||||||
|
+
|
||||||
|
+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
|
||||||
|
+ != XML_STATUS_ERROR)
|
||||||
|
+ fail("Call to parse was expected to fail");
|
||||||
|
+
|
||||||
|
+ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
|
||||||
|
+ fail("Call to parse was expected to fail from the external entity handler");
|
||||||
|
+
|
||||||
|
+ XML_ParserReset(g_parser, NULL);
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
static void
|
||||||
|
nsalloc_setup(void) {
|
||||||
|
XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
|
||||||
|
@@ -12279,6 +12326,8 @@ make_suite(void) {
|
||||||
|
tcase_add_test(tc_alloc, test_alloc_long_public_id);
|
||||||
|
tcase_add_test(tc_alloc, test_alloc_long_entity_value);
|
||||||
|
tcase_add_test(tc_alloc, test_alloc_long_notation);
|
||||||
|
+ tcase_add_test__ifdef_xml_dtd(
|
||||||
|
+ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
|
||||||
|
|
||||||
|
suite_add_tcase(s, tc_nsalloc);
|
||||||
|
tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
|
|
@ -3,13 +3,15 @@
|
||||||
Summary: An XML parser library
|
Summary: An XML parser library
|
||||||
Name: expat
|
Name: expat
|
||||||
Version: %(echo %{unversion} | sed 's/_/./g')
|
Version: %(echo %{unversion} | sed 's/_/./g')
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}.1
|
||||||
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
||||||
URL: https://libexpat.github.io/
|
URL: https://libexpat.github.io/
|
||||||
License: MIT
|
License: MIT
|
||||||
BuildRequires: autoconf, libtool, xmlto, gcc-c++
|
BuildRequires: autoconf, libtool, xmlto, gcc-c++
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
|
|
||||||
|
Patch0: expat-2.4.9-CVE-2022-43680.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is expat, the C library for parsing XML, written by James Clark. Expat
|
This is expat, the C library for parsing XML, written by James Clark. Expat
|
||||||
is a stream oriented XML parser. This means that you register handlers with
|
is a stream oriented XML parser. This means that you register handlers with
|
||||||
|
@ -40,6 +42,8 @@ Install it if you need to link statically with expat.
|
||||||
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
||||||
./buildconf.sh
|
./buildconf.sh
|
||||||
|
|
||||||
|
%patch0 -p1 -b.CVE-2022-43680
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
|
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
|
||||||
export DOCBOOK_TO_MAN="xmlto man --skip-validation"
|
export DOCBOOK_TO_MAN="xmlto man --skip-validation"
|
||||||
|
@ -74,6 +78,10 @@ make check
|
||||||
%{_libdir}/lib*.a
|
%{_libdir}/lib*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 11 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.9-1.1
|
||||||
|
- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
|
||||||
|
- Resolves: CVE-2022-43680
|
||||||
|
|
||||||
* Thu Sep 29 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.9-1
|
* Thu Sep 29 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.9-1
|
||||||
- Rebase to version 2.4.9
|
- Rebase to version 2.4.9
|
||||||
- Resolves: CVE-2022-40674
|
- Resolves: CVE-2022-40674
|
||||||
|
|
Loading…
Reference in New Issue