From dbc14c5fec8c38397f5c51660fc497d014cfb40c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Jul 2020 09:17:54 -0400 Subject: [PATCH] import expat-2.2.5-4.el8 --- SOURCES/expat-2.2.5-CVE-2018-20843.patch | 15 ++ SOURCES/expat-2.2.5-CVE-2019-15903.patch | 171 +++++++++++++++++++++++ SPECS/expat.spec | 10 +- 3 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 SOURCES/expat-2.2.5-CVE-2018-20843.patch create mode 100644 SOURCES/expat-2.2.5-CVE-2019-15903.patch diff --git a/SOURCES/expat-2.2.5-CVE-2018-20843.patch b/SOURCES/expat-2.2.5-CVE-2018-20843.patch new file mode 100644 index 0000000..8afbfd0 --- /dev/null +++ b/SOURCES/expat-2.2.5-CVE-2018-20843.patch @@ -0,0 +1,15 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843 +https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 + +--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve20843 ++++ libexpat-R_2_2_5/expat/lib/xmlparse.c +@@ -6057,7 +6057,7 @@ setElementTypePrefix(XML_Parser parser, + else + poolDiscard(&dtd->pool); + elementType->prefix = prefix; +- ++ break; + } + } + return 1; diff --git a/SOURCES/expat-2.2.5-CVE-2019-15903.patch b/SOURCES/expat-2.2.5-CVE-2019-15903.patch new file mode 100644 index 0000000..72c0164 --- /dev/null +++ b/SOURCES/expat-2.2.5-CVE-2019-15903.patch @@ -0,0 +1,171 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=1752592 + +https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65 + +--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve15903 ++++ libexpat-R_2_2_5/expat/lib/xmlparse.c +@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser); + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -4268,19 +4268,13 @@ prologProcessor(XML_Parser parser, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error +-doProlog(XML_Parser parser, +- const ENCODING *enc, +- const char *s, +- const char *end, +- int tok, +- const char *next, +- const char **nextPtr, +- XML_Bool haveMore) +-{ ++doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, ++ int tok, const char *next, const char **nextPtr, XML_Bool haveMore, ++ XML_Bool allowClosingDoctype) { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; + #endif /* XML_DTD */ +@@ -4458,6 +4452,11 @@ doProlog(XML_Parser parser, + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if (allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (parser->m_doctypeName) { + parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, + parser->m_doctypeSysid, parser->m_doctypePubid, 0); +@@ -5395,7 +5394,7 @@ processInternalEntity(XML_Parser parser, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5442,7 +5441,7 @@ internalEntityProcessor(XML_Parser parse + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_TRUE); + } + else + #endif /* XML_DTD */ +@@ -5469,7 +5468,7 @@ internalEntityProcessor(XML_Parser parse + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ +--- libexpat-R_2_2_5/expat/tests/runtests.c.cve15903 ++++ libexpat-R_2_2_5/expat/tests/runtests.c +@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co + CharData_AppendXMLChars(storage, XCS("\n"), 1); + } + ++#ifdef XML_DTD ++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { ++ const char *const inputOne = "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo = "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree = "\n" ++ "\n" ++ "%e;"; ++ const char *const inputIssue317 = "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; ++ ++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ size_t inputIndex = 0; ++ ++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ const char *const input = inputs[inputIndex]; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = XML_Parse(parser, "", 0, 1); ++ if (parseResult != XML_STATUS_ERROR) { ++ fail("Parsing was expected to fail but succeeded."); ++ } ++ } ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 4) ++ fail("XML_GetCurrentLineNumber does not work as expected."); ++ ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++#endif ++ + static void + run_ns_tagname_overwrite_test(const char *text, const XML_Char *result) + { +@@ -12210,6 +12273,10 @@ make_suite(void) + tcase_add_test(tc_misc, test_misc_features); + tcase_add_test(tc_misc, test_misc_attribute_leak); + tcase_add_test(tc_misc, test_misc_utf16le); ++#ifdef XML_DTD ++ tcase_add_test(tc_misc, ++ test_misc_deny_internal_entity_closing_doctype_issue_317); ++#endif + + suite_add_tcase(s, tc_alloc); + tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); diff --git a/SPECS/expat.spec b/SPECS/expat.spec index 233ae52..25338ac 100644 --- a/SPECS/expat.spec +++ b/SPECS/expat.spec @@ -3,12 +3,14 @@ Summary: An XML parser library Name: expat Version: %(echo %{unversion} | sed 's/_/./g') -Release: 3%{?dist} +Release: 4%{?dist} Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz URL: https://libexpat.github.io/ License: MIT BuildRequires: autoconf, libtool, xmlto, gcc-c++ Patch0: expat-2.2.5-doc2man.patch +Patch1: expat-2.2.5-CVE-2018-20843.patch +Patch2: expat-2.2.5-CVE-2019-15903.patch %description This is expat, the C library for parsing XML, written by James Clark. Expat @@ -37,6 +39,9 @@ Install it if you need to link statically with expat. %prep %setup -q -n libexpat-R_%{unversion}/expat %patch0 -p2 -b .doc2man +%patch1 -p2 -b .cve20843 +%patch2 -p2 -b .cve15903 + sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am ./buildconf.sh @@ -74,6 +79,9 @@ make check %{_libdir}/lib*.a %changelog +* Fri Apr 24 2020 Joe Orton - 2.2.5-4 +- add security fixes for CVE-2018-20843, CVE-2019-15903 + * Wed Feb 07 2018 Fedora Release Engineering - 2.2.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild