Improve fix for CVE-2022-25236
Related: CVE-2022-25236
This commit is contained in:
parent
6c4005223e
commit
f23fd2fa9c
@ -1,17 +1,14 @@
|
|||||||
From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
|
commit 5c47ae80738d0985babf06a023b3845169682064
|
||||||
From: Sebastian Pipping <sebastian@pipping.org>
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||||
Date: Sat, 12 Feb 2022 00:19:13 +0100
|
Date: Mon Mar 14 10:22:37 2022 +0100
|
||||||
Subject: [PATCH 1/4] lib: Fix (harmless) use of uninitialized memory
|
|
||||||
|
|
||||||
---
|
Protect against malicious namespace declarations
|
||||||
expat/lib/xmlparse.c | 6 ++----
|
|
||||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
index 902895d5..c768f856 100644
|
index 5c3f573..901abbf 100644
|
||||||
--- a/lib/xmlparse.c
|
--- a/lib/xmlparse.c
|
||||||
+++ b/lib/xmlparse.c
|
+++ b/lib/xmlparse.c
|
||||||
@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
|
@@ -638,8 +638,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
|
||||||
|
|
||||||
XML_Parser XMLCALL
|
XML_Parser XMLCALL
|
||||||
XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
|
XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
|
||||||
@ -21,7 +18,7 @@ index 902895d5..c768f856 100644
|
|||||||
return XML_ParserCreate_MM(encodingName, NULL, tmp);
|
return XML_ParserCreate_MM(encodingName, NULL, tmp);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
|
@@ -1253,8 +1252,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
|
||||||
would be otherwise.
|
would be otherwise.
|
||||||
*/
|
*/
|
||||||
if (parser->m_ns) {
|
if (parser->m_ns) {
|
||||||
@ -31,54 +28,159 @@ index 902895d5..c768f856 100644
|
|||||||
parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
|
parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
|
||||||
} else {
|
} else {
|
||||||
parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
|
parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
|
||||||
|
@@ -3526,6 +3524,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
||||||
From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
|
return XML_ERROR_NONE;
|
||||||
From: Sebastian Pipping <sebastian@pipping.org>
|
}
|
||||||
Date: Sat, 12 Feb 2022 01:09:29 +0100
|
|
||||||
Subject: [PATCH 2/4] lib: Protect against malicious namespace declarations
|
+static XML_Bool
|
||||||
(CVE-2022-25236)
|
+is_rfc3986_uri_char(XML_Char candidate) {
|
||||||
|
+ // For the RFC 3986 ANBF grammar see
|
||||||
---
|
+ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
|
||||||
expat/lib/xmlparse.c | 11 +++++++++++
|
+
|
||||||
1 file changed, 11 insertions(+)
|
+ switch (candidate) {
|
||||||
|
+ // From rule "ALPHA" (uppercase half)
|
||||||
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
+ case 'A':
|
||||||
index c768f856..a3aef88c 100644
|
+ case 'B':
|
||||||
--- a/lib/xmlparse.c
|
+ case 'C':
|
||||||
+++ b/lib/xmlparse.c
|
+ case 'D':
|
||||||
@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
+ case 'E':
|
||||||
|
+ case 'F':
|
||||||
|
+ case 'G':
|
||||||
|
+ case 'H':
|
||||||
|
+ case 'I':
|
||||||
|
+ case 'J':
|
||||||
|
+ case 'K':
|
||||||
|
+ case 'L':
|
||||||
|
+ case 'M':
|
||||||
|
+ case 'N':
|
||||||
|
+ case 'O':
|
||||||
|
+ case 'P':
|
||||||
|
+ case 'Q':
|
||||||
|
+ case 'R':
|
||||||
|
+ case 'S':
|
||||||
|
+ case 'T':
|
||||||
|
+ case 'U':
|
||||||
|
+ case 'V':
|
||||||
|
+ case 'W':
|
||||||
|
+ case 'X':
|
||||||
|
+ case 'Y':
|
||||||
|
+ case 'Z':
|
||||||
|
+
|
||||||
|
+ // From rule "ALPHA" (lowercase half)
|
||||||
|
+ case 'a':
|
||||||
|
+ case 'b':
|
||||||
|
+ case 'c':
|
||||||
|
+ case 'd':
|
||||||
|
+ case 'e':
|
||||||
|
+ case 'f':
|
||||||
|
+ case 'g':
|
||||||
|
+ case 'h':
|
||||||
|
+ case 'i':
|
||||||
|
+ case 'j':
|
||||||
|
+ case 'k':
|
||||||
|
+ case 'l':
|
||||||
|
+ case 'm':
|
||||||
|
+ case 'n':
|
||||||
|
+ case 'o':
|
||||||
|
+ case 'p':
|
||||||
|
+ case 'q':
|
||||||
|
+ case 'r':
|
||||||
|
+ case 's':
|
||||||
|
+ case 't':
|
||||||
|
+ case 'u':
|
||||||
|
+ case 'v':
|
||||||
|
+ case 'w':
|
||||||
|
+ case 'x':
|
||||||
|
+ case 'y':
|
||||||
|
+ case 'z':
|
||||||
|
+
|
||||||
|
+ // From rule "DIGIT"
|
||||||
|
+ case '0':
|
||||||
|
+ case '1':
|
||||||
|
+ case '2':
|
||||||
|
+ case '3':
|
||||||
|
+ case '4':
|
||||||
|
+ case '5':
|
||||||
|
+ case '6':
|
||||||
|
+ case '7':
|
||||||
|
+ case '8':
|
||||||
|
+ case '9':
|
||||||
|
+
|
||||||
|
+ // From rule "pct-encoded"
|
||||||
|
+ case '%':
|
||||||
|
+
|
||||||
|
+ // From rule "unreserved"
|
||||||
|
+ case '-':
|
||||||
|
+ case '.':
|
||||||
|
+ case '_':
|
||||||
|
+ case '~':
|
||||||
|
+
|
||||||
|
+ // From rule "gen-delims"
|
||||||
|
+ case ':':
|
||||||
|
+ case '/':
|
||||||
|
+ case '?':
|
||||||
|
+ case '#':
|
||||||
|
+ case '[':
|
||||||
|
+ case ']':
|
||||||
|
+ case '@':
|
||||||
|
+
|
||||||
|
+ // From rule "sub-delims"
|
||||||
|
+ case '!':
|
||||||
|
+ case '$':
|
||||||
|
+ case '&':
|
||||||
|
+ case '\'':
|
||||||
|
+ case '(':
|
||||||
|
+ case ')':
|
||||||
|
+ case '*':
|
||||||
|
+ case '+':
|
||||||
|
+ case ',':
|
||||||
|
+ case ';':
|
||||||
|
+ case '=':
|
||||||
|
+ return XML_TRUE;
|
||||||
|
+
|
||||||
|
+ default:
|
||||||
|
+ return XML_FALSE;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* addBinding() overwrites the value of prefix->binding without checking.
|
||||||
|
Therefore one must keep track of the old value outside of addBinding().
|
||||||
|
*/
|
||||||
|
@@ -3581,6 +3690,29 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
||||||
if (! mustBeXML && isXMLNS
|
if (! mustBeXML && isXMLNS
|
||||||
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
|
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
|
||||||
isXMLNS = XML_FALSE;
|
isXMLNS = XML_FALSE;
|
||||||
+
|
+
|
||||||
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
|
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986
|
||||||
+ // we have to at least make sure that the XML processor on top of
|
+ // today (and is not REQUIRED to do so with regard to the XML 1.0
|
||||||
+ // Expat (that is splitting tag names by namespace separator into
|
+ // namespaces specification) we have to at least make sure, that
|
||||||
+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
|
+ // the application on top of Expat (that is likely splitting expanded
|
||||||
+ // by an attacker putting additional namespace separator characters
|
+ // element names ("qualified names") of form
|
||||||
+ // into namespace declarations. That would be ambiguous and not to
|
+ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
|
||||||
+ // be expected.
|
+ // in its element handler code) cannot be confused by an attacker
|
||||||
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
|
+ // putting additional namespace separator characters into namespace
|
||||||
|
+ // declarations. That would be ambiguous and not to be expected.
|
||||||
|
+ //
|
||||||
|
+ // While the HTML API docs of function XML_ParserCreateNS have been
|
||||||
|
+ // advising against use of a namespace separator character that can
|
||||||
|
+ // appear in a URI for >20 years now, some widespread applications
|
||||||
|
+ // are using URI characters (':' (colon) in particular) for a
|
||||||
|
+ // namespace separator, in practice. To keep these applications
|
||||||
|
+ // functional, we only reject namespaces URIs containing the
|
||||||
|
+ // application-chosen namespace separator if the chosen separator
|
||||||
|
+ // is a non-URI character with regard to RFC 3986.
|
||||||
|
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
|
||||||
|
+ && ! is_rfc3986_uri_char(uri[len])) {
|
||||||
+ return XML_ERROR_SYNTAX;
|
+ return XML_ERROR_SYNTAX;
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
isXML = isXML && len == xmlLen;
|
isXML = isXML && len == xmlLen;
|
||||||
isXMLNS = isXMLNS && len == xmlnsLen;
|
isXMLNS = isXMLNS && len == xmlnsLen;
|
||||||
|
|
||||||
From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sebastian Pipping <sebastian@pipping.org>
|
|
||||||
Date: Sat, 12 Feb 2022 00:51:43 +0100
|
|
||||||
Subject: [PATCH 3/4] tests: Cover CVE-2022-25236
|
|
||||||
|
|
||||||
---
|
|
||||||
expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 30 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/runtests.c b/tests/runtests.c
|
diff --git a/tests/runtests.c b/tests/runtests.c
|
||||||
index d07203f2..bc5344b1 100644
|
index f03e008..40172d2 100644
|
||||||
--- a/tests/runtests.c
|
--- a/tests/runtests.c
|
||||||
+++ b/tests/runtests.c
|
+++ b/tests/runtests.c
|
||||||
@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
|
@@ -7233,6 +7233,37 @@ START_TEST(test_ns_double_colon_doctype) {
|
||||||
}
|
}
|
||||||
END_TEST
|
END_TEST
|
||||||
|
|
||||||
@ -86,16 +188,18 @@ index d07203f2..bc5344b1 100644
|
|||||||
+ struct test_case {
|
+ struct test_case {
|
||||||
+ enum XML_Status expectedStatus;
|
+ enum XML_Status expectedStatus;
|
||||||
+ const char *doc;
|
+ const char *doc;
|
||||||
|
+ XML_Char namesep;
|
||||||
+ };
|
+ };
|
||||||
+ struct test_case cases[] = {
|
+ struct test_case cases[] = {
|
||||||
+ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
|
+ {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
|
||||||
+ {XML_STATUS_ERROR, "<doc xmlns='one
two' />"},
|
+ {XML_STATUS_ERROR, "<doc xmlns='one
two' />", XCS('\n')},
|
||||||
|
+ {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
|
||||||
+ };
|
+ };
|
||||||
+
|
+
|
||||||
+ size_t i = 0;
|
+ size_t i = 0;
|
||||||
+ size_t failCount = 0;
|
+ size_t failCount = 0;
|
||||||
+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
|
+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
|
||||||
+ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
|
+ XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
|
||||||
+ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
|
+ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
|
||||||
+ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
|
+ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
|
||||||
+ /*isFinal*/ XML_TRUE)
|
+ /*isFinal*/ XML_TRUE)
|
||||||
@ -114,7 +218,7 @@ index d07203f2..bc5344b1 100644
|
|||||||
/* Control variable; the number of times duff_allocator() will successfully
|
/* Control variable; the number of times duff_allocator() will successfully
|
||||||
* allocate */
|
* allocate */
|
||||||
#define ALLOC_ALWAYS_SUCCEED (-1)
|
#define ALLOC_ALWAYS_SUCCEED (-1)
|
||||||
@@ -11905,6 +11934,7 @@ make_suite(void) {
|
@@ -11527,6 +11558,7 @@ make_suite(void) {
|
||||||
tcase_add_test(tc_namespace, test_ns_utf16_doctype);
|
tcase_add_test(tc_namespace, test_ns_utf16_doctype);
|
||||||
tcase_add_test(tc_namespace, test_ns_invalid_doctype);
|
tcase_add_test(tc_namespace, test_ns_invalid_doctype);
|
||||||
tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
|
tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
|
||||||
@ -122,4 +226,3 @@ index d07203f2..bc5344b1 100644
|
|||||||
|
|
||||||
suite_add_tcase(s, tc_misc);
|
suite_add_tcase(s, tc_misc);
|
||||||
tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
|
tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
|
||||||
|
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
Summary: An XML parser library
|
Summary: An XML parser library
|
||||||
Name: expat
|
Name: expat
|
||||||
Version: %(echo %{unversion} | sed 's/_/./g')
|
Version: %(echo %{unversion} | sed 's/_/./g')
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
||||||
URL: https://libexpat.github.io/
|
URL: https://libexpat.github.io/
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -89,6 +89,10 @@ make check
|
|||||||
%{_libdir}/lib*.a
|
%{_libdir}/lib*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-11
|
||||||
|
- Improve fix for CVE-2022-25236
|
||||||
|
- Related: CVE-2022-25236
|
||||||
|
|
||||||
* Mon Feb 28 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-10
|
* Mon Feb 28 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-10
|
||||||
- Fix multiple CVEs
|
- Fix multiple CVEs
|
||||||
- CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
|
- CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
|
||||||
|
Loading…
Reference in New Issue
Block a user