Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
File diff suppressed because it is too large
Load Diff
@ -1,129 +0,0 @@
|
||||
commit 3c1a64705b5662c5b78f4aa5a5acc7a59c477094
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Wed Sep 11 15:03:05 2024 +0200
|
||||
|
||||
Fix CVE-2024-45490
|
||||
|
||||
https://github.com/libexpat/libexpat/pull/890
|
||||
|
||||
diff --git a/expat/doc/reference.html b/expat/doc/reference.html
|
||||
index 95c33c7..08cf9b0 100644
|
||||
--- a/expat/doc/reference.html
|
||||
+++ b/expat/doc/reference.html
|
||||
@@ -1039,7 +1039,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
|
||||
that are part of the document is indicated by <code>len</code>. This means
|
||||
that <code>s</code> doesn't have to be null terminated. It also means that
|
||||
if <code>len</code> is larger than the number of bytes in the block of
|
||||
-memory that <code>s</code> points at, then a memory fault is likely. The
|
||||
+memory that <code>s</code> points at, then a memory fault is likely.
|
||||
+Negative values for <code>len</code> are rejected since Expat 2.2.1.
|
||||
+The
|
||||
<code>isFinal</code> parameter informs the parser that this is the last
|
||||
piece of the document. Frequently, the last piece is empty (i.e.
|
||||
<code>len</code> is zero.)
|
||||
@@ -1054,11 +1056,17 @@ XML_ParseBuffer(XML_Parser p,
|
||||
int isFinal);
|
||||
</pre>
|
||||
<div class="fcndef">
|
||||
+<p>
|
||||
This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
|
||||
except in this case Expat provides the buffer. By obtaining the
|
||||
buffer from Expat with the <code><a href= "#XML_GetBuffer"
|
||||
>XML_GetBuffer</a></code> function, the application can avoid double
|
||||
copying of the input.
|
||||
+</p>
|
||||
+
|
||||
+<p>
|
||||
+Negative values for <code>len</code> are rejected since Expat 2.6.3.
|
||||
+</p>
|
||||
</div>
|
||||
|
||||
<pre class="fcndec" id="XML_GetBuffer">
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 488f63f..c3c1af9 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -1981,6 +1981,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
|
||||
|
||||
if (parser == NULL)
|
||||
return XML_STATUS_ERROR;
|
||||
+
|
||||
+ if (len < 0) {
|
||||
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
|
||||
+ return XML_STATUS_ERROR;
|
||||
+ }
|
||||
+
|
||||
switch (parser->m_parsingStatus.parsing) {
|
||||
case XML_SUSPENDED:
|
||||
parser->m_errorCode = XML_ERROR_SUSPENDED;
|
||||
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
|
||||
index 486073f..6a3e09a 100644
|
||||
--- a/expat/tests/runtests.c
|
||||
+++ b/expat/tests/runtests.c
|
||||
@@ -4083,6 +4083,57 @@ START_TEST(test_empty_parse)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+/* Test XML_Parse for len < 0 */
|
||||
+START_TEST(test_negative_len_parse) {
|
||||
+ const char *const doc = "<root/>";
|
||||
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
|
||||
+ fail("There was not supposed to be any initial parse error.");
|
||||
+
|
||||
+ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
|
||||
+
|
||||
+ if (status != XML_STATUS_ERROR)
|
||||
+ fail("Negative len was expected to fail the parse but did not.");
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
|
||||
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
|
||||
+
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+/* Test XML_ParseBuffer for len < 0 */
|
||||
+START_TEST(test_negative_len_parse_buffer) {
|
||||
+ const char *const doc = "<root/>";
|
||||
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
|
||||
+ fail("There was not supposed to be any initial parse error.");
|
||||
+
|
||||
+ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
|
||||
+
|
||||
+ if (buffer == NULL)
|
||||
+ fail("XML_GetBuffer failed.");
|
||||
+
|
||||
+ memcpy(buffer, doc, strlen(doc));
|
||||
+
|
||||
+ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
|
||||
+
|
||||
+ if (status != XML_STATUS_ERROR)
|
||||
+ fail("Negative len was expected to fail the parse but did not.");
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
|
||||
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
|
||||
+
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
/* Test odd corners of the XML_GetBuffer interface */
|
||||
static enum XML_Status
|
||||
get_feature(enum XML_FeatureEnum feature_id, long *presult)
|
||||
@@ -13094,6 +13145,8 @@ make_suite(void)
|
||||
tcase_add_test(tc_basic, test_user_parameters);
|
||||
tcase_add_test(tc_basic, test_ext_entity_ref_parameter);
|
||||
tcase_add_test(tc_basic, test_empty_parse);
|
||||
+ tcase_add_test(tc_basic, test_negative_len_parse);
|
||||
+ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
|
||||
tcase_add_test(tc_basic, test_get_buffer_1);
|
||||
tcase_add_test(tc_basic, test_get_buffer_2);
|
||||
#if defined(XML_CONTEXT_BYTES)
|
@ -1,29 +0,0 @@
|
||||
commit 75bb51c072a0a505037bea18d18103473000b339
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Wed Sep 11 15:07:26 2024 +0200
|
||||
|
||||
Fix CVE-2024-45491
|
||||
|
||||
https://github.com/libexpat/libexpat/pull/891
|
||||
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index c3c1af9..6818c4e 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -6843,6 +6843,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
|
||||
if (!newE)
|
||||
return 0;
|
||||
if (oldE->nDefaultAtts) {
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if ((size_t)oldE->nDefaultAtts
|
||||
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
|
||||
ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
|
||||
if (!newE->defaultAtts) {
|
@ -1,28 +0,0 @@
|
||||
commit 6fd04be3c2f7a2730c85b0eaf061549953161da3
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Wed Sep 11 15:12:38 2024 +0200
|
||||
|
||||
Fix CVE-2024-45492
|
||||
|
||||
https://github.com/libexpat/libexpat/pull/892
|
||||
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 6818c4e..698e907 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -7426,6 +7426,15 @@ nextScaffoldPart(XML_Parser parser)
|
||||
int next;
|
||||
|
||||
if (!dtd->scaffIndex) {
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+#endif
|
||||
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
|
||||
if (!dtd->scaffIndex)
|
||||
return -1;
|
@ -1,108 +0,0 @@
|
||||
commit c84ad1507fa42c25937af06e349c8f2f9bc34c11
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Fri Nov 8 11:18:42 2024 +0100
|
||||
|
||||
Fix CVE-2024-50602
|
||||
|
||||
See https://github.com/libexpat/libexpat/pull/915
|
||||
|
||||
diff --git a/expat/lib/expat.h b/expat/lib/expat.h
|
||||
index afe12c5..157953c 100644
|
||||
--- a/expat/lib/expat.h
|
||||
+++ b/expat/lib/expat.h
|
||||
@@ -124,7 +124,9 @@ enum XML_Error {
|
||||
XML_ERROR_RESERVED_PREFIX_XMLNS,
|
||||
XML_ERROR_RESERVED_NAMESPACE_URI,
|
||||
/* Added in 2.2.1. */
|
||||
- XML_ERROR_INVALID_ARGUMENT
|
||||
+ XML_ERROR_INVALID_ARGUMENT,
|
||||
+ /* Added in 2.6.4. */
|
||||
+ XML_ERROR_NOT_STARTED
|
||||
};
|
||||
|
||||
enum XML_Content_Type {
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 698e907..ed079a5 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -2170,6 +2170,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
|
||||
if (parser == NULL)
|
||||
return XML_STATUS_ERROR;
|
||||
switch (parser->m_parsingStatus.parsing) {
|
||||
+ case XML_INITIALIZED:
|
||||
+ parser->m_errorCode = XML_ERROR_NOT_STARTED;
|
||||
+ return XML_STATUS_ERROR;
|
||||
case XML_SUSPENDED:
|
||||
if (resumable) {
|
||||
parser->m_errorCode = XML_ERROR_SUSPENDED;
|
||||
@@ -2180,7 +2183,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
|
||||
case XML_FINISHED:
|
||||
parser->m_errorCode = XML_ERROR_FINISHED;
|
||||
return XML_STATUS_ERROR;
|
||||
- default:
|
||||
+ case XML_PARSING:
|
||||
if (resumable) {
|
||||
#ifdef XML_DTD
|
||||
if (parser->m_isParamEntity) {
|
||||
@@ -2192,6 +2195,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
|
||||
}
|
||||
else
|
||||
parser->m_parsingStatus.parsing = XML_FINISHED;
|
||||
+ break;
|
||||
+ default:
|
||||
+ assert(0);
|
||||
}
|
||||
return XML_STATUS_OK;
|
||||
}
|
||||
@@ -2456,6 +2462,9 @@ XML_ErrorString(enum XML_Error code)
|
||||
/* Added in 2.2.5. */
|
||||
case XML_ERROR_INVALID_ARGUMENT: /* Constant added in 2.2.1, already */
|
||||
return XML_L("invalid argument");
|
||||
+ /* Added in 2.6.4. */
|
||||
+ case XML_ERROR_NOT_STARTED:
|
||||
+ return XML_L("parser not started");
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
|
||||
index 6a3e09a..7b6d9fb 100644
|
||||
--- a/expat/tests/runtests.c
|
||||
+++ b/expat/tests/runtests.c
|
||||
@@ -9162,6 +9162,28 @@ START_TEST(test_misc_utf16le)
|
||||
END_TEST
|
||||
|
||||
|
||||
+START_TEST(test_misc_resumeparser_not_crashing) {
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+ XML_GetBuffer(parser, 1);
|
||||
+ XML_StopParser(parser, /*resumable=*/XML_TRUE);
|
||||
+ XML_ResumeParser(parser); // could crash here, previously
|
||||
+ XML_ParserFree(parser);
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
|
||||
+ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
|
||||
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
|
||||
+ const XML_Bool resumable = cases[i];
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
|
||||
+ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
|
||||
+ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
static void
|
||||
alloc_setup(void)
|
||||
{
|
||||
@@ -13325,6 +13347,8 @@ make_suite(void)
|
||||
tcase_add_test(tc_misc,
|
||||
test_misc_deny_internal_entity_closing_doctype_issue_317);
|
||||
#endif
|
||||
+ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
|
||||
+ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
|
||||
|
||||
suite_add_tcase(s, tc_alloc);
|
||||
tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
|
@ -3,7 +3,7 @@
|
||||
Summary: An XML parser library
|
||||
Name: expat
|
||||
Version: %(echo %{unversion} | sed 's/_/./g')
|
||||
Release: 16%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
||||
URL: https://libexpat.github.io/
|
||||
License: MIT
|
||||
@ -22,11 +22,6 @@ Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch
|
||||
Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch
|
||||
Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
|
||||
Patch13: expat-2.2.5-CVE-2022-43680.patch
|
||||
Patch14: expat-2.2.5-CVE-2023-52425.patch
|
||||
Patch15: expat-2.2.5-CVE-2024-45490.patch
|
||||
Patch16: expat-2.2.5-CVE-2024-45491.patch
|
||||
Patch17: expat-2.2.5-CVE-2024-45492.patch
|
||||
Patch18: expat-2.2.5-CVE-2024-50602.patch
|
||||
|
||||
%description
|
||||
This is expat, the C library for parsing XML, written by James Clark. Expat
|
||||
@ -68,13 +63,6 @@ Install it if you need to link statically with expat.
|
||||
%patch11 -p1 -b .CVE-2022-25313
|
||||
%patch12 -p1 -b .CVE-2022-40674
|
||||
%patch13 -p1 -b .CVE-2022-43680
|
||||
pushd ..
|
||||
%patch14 -p1 -b .CVE-2023-52425
|
||||
%patch15 -p1 -b .CVE-2024-45490
|
||||
%patch16 -p1 -b .CVE-2024-45491
|
||||
%patch17 -p1 -b .CVE-2024-45492
|
||||
%patch18 -p1 -b .CVE-2024-50602
|
||||
popd
|
||||
|
||||
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
||||
./buildconf.sh
|
||||
@ -91,15 +79,6 @@ make install DESTDIR=$RPM_BUILD_ROOT
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
|
||||
%check
|
||||
bash -c "for i in {1..500000}; do printf AAAAAAAAAAAAAAAAAAAA >> achars.txt; done"
|
||||
for testfile in ../testdata/largefiles/aaaaaa_*; do
|
||||
first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
|
||||
second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
|
||||
printf "$first_part" > "$testfile"
|
||||
cat achars.txt >> "$testfile"
|
||||
printf "$second_part" >> "$testfile"
|
||||
done
|
||||
|
||||
make check
|
||||
|
||||
%ldconfig_scriptlets
|
||||
@ -122,30 +101,6 @@ make check
|
||||
%{_libdir}/lib*.a
|
||||
|
||||
%changelog
|
||||
* Fri Nov 08 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-16
|
||||
- Fix CVE-2024-50602
|
||||
- Resolves: RHEL-65062
|
||||
|
||||
* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-15
|
||||
- Rebuild for test reconfiguration
|
||||
|
||||
* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-14
|
||||
- Fix multiple CVEs
|
||||
- Fix CVE-2024-45492 integer overflow
|
||||
- Fix CVE-2024-45491 Integer Overflow or Wraparound
|
||||
- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
|
||||
- Resolves: RHEL-57505
|
||||
- Resolves: RHEL-57493
|
||||
- Resolves: RHEL-56751
|
||||
|
||||
* Tue Mar 26 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-13
|
||||
- Fix wrongly exposed variables
|
||||
- Resolves: RHEL-29321
|
||||
|
||||
* Thu Mar 21 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-12
|
||||
- CVE-2023-52425 expat: parsing large tokens can trigger a denial of service
|
||||
- Resolves: RHEL-29321
|
||||
|
||||
* Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
|
||||
- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
|
||||
- Resolves: CVE-2022-43680
|
||||
|
Loading…
Reference in New Issue
Block a user