7 changed files with 1781 additions and 3 deletions
--- a/SOURCES/expat-2.2.5-CVE-2022-43680.patch
+++ b/SOURCES/expat-2.2.5-CVE-2022-43680.patch
@ -87,4 +87,3 @@ index f3ebbd7..f58f794 100644
     suite_add_tcase(s, tc_nsalloc);
     tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
     tcase_add_test(tc_nsalloc, test_nsalloc_xmlns);
--- a/SOURCES/expat-2.2.5-CVE-2023-52425.patch
+++ b/SOURCES/expat-2.2.5-CVE-2023-52425.patch
--- a/SOURCES/expat-2.2.5-CVE-2024-45490.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-45490.patch
@ -0,0 +1,129 @@
 commit 3c1a64705b5662c5b78f4aa5a5acc7a59c477094
 Author: Tomas Korbar <tkorbar@redhat.com>
 Date:   Wed Sep 11 15:03:05 2024 +0200
    Fix CVE-2024-45490
    https://github.com/libexpat/libexpat/pull/890
 diff --git a/expat/doc/reference.html b/expat/doc/reference.html
 index 95c33c7..08cf9b0 100644
 --- a/expat/doc/reference.html
 +++ b/expat/doc/reference.html
@@ -1039,7 +1039,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
 that are part of the document is indicated by <code>len</code>. This means
 that <code>s</code> doesn't have to be null terminated. It also means that
 if <code>len</code> is larger than the number of bytes in the block of
 -memory that <code>s</code> points at, then a memory fault is likely. The
 +memory that <code>s</code> points at, then a memory fault is likely.
 +Negative values for <code>len</code> are rejected since Expat 2.2.1.
 +The
 <code>isFinal</code> parameter informs the parser that this is the last
 piece of the document. Frequently, the last piece is empty (i.e.
 <code>len</code> is zero.)
@@ -1054,11 +1056,17 @@ XML_ParseBuffer(XML_Parser p,
                 int isFinal);
 </pre>
 <div class="fcndef">
 +<p>
 This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
 except in this case Expat provides the buffer.  By obtaining the
 buffer from Expat with the <code><a href= "#XML_GetBuffer"
 >XML_GetBuffer</a></code> function, the application can avoid double
 copying of the input.
 +</p>
 +
 +<p>
 +Negative values for <code>len</code> are rejected since Expat 2.6.3.
 +</p>
 </div>
 <pre class="fcndec" id="XML_GetBuffer">
 diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
 index 488f63f..c3c1af9 100644
 --- a/expat/lib/xmlparse.c
 +++ b/expat/lib/xmlparse.c
@@ -1981,6 +1981,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
   if (parser == NULL)
     return XML_STATUS_ERROR;
 +
 +  if (len < 0) {
 +    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
 +    return XML_STATUS_ERROR;
 +  }
 +
   switch (parser->m_parsingStatus.parsing) {
   case XML_SUSPENDED:
     parser->m_errorCode = XML_ERROR_SUSPENDED;
 diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
 index 486073f..6a3e09a 100644
 --- a/expat/tests/runtests.c
 +++ b/expat/tests/runtests.c
@@ -4083,6 +4083,57 @@ START_TEST(test_empty_parse)
 }
 END_TEST
 +/* Test XML_Parse for len < 0 */
 +START_TEST(test_negative_len_parse) {
 +  const char *const doc = "<root/>";
 +  for (int isFinal = 0; isFinal < 2; isFinal++) {
 +    XML_Parser parser = XML_ParserCreate(NULL);
 +
 +    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
 +      fail("There was not supposed to be any initial parse error.");
 +
 +    const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
 +
 +    if (status != XML_STATUS_ERROR)
 +      fail("Negative len was expected to fail the parse but did not.");
 +
 +    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
 +      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
 +
 +    XML_ParserFree(parser);
 +  }
 +}
 +END_TEST
 +
 +/* Test XML_ParseBuffer for len < 0 */
 +START_TEST(test_negative_len_parse_buffer) {
 +  const char *const doc = "<root/>";
 +  for (int isFinal = 0; isFinal < 2; isFinal++) {
 +    XML_Parser parser = XML_ParserCreate(NULL);
 +
 +    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
 +      fail("There was not supposed to be any initial parse error.");
 +
 +    void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
 +
 +    if (buffer == NULL)
 +      fail("XML_GetBuffer failed.");
 +
 +    memcpy(buffer, doc, strlen(doc));
 +
 +    const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
 +
 +    if (status != XML_STATUS_ERROR)
 +      fail("Negative len was expected to fail the parse but did not.");
 +
 +    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
 +      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
 +
 +    XML_ParserFree(parser);
 +  }
 +}
 +END_TEST
 +
 /* Test odd corners of the XML_GetBuffer interface */
 static enum XML_Status
 get_feature(enum XML_FeatureEnum feature_id, long *presult)
@@ -13094,6 +13145,8 @@ make_suite(void)
     tcase_add_test(tc_basic, test_user_parameters);
     tcase_add_test(tc_basic, test_ext_entity_ref_parameter);
     tcase_add_test(tc_basic, test_empty_parse);
 +    tcase_add_test(tc_basic, test_negative_len_parse);
 +    tcase_add_test(tc_basic, test_negative_len_parse_buffer);
     tcase_add_test(tc_basic, test_get_buffer_1);
     tcase_add_test(tc_basic, test_get_buffer_2);
 #if defined(XML_CONTEXT_BYTES)
--- a/SOURCES/expat-2.2.5-CVE-2024-45491.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-45491.patch
@ -0,0 +1,29 @@
 commit 75bb51c072a0a505037bea18d18103473000b339
 Author: Tomas Korbar <tkorbar@redhat.com>
 Date:   Wed Sep 11 15:07:26 2024 +0200
    Fix CVE-2024-45491
    https://github.com/libexpat/libexpat/pull/891
 diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
 index c3c1af9..6818c4e 100644
 --- a/expat/lib/xmlparse.c
 +++ b/expat/lib/xmlparse.c
@@ -6843,6 +6843,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
     if (!newE)
       return 0;
     if (oldE->nDefaultAtts) {
 +      /* Detect and prevent integer overflow.
 +       * The preprocessor guard addresses the "always false" warning
 +       * from -Wtype-limits on platforms where
 +       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +      if ((size_t)oldE->nDefaultAtts
 +          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
 +        return 0;
 +      }
 +#endif
       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
       if (!newE->defaultAtts) {
--- a/SOURCES/expat-2.2.5-CVE-2024-45492.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-45492.patch
@ -0,0 +1,28 @@
 commit 6fd04be3c2f7a2730c85b0eaf061549953161da3
 Author: Tomas Korbar <tkorbar@redhat.com>
 Date:   Wed Sep 11 15:12:38 2024 +0200
    Fix CVE-2024-45492
    https://github.com/libexpat/libexpat/pull/892
 diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
 index 6818c4e..698e907 100644
 --- a/expat/lib/xmlparse.c
 +++ b/expat/lib/xmlparse.c
@@ -7426,6 +7426,15 @@ nextScaffoldPart(XML_Parser parser)
   int next;
   if (!dtd->scaffIndex) {
 +    /* Detect and prevent integer overflow.
 +     * The preprocessor guard addresses the "always false" warning
 +     * from -Wtype-limits on platforms where
 +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
 +      return -1;
 +    }
 +#endif
     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
     if (!dtd->scaffIndex)
       return -1;
--- a/SOURCES/expat-2.2.5-CVE-2024-50602.patch
+++ b/SOURCES/expat-2.2.5-CVE-2024-50602.patch
@ -0,0 +1,108 @@
 commit c84ad1507fa42c25937af06e349c8f2f9bc34c11
 Author: Tomas Korbar <tkorbar@redhat.com>
 Date:   Fri Nov 8 11:18:42 2024 +0100
    Fix CVE-2024-50602
    See https://github.com/libexpat/libexpat/pull/915
 diff --git a/expat/lib/expat.h b/expat/lib/expat.h
 index afe12c5..157953c 100644
 --- a/expat/lib/expat.h
 +++ b/expat/lib/expat.h
@@ -124,7 +124,9 @@ enum XML_Error {
   XML_ERROR_RESERVED_PREFIX_XMLNS,
   XML_ERROR_RESERVED_NAMESPACE_URI,
   /* Added in 2.2.1. */
 -  XML_ERROR_INVALID_ARGUMENT
 +  XML_ERROR_INVALID_ARGUMENT,
 +  /* Added in 2.6.4. */
 +  XML_ERROR_NOT_STARTED
 };
 enum XML_Content_Type {
 diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
 index 698e907..ed079a5 100644
 --- a/expat/lib/xmlparse.c
 +++ b/expat/lib/xmlparse.c
@@ -2170,6 +2170,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
   if (parser == NULL)
     return XML_STATUS_ERROR;
   switch (parser->m_parsingStatus.parsing) {
 +  case XML_INITIALIZED:
 +    parser->m_errorCode = XML_ERROR_NOT_STARTED;
 +    return XML_STATUS_ERROR;
   case XML_SUSPENDED:
     if (resumable) {
       parser->m_errorCode = XML_ERROR_SUSPENDED;
@@ -2180,7 +2183,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
   case XML_FINISHED:
     parser->m_errorCode = XML_ERROR_FINISHED;
     return XML_STATUS_ERROR;
 -  default:
 +  case XML_PARSING:
     if (resumable) {
 #ifdef XML_DTD
       if (parser->m_isParamEntity) {
@@ -2192,6 +2195,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable)
     }
     else
       parser->m_parsingStatus.parsing = XML_FINISHED;
 +    break;
 +  default:
 +    assert(0);
   }
   return XML_STATUS_OK;
 }
@@ -2456,6 +2462,9 @@ XML_ErrorString(enum XML_Error code)
   /* Added in 2.2.5. */
   case XML_ERROR_INVALID_ARGUMENT:  /* Constant added in 2.2.1, already */
     return XML_L("invalid argument");
 +  /* Added in 2.6.4. */
 +  case XML_ERROR_NOT_STARTED:
 +    return XML_L("parser not started");
   }
   return NULL;
 }
 diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
 index 6a3e09a..7b6d9fb 100644
 --- a/expat/tests/runtests.c
 +++ b/expat/tests/runtests.c
@@ -9162,6 +9162,28 @@ START_TEST(test_misc_utf16le)
 END_TEST
 +START_TEST(test_misc_resumeparser_not_crashing) {
 +  XML_Parser parser = XML_ParserCreate(NULL);
 +  XML_GetBuffer(parser, 1);
 +  XML_StopParser(parser, /*resumable=*/XML_TRUE);
 +  XML_ResumeParser(parser); // could crash here, previously
 +  XML_ParserFree(parser);
 +}
 +END_TEST
 +
 +START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
 +  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
 +  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
 +    const XML_Bool resumable = cases[i];
 +    XML_Parser parser = XML_ParserCreate(NULL);
 +    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
 +    assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
 +    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
 +    XML_ParserFree(parser);
 +  }
 +}
 +END_TEST
 +
 static void
 alloc_setup(void)
 {
@@ -13325,6 +13347,8 @@ make_suite(void)
     tcase_add_test(tc_misc,
                    test_misc_deny_internal_entity_closing_doctype_issue_317);
 #endif
 +    tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
 +    tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
     suite_add_tcase(s, tc_alloc);
     tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 10%{?dist}.1
+Release: 16%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@ -22,6 +22,11 @@ Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch
 Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch
 Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
 Patch13: expat-2.2.5-CVE-2022-43680.patch
 Patch14: expat-2.2.5-CVE-2023-52425.patch
 Patch15: expat-2.2.5-CVE-2024-45490.patch
 Patch16: expat-2.2.5-CVE-2024-45491.patch
 Patch17: expat-2.2.5-CVE-2024-45492.patch
 Patch18: expat-2.2.5-CVE-2024-50602.patch
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@ -63,6 +68,13 @@ Install it if you need to link statically with expat.
 %patch11 -p1 -b .CVE-2022-25313
 %patch12 -p1 -b .CVE-2022-40674
 %patch13 -p1 -b .CVE-2022-43680
 pushd ..
 %patch14 -p1 -b .CVE-2023-52425
 %patch15 -p1 -b .CVE-2024-45490
 %patch16 -p1 -b .CVE-2024-45491
 %patch17 -p1 -b .CVE-2024-45492
 %patch18 -p1 -b .CVE-2024-50602
 popd
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
@ -79,6 +91,15 @@ make install DESTDIR=$RPM_BUILD_ROOT
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %check
 bash -c "for i in {1..500000}; do printf AAAAAAAAAAAAAAAAAAAA >> achars.txt; done"
 for testfile in ../testdata/largefiles/aaaaaa_*; do
        first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
        second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
        printf "$first_part" > "$testfile"
        cat achars.txt >> "$testfile"
        printf "$second_part" >> "$testfile"
 done
 make check
 %ldconfig_scriptlets
@ -101,7 +122,31 @@ make check
 %{_libdir}/lib*.a
 %changelog
-* Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-10.1
+* Fri Nov 08 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-16
 - Fix CVE-2024-50602
 - Resolves: RHEL-65062
 * Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-15
 - Rebuild for test reconfiguration
 * Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-14
 - Fix multiple CVEs
 - Fix CVE-2024-45492 integer overflow
 - Fix CVE-2024-45491 Integer Overflow or Wraparound
 - Fix CVE-2024-45490 Negative Length Parsing Vulnerability
 - Resolves: RHEL-57505
 - Resolves: RHEL-57493
 - Resolves: RHEL-56751
 * Tue Mar 26 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-13
 - Fix wrongly exposed variables
 - Resolves: RHEL-29321
 * Thu Mar 21 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-12
 - CVE-2023-52425 expat: parsing large tokens can trigger a denial of service
 - Resolves: RHEL-29321
 * Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
 - CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
 - Resolves: CVE-2022-43680