From 9beba4b3f2d941b83c19a6e6b2e2ed2f838f502f Mon Sep 17 00:00:00 2001
From: Eike Rathke
Date: Tue, 15 Mar 2022 14:35:28 +0100
Subject: [PATCH] Update to 91.7.0 plus patches to bundled expat against CVE-2022-25235 CVE-2022-25236 CVE-2022-25315
---
 .gitignore | 2 ++
 expat-CVE-2022-25235.patch | 49 ++++++++++++++++++++++++++++++++++++++
 expat-CVE-2022-25236.patch | 40 +++++++++++++++++++++++++++++++
 expat-CVE-2022-25315.patch | 24 +++++++++++++++++++
 sources | 4 ++--
 thunderbird.spec | 19 ++++++++++++---
 6 files changed, 133 insertions(+), 5 deletions(-)
 create mode 100644 expat-CVE-2022-25235.patch
 create mode 100644 expat-CVE-2022-25236.patch
 create mode 100644 expat-CVE-2022-25315.patch
diff --git a/.gitignore b/.gitignore
index 346b672..426d778 100644
--- a/.gitignore
+++ b/.gitignore
@@ -351,3 +351,5 @@ thunderbird-langpacks-3.1.2-20100803.tar.bz2
 /thunderbird-langpacks-91.6.1-20220228.tar.xz
 /thunderbird-langpacks-91.6.2-20220307.tar.xz
 /thunderbird-91.6.2.source.tar.xz
+/thunderbird-langpacks-91.7.0-20220308.tar.xz
+/thunderbird-91.7.0.source.tar.xz
diff --git a/expat-CVE-2022-25235.patch b/expat-CVE-2022-25235.patch
new file mode 100644
index 0000000..ac495b1
--- /dev/null
+++ b/expat-CVE-2022-25235.patch
@@ -0,0 +1,49 @@
+diff -up thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok.c
+--- thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 2022-03-02 17:57:38.364361168 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmltok.c 2022-03-02 17:58:22.235512399 +0100
+@@ -65,13 +65,6 @@
+ + ((((byte)[2]) >> 5) & 1)] \
+ & (1u << (((byte)[2]) & 0x1F)))
+
+-#define UTF8_GET_NAMING(pages, p, n) \
+- ((n) == 2 \
+- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
+- : ((n) == 3 \
+- ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
+- : 0))
+-
+ /* Detection of invalid UTF-8 sequences is based on Table 3.1B
+ of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
+ with the additional restriction of not allowing the Unicode
+diff -up thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c
+--- thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 2022-03-02 17:57:38.365361172 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c 2022-03-02 18:04:51.240853247 +0100
+@@ -34,7 +34,7 @@
+ case BT_LEAD ## n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (!IS_NAME_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -62,7 +62,7 @@
+ case BT_LEAD ## n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || !
IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c
+ case BT_LEAD ## n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
++ if (IS_INVALID_CHAR(enc, ptr, n)) { \
++ *nextTokPtr = ptr; \
++ return XML_TOK_INVALID; \
++ } \
+ if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ ptr += n; \
+ tok = XML_TOK_NAME; \
diff --git a/expat-CVE-2022-25236.patch b/expat-CVE-2022-25236.patch
new file mode 100644
index 0000000..84cafd2
--- /dev/null
+++ b/expat-CVE-2022-25236.patch
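Review bot: None of the three new patch files records where the change was backported from, so the next rebase has nothing to compare against; add a short header above the first `diff -up` line, e.g. `Backport of the upstream expat fix for CVE-2022-25235 (expat 2.4.5, upstream commit <UPSTREAM-COMMIT-ID>)` — patch(1) ignores text before the first `diff` line — and do the same in expat-CVE-2022-25236.patch and expat-CVE-2022-25315.patch. The new conditions in CHECK_NAME_CASE, CHECK_NMSTRT_CASE and the prologTok LEAD_CASE only add uses of `IS_INVALID_CHAR`; as far as I recall upstream xmltok_impl.c defines that macro for INVALID_LEAD_CASE, but confirm the bundled Mozilla copy has it, since nothing in this patch defines it. The xmltok.c hunk only deletes the unused `UTF8_GET_NAMING` macro and is cleanup rather than part of the fix, so it could be dropped to keep the backport minimal. The macros being edited continue outside the quoted hunks.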
@@ -0,0 +1,40 @@
+diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
+--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100
+@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
+ {
+- XML_Char tmp[2];
+- *tmp = nsSep;
++ XML_Char tmp[2] = {nsSep, 0};
+ return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ #endif
+@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+ would be otherwise.
+ */
+ if (ns) {
+- XML_Char tmp[2];
+- *tmp = namespaceSeparator;
++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+ parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+ }
+ else {
+@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
+ if (!mustBeXML && isXMLNS
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+ }
+ isXML = isXML && len == xmlLen;
+ isXMLNS = isXMLNS && len == xmlnsLen;
diff --git a/expat-CVE-2022-25315.patch b/expat-CVE-2022-25315.patch
new file mode 100644
index 0000000..4d4efb7
--- /dev/null
+++ b/expat-CVE-2022-25315.patch
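Review bot: The guard added to addBinding, `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { return XML_ERROR_SYNTAX; }`, is the expat 2.4.5 form of the fix; as far as I recall upstream relaxed it in 2.4.6 because it rejects every xmlns value that merely contains the separator character, which breaks embedders whose separator is itself a legal URI character such as ':' or '/'. Whether that applies here depends on the separator the Mozilla expat driver passes to XML_ParserCreate_MM, which is outside this diff — if it is a character that cannot appear in a URI the 2.4.5 form is fine, but please confirm and record that decision in the patch header so a future rebase does not silently pick the other variant. The second hunk replaces the local `namespaceSeparator` with `parser->m_namespaceSeparator`; the unchanged context line `parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);` reads `parser->m_mem` from the same pointer, so at that point `parser` is still the old parser and the two spellings refer to the same value. addBinding and XML_ExternalEntityParserCreate both continue outside the quoted hunks.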
@@ -0,0 +1,24 @@
+diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
+--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 2022-03-02 18:17:50.966583254 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:19:27.636924735 +0100
+@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser)
+ while (tag) {
+ int bufSize;
+ int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
++ size_t rawNameLen;
+ char *rawNameBuf = tag->buf + nameLen;
+ /* Stop if already stored. Since tagStack is a stack, we can stop
+ at the first entry that has already been copied; everything
+@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser)
+ /* For re-use purposes we need to ensure that the
+ size of tag->buf is a multiple of sizeof(XML_Char).
+ */
+- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ /* Detect and prevent integer overflow. */
++ if (rawNameLen > (size_t)INT_MAX - nameLen)
++ return XML_FALSE;
++ bufSize = nameLen + (int)rawNameLen;
+ if (bufSize > tag->bufEnd - tag->buf) {
+ char *temp = (char *)REALLOC(tag->buf, bufSize);
+ if (temp == NULL)
diff --git a/sources b/sources
index 287d6cc..a969db0 100644
--- a/sources
+++ b/sources
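Review bot: The new overflow guard `if (rawNameLen > (size_t)INT_MAX - nameLen)` introduces `INT_MAX` into storeRawNames, but the patch adds no `#include <limits.h>`; it only compiles if the bundled xmlparse.c already includes that header, and since the Mozilla copy is an older fork of expat this should be confirmed rather than assumed — if it is missing, add the include in the same patch. The subtraction is also only meaningful while `nameLen` is non-negative; the context line `int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);` stores a size_t product into an int without a check, which this patch does not introduce but which the header comment of the patch could mention as a known limitation of the backport. storeRawNames continues outside the quoted hunks.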
@@ -1,3 +1,3 @@
 SHA512 (cbindgen-vendor.tar.xz) = 105a7d93d63920d8c232421a29f6330c171343d27807feaeadb1737374e5cf1d48916cb6e9ce04773dd81bb3c52a6f5cef12e633b0922cb9f91ca99acc9e4b78
-SHA512 (thunderbird-langpacks-91.6.2-20220307.tar.xz) = 6008e7d5e0e80b0170f18213338c5339f9ed434d791df08524bca454c111d3013f10874fe15a5e7dd270b27f7a1c55cbde151910c38c8fb83dc3fa21c9ce519d
-SHA512 (thunderbird-91.6.2.source.tar.xz) = eb1cb06390694872e37830991e16d1e0bd3259cd1fedfed86fd24901f190bc9c274fc1a85cfbba01a0c9cac0d422b62a9b1062d8ba1770fd25bf99528f6df9e0
+SHA512 (thunderbird-langpacks-91.7.0-20220308.tar.xz) = e606af74edc52edf0905b9314c30a0865c7f9d1ac19347bb7601c1574b1c569b95faeda4dc760f6bdd652f20ec081b25396312672f7371d9e106977beb72347f
+SHA512 (thunderbird-91.7.0.source.tar.xz) = 2afaee16f155edcb0bdb46ebe282a733cf041ec6f562aebd06f8b675e46917f6f500fcc532fc54d74f3f4b0b489a88934a2c6c304f849873de4bc2690b9056a0
diff --git a/thunderbird.spec b/thunderbird.spec
index 4dc7a45..5170aea 100644
--- a/thunderbird.spec
+++ b/thunderbird.spec
@@ -89,13 +89,13 @@ ExcludeArch: s390x
 Summary: Mozilla Thunderbird mail/newsgroup client
 Name: thunderbird
-Version: 91.6.2
+Version: 91.7.0
 Release: 1%{?dist}
 URL: http://www.mozilla.org/projects/thunderbird/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: https://archive.mozilla.org/pub/thunderbird/releases/%{version}%{?pre_version}/source/thunderbird-%{version}%{?pre_version}.source.tar.xz
 %if %{build_langpacks}
-Source1: thunderbird-langpacks-%{version}-20220307.tar.xz
+Source1: thunderbird-langpacks-%{version}-20220308.tar.xz
 %endif
 Source3: get-calendar-langpacks.sh
 Source4: cbindgen-vendor.tar.xz
@@ -128,6 +128,11 @@ Patch304: mozilla-1245783.patch
 Patch402: mozilla-526293.patch
 Patch406: mozilla-1170092.patch
+# Bundled expat backported patches
+Patch501: expat-CVE-2022-25235.patch
+Patch502: expat-CVE-2022-25236.patch
+Patch503: expat-CVE-2022-25315.patch
+
 %if %{official_branding}
 # Required by Mozilla Corporation
@@ -291,6 +296,10 @@ debug %{name}, you want to install %{name}-debuginfo instead.
 pushd comm
 popd
+%patch501 -p1 -b .expat-CVE-2022-25235
+%patch502 -p1 -b .expat-CVE-2022-25236
+%patch503 -p1 -b .expat-CVE-2022-25315
+
 %if %{official_branding}
 # Required by Mozilla Corporation
@@ -720,6 +729,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #===============================================================================
 %changelog
+* Tue Mar 15 2022 Eike Rathke - 91.7.0-1
+- Update to 91.7.0
+- plus patches to bundled expat against CVE-2022-25235 CVE-2022-25236 CVE-2022-25315
+
 * Mon Mar 7 2022 Jan Horak - 91.6.2-1
 - Update to 91.6.2
@@ -864,7 +877,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 * Fri Mar 13 2020 Jan Horak - 68.6.0-1
 - Update to 68.6.0 build2
-* Wed Mar 3 2020 David Auer - 68.5.0-2
+* Thu Mar 03 2020 David Auer - 68.5.0-2
 - Fix spellcheck (rhbz#1753011)
 * Thu Feb 13 2020 Jan Horak - 68.5.0-1