From 0d5eb9ed8febb0d4006234cf103779fa40dcd405 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 3 Jul 2024 12:09:56 +0300
Subject: [PATCH] Import from CS git
---
 .gitignore | 1 +
 .xmlrpc-c.metadata | 1 +
 ...ess-segfault-found-in-CVE-2023-52425.patch | 106 ++++++++++++++++++
 SPECS/xmlrpc-c.spec | 7 +-
 4 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
diff --git a/.gitignore b/.gitignore
index 023d1eb..a113a44 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/xmlrpc-c-1.51.0.tar.xz
+SOURCES/benchmark-tests.tar.xz
diff --git a/.xmlrpc-c.metadata b/.xmlrpc-c.metadata
index 40e82bc..537d5df 100644
--- a/.xmlrpc-c.metadata
+++ b/.xmlrpc-c.metadata
@@ -1 +1,2 @@
+b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz
 784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
diff --git a/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch b/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
new file mode 100644
index 0000000..52533dd
--- /dev/null
+++ b/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
@@ -0,0 +1,106 @@
+From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 25 Apr 2024 09:26:04 -0400
+Subject: [PATCH] Address segfault found in CVE-2023-52425
+
+The CVE addresses a possible DoS when unreasonably large tokens
+are passed into the XML parser for processing. These were taking
+upwards of 8 seconds per file processed with the exception of
+aaaaaa_cdata.xml which caused a segmentation fault. The XML
+processor was effectively losing the start of the string, setting
+it to NULL. This caused a cascade of errors trying to parse both
+the next token and in handling errors if a new token was not found.
+
+This handles both those cases but not the underlying reason why
+the pointer to inputStart is lost.
+
+Trying to backport the libexpat changes to address the performance
+issue would be enormous since the xmlrpc-c custom version of libexpat
+is extremely old. Since xmlrpc-c is mostly used as a client passing
+in random values is less of an issue.
+
+Include the libexpat upstream benchmark test to validate that the
+tests pass, albeit slowly.
+
+To run the benchmarks:
+ extract the sources
+ cd xmlrpc-c-1.51.0
+ make
+ cd test
+ make
+ cd benchmark
+ for file in *.xml; do ./benchmark $file 4096 1; done
+
+One test will error out but this is expected as part of the fix.
+
+The tests will be extracted as a Source because of their
+uncompressed size (~48M)
+
+Fixes: RHEL-24226
+---
+ lib/expat/xmlparse/xmlparse.c | 3 +++
+ lib/expat/xmltok/xmltok_impl.c | 4 ++++
+ test/Makefile | 7 +++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 16ab82a..6621d18 100644
+--- a/lib/expat/xmlparse/xmlparse.c
++++ b/lib/expat/xmlparse/xmlparse.c
+@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
+ size_t const maximumLen) {
+
+ size_t const len = MIN(maximumLen, (size_t)(end - start));
++ if (start == NULL) {
++ return strdup("");
++ }
+
+ return xmlrpc_makePrintable_lp(start, len);
+ }
+diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
+index bae79b9..80da94f 100644
+--- a/lib/expat/xmltok/xmltok_impl.c
++++ b/lib/expat/xmltok/xmltok_impl.c
+@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
+ */
+ PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
+
++ if (inputStart == NULL) {
++ *nextTokPtr = NULL;
++ return XML_TOK_INVALID;
++ }
+ if (end == inputStart) {
+ *nextTokPtr = inputStart;
+ return XML_TOK_PARTIAL;
+diff --git a/test/Makefile b/test/Makefile
+index 4fce824..1242910 100644
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -7,7 +7,7 @@ SUBDIR := test
+
+ include $(BLDDIR)/config.mk
+
+-SUBDIRS = cpp
++SUBDIRS = cpp benchmark
+
+ XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
+
+@@ -98,11 +98,14 @@ runtests_local: test cgitest1
+ ./test
+
+ .PHONY: runtests
+-runtests: runtests_local cpp/runtests
++runtests: runtests_local cpp/runtests benchmark/runtests
+
+ cpp/runtests: FORCE
+ $(MAKE) -C $(dir $@) $(notdir $@)
+
++benchmark/runtests:
++ $(MAKE) -C $(dir $@) $(notdir $@)
++
+ .PHONY: install
+ install:
+
+--
+2.42.0
+
diff --git a/SPECS/xmlrpc-c.spec b/SPECS/xmlrpc-c.spec
index 16b156a..2002cd0 100644
--- a/SPECS/xmlrpc-c.spec
+++ b/SPECS/xmlrpc-c.spec
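Review bot: In the xmlparse.c hunk the new `start == NULL` guard is placed after `size_t const len = MIN(maximumLen, (size_t)(end - start));`, so `end - start` is still evaluated with a null `start` before the guard fires, and pointer subtraction involving a null pointer is undefined behaviour; the xmltok_impl.c hunk has the same ordering problem, calling `PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end)` with a null `inputStart` before the new `inputStart == NULL` check. Each guard should move above the first use of the pointer: in extractXmlSample put `if (start == NULL) { return strdup(""); }` before the `len` line, and in contentTok put the new four-line block before the chopToWholeCharacters call. `strdup("")` can also return NULL on allocation failure, and whether callers of extractXmlSample tolerate (and free) a NULL result is not visible here, so that is worth confirming. extractXmlSample's parameter list, including the `end` it reads, begins outside the hunk, and contentTok's body continues past it.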
@@ -17,6 +17,7 @@ URL: http://xmlrpc-c.sourceforge.net/
 # upstream does not tag versions so we must fetch from the branch and
 # check which version was used for it
 %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
+%{?advanced_branch:Source1: benchmark-tests.tar.xz}
 # Upstreamable patches
 Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
@@ -27,6 +28,7 @@ Patch103: 0003-allow-30x-redirections.patch
 Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
+Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@@ -129,6 +131,7 @@ This package contains some handy XML-RPC demo applications.
 %prep
 %autosetup -Sgit
+tar xf %{SOURCE1}
 %build
 %meson %{?with_libxml2:-Dlibxml2-backend=true}
@@ -194,8 +197,8 @@ This package contains some handy XML-RPC demo applications.
 %{_bindir}/xmlrpc_dumpserver
 %changelog
-* Tue Feb 27 2024 Rob Crittenden - 1.51.0-9
-- expat: Fix segmentation fault with large ctags (#24226) (CVE-2023-52425)
+* Thu Apr 25 2024 Rob Crittenden - 1.51.0-9
+- Address segfault found in CVE-2023-52425 (RHEL-24226)
 * Thu Apr 14 2022 Rob Crittenden - 1.51.0-8
 - Address some Coverity issues in the patch set
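Review bot: `tar xf %{SOURCE1}` in the %prep hunk is unconditional, while the Source1 it depends on is declared only under the `advanced_branch` macro (`%{?advanced_branch:Source1: benchmark-tests.tar.xz}`); unless Source1 is also declared somewhere outside the hunk, a build without that macro fails at %prep on an undefined `%{SOURCE1}`, so the extraction should be guarded the same way, `%{?advanced_branch:tar xf %{SOURCE1}}`. The archive is unpacked into the source tree with no `-C` and no check on what it contains, and nothing in the spec says which layout the 0007 patch's Makefile change expects; a comment such as `# benchmark-tests.tar.xz must provide test/benchmark, referenced by Patch107` would make that dependency explicit. The new changelog line presents CVE-2023-52425 as addressed, whereas the nested patch states only the segfault is handled and the slow-token DoS remains; `- Address segfault found in CVE-2023-52425 (RHEL-24226); large-token slowdown not fixed` would describe the shipped state more accurately.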