Import from CS git

2024-07-03 12:09:56 +03:00 · 2024-07-03 12:09:56 +03:00 · 0d5eb9ed8f
commit 0d5eb9ed8f
parent 71007d5574
4 changed files with 113 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/xmlrpc-c-1.51.0.tar.xz
+SOURCES/benchmark-tests.tar.xz
--- a/.xmlrpc-c.metadata
+++ b/.xmlrpc-c.metadata
@ -1 +1,2 @@
+b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz
 784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
--- a/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
+++ b/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
@ -0,0 +1,106 @@
+From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 25 Apr 2024 09:26:04 -0400
+Subject: [PATCH] Address segfault found in CVE-2023-52425
+
+The CVE addresses a possible DoS when unreasonably large tokens
+are passed into the XML parser for processing. These were taking
+upwards of 8 seconds per file processed with the exception of
+aaaaaa_cdata.xml which caused a segmentation fault. The XML
+processor was effectively losing the start of the string, setting
+it to NULL. This caused a cascade of errors trying to parse both
+the next token and in handling errors if a new token was not found.
+
+This handles both those cases but not the underlying reason why
+the pointer to inputStart is lost.
+
+Trying to backport the libexpat changes to address the performance
+issue would be enormous since the xmlrpc-c custom version of libexpat
+is extremely old. Since xmlrpc-c is mostly used as a client passing
+in random values is less of an issue.
+
+Include the libexpat upstream benchmark test to validate that the
+tests pass, albeit slowly.
+
+To run the benchmarks:
+ extract the sources
+ cd xmlrpc-c-1.51.0
+ make
+ cd test
+ make
+ cd benchmark
+ for file in *.xml; do ./benchmark $file 4096 1; done
+
+One test will error out but this is expected as part of the fix.
+
+The tests will be extracted as a Source because of their
+uncompressed size (~48M)
+
+Fixes: RHEL-24226
+---
+ lib/expat/xmlparse/xmlparse.c  | 3 +++
+ lib/expat/xmltok/xmltok_impl.c | 4 ++++
+ test/Makefile                  | 7 +++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 16ab82a..6621d18 100644
+--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
+@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
+                  size_t       const maximumLen) {
+ 
+     size_t const len = MIN(maximumLen, (size_t)(end - start));
+    if (start == NULL) {
+        return strdup("");
+    }
+     
+     return xmlrpc_makePrintable_lp(start, len);
+ }
+diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
+index bae79b9..80da94f 100644
+--- a/lib/expat/xmltok/xmltok_impl.c
+++ b/lib/expat/xmltok/xmltok_impl.c
+@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
+             */
+         PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
+ 
+        if (inputStart == NULL) {
+            *nextTokPtr = NULL;
+            return XML_TOK_INVALID;
+        }
+         if (end == inputStart) {
+             *nextTokPtr = inputStart;
+             return XML_TOK_PARTIAL;
+diff --git a/test/Makefile b/test/Makefile
+index 4fce824..1242910 100644
+--- a/test/Makefile
+++ b/test/Makefile
+@@ -7,7 +7,7 @@ SUBDIR := test
+ 
+ include $(BLDDIR)/config.mk
+ 
+-SUBDIRS = cpp
+SUBDIRS = cpp benchmark
+ 
+ XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
+ 
+@@ -98,11 +98,14 @@ runtests_local: test cgitest1
+ 	./test
+ 
+ .PHONY: runtests
+-runtests: runtests_local cpp/runtests
+runtests: runtests_local cpp/runtests benchmark/runtests
+ 
+ cpp/runtests: FORCE
+ 	$(MAKE) -C $(dir $@) $(notdir $@)
+ 
+benchmark/runtests:
+	$(MAKE) -C $(dir $@) $(notdir $@)
+
+ .PHONY: install
+ install:
+ 
+-- 
+2.42.0
+
--- a/SPECS/xmlrpc-c.spec
+++ b/SPECS/xmlrpc-c.spec
@ -17,6 +17,7 @@ URL:            http://xmlrpc-c.sourceforge.net/
 # upstream does not tag versions so we must fetch from the branch and
 # check which version was used for it
 %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
+%{?advanced_branch:Source1: benchmark-tests.tar.xz}

 # Upstreamable patches
 Patch101:       0001-xmlrpc_server_abyss-use-va_args-properly.patch
@ -27,6 +28,7 @@ Patch103:       0003-allow-30x-redirections.patch
 Patch104:       0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105:       0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106:       0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
+Patch107:       0007-Address-segfault-found-in-CVE-2023-52425.patch

 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@ -129,6 +131,7 @@ This package contains some handy XML-RPC demo applications.

 %prep
 %autosetup -Sgit
+tar xf %{SOURCE1}

 %build
 %meson %{?with_libxml2:-Dlibxml2-backend=true}
@ -194,8 +197,8 @@ This package contains some handy XML-RPC demo applications.
 %{_bindir}/xmlrpc_dumpserver

 %changelog
-* Tue Feb 27 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
- expat: Fix segmentation fault with large ctags (#24226) (CVE-2023-52425)
+* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
+- Address segfault found in CVE-2023-52425 (RHEL-24226)

 * Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
 - Address some Coverity issues in the patch set