diff --git a/.gitignore b/.gitignore
index 1a35219..17057eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /xmlrpc-c-1.51.0.tar.xz
+/benchmark-tests.tar.xz
diff --git a/0007-Address-segfault-found-in-CVE-2023-52425.patch b/0007-Address-segfault-found-in-CVE-2023-52425.patch
new file mode 100644
index 0000000..52533dd
--- /dev/null
+++ b/0007-Address-segfault-found-in-CVE-2023-52425.patch
@@ -0,0 +1,106 @@
+From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 25 Apr 2024 09:26:04 -0400
+Subject: [PATCH] Address segfault found in CVE-2023-52425
+
+The CVE addresses a possible DoS when unreasonably large tokens
+are passed into the XML parser for processing. These were taking
+upwards of 8 seconds per file processed with the exception of
+aaaaaa_cdata.xml which caused a segmentation fault. The XML
+processor was effectively losing the start of the string, setting
+it to NULL. This caused a cascade of errors trying to parse both
+the next token and in handling errors if a new token was not found.
+
+This handles both those cases but not the underlying reason why
+the pointer to inputStart is lost.
+
+Trying to backport the libexpat changes to address the performance
+issue would be enormous since the xmlrpc-c custom version of libexpat
+is extremely old. Since xmlrpc-c is mostly used as a client passing
+in random values is less of an issue.
+
+Include the libexpat upstream benchmark test to validate that the
+tests pass, albeit slowly.
+
+To run the benchmarks:
+ extract the sources
+ cd xmlrpc-c-1.51.0
+ make
+ cd test
+ make
+ cd benchmark
+ for file in *.xml; do ./benchmark $file 4096 1; done
+
+One test will error out but this is expected as part of the fix.
+
+The tests will be extracted as a Source because of their
+uncompressed size (~48M)
+
+Fixes: RHEL-24226
+---
+ lib/expat/xmlparse/xmlparse.c | 3 +++
+ lib/expat/xmltok/xmltok_impl.c | 4 ++++
+ test/Makefile | 7 +++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 16ab82a..6621d18 100644
+--- a/lib/expat/xmlparse/xmlparse.c
++++ b/lib/expat/xmlparse/xmlparse.c
+@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
+ size_t const maximumLen) {
+
+ size_t const len = MIN(maximumLen, (size_t)(end - start));
++ if (start == NULL) {
++ return strdup("");
++ }
+
+ return xmlrpc_makePrintable_lp(start, len);
+ }
+diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
+index bae79b9..80da94f 100644
+--- a/lib/expat/xmltok/xmltok_impl.c
++++ b/lib/expat/xmltok/xmltok_impl.c
+@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
+ */
+ PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
+
++ if (inputStart == NULL) {
++ *nextTokPtr = NULL;
++ return XML_TOK_INVALID;
++ }
+ if (end == inputStart) {
+ *nextTokPtr = inputStart;
+ return XML_TOK_PARTIAL;
+diff --git a/test/Makefile b/test/Makefile
+index 4fce824..1242910 100644
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -7,7 +7,7 @@ SUBDIR := test
+
+ include $(BLDDIR)/config.mk
+
+-SUBDIRS = cpp
++SUBDIRS = cpp benchmark
+
+ XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
+
+@@ -98,11 +98,14 @@ runtests_local: test cgitest1
+ ./test
+
+ .PHONY: runtests
+-runtests: runtests_local cpp/runtests
++runtests: runtests_local cpp/runtests benchmark/runtests
+
+ cpp/runtests: FORCE
+ $(MAKE) -C $(dir $@) $(notdir $@)
+
++benchmark/runtests:
++ $(MAKE) -C $(dir $@) $(notdir $@)
++
+ .PHONY: install
+ install:
+
+--
+2.42.0
+
diff --git a/sources b/sources
index e6fff5a..0d40771 100644
--- a/sources
+++ b/sources
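Review bot: In the `extractXmlSample` hunk of `lib/expat/xmlparse/xmlparse.c` the new `start == NULL` guard sits after `size_t const len = MIN(maximumLen, (size_t)(end - start));`, so the pointer subtraction on a null `start` (technically undefined) still runs before the guard; placing `if (start == NULL) { return strdup(""); }` ahead of the `len` computation avoids that (if this tree is built as C89, make `len` non-const and assign it after the guard). `strdup("")` can also return NULL on allocation failure, and whether the caller tolerates that is outside this hunk. In the `contentTok` hunk, `*nextTokPtr = NULL` on the `XML_TOK_INVALID` path hands callers a null next-token pointer, which the commit message says previously cascaded into further errors; a comment such as `/* inputStart was lost on oversized input; callers must check the return code before using *nextTokPtr */` would record that contract at the site. In `test/Makefile`, `benchmark/runtests:` has no `FORCE` prerequisite unlike `cpp/runtests: FORCE`, so it only runs because no file of that name exists; `benchmark/runtests: FORCE` keeps the two targets consistent.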
@@ -1 +1,2 @@
+SHA512 (benchmark-tests.tar.xz) = 1c15947e0b9ab8d8698ae1ca716b6a87506bf4ca468d863e50d0d96d8a4127055acf1ef6f64d9a91d037bd07640827bdab31c93e567d9e65fad526f5a56e8c15
 SHA512 (xmlrpc-c-1.51.0.tar.xz) = 23b0a2fd15ee8ee48d19ed2e329d1a81d3f5ed9b9c0948da736202dddcada1c0fdd378013392ef8e1a2380a2e83ea779d4d3f4f925ca7aab82d335f5c74c211e
diff --git a/xmlrpc-c.spec b/xmlrpc-c.spec
index 9732d67..2002cd0 100644
--- a/xmlrpc-c.spec
+++ b/xmlrpc-c.spec
@@ -6,7 +6,7 @@ Name: xmlrpc-c
 Version: 1.51.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Lightweight RPC library based on XML and HTTP
 # See doc/COPYING for details.
 # The Python 1.5.2 license used by a few files is just BSD.
@@ -17,6 +17,7 @@ URL: http://xmlrpc-c.sourceforge.net/
 # upstream does not tag versions so we must fetch from the branch and
 # check which version was used for it
 %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
+%{?advanced_branch:Source1: benchmark-tests.tar.xz}
 # Upstreamable patches
 Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
@@ -27,6 +28,7 @@ Patch103: 0003-allow-30x-redirections.patch
 Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
+Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@@ -129,6 +131,7 @@ This package contains some handy XML-RPC demo applications.
 %prep
 %autosetup -Sgit
+tar xf %{SOURCE1}
 %build
 %meson %{?with_libxml2:-Dlibxml2-backend=true}
@@ -194,6 +197,9 @@ This package contains some handy XML-RPC demo applications.
 %{_bindir}/xmlrpc_dumpserver
 %changelog
+* Thu Apr 25 2024 Rob Crittenden - 1.51.0-9
+- Address segfault found in CVE-2023-52425 (RHEL-24226)
+
 * Thu Apr 14 2022 Rob Crittenden - 1.51.0-8
 - Address some Coverity issues in the patch set
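Review bot: In the `%prep` hunk, `tar xf %{SOURCE1}` runs unconditionally while `Source1` is declared only under `%{?advanced_branch:...}`, so a build with `advanced_branch` unset would reference an undefined source; the same conditional already guards Source0, so the macro may be assumed always set, but guarding the extraction the same way, `%{?advanced_branch:tar xf %{SOURCE1}}`, keeps the two in step. Source1 also carries no provenance: the commit message identifies the tarball as the libexpat upstream benchmark test, so a comment above the `Source1:` line naming that origin and the libexpat revision it was taken from would let a reviewer verify the new `sources` checksum against upstream rather than trusting the blob. Where the archive unpacks to relative to the build tree is not visible here; a short comment on the `tar xf` line stating the expected destination (the `test/benchmark` directory the patched `test/Makefile` descends into) would make the coupling between this line and Patch107 explicit.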