expat: Address segmentation fault in CVE-2023-52425
CVE-2023-52425 is a DoS where extremely large tags can cause significant processing delays. It isn't reasonably possible to backport the fix but while testing the impact it was determined that a large ctags could cause a segmentation fault. That is what is addressed. Resolves: RHEL-24226
This commit is contained in:
parent
32dbac7946
commit
0e89150eee
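--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /xmlrpc-c-1.51.0.tar.xz
+/benchmark-tests.tar.xz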
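--- a/0007-Address-segfault-found-in-CVE-2023-52425.patch
+++ b/0007-Address-segfault-found-in-CVE-2023-52425.patch
@@ -0,0 +1,106 @@
+From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 25 Apr 2024 09:26:04 -0400
+Subject: [PATCH] Address segfault found in CVE-2023-52425
+
+The CVE addresses a possible DoS when unreasonably large tokens
+are passed into the XML parser for processing. These were taking
+upwards of 8 seconds per file processed with the exception of
+aaaaaa_cdata.xml which caused a segmentation fault. The XML
+processor was effectively losing the start of the string, setting
+it to NULL. This caused a cascade of errors trying to parse both
+the next token and in handling errors if a new token was not found.
+
+This handles both those cases but not the underlying reason why
+the pointer to inputStart is lost.
+
+Trying to backport the libexpat changes to address the performance
+issue would be enormous since the xmlrpc-c custom version of libexpat
+is extremely old. Since xmlrpc-c is mostly used as a client passing
+in random values is less of an issue.
+
+Include the libexpat upstream benchmark test to validate that the
+tests pass, albeit slowly.
+
+To run the benchmarks:
+extract the sources
+cd xmlrpc-c-1.51.0
+make
+cd test
+make
+cd benchmark
+for file in *.xml; do ./benchmark $file 4096 1; done
+
+One test will error out but this is expected as part of the fix.
+
+The tests will be extracted as a Source because of their
+uncompressed size (~48M)
+
+Fixes: RHEL-24226
+---
+lib/expat/xmlparse/xmlparse.c | 3 +++
+lib/expat/xmltok/xmltok_impl.c | 4 ++++
+test/Makefile | 7 +++++--
+3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 16ab82a..6621d18 100644
+--- a/lib/expat/xmlparse/xmlparse.c
++++ b/lib/expat/xmlparse/xmlparse.c
+@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
+size_t const maximumLen) {
+
+size_t const len = MIN(maximumLen, (size_t)(end - start));
++ if (start == NULL) {
++ return strdup("");
++ }
+
+return xmlrpc_makePrintable_lp(start, len);
+}
+diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
+index bae79b9..80da94f 100644
+--- a/lib/expat/xmltok/xmltok_impl.c
++++ b/lib/expat/xmltok/xmltok_impl.c
+@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
+*/
+PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
+
++ if (inputStart == NULL) {
++ *nextTokPtr = NULL;
++ return XML_TOK_INVALID;
++ }
+if (end == inputStart) {
+*nextTokPtr = inputStart;
+return XML_TOK_PARTIAL;
+diff --git a/test/Makefile b/test/Makefile
+index 4fce824..1242910 100644
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -7,7 +7,7 @@ SUBDIR := test
+
+include $(BLDDIR)/config.mk
+
+-SUBDIRS = cpp
++SUBDIRS = cpp benchmark
+
+XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
+
+@@ -98,11 +98,14 @@ runtests_local: test cgitest1
+./test
+
+.PHONY: runtests
+-runtests: runtests_local cpp/runtests
++runtests: runtests_local cpp/runtests benchmark/runtests
+
+cpp/runtests: FORCE
+$(MAKE) -C $(dir $@) $(notdir $@)
+
++benchmark/runtests:
++ $(MAKE) -C $(dir $@) $(notdir $@)
++
+.PHONY: install
+install:
+
+--
+2.42.0
+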
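Review bot: In the xmlparse.c hunk the `start == NULL` guard is placed after `size_t const len = MIN(maximumLen, (size_t)(end - start));`, so `end - start` is still evaluated with a null operand before the guard runs; pointer subtraction involving a null pointer is undefined behaviour in C, and as written the guard only protects the `xmlrpc_makePrintable_lp` call. Move the three added lines above the `len` initialization so the function returns before touching `start`: `if (start == NULL) { return strdup(""); }` followed by the existing `size_t const len = MIN(maximumLen, (size_t)(end - start));`. `extractXmlSample` begins outside the hunk, so where `end` comes from is not visible here; if it can be lost the same way `inputStart` is, the guard should cover it too. The xmltok_impl.c hunk writes `*nextTokPtr = NULL` before returning `XML_TOK_INVALID`, which is safe only if every caller that reads `*nextTokPtr` on an invalid token tolerates NULL — the commit message itself says the root cause of `inputStart` being lost is not fixed, so a short comment on the new branch, e.g. `/* inputStart can be lost on oversized tokens (CVE-2023-52425); reject the token rather than dereference NULL */`, would tell the next reader this is a defensive stop-gap, not the fix.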
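--- a/sources
+++ b/sources
@@ -1 +1,2 @@
+SHA512 (benchmark-tests.tar.xz) = 1c15947e0b9ab8d8698ae1ca716b6a87506bf4ca468d863e50d0d96d8a4127055acf1ef6f64d9a91d037bd07640827bdab31c93e567d9e65fad526f5a56e8c15
 SHA512 (xmlrpc-c-1.51.0.tar.xz) = 23b0a2fd15ee8ee48d19ed2e329d1a81d3f5ed9b9c0948da736202dddcada1c0fdd378013392ef8e1a2380a2e83ea779d4d3f4f925ca7aab82d335f5c74c211e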
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: xmlrpc-c
|
Name: xmlrpc-c
|
||||||
Version: 1.51.0
|
Version: 1.51.0
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
Summary: Lightweight RPC library based on XML and HTTP
|
Summary: Lightweight RPC library based on XML and HTTP
|
||||||
# See doc/COPYING for details.
|
# See doc/COPYING for details.
|
||||||
# The Python 1.5.2 license used by a few files is just BSD.
|
# The Python 1.5.2 license used by a few files is just BSD.
|
||||||
@ -17,6 +17,7 @@ URL: http://xmlrpc-c.sourceforge.net/
|
|||||||
# upstream does not tag versions so we must fetch from the branch and
|
# upstream does not tag versions so we must fetch from the branch and
|
||||||
# check which version was used for it
|
# check which version was used for it
|
||||||
%{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
|
%{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
|
||||||
|
%{?advanced_branch:Source1: benchmark-tests.tar.xz}
|
||||||
|
|
||||||
# Upstreamable patches
|
# Upstreamable patches
|
||||||
Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
|
Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
|
||||||
@ -27,6 +28,7 @@ Patch103: 0003-allow-30x-redirections.patch
|
|||||||
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
||||||
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
|
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
|
||||||
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
|
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
|
||||||
|
Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
|
||||||
|
|
||||||
# Backported patches
|
# Backported patches
|
||||||
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
||||||
@ -129,6 +131,7 @@ This package contains some handy XML-RPC demo applications.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -Sgit
|
%autosetup -Sgit
|
||||||
|
tar xf %{SOURCE1}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%meson %{?with_libxml2:-Dlibxml2-backend=true}
|
%meson %{?with_libxml2:-Dlibxml2-backend=true}
|
||||||
@ -194,6 +197,9 @@ This package contains some handy XML-RPC demo applications.
|
|||||||
%{_bindir}/xmlrpc_dumpserver
|
%{_bindir}/xmlrpc_dumpserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
|
||||||
|
- Address segfault found in CVE-2023-52425 (RHEL-24226)
|
||||||
|
|
||||||
* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
|
* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
|
||||||
- Address some Coverity issues in the patch set
|
- Address some Coverity issues in the patch set
|
||||||
|
|
||||||
|