diff --git a/SOURCES/0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch b/SOURCES/0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch new file mode 100644 index 0000000..a11e792 --- /dev/null +++ b/SOURCES/0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch @@ -0,0 +1,89 @@ +From 6aee99f381cc5bdfb6e514ac1e82f5e7b0fa7e2d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 25 Feb 2022 16:42:35 -0500 +Subject: [PATCH 5/6] Add missing validation of encoding (CVE-2022-25235) + +Backported from upstream https://github.com/libexpat/libexpat/pull/562 + +Resolves: #2058114 +--- + lib/expat/xmltok/xmltok.c | 21 +++++++++++++++------ + lib/expat/xmltok/xmltok_impl.c | 8 ++++++-- + 2 files changed, 21 insertions(+), 8 deletions(-) + +diff --git a/lib/expat/xmltok/xmltok.c b/lib/expat/xmltok/xmltok.c +index 7b31fbb..3b0c950 100644 +--- a/lib/expat/xmltok/xmltok.c ++++ b/lib/expat/xmltok/xmltok.c +@@ -61,12 +61,17 @@ We need 8 bits to index into pages, 3 bits to add to that index and + ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \ + : 0)) + ++#define UTF8_INVALID2(p) \ ++ ((*p) < 0xC2 || ((p)[1] & 0x80) == 0 || ((p)[1] & 0xC0) == 0xC0) ++ + #define UTF8_INVALID3(p) \ +- ((*p) == 0xED \ +- ? (((p)[1] & 0x20) != 0) \ +- : ((*p) == 0xEF \ +- ? ((p)[1] == 0xBF && ((p)[2] == 0xBF || (p)[2] == 0xBE)) \ +- : 0)) ++ (((p)[2] & 0x80) == 0 \ ++ || ((*p) == 0xEF && (p)[1] == 0xBF ? (p)[2] > 0xBD \ ++ : ((p)[2] & 0xC0) == 0xC0) \ ++ || ((*p) == 0xE0 \ ++ ? (p)[1] < 0xA0 || ((p)[1] & 0xC0) == 0xC0 \ ++ : ((p)[1] & 0x80) == 0 \ ++ || ((*p) == 0xED ? (p)[1] > 0x9F : ((p)[1] & 0xC0) == 0xC0))) + + #define UTF8_INVALID4(p) ((*p) == 0xF4 && ((p)[1] & 0x30) != 0) + +@@ -104,7 +109,11 @@ int utf8_isNmstrt3(const ENCODING *enc ATTR_UNUSED, const char *p) + + #define utf8_isNmstrt4 isNever + +-#define utf8_isInvalid2 isNever ++static ++int utf8_isInvalid2(const ENCODING *enc ATTR_UNUSED, const char *p) ++{ ++ return UTF8_INVALID2((const unsigned char *)p); ++} + + static + int utf8_isInvalid3(const ENCODING *enc ATTR_UNUSED, const char *p) +diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c +index d035527..bae79b9 100644 +--- a/lib/expat/xmltok/xmltok_impl.c ++++ b/lib/expat/xmltok/xmltok_impl.c +@@ -43,7 +43,7 @@ See the file copying.txt for copying permission. + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NAME_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NAME_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -71,7 +71,7 @@ See the file copying.txt for copying permission. + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NMSTRT_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -1168,6 +1168,10 @@ int PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ ++ if (IS_INVALID_CHAR(enc, ptr, n)) { \ ++ *nextTokPtr = ptr; \ ++ return XML_TOK_INVALID; \ ++ } \ + if (IS_NMSTRT_CHAR(enc, ptr, n)) { \ + ptr += n; \ + tok = XML_TOK_NAME; \ +-- +2.31.1 + diff --git a/SPECS/xmlrpc-c.spec b/SPECS/xmlrpc-c.spec index 59f8e56..f572796 100644 --- a/SPECS/xmlrpc-c.spec +++ b/SPECS/xmlrpc-c.spec @@ -6,7 +6,7 @@ Name: xmlrpc-c Version: 1.51.0 -Release: 5%{?dist} +Release: 5%{?dist}.1 Summary: Lightweight RPC library based on XML and HTTP # See doc/COPYING for details. # The Python 1.5.2 license used by a few files is just BSD. @@ -24,6 +24,7 @@ Patch102: 0002-Use-proper-datatypes-for-long-long.patch Patch103: 0003-allow-30x-redirections.patch #Patch104: xmlrpc-c-printf-size_t.patch #Patch105: xmlrpc-c-check-vasprintf-return-value.patch +Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch # Backported patches # https://sourceforge.net/p/xmlrpc-c/code/2981/ @@ -191,6 +192,9 @@ This package contains some handy XML-RPC demo applications. %{_bindir}/xmlrpc_dumpserver %changelog +* Thu Mar 03 2022 Rob Crittenden - 1.51.0-5.1 +- Add missing validation of encoding (CVE-2022-25235) (#2058114) + * Thu Apr 19 2018 Adam Williamson - 1.51.0-5 - Backport upstream fix for console spam with debug messages (#1541868)