Prevent integer overflow or wraparound CVE-2024-45491
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Backported from upstream https://github.com/libexpat/libexpat/pull/891 Resolves: RHEL-57519
This commit is contained in:
parent
0e89150eee
commit
288e29745d
@ -0,0 +1,40 @@
|
||||
From d15ba056c15db75c9153fda27a62b1a6cfb8196e Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 9 Sep 2024 14:35:28 -0400
|
||||
Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491
|
||||
|
||||
An issue was discovered in libexpat before 2.6.3. dtdCopy in
|
||||
xmlparse.c can have an integer overflow for nDefaultAtts on
|
||||
32-bit platforms (where UINT_MAX equals SIZE_MAX).
|
||||
|
||||
Backported from upstream https://github.com/libexpat/libexpat/pull/891
|
||||
|
||||
Resolves: RHEL-57519
|
||||
---
|
||||
lib/expat/xmlparse/xmlparse.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
||||
index 359267a..40f753b 100644
|
||||
--- a/lib/expat/xmlparse/xmlparse.c
|
||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
||||
@@ -1020,6 +1020,16 @@ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd)
|
||||
if (!newE)
|
||||
return 0;
|
||||
if (oldE->nDefaultAtts) {
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if ((size_t)oldE->nDefaultAtts
|
||||
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
|
||||
malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
|
||||
if (!newE->defaultAtts)
|
||||
--
|
||||
2.45.0
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Name: xmlrpc-c
|
||||
Version: 1.51.0
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Summary: Lightweight RPC library based on XML and HTTP
|
||||
# See doc/COPYING for details.
|
||||
# The Python 1.5.2 license used by a few files is just BSD.
|
||||
@ -29,6 +29,7 @@ Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
||||
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
|
||||
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
|
||||
Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
|
||||
Patch108: 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch
|
||||
|
||||
# Backported patches
|
||||
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
||||
@ -197,6 +198,9 @@ tar xf %{SOURCE1}
|
||||
%{_bindir}/xmlrpc_dumpserver
|
||||
|
||||
%changelog
|
||||
* Thu Sep 19 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-10
|
||||
- Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519)
|
||||
|
||||
* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
|
||||
- Address segfault found in CVE-2023-52425 (RHEL-24226)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user