From 288e29745d447c6db594b944d7ac36a7f018ec78 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 20 Sep 2024 09:55:09 -0400 Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Backported from upstream https://github.com/libexpat/libexpat/pull/891 Resolves: RHEL-57519 --- ...overflow-or-wraparound-CVE-2024-4549.patch | 40 +++++++++++++++++++ xmlrpc-c.spec | 6 ++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch diff --git a/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch b/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch new file mode 100644 index 0000000..c0ce3e5 --- /dev/null +++ b/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch @@ -0,0 +1,40 @@ +From d15ba056c15db75c9153fda27a62b1a6cfb8196e Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 9 Sep 2024 14:35:28 -0400 +Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491 + +An issue was discovered in libexpat before 2.6.3. dtdCopy in +xmlparse.c can have an integer overflow for nDefaultAtts on +32-bit platforms (where UINT_MAX equals SIZE_MAX). + +Backported from upstream https://github.com/libexpat/libexpat/pull/891 + +Resolves: RHEL-57519 +--- + lib/expat/xmlparse/xmlparse.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c +index 359267a..40f753b 100644 +--- a/lib/expat/xmlparse/xmlparse.c ++++ b/lib/expat/xmlparse/xmlparse.c +@@ -1020,6 +1020,16 @@ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd) + if (!newE) + return 0; + if (oldE->nDefaultAtts) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((size_t)oldE->nDefaultAtts ++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { ++ return 0; ++ } ++#endif + newE->defaultAtts = (DEFAULT_ATTRIBUTE *) + malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + if (!newE->defaultAtts) +-- +2.45.0 + diff --git a/xmlrpc-c.spec b/xmlrpc-c.spec index 2002cd0..b8a37ab 100644 --- a/xmlrpc-c.spec +++ b/xmlrpc-c.spec @@ -6,7 +6,7 @@ Name: xmlrpc-c Version: 1.51.0 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Lightweight RPC library based on XML and HTTP # See doc/COPYING for details. # The Python 1.5.2 license used by a few files is just BSD. @@ -29,6 +29,7 @@ Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch +Patch108: 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch # Backported patches # https://sourceforge.net/p/xmlrpc-c/code/2981/ @@ -197,6 +198,9 @@ tar xf %{SOURCE1} %{_bindir}/xmlrpc_dumpserver %changelog +* Thu Sep 19 2024 Rob Crittenden - 1.51.0-10 +- Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519) + * Thu Apr 25 2024 Rob Crittenden - 1.51.0-9 - Address segfault found in CVE-2023-52425 (RHEL-24226)