import xmlrpc-c-1.51.0-8.el8
This commit is contained in:
parent
e793cf6d1f
commit
8437b31578
@ -0,0 +1,92 @@
|
||||
From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 25 Feb 2022 13:07:07 -0500
|
||||
Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
|
||||
CVE-2022-22827)
|
||||
|
||||
Backport fixes from https://github.com/libexpat/libexpat/pull/539
|
||||
|
||||
Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
|
||||
---
|
||||
lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 40 insertions(+)
|
||||
|
||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
||||
index 48adfb3..16ab82a 100644
|
||||
--- a/lib/expat/xmlparse/xmlparse.c
|
||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
||||
@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
|
||||
#include <assert.h>
|
||||
#include <limits.h> /* UINT_MAX */
|
||||
#include <time.h> /* time() */
|
||||
+#include <stdint.h>
|
||||
|
||||
#include "xmlrpc_config.h"
|
||||
#include "c_util.h"
|
||||
@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
|
||||
;
|
||||
if (namespaceSeparator)
|
||||
len++;
|
||||
+ if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
|
||||
+ return XML_ERROR_SYNTAX;
|
||||
+ }
|
||||
if (freeBindingList) {
|
||||
b = freeBindingList;
|
||||
if (len > b->uriAlloc) {
|
||||
@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser const xmlParserP,
|
||||
}
|
||||
/* get the attributes from the tokenizer */
|
||||
n = XmlGetAttributes(enc, attStr, attsSize, atts);
|
||||
+
|
||||
+
|
||||
+ /* Detect and prevent integer overflow */
|
||||
+ if (n > INT_MAX - nDefaultAtts) {
|
||||
+ return XML_ERROR_NO_MEMORY;
|
||||
+ }
|
||||
+
|
||||
if (n + nDefaultAtts > attsSize) {
|
||||
int oldAttsSize = attsSize;
|
||||
ATTRIBUTE *temp;
|
||||
+ /* Detect and prevent integer overflow */
|
||||
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
|
||||
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
|
||||
+ return XML_ERROR_NO_MEMORY;
|
||||
+ }
|
||||
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
|
||||
+ attsSize = oldAttsSize;
|
||||
+ return XML_ERROR_NO_MEMORY;
|
||||
+ }
|
||||
+#endif
|
||||
temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
|
||||
if (!temp)
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser const xmlParserP,
|
||||
n = i + binding->uriLen;
|
||||
if (n > binding->uriAlloc) {
|
||||
TAG *p;
|
||||
+
|
||||
+ /* Detect and prevent integer overflow */
|
||||
+ if (n > INT_MAX - EXPAND_SPARE) {
|
||||
+ return XML_ERROR_NO_MEMORY;
|
||||
+ }
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
||||
+ return XML_ERROR_NO_MEMORY;
|
||||
+ }
|
||||
+#endif
|
||||
XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
|
||||
if (!uri)
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,32 @@
|
||||
From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 28 Feb 2022 10:43:23 -0500
|
||||
Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
|
||||
(CVE-2021-46143)
|
||||
|
||||
Backported from upstream https://github.com/libexpat/libexpat/pull/538
|
||||
|
||||
Resolves: #2058560
|
||||
---
|
||||
lib/expat/xmlparse/xmlparse.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
||||
index 16ab82a..b9aa927 100644
|
||||
--- a/lib/expat/xmlparse/xmlparse.c
|
||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
||||
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser const xmlParserP,
|
||||
case XML_ROLE_GROUP_OPEN:
|
||||
if (prologState.level >= groupSize) {
|
||||
if (groupSize) {
|
||||
+ /* Detect and prevent integer overflow */
|
||||
+ if (groupSize > (unsigned int)(-1) / 2u) {
|
||||
+ *errorCodeP = XML_ERROR_NO_MEMORY;
|
||||
+ return;
|
||||
+ }
|
||||
char *temp = realloc(groupConnector, groupSize *= 2);
|
||||
if (!temp) {
|
||||
*errorCodeP = XML_ERROR_NO_MEMORY;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Name: xmlrpc-c
|
||||
Version: 1.51.0
|
||||
Release: 6%{?dist}
|
||||
Release: 8%{?dist}
|
||||
Summary: Lightweight RPC library based on XML and HTTP
|
||||
# See doc/COPYING for details.
|
||||
# The Python 1.5.2 license used by a few files is just BSD.
|
||||
@ -25,6 +25,8 @@ Patch103: 0003-allow-30x-redirections.patch
|
||||
#Patch104: xmlrpc-c-printf-size_t.patch
|
||||
#Patch105: xmlrpc-c-check-vasprintf-return-value.patch
|
||||
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
||||
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
|
||||
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
|
||||
|
||||
# Backported patches
|
||||
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
||||
@ -192,8 +194,17 @@ This package contains some handy XML-RPC demo applications.
|
||||
%{_bindir}/xmlrpc_dumpserver
|
||||
|
||||
%changelog
|
||||
* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
|
||||
- Address some Coverity issues in the patch set
|
||||
|
||||
* Tue Apr 05 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-7
|
||||
- lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827)
|
||||
(#2058567, #2058576, #2058582, #2058589, #2058595, #2058602)
|
||||
- Prevent integer overflow on m_groupSize in doProlog
|
||||
(CVE-2021-46143) (#2058560)
|
||||
|
||||
* Thu Mar 03 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-6
|
||||
- Add missing validation of encoding (CVE-2022-25235) (#2058114)
|
||||
- Add missing validation of encoding (CVE-2022-25235) (#2070481)
|
||||
|
||||
* Thu Apr 19 2018 Adam Williamson <awilliam@redhat.com> - 1.51.0-5
|
||||
- Backport upstream fix for console spam with debug messages (#1541868)
|
||||
|
Loading…
Reference in New Issue
Block a user