import xmlrpc-c-1.51.0-8.el8

2022-09-27 16:05:40 -04:00 · 2022-09-27 16:05:40 -04:00 · 8fcdbd8c0a
commit 8fcdbd8c0a
parent a50dcd6587
4 changed files with 229 additions and 1 deletions
--- a/SOURCES/0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
+++ b/SOURCES/0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
@ -0,0 +1,89 @@
 From 6aee99f381cc5bdfb6e514ac1e82f5e7b0fa7e2d Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Fri, 25 Feb 2022 16:42:35 -0500
 Subject: [PATCH 5/6] Add missing validation of encoding (CVE-2022-25235)
 Backported from upstream https://github.com/libexpat/libexpat/pull/562
 Resolves: #2058114
 ---
 lib/expat/xmltok/xmltok.c      | 21 +++++++++++++++------
 lib/expat/xmltok/xmltok_impl.c |  8 ++++++--
 2 files changed, 21 insertions(+), 8 deletions(-)
 diff --git a/lib/expat/xmltok/xmltok.c b/lib/expat/xmltok/xmltok.c
 index 7b31fbb..3b0c950 100644
 --- a/lib/expat/xmltok/xmltok.c
 +++ b/lib/expat/xmltok/xmltok.c
@@ -61,12 +61,17 @@ We need 8 bits to index into pages, 3 bits to add to that index and
      ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
      : 0))
 +#define UTF8_INVALID2(p) \
 +  ((*p) < 0xC2 || ((p)[1] & 0x80) == 0 || ((p)[1] & 0xC0) == 0xC0)
 +
 #define UTF8_INVALID3(p) \
 -  ((*p) == 0xED \
 -  ? (((p)[1] & 0x20) != 0) \
 -  : ((*p) == 0xEF \
 -     ? ((p)[1] == 0xBF && ((p)[2] == 0xBF || (p)[2] == 0xBE)) \
 -     : 0))
 +  (((p)[2] & 0x80) == 0 \
 +   || ((*p) == 0xEF && (p)[1] == 0xBF ? (p)[2] > 0xBD \
 +                                      : ((p)[2] & 0xC0) == 0xC0) \
 +   || ((*p) == 0xE0 \
 +           ? (p)[1] < 0xA0 || ((p)[1] & 0xC0) == 0xC0 \
 +           : ((p)[1] & 0x80) == 0 \
 +                 || ((*p) == 0xED ? (p)[1] > 0x9F : ((p)[1] & 0xC0) == 0xC0)))
 #define UTF8_INVALID4(p) ((*p) == 0xF4 && ((p)[1] & 0x30) != 0)
@@ -104,7 +109,11 @@ int utf8_isNmstrt3(const ENCODING *enc ATTR_UNUSED, const char *p)
 #define utf8_isNmstrt4 isNever
 -#define utf8_isInvalid2 isNever
 +static
 +int utf8_isInvalid2(const ENCODING *enc ATTR_UNUSED, const char *p)
 +{ 
 +  return UTF8_INVALID2((const unsigned char *)p);
 +}
 static
 int utf8_isInvalid3(const ENCODING *enc ATTR_UNUSED, const char *p)
 diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
 index d035527..bae79b9 100644
 --- a/lib/expat/xmltok/xmltok_impl.c
 +++ b/lib/expat/xmltok/xmltok_impl.c
@@ -43,7 +43,7 @@ See the file copying.txt for copying permission.
    case BT_LEAD ## n: \
      if (end - ptr < n) \
        return XML_TOK_PARTIAL_CHAR; \
 -     if (!IS_NAME_CHAR(enc, ptr, n)) { \
 +     if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NAME_CHAR(enc, ptr, n)) { \
        *nextTokPtr = ptr; \
        return XML_TOK_INVALID; \
      } \
@@ -71,7 +71,7 @@ See the file copying.txt for copying permission.
    case BT_LEAD ## n: \
      if (end - ptr < n) \
        return XML_TOK_PARTIAL_CHAR; \
 -     if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
 +     if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NMSTRT_CHAR(enc, ptr, n)) { \
        *nextTokPtr = ptr; \
        return XML_TOK_INVALID; \
      } \
@@ -1168,6 +1168,10 @@ int PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
   case BT_LEAD ## n: \
     if (end - ptr < n) \
       return XML_TOK_PARTIAL_CHAR; \
 +    if (IS_INVALID_CHAR(enc, ptr, n)) { \
 +      *nextTokPtr = ptr; \
 +      return XML_TOK_INVALID; \
 +    } \
     if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
       ptr += n; \
       tok = XML_TOK_NAME; \
 -- 
 2.31.1
--- a/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
+++ b/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
@ -0,0 +1,92 @@
 From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Fri, 25 Feb 2022 13:07:07 -0500
 Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
 CVE-2022-22827)
 Backport fixes from https://github.com/libexpat/libexpat/pull/539
 Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
 ---
 lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
 index 48adfb3..16ab82a 100644
 --- a/lib/expat/xmlparse/xmlparse.c
 +++ b/lib/expat/xmlparse/xmlparse.c
@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
 #include <assert.h>
 #include <limits.h>                     /* UINT_MAX */
 #include <time.h>                       /* time() */
 +#include <stdint.h>
 #include "xmlrpc_config.h"
 #include "c_util.h"
@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
     ;
   if (namespaceSeparator)
     len++;
 +  if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
 +    return XML_ERROR_SYNTAX;
 +  }
   if (freeBindingList) {
     b = freeBindingList;
     if (len > b->uriAlloc) {
@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser       const xmlParserP,
   }
   /* get the attributes from the tokenizer */
   n = XmlGetAttributes(enc, attStr, attsSize, atts);
 +
 +
 +  /* Detect and prevent integer overflow */
 +  if (n > INT_MAX - nDefaultAtts) {
 +    return XML_ERROR_NO_MEMORY;
 +  }
 +
   if (n + nDefaultAtts > attsSize) {
     int oldAttsSize = attsSize;
     ATTRIBUTE *temp;
 +    /* Detect and prevent integer overflow */
 +    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
 +        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
 +      return XML_ERROR_NO_MEMORY;
 +    }
     attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
 +    /* Detect and prevent integer overflow.
 +     * The preprocessor guard addresses the "always false" warning
 +     * from -Wtype-limits on platforms where
 +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
 +      attsSize = oldAttsSize;
 +      return XML_ERROR_NO_MEMORY;
 +    }
 +#endif
     temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
     if (!temp)
       return XML_ERROR_NO_MEMORY;
@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser       const xmlParserP,
   n = i + binding->uriLen;
   if (n > binding->uriAlloc) {
     TAG *p;
 +
 +    /* Detect and prevent integer overflow */
 +    if (n > INT_MAX - EXPAND_SPARE) {
 +      return XML_ERROR_NO_MEMORY;
 +    }
 +    /* Detect and prevent integer overflow.
 +     * The preprocessor guard addresses the "always false" warning
 +     * from -Wtype-limits on platforms where
 +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
 +      return XML_ERROR_NO_MEMORY;
 +    }
 +#endif
     XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
     if (!uri)
       return XML_ERROR_NO_MEMORY;
 -- 
 2.31.1
--- a/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
+++ b/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
@ -0,0 +1,32 @@
 From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Mon, 28 Feb 2022 10:43:23 -0500
 Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
 (CVE-2021-46143)
 Backported from upstream https://github.com/libexpat/libexpat/pull/538
 Resolves: #2058560
 ---
 lib/expat/xmlparse/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
 index 16ab82a..b9aa927 100644
 --- a/lib/expat/xmlparse/xmlparse.c
 +++ b/lib/expat/xmlparse/xmlparse.c
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser       const xmlParserP,
     case XML_ROLE_GROUP_OPEN:
       if (prologState.level >= groupSize) {
         if (groupSize) {
 +          /* Detect and prevent integer overflow */
 +          if (groupSize > (unsigned int)(-1) / 2u) {
 +            *errorCodeP = XML_ERROR_NO_MEMORY;
 +            return;
 +          }
           char *temp = realloc(groupConnector, groupSize *= 2);
           if (!temp) {
             *errorCodeP = XML_ERROR_NO_MEMORY;
 -- 
 2.31.1
--- a/SPECS/xmlrpc-c.spec
+++ b/SPECS/xmlrpc-c.spec
@ -6,7 +6,7 @@
 Name:           xmlrpc-c
 Version:        1.51.0
-Release:        5%{?dist}
+Release:        8%{?dist}
 Summary:        Lightweight RPC library based on XML and HTTP
 # See doc/COPYING for details.
 # The Python 1.5.2 license used by a few files is just BSD.
@ -24,6 +24,9 @@ Patch102:       0002-Use-proper-datatypes-for-long-long.patch
 Patch103:       0003-allow-30x-redirections.patch
 #Patch104:       xmlrpc-c-printf-size_t.patch
 #Patch105:       xmlrpc-c-check-vasprintf-return-value.patch
 Patch104:       0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105:       0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106:       0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@ -191,6 +194,18 @@ This package contains some handy XML-RPC demo applications.
 %{_bindir}/xmlrpc_dumpserver
 %changelog
 * Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
 - Address some Coverity issues in the patch set
 * Tue Apr 05 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-7
 - lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827)
  (#2058567, #2058576, #2058582, #2058589, #2058595, #2058602)
 - Prevent integer overflow on m_groupSize in doProlog
  (CVE-2021-46143) (#2058560)
 * Thu Mar 03 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-6
 - Add missing validation of encoding (CVE-2022-25235) (#2070481)
 * Thu Apr 19 2018 Adam Williamson <awilliam@redhat.com> - 1.51.0-5
 - Backport upstream fix for console spam with debug messages (#1541868)