import from CS git xmlrpc-c-1.51.0-10.el8

2024-11-05 09:08:16 +00:00 · 2024-11-05 09:08:16 +00:00 · dacaa56c1b
commit dacaa56c1b
parent 0d5eb9ed8f
3 changed files with 46 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/xmlrpc-c-1.51.0.tar.xz
 SOURCES/benchmark-tests.tar.xz
+SOURCES/xmlrpc-c-1.51.0.tar.xz
--- a/SOURCES/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch
+++ b/SOURCES/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch
@ -0,0 +1,40 @@
+From d15ba056c15db75c9153fda27a62b1a6cfb8196e Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 9 Sep 2024 14:35:28 -0400
+Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491
+
+An issue was discovered in libexpat before 2.6.3. dtdCopy in
+xmlparse.c can have an integer overflow for nDefaultAtts on
+32-bit platforms (where UINT_MAX equals SIZE_MAX).
+
+Backported from upstream https://github.com/libexpat/libexpat/pull/891
+
+Resolves: RHEL-57519
+---
+ lib/expat/xmlparse/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 359267a..40f753b 100644
+--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
+@@ -1020,6 +1020,16 @@ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd)
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((size_t)oldE->nDefaultAtts
+          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+        return 0;
+      }
+#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts)
+-- 
+2.45.0
+
--- a/SPECS/xmlrpc-c.spec
+++ b/SPECS/xmlrpc-c.spec
@ -6,7 +6,7 @@

 Name:           xmlrpc-c
 Version:        1.51.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Lightweight RPC library based on XML and HTTP
 # See doc/COPYING for details.
 # The Python 1.5.2 license used by a few files is just BSD.
@ -29,6 +29,7 @@ Patch104:       0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105:       0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106:       0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
 Patch107:       0007-Address-segfault-found-in-CVE-2023-52425.patch
+Patch108:       0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch

 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@ -197,6 +198,9 @@ tar xf %{SOURCE1}
 %{_bindir}/xmlrpc_dumpserver

 %changelog
+* Thu Sep 19 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-10
+- Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519)
+
 * Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
 - Address segfault found in CVE-2023-52425 (RHEL-24226)