Compare commits


No commits in common. "c8-beta" and "c8" have entirely different histories.
c8-beta ... c8

5 changed files with 160 additions and 2 deletions

.gitignore

@ -1 +1,2 @@
SOURCES/benchmark-tests.tar.xz
SOURCES/xmlrpc-c-1.51.0.tar.xz SOURCES/xmlrpc-c-1.51.0.tar.xz


@ -1 +1,2 @@
b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz
784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz 784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
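Review bot: the new lookaside entry for SOURCES/benchmark-tests.tar.xz records only a SHA-1, and nothing in this compare says which libexpat tree or commit the benchmark files were taken from or how the tarball was assembled, so the archive cannot be reproduced or re-audited later. Record the upstream libexpat commit id and the packaging steps in the 0007 commit message or in a README inside the tarball.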

0007-Address-segfault-found-in-CVE-2023-52425.patch

@ -0,0 +1,106 @@
From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 25 Apr 2024 09:26:04 -0400
Subject: [PATCH] Address segfault found in CVE-2023-52425

The CVE addresses a possible DoS when unreasonably large tokens
are passed into the XML parser for processing. These were taking
upwards of 8 seconds per file processed, with the exception of
aaaaaa_cdata.xml, which caused a segmentation fault. The XML
processor was effectively losing the start of the string, setting
it to NULL. This caused a cascade of errors trying to parse both
the next token and in handling errors if a new token was not found.
This handles both those cases but not the underlying reason why
the pointer to inputStart is lost.

Trying to backport the libexpat changes to address the performance
issue would be enormous since the xmlrpc-c custom version of libexpat
is extremely old. Since xmlrpc-c is mostly used as a client, passing
in random values is less of an issue.

Include the libexpat upstream benchmark test to validate that the
tests pass, albeit slowly.

To run the benchmarks:

    extract the sources
    cd xmlrpc-c-1.51.0
    make
    cd test
    make
    cd benchmark
    for file in *.xml; do ./benchmark $file 4096 1; done

One test will error out but this is expected as part of the fix.

The tests will be extracted as a Source because of their
uncompressed size (~48M).

Fixes: RHEL-24226
---
lib/expat/xmlparse/xmlparse.c | 3 +++
lib/expat/xmltok/xmltok_impl.c | 4 ++++
test/Makefile | 7 +++++--
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 16ab82a..6621d18 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
size_t const maximumLen) {
size_t const len = MIN(maximumLen, (size_t)(end - start));
+ if (start == NULL) {
+ return strdup("");
+ }
return xmlrpc_makePrintable_lp(start, len);
}
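Review bot: the `start == NULL` check is placed after `size_t const len = MIN(maximumLen, (size_t)(end - start));`, so `end - start` is still evaluated with a null `start`; pointer subtraction involving a null pointer is undefined behaviour in C, and the cast to size_t only hides it. Hoist the check above the `len` declaration so `if (start == NULL) { return strdup(""); }` is the first statement of extractXmlSample. Since the commit message says the root cause of inputStart becoming NULL is not addressed, this guard and the contentTok guard are the only defences, and the empty sample returned here also drops the context a user would need to locate the offending token in the error message.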
diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
index bae79b9..80da94f 100644
--- a/lib/expat/xmltok/xmltok_impl.c
+++ b/lib/expat/xmltok/xmltok_impl.c
@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
*/
PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
+ if (inputStart == NULL) {
+ *nextTokPtr = NULL;
+ return XML_TOK_INVALID;
+ }
if (end == inputStart) {
*nextTokPtr = inputStart;
return XML_TOK_PARTIAL;
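Review bot: the `inputStart == NULL` check comes after `PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);`, which has already been handed the null pointer (together with an `inputEnd` that cannot be consistent with it); move the check before that call, or to the top of contentTok, so nothing in the function operates on the invalid pointer. Storing `*nextTokPtr = NULL` alongside XML_TOK_INVALID also passes the null pointer out to the caller's error path, which is exactly the cascade the commit message describes and what the extractXmlSample guard then has to absorb; every caller that reads `*nextTokPtr` on XML_TOK_INVALID now needs to tolerate NULL, which the rest of this expat copy was not written to expect.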
diff --git a/test/Makefile b/test/Makefile
index 4fce824..1242910 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -7,7 +7,7 @@ SUBDIR := test
include $(BLDDIR)/config.mk
-SUBDIRS = cpp
+SUBDIRS = cpp benchmark
XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
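Review bot: the new `benchmark` entry in SUBDIRS names a directory that is not part of the xmlrpc-c tree; it exists only after benchmark-tests.tar.xz (Source1 in the spec) has been unpacked, so `make` in test/ on a plain source checkout, the scenario the commit message's run instructions describe ("extract the sources ... cd test; make"), fails on the missing directory unless the tarball is unpacked first. Either add the extraction step to the instructions or make the entry conditional on the directory being present, e.g. `SUBDIRS = cpp $(wildcard benchmark)`.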
@@ -98,11 +98,14 @@ runtests_local: test cgitest1
./test
.PHONY: runtests
-runtests: runtests_local cpp/runtests
+runtests: runtests_local cpp/runtests benchmark/runtests
cpp/runtests: FORCE
$(MAKE) -C $(dir $@) $(notdir $@)
+benchmark/runtests:
+ $(MAKE) -C $(dir $@) $(notdir $@)
+
.PHONY: install
install:
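Review bot: `benchmark/runtests:` has no `FORCE` prerequisite and is not listed in `.PHONY`, unlike the `cpp/runtests: FORCE` rule just above it, so if a file or directory named benchmark/runtests ever exists make will consider the target up to date and silently skip the recursion. Write it as `benchmark/runtests: FORCE` to match the cpp rule.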
--
2.42.0

0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch

@ -0,0 +1,40 @@
From d15ba056c15db75c9153fda27a62b1a6cfb8196e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 9 Sep 2024 14:35:28 -0400
Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491

An issue was discovered in libexpat before 2.6.3. dtdCopy in
xmlparse.c can have an integer overflow for nDefaultAtts on
32-bit platforms (where UINT_MAX equals SIZE_MAX).

Backported from upstream https://github.com/libexpat/libexpat/pull/891

Resolves: RHEL-57519
---
lib/expat/xmlparse/xmlparse.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 359267a..40f753b 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -1020,6 +1020,16 @@ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd)
if (!newE)
return 0;
if (oldE->nDefaultAtts) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((size_t)oldE->nDefaultAtts
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+ return 0;
+ }
+#endif
newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
if (!newE->defaultAtts)
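Review bot: the guard `#if UINT_MAX >= SIZE_MAX` depends on both macros being defined in this translation unit, and the hunk adds no `#include <limits.h>` or `<stdint.h>`; in a preprocessor `#if` an undefined identifier evaluates to 0, so a missing SIZE_MAX turns the condition into `UINT_MAX >= 0` (check always compiled in, harmless), while a missing UINT_MAX turns it into `0 >= SIZE_MAX` (check silently compiled out everywhere, including the 32-bit targets the CVE is about). Confirm the includes at the top of lib/expat/xmlparse/xmlparse.c, or add them in this patch. Minor: `(size_t)(-1)` is SIZE_MAX, and using the macro the guard already relies on reads more clearly.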
--
2.45.0
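As an added example, not code from xmlrpc-c, libexpat or the patch above, the sizing check that dtdCopy gains in 0008, written out beside the unchecked arithmetic it replaces. The 32-bit size_t is emulated with a uint32_t so the wraparound reproduces on a 64-bit host; ELEM_SIZE, the attr_t record and every function name are assumptions made for the illustration (libexpat's DEFAULT_ATTRIBUTE has a different, target-dependent size). The host-size_t variant carries the patch's preprocessor guard so the -Wtype-limits reasoning in the hunk's comment can be seen in practice.

```c
/* Added example, not code from xmlrpc-c or libexpat: the overflow-checked
 * array sizing that patch 0008 adds to dtdCopy, shown beside the unchecked
 * arithmetic it replaces.  A 32-bit size type (sz32) is emulated so the
 * wraparound reproduces on a 64-bit host.  ELEM_SIZE, attr_t and every helper
 * name are assumptions for the illustration, not libexpat definitions. */
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t sz32;          /* stands in for size_t on a 32-bit target */
#define SZ32_MAX UINT32_MAX
#define ELEM_SIZE 24u           /* assumed element size in bytes (illustrative) */

/* Pre-patch arithmetic: count * element size wraps modulo 2^32, so a huge
 * or negative count becomes a tiny allocation that the copy then overruns. */
sz32 unchecked_bytes(int n) {
    return (sz32)n * ELEM_SIZE;
}

/* Patched arithmetic: refuse any count that cannot be multiplied without
 * wrapping.  Clears *ok and returns 0 on refusal, mirroring the `return 0`
 * in dtdCopy, which its callers treat as failure. */
sz32 checked_bytes(int n, int *ok) {
    if (n < 0 || (sz32)n > SZ32_MAX / ELEM_SIZE) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return (sz32)n * ELEM_SIZE;
}

/* Stand-in attribute record; only its size and copyability matter here. */
typedef struct { const char *id; const char *value; int is_cdata; } attr_t;

/* The same check against the host's real size_t, with the patch's
 * preprocessor guard: where sizeof(int) < sizeof(size_t) an int count can
 * never exceed SIZE_MAX / sizeof(attr_t), so the comparison is compiled out
 * (and -Wtype-limits stays quiet); on 32-bit targets it remains.
 * Returns 1 and stores the byte count, 0 when n is negative or would wrap. */
int checked_attr_bytes(int n, size_t *out) {
    if (n < 0)
        return 0;
#if UINT_MAX >= SIZE_MAX
    if ((size_t)n > SIZE_MAX / sizeof(attr_t))
        return 0;
#endif
    *out = (size_t)n * sizeof(attr_t);
    return 1;
}

/* dtdCopy-style duplication of an attribute array: NULL on overflow or
 * allocation failure, never an undersized buffer followed by an overrun. */
attr_t *copy_attrs(const attr_t *src, int n) {
    size_t bytes;
    if (!checked_attr_bytes(n, &bytes))
        return NULL;
    attr_t *dst = malloc(bytes);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

/* Constructed sample input for the copy path (not real DTD data). */
static const attr_t kSample[2] = { { "id", "a", 0 }, { "class", "b", 1 } };

/* Returns 1 when a two-element copy round-trips intact. */
int sample_copy_ok(void) {
    attr_t *copy = copy_attrs(kSample, 2);
    int ok = copy != NULL && strcmp(copy[1].id, "class") == 0 && copy[1].is_cdata == 1;
    free(copy);
    return ok;
}

int main(void) {
    int ok = 0;
    const int huge = 178956971;   /* smallest count whose product with 24 exceeds 2^32 */
    printf("unchecked: %d * %u = %" PRIu32 " bytes (wrapped)\n",
           huge, ELEM_SIZE, unchecked_bytes(huge));
    sz32 b = checked_bytes(huge, &ok);
    printf("checked:   %d * %u -> ok=%d, bytes=%" PRIu32 "\n", huge, ELEM_SIZE, ok, b);
    checked_bytes(-1, &ok);
    printf("negative:  -1 * %u = %" PRIu32 " bytes unchecked, ok=%d checked\n",
           ELEM_SIZE, unchecked_bytes(-1), ok);
    printf("copy of 2 sample attrs: %s\n", sample_copy_ok() ? "ok" : "failed");
    return 0;
}
```

Build with `cc -std=c99 -Wall -Wextra` (the latter enables -Wtype-limits) to see that the host-size_t guard compiles cleanly on both 32- and 64-bit targets; the emulated sz32 path is what the 32-bit build of the bundled expat was doing before the patch.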


@ -6,7 +6,7 @@
Name: xmlrpc-c Name: xmlrpc-c
Version: 1.51.0 Version: 1.51.0
Release: 8%{?dist} Release: 10%{?dist}
Summary: Lightweight RPC library based on XML and HTTP Summary: Lightweight RPC library based on XML and HTTP
# See doc/COPYING for details. # See doc/COPYING for details.
# The Python 1.5.2 license used by a few files is just BSD. # The Python 1.5.2 license used by a few files is just BSD.
@ -17,6 +17,7 @@ URL: http://xmlrpc-c.sourceforge.net/
# upstream does not tag versions so we must fetch from the branch and # upstream does not tag versions so we must fetch from the branch and
# check which version was used for it # check which version was used for it
%{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz} %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
%{?advanced_branch:Source1: benchmark-tests.tar.xz}
# Upstreamable patches # Upstreamable patches
Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
@ -27,6 +28,8 @@ Patch103: 0003-allow-30x-redirections.patch
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
Patch108: 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch
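Review bot: the Patch108 file name ends in `CVE-2024-4549`, which is the CVE id of the patch's own Subject line (CVE-2024-45491) with its last digit cut off, most likely by the generated-name length limit of git format-patch (Patch105's name is truncated the same way, but there the cut falls on the word "to"). Truncated inside a CVE id, the name reads as a different identifier; rename the file so the full id survives, since it is how anyone grepping the package for the fix will search.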
# Backported patches # Backported patches
# https://sourceforge.net/p/xmlrpc-c/code/2981/ # https://sourceforge.net/p/xmlrpc-c/code/2981/
@ -129,6 +132,7 @@ This package contains some handy XML-RPC demo applications.
%prep %prep
%autosetup -Sgit %autosetup -Sgit
tar xf %{SOURCE1}
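Review bot: the `tar xf %{SOURCE1}` in %prep runs unconditionally, while Source1 is declared only under `%{?advanced_branch:...}`; with advanced_branch unset, rpm leaves `%{SOURCE1}` unexpanded and the extraction fails. Either guard the tar line with the same conditional or define Source1 on both branches. The extraction also runs after `%autosetup -Sgit` has applied the patches, so the test/Makefile SUBDIRS entry from patch 0007 only resolves if the tarball unpacks to test/benchmark relative to the build directory; nothing in this compare shows the tarball layout, so confirm it.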
%build %build
%meson %{?with_libxml2:-Dlibxml2-backend=true} %meson %{?with_libxml2:-Dlibxml2-backend=true}
@ -194,6 +198,12 @@ This package contains some handy XML-RPC demo applications.
%{_bindir}/xmlrpc_dumpserver %{_bindir}/xmlrpc_dumpserver
%changelog %changelog
* Thu Sep 19 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-10
- Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519)
* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
- Address segfault found in CVE-2023-52425 (RHEL-24226)
* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8 * Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
- Address some Coverity issues in the patch set - Address some Coverity issues in the patch set
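Review bot: the 1.51.0-10 changelog entry cites `CVE-2024-4549`, but the patch it describes (and RHEL-57519) is for CVE-2024-45491; the shorter id is a different CVE number, and the changelog is what errata tooling and vulnerability scanners read, so it should say CVE-2024-45491.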