Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,2 +1 @@
|
||||
SOURCES/benchmark-tests.tar.xz
|
||||
SOURCES/xmlrpc-c-1.51.0.tar.xz
|
@ -1,2 +1 @@
|
||||
b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz
|
||||
784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
|
||||
|
@ -1,106 +0,0 @@
|
||||
From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 09:26:04 -0400
|
||||
Subject: [PATCH] Address segfault found in CVE-2023-52425
|
||||
|
||||
The CVE addresses a possible DoS when unreasonably large tokens
|
||||
are passed into the XML parser for processing. These were taking
|
||||
upwards of 8 seconds per file processed with the exception of
|
||||
aaaaaa_cdata.xml which caused a segmentation fault. The XML
|
||||
processor was effectively losing the start of the string, setting
|
||||
it to NULL. This caused a cascade of errors trying to parse both
|
||||
the next token and in handling errors if a new token was not found.
|
||||
|
||||
This handles both those cases but not the underlying reason why
|
||||
the pointer to inputStart is lost.
|
||||
|
||||
Trying to backport the libexpat changes to address the performance
|
||||
issue would be enormous since the xmlrpc-c custom version of libexpat
|
||||
is extremely old. Since xmlrpc-c is mostly used as a client passing
|
||||
in random values is less of an issue.
|
||||
|
||||
Include the libexpat upstream benchmark test to validate that the
|
||||
tests pass, albeit slowly.
|
||||
|
||||
To run the benchmarks:
|
||||
extract the sources
|
||||
cd xmlrpc-c-1.51.0
|
||||
make
|
||||
cd test
|
||||
make
|
||||
cd benchmark
|
||||
for file in *.xml; do ./benchmark $file 4096 1; done
|
||||
|
||||
One test will error out but this is expected as part of the fix.
|
||||
|
||||
The tests will be extracted as a Source because of their
|
||||
uncompressed size (~48M)
|
||||
|
||||
Fixes: RHEL-24226
|
||||
---
|
||||
lib/expat/xmlparse/xmlparse.c | 3 +++
|
||||
lib/expat/xmltok/xmltok_impl.c | 4 ++++
|
||||
test/Makefile | 7 +++++--
|
||||
3 files changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
||||
index 16ab82a..6621d18 100644
|
||||
--- a/lib/expat/xmlparse/xmlparse.c
|
||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
||||
@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
|
||||
size_t const maximumLen) {
|
||||
|
||||
size_t const len = MIN(maximumLen, (size_t)(end - start));
|
||||
+ if (start == NULL) {
|
||||
+ return strdup("");
|
||||
+ }
|
||||
|
||||
return xmlrpc_makePrintable_lp(start, len);
|
||||
}
|
||||
diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
|
||||
index bae79b9..80da94f 100644
|
||||
--- a/lib/expat/xmltok/xmltok_impl.c
|
||||
+++ b/lib/expat/xmltok/xmltok_impl.c
|
||||
@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
|
||||
*/
|
||||
PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
|
||||
|
||||
+ if (inputStart == NULL) {
|
||||
+ *nextTokPtr = NULL;
|
||||
+ return XML_TOK_INVALID;
|
||||
+ }
|
||||
if (end == inputStart) {
|
||||
*nextTokPtr = inputStart;
|
||||
return XML_TOK_PARTIAL;
|
||||
diff --git a/test/Makefile b/test/Makefile
|
||||
index 4fce824..1242910 100644
|
||||
--- a/test/Makefile
|
||||
+++ b/test/Makefile
|
||||
@@ -7,7 +7,7 @@ SUBDIR := test
|
||||
|
||||
include $(BLDDIR)/config.mk
|
||||
|
||||
-SUBDIRS = cpp
|
||||
+SUBDIRS = cpp benchmark
|
||||
|
||||
XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
|
||||
|
||||
@@ -98,11 +98,14 @@ runtests_local: test cgitest1
|
||||
./test
|
||||
|
||||
.PHONY: runtests
|
||||
-runtests: runtests_local cpp/runtests
|
||||
+runtests: runtests_local cpp/runtests benchmark/runtests
|
||||
|
||||
cpp/runtests: FORCE
|
||||
$(MAKE) -C $(dir $@) $(notdir $@)
|
||||
|
||||
+benchmark/runtests:
|
||||
+ $(MAKE) -C $(dir $@) $(notdir $@)
|
||||
+
|
||||
.PHONY: install
|
||||
install:
|
||||
|
||||
--
|
||||
2.42.0
|
||||
|
@ -1,40 +0,0 @@
|
||||
From d15ba056c15db75c9153fda27a62b1a6cfb8196e Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 9 Sep 2024 14:35:28 -0400
|
||||
Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491
|
||||
|
||||
An issue was discovered in libexpat before 2.6.3. dtdCopy in
|
||||
xmlparse.c can have an integer overflow for nDefaultAtts on
|
||||
32-bit platforms (where UINT_MAX equals SIZE_MAX).
|
||||
|
||||
Backported from upstream https://github.com/libexpat/libexpat/pull/891
|
||||
|
||||
Resolves: RHEL-57519
|
||||
---
|
||||
lib/expat/xmlparse/xmlparse.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
||||
index 359267a..40f753b 100644
|
||||
--- a/lib/expat/xmlparse/xmlparse.c
|
||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
||||
@@ -1020,6 +1020,16 @@ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd)
|
||||
if (!newE)
|
||||
return 0;
|
||||
if (oldE->nDefaultAtts) {
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if ((size_t)oldE->nDefaultAtts
|
||||
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
|
||||
malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
|
||||
if (!newE->defaultAtts)
|
||||
--
|
||||
2.45.0
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Name: xmlrpc-c
|
||||
Version: 1.51.0
|
||||
Release: 10%{?dist}
|
||||
Release: 8%{?dist}
|
||||
Summary: Lightweight RPC library based on XML and HTTP
|
||||
# See doc/COPYING for details.
|
||||
# The Python 1.5.2 license used by a few files is just BSD.
|
||||
@ -17,7 +17,6 @@ URL: http://xmlrpc-c.sourceforge.net/
|
||||
# upstream does not tag versions so we must fetch from the branch and
|
||||
# check which version was used for it
|
||||
%{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
|
||||
%{?advanced_branch:Source1: benchmark-tests.tar.xz}
|
||||
|
||||
# Upstreamable patches
|
||||
Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
|
||||
@ -28,8 +27,6 @@ Patch103: 0003-allow-30x-redirections.patch
|
||||
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
||||
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
|
||||
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
|
||||
Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
|
||||
Patch108: 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch
|
||||
|
||||
# Backported patches
|
||||
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
||||
@ -132,7 +129,6 @@ This package contains some handy XML-RPC demo applications.
|
||||
|
||||
%prep
|
||||
%autosetup -Sgit
|
||||
tar xf %{SOURCE1}
|
||||
|
||||
%build
|
||||
%meson %{?with_libxml2:-Dlibxml2-backend=true}
|
||||
@ -198,12 +194,6 @@ tar xf %{SOURCE1}
|
||||
%{_bindir}/xmlrpc_dumpserver
|
||||
|
||||
%changelog
|
||||
* Thu Sep 19 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-10
|
||||
- Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519)
|
||||
|
||||
* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
|
||||
- Address segfault found in CVE-2023-52425 (RHEL-24226)
|
||||
|
||||
* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
|
||||
- Address some Coverity issues in the patch set
|
||||
|
||||
|
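Review bot: On the target side of this comparison the spec no longer lists Patch107 and Patch108 (hunk `@ -28,8 +27,6 @@`), and Source1 plus the `tar xf %{SOURCE1}` step go with them, so a build from this side carries neither the CVE-2023-52425 NULL-inputStart hardening in xmltok_impl.c/xmlparse.c nor the CVE-2024-45491 nDefaultAtts overflow check in dtdCopy that the two removed patch files contain. Release also moves from `10%{?dist}` to `8%{?dist}`, which is consistent with c8-beta simply being the older branch rather than a deliberate revert, but the page does not say which side is meant to ship. If c8-beta is to be built, the two patch files and their `Patch107:`/`Patch108:` lines need to be carried forward, together with the Source1 benchmark tarball if the `benchmark` SUBDIR added to test/Makefile by patch 0007 is kept; otherwise the divergence should be recorded in the changelog. The removed/added assignment is inferred from the hunk line counts, since the rendered page has dropped the +/- markers.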