Compare commits
No commits in common. "c8" and "imports/c8/xmlrpc-c-1.51.0-6.el8" have entirely different histories.
c8
...
imports/c8
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,2 +1 @@
|
|||||||
SOURCES/xmlrpc-c-1.51.0.tar.xz
|
SOURCES/xmlrpc-c-1.51.0.tar.xz
|
||||||
SOURCES/benchmark-tests.tar.xz
|
|
||||||
|
@ -1,2 +1 @@
|
|||||||
b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz
|
|
||||||
784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
|
784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
|
||||||
|
@ -1,92 +0,0 @@
|
|||||||
From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Fri, 25 Feb 2022 13:07:07 -0500
|
|
||||||
Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
|
|
||||||
CVE-2022-22827)
|
|
||||||
|
|
||||||
Backport fixes from https://github.com/libexpat/libexpat/pull/539
|
|
||||||
|
|
||||||
Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
|
|
||||||
---
|
|
||||||
lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 40 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
|
||||||
index 48adfb3..16ab82a 100644
|
|
||||||
--- a/lib/expat/xmlparse/xmlparse.c
|
|
||||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
|
||||||
@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
|
|
||||||
#include <assert.h>
|
|
||||||
#include <limits.h> /* UINT_MAX */
|
|
||||||
#include <time.h> /* time() */
|
|
||||||
+#include <stdint.h>
|
|
||||||
|
|
||||||
#include "xmlrpc_config.h"
|
|
||||||
#include "c_util.h"
|
|
||||||
@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
|
|
||||||
;
|
|
||||||
if (namespaceSeparator)
|
|
||||||
len++;
|
|
||||||
+ if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
|
|
||||||
+ return XML_ERROR_SYNTAX;
|
|
||||||
+ }
|
|
||||||
if (freeBindingList) {
|
|
||||||
b = freeBindingList;
|
|
||||||
if (len > b->uriAlloc) {
|
|
||||||
@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser const xmlParserP,
|
|
||||||
}
|
|
||||||
/* get the attributes from the tokenizer */
|
|
||||||
n = XmlGetAttributes(enc, attStr, attsSize, atts);
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ /* Detect and prevent integer overflow */
|
|
||||||
+ if (n > INT_MAX - nDefaultAtts) {
|
|
||||||
+ return XML_ERROR_NO_MEMORY;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (n + nDefaultAtts > attsSize) {
|
|
||||||
int oldAttsSize = attsSize;
|
|
||||||
ATTRIBUTE *temp;
|
|
||||||
+ /* Detect and prevent integer overflow */
|
|
||||||
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
|
|
||||||
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
|
|
||||||
+ return XML_ERROR_NO_MEMORY;
|
|
||||||
+ }
|
|
||||||
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
|
||||||
+ /* Detect and prevent integer overflow.
|
|
||||||
+ * The preprocessor guard addresses the "always false" warning
|
|
||||||
+ * from -Wtype-limits on platforms where
|
|
||||||
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
||||||
+#if UINT_MAX >= SIZE_MAX
|
|
||||||
+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
|
|
||||||
+ attsSize = oldAttsSize;
|
|
||||||
+ return XML_ERROR_NO_MEMORY;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
|
|
||||||
if (!temp)
|
|
||||||
return XML_ERROR_NO_MEMORY;
|
|
||||||
@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser const xmlParserP,
|
|
||||||
n = i + binding->uriLen;
|
|
||||||
if (n > binding->uriAlloc) {
|
|
||||||
TAG *p;
|
|
||||||
+
|
|
||||||
+ /* Detect and prevent integer overflow */
|
|
||||||
+ if (n > INT_MAX - EXPAND_SPARE) {
|
|
||||||
+ return XML_ERROR_NO_MEMORY;
|
|
||||||
+ }
|
|
||||||
+ /* Detect and prevent integer overflow.
|
|
||||||
+ * The preprocessor guard addresses the "always false" warning
|
|
||||||
+ * from -Wtype-limits on platforms where
|
|
||||||
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
||||||
+#if UINT_MAX >= SIZE_MAX
|
|
||||||
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
|
||||||
+ return XML_ERROR_NO_MEMORY;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
|
|
||||||
if (!uri)
|
|
||||||
return XML_ERROR_NO_MEMORY;
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Mon, 28 Feb 2022 10:43:23 -0500
|
|
||||||
Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
|
|
||||||
(CVE-2021-46143)
|
|
||||||
|
|
||||||
Backported from upstream https://github.com/libexpat/libexpat/pull/538
|
|
||||||
|
|
||||||
Resolves: #2058560
|
|
||||||
---
|
|
||||||
lib/expat/xmlparse/xmlparse.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
|
||||||
index 16ab82a..b9aa927 100644
|
|
||||||
--- a/lib/expat/xmlparse/xmlparse.c
|
|
||||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
|
||||||
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser const xmlParserP,
|
|
||||||
case XML_ROLE_GROUP_OPEN:
|
|
||||||
if (prologState.level >= groupSize) {
|
|
||||||
if (groupSize) {
|
|
||||||
+ /* Detect and prevent integer overflow */
|
|
||||||
+ if (groupSize > (unsigned int)(-1) / 2u) {
|
|
||||||
+ *errorCodeP = XML_ERROR_NO_MEMORY;
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
char *temp = realloc(groupConnector, groupSize *= 2);
|
|
||||||
if (!temp) {
|
|
||||||
*errorCodeP = XML_ERROR_NO_MEMORY;
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,106 +0,0 @@
|
|||||||
From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Thu, 25 Apr 2024 09:26:04 -0400
|
|
||||||
Subject: [PATCH] Address segfault found in CVE-2023-52425
|
|
||||||
|
|
||||||
The CVE addresses a possible DoS when unreasonably large tokens
|
|
||||||
are passed into the XML parser for processing. These were taking
|
|
||||||
upwards of 8 seconds per file processed with the exception of
|
|
||||||
aaaaaa_cdata.xml which caused a segmentation fault. The XML
|
|
||||||
processor was effectively losing the start of the string, setting
|
|
||||||
it to NULL. This caused a cascade of errors trying to parse both
|
|
||||||
the next token and in handling errors if a new token was not found.
|
|
||||||
|
|
||||||
This handles both those cases but not the underlying reason why
|
|
||||||
the pointer to inputStart is lost.
|
|
||||||
|
|
||||||
Trying to backport the libexpat changes to address the performance
|
|
||||||
issue would be enormous since the xmlrpc-c custom version of libexpat
|
|
||||||
is extremely old. Since xmlrpc-c is mostly used as a client passing
|
|
||||||
in random values is less of an issue.
|
|
||||||
|
|
||||||
Include the libexpat upstream benchmark test to validate that the
|
|
||||||
tests pass, albeit slowly.
|
|
||||||
|
|
||||||
To run the benchmarks:
|
|
||||||
extract the sources
|
|
||||||
cd xmlrpc-c-1.51.0
|
|
||||||
make
|
|
||||||
cd test
|
|
||||||
make
|
|
||||||
cd benchmark
|
|
||||||
for file in *.xml; do ./benchmark $file 4096 1; done
|
|
||||||
|
|
||||||
One test will error out but this is expected as part of the fix.
|
|
||||||
|
|
||||||
The tests will be extracted as a Source because of their
|
|
||||||
uncompressed size (~48M)
|
|
||||||
|
|
||||||
Fixes: RHEL-24226
|
|
||||||
---
|
|
||||||
lib/expat/xmlparse/xmlparse.c | 3 +++
|
|
||||||
lib/expat/xmltok/xmltok_impl.c | 4 ++++
|
|
||||||
test/Makefile | 7 +++++--
|
|
||||||
3 files changed, 12 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
|
|
||||||
index 16ab82a..6621d18 100644
|
|
||||||
--- a/lib/expat/xmlparse/xmlparse.c
|
|
||||||
+++ b/lib/expat/xmlparse/xmlparse.c
|
|
||||||
@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
|
|
||||||
size_t const maximumLen) {
|
|
||||||
|
|
||||||
size_t const len = MIN(maximumLen, (size_t)(end - start));
|
|
||||||
+ if (start == NULL) {
|
|
||||||
+ return strdup("");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return xmlrpc_makePrintable_lp(start, len);
|
|
||||||
}
|
|
||||||
diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
|
|
||||||
index bae79b9..80da94f 100644
|
|
||||||
--- a/lib/expat/xmltok/xmltok_impl.c
|
|
||||||
+++ b/lib/expat/xmltok/xmltok_impl.c
|
|
||||||
@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
|
|
||||||
*/
|
|
||||||
PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
|
|
||||||
|
|
||||||
+ if (inputStart == NULL) {
|
|
||||||
+ *nextTokPtr = NULL;
|
|
||||||
+ return XML_TOK_INVALID;
|
|
||||||
+ }
|
|
||||||
if (end == inputStart) {
|
|
||||||
*nextTokPtr = inputStart;
|
|
||||||
return XML_TOK_PARTIAL;
|
|
||||||
diff --git a/test/Makefile b/test/Makefile
|
|
||||||
index 4fce824..1242910 100644
|
|
||||||
--- a/test/Makefile
|
|
||||||
+++ b/test/Makefile
|
|
||||||
@@ -7,7 +7,7 @@ SUBDIR := test
|
|
||||||
|
|
||||||
include $(BLDDIR)/config.mk
|
|
||||||
|
|
||||||
-SUBDIRS = cpp
|
|
||||||
+SUBDIRS = cpp benchmark
|
|
||||||
|
|
||||||
XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
|
|
||||||
|
|
||||||
@@ -98,11 +98,14 @@ runtests_local: test cgitest1
|
|
||||||
./test
|
|
||||||
|
|
||||||
.PHONY: runtests
|
|
||||||
-runtests: runtests_local cpp/runtests
|
|
||||||
+runtests: runtests_local cpp/runtests benchmark/runtests
|
|
||||||
|
|
||||||
cpp/runtests: FORCE
|
|
||||||
$(MAKE) -C $(dir $@) $(notdir $@)
|
|
||||||
|
|
||||||
+benchmark/runtests:
|
|
||||||
+ $(MAKE) -C $(dir $@) $(notdir $@)
|
|
||||||
+
|
|
||||||
.PHONY: install
|
|
||||||
install:
|
|
||||||
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: xmlrpc-c
|
Name: xmlrpc-c
|
||||||
Version: 1.51.0
|
Version: 1.51.0
|
||||||
Release: 9%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: Lightweight RPC library based on XML and HTTP
|
Summary: Lightweight RPC library based on XML and HTTP
|
||||||
# See doc/COPYING for details.
|
# See doc/COPYING for details.
|
||||||
# The Python 1.5.2 license used by a few files is just BSD.
|
# The Python 1.5.2 license used by a few files is just BSD.
|
||||||
@ -17,7 +17,6 @@ URL: http://xmlrpc-c.sourceforge.net/
|
|||||||
# upstream does not tag versions so we must fetch from the branch and
|
# upstream does not tag versions so we must fetch from the branch and
|
||||||
# check which version was used for it
|
# check which version was used for it
|
||||||
%{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
|
%{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
|
||||||
%{?advanced_branch:Source1: benchmark-tests.tar.xz}
|
|
||||||
|
|
||||||
# Upstreamable patches
|
# Upstreamable patches
|
||||||
Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
|
Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch
|
||||||
@ -26,9 +25,6 @@ Patch103: 0003-allow-30x-redirections.patch
|
|||||||
#Patch104: xmlrpc-c-printf-size_t.patch
|
#Patch104: xmlrpc-c-printf-size_t.patch
|
||||||
#Patch105: xmlrpc-c-check-vasprintf-return-value.patch
|
#Patch105: xmlrpc-c-check-vasprintf-return-value.patch
|
||||||
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
|
||||||
Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
|
|
||||||
Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
|
|
||||||
Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch
|
|
||||||
|
|
||||||
# Backported patches
|
# Backported patches
|
||||||
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
# https://sourceforge.net/p/xmlrpc-c/code/2981/
|
||||||
@ -131,7 +127,6 @@ This package contains some handy XML-RPC demo applications.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -Sgit
|
%autosetup -Sgit
|
||||||
tar xf %{SOURCE1}
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%meson %{?with_libxml2:-Dlibxml2-backend=true}
|
%meson %{?with_libxml2:-Dlibxml2-backend=true}
|
||||||
@ -197,20 +192,8 @@ tar xf %{SOURCE1}
|
|||||||
%{_bindir}/xmlrpc_dumpserver
|
%{_bindir}/xmlrpc_dumpserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
|
|
||||||
- Address segfault found in CVE-2023-52425 (RHEL-24226)
|
|
||||||
|
|
||||||
* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
|
|
||||||
- Address some Coverity issues in the patch set
|
|
||||||
|
|
||||||
* Tue Apr 05 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-7
|
|
||||||
- lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827)
|
|
||||||
(#2058567, #2058576, #2058582, #2058589, #2058595, #2058602)
|
|
||||||
- Prevent integer overflow on m_groupSize in doProlog
|
|
||||||
(CVE-2021-46143) (#2058560)
|
|
||||||
|
|
||||||
* Thu Mar 03 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-6
|
* Thu Mar 03 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-6
|
||||||
- Add missing validation of encoding (CVE-2022-25235) (#2070481)
|
- Add missing validation of encoding (CVE-2022-25235) (#2058114)
|
||||||
|
|
||||||
* Thu Apr 19 2018 Adam Williamson <awilliam@redhat.com> - 1.51.0-5
|
* Thu Apr 19 2018 Adam Williamson <awilliam@redhat.com> - 1.51.0-5
|
||||||
- Backport upstream fix for console spam with debug messages (#1541868)
|
- Backport upstream fix for console spam with debug messages (#1541868)
|
||||||
|
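Review bot: The new side of the spec no longer lists `Patch105`, `Patch106` and `Patch107`, and it also drops `Source1` and the `tar xf %{SOURCE1}` step in `%prep`, so a build from this side stops at 1.51.0-6 and carries only the CVE-2022-25235 backport. The three patch files deleted earlier on this page hold the integer-overflow checks in `storeAtts` and `doProlog` and the NULL `inputStart` guards, so the bundled expat copy would parse untrusted XML without them. The page states that the two refs share no history, so this is presumably an older import tag rather than a deliberate revert. If anything is still built from it, I would record the gap in the spec, e.g. `# NOTE: lacks Patch105-107 (CVE-2022-22822..22827, CVE-2021-46143, CVE-2023-52425); build from c8`. The bug number on the CVE-2022-25235 changelog line also differs between the two sides (`#2070481` vs `#2058114`) and should be reconciled.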