Import from CS git

import CS xmlrpc-c-1.51.0-9.el8
import xmlrpc-c-1.51.0-8.el8
2024-07-03 12:09:56 +03:00 · 2024-07-03 08:54:10 +00:00 · 2022-11-08 15:33:56 +00:00
6 changed files with 251 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/xmlrpc-c-1.51.0.tar.xz
 SOURCES/benchmark-tests.tar.xz
--- a/.xmlrpc-c.metadata
+++ b/.xmlrpc-c.metadata
@ -1 +1,2 @@
 b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz
 784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz
--- a/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
+++ b/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
@ -0,0 +1,92 @@
 From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Fri, 25 Feb 2022 13:07:07 -0500
 Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
 CVE-2022-22827)
 Backport fixes from https://github.com/libexpat/libexpat/pull/539
 Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
 ---
 lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
 index 48adfb3..16ab82a 100644
 --- a/lib/expat/xmlparse/xmlparse.c
 +++ b/lib/expat/xmlparse/xmlparse.c
@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
 #include <assert.h>
 #include <limits.h>                     /* UINT_MAX */
 #include <time.h>                       /* time() */
 +#include <stdint.h>
 #include "xmlrpc_config.h"
 #include "c_util.h"
@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
     ;
   if (namespaceSeparator)
     len++;
 +  if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
 +    return XML_ERROR_SYNTAX;
 +  }
   if (freeBindingList) {
     b = freeBindingList;
     if (len > b->uriAlloc) {
@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser       const xmlParserP,
   }
   /* get the attributes from the tokenizer */
   n = XmlGetAttributes(enc, attStr, attsSize, atts);
 +
 +
 +  /* Detect and prevent integer overflow */
 +  if (n > INT_MAX - nDefaultAtts) {
 +    return XML_ERROR_NO_MEMORY;
 +  }
 +
   if (n + nDefaultAtts > attsSize) {
     int oldAttsSize = attsSize;
     ATTRIBUTE *temp;
 +    /* Detect and prevent integer overflow */
 +    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
 +        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
 +      return XML_ERROR_NO_MEMORY;
 +    }
     attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
 +    /* Detect and prevent integer overflow.
 +     * The preprocessor guard addresses the "always false" warning
 +     * from -Wtype-limits on platforms where
 +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
 +      attsSize = oldAttsSize;
 +      return XML_ERROR_NO_MEMORY;
 +    }
 +#endif
     temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
     if (!temp)
       return XML_ERROR_NO_MEMORY;
@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser       const xmlParserP,
   n = i + binding->uriLen;
   if (n > binding->uriAlloc) {
     TAG *p;
 +
 +    /* Detect and prevent integer overflow */
 +    if (n > INT_MAX - EXPAND_SPARE) {
 +      return XML_ERROR_NO_MEMORY;
 +    }
 +    /* Detect and prevent integer overflow.
 +     * The preprocessor guard addresses the "always false" warning
 +     * from -Wtype-limits on platforms where
 +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
 +      return XML_ERROR_NO_MEMORY;
 +    }
 +#endif
     XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
     if (!uri)
       return XML_ERROR_NO_MEMORY;
 -- 
 2.31.1
--- a/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
+++ b/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
@ -0,0 +1,32 @@
 From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Mon, 28 Feb 2022 10:43:23 -0500
 Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
 (CVE-2021-46143)
 Backported from upstream https://github.com/libexpat/libexpat/pull/538
 Resolves: #2058560
 ---
 lib/expat/xmlparse/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
 index 16ab82a..b9aa927 100644
 --- a/lib/expat/xmlparse/xmlparse.c
 +++ b/lib/expat/xmlparse/xmlparse.c
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser       const xmlParserP,
     case XML_ROLE_GROUP_OPEN:
       if (prologState.level >= groupSize) {
         if (groupSize) {
 +          /* Detect and prevent integer overflow */
 +          if (groupSize > (unsigned int)(-1) / 2u) {
 +            *errorCodeP = XML_ERROR_NO_MEMORY;
 +            return;
 +          }
           char *temp = realloc(groupConnector, groupSize *= 2);
           if (!temp) {
             *errorCodeP = XML_ERROR_NO_MEMORY;
 -- 
 2.31.1
--- a/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
+++ b/SOURCES/0007-Address-segfault-found-in-CVE-2023-52425.patch
@ -0,0 +1,106 @@
 From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 25 Apr 2024 09:26:04 -0400
 Subject: [PATCH] Address segfault found in CVE-2023-52425
 The CVE addresses a possible DoS when unreasonably large tokens
 are passed into the XML parser for processing. These were taking
 upwards of 8 seconds per file processed with the exception of
 aaaaaa_cdata.xml which caused a segmentation fault. The XML
 processor was effectively losing the start of the string, setting
 it to NULL. This caused a cascade of errors trying to parse both
 the next token and in handling errors if a new token was not found.
 This handles both those cases but not the underlying reason why
 the pointer to inputStart is lost.
 Trying to backport the libexpat changes to address the performance
 issue would be enormous since the xmlrpc-c custom version of libexpat
 is extremely old. Since xmlrpc-c is mostly used as a client passing
 in random values is less of an issue.
 Include the libexpat upstream benchmark test to validate that the
 tests pass, albeit slowly.
 To run the benchmarks:
 extract the sources
 cd xmlrpc-c-1.51.0
 make
 cd test
 make
 cd benchmark
 for file in *.xml; do ./benchmark $file 4096 1; done
 One test will error out but this is expected as part of the fix.
 The tests will be extracted as a Source because of their
 uncompressed size (~48M)
 Fixes: RHEL-24226
 ---
 lib/expat/xmlparse/xmlparse.c  | 3 +++
 lib/expat/xmltok/xmltok_impl.c | 4 ++++
 test/Makefile                  | 7 +++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
 diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
 index 16ab82a..6621d18 100644
 --- a/lib/expat/xmlparse/xmlparse.c
 +++ b/lib/expat/xmlparse/xmlparse.c
@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
                  size_t       const maximumLen) {
     size_t const len = MIN(maximumLen, (size_t)(end - start));
 +    if (start == NULL) {
 +        return strdup("");
 +    }
     return xmlrpc_makePrintable_lp(start, len);
 }
 diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
 index bae79b9..80da94f 100644
 --- a/lib/expat/xmltok/xmltok_impl.c
 +++ b/lib/expat/xmltok/xmltok_impl.c
@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
             */
         PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
 +        if (inputStart == NULL) {
 +            *nextTokPtr = NULL;
 +            return XML_TOK_INVALID;
 +        }
         if (end == inputStart) {
             *nextTokPtr = inputStart;
             return XML_TOK_PARTIAL;
 diff --git a/test/Makefile b/test/Makefile
 index 4fce824..1242910 100644
 --- a/test/Makefile
 +++ b/test/Makefile
@@ -7,7 +7,7 @@ SUBDIR := test
 include $(BLDDIR)/config.mk
 -SUBDIRS = cpp
 +SUBDIRS = cpp benchmark
 XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
@@ -98,11 +98,14 @@ runtests_local: test cgitest1
 	./test
 .PHONY: runtests
 -runtests: runtests_local cpp/runtests
 +runtests: runtests_local cpp/runtests benchmark/runtests
 cpp/runtests: FORCE
 	$(MAKE) -C $(dir $@) $(notdir $@)
 +benchmark/runtests:
 +	$(MAKE) -C $(dir $@) $(notdir $@)
 +
 .PHONY: install
 install:
 -- 
 2.42.0
--- a/SPECS/xmlrpc-c.spec
+++ b/SPECS/xmlrpc-c.spec
@ -6,7 +6,7 @@
 Name:           xmlrpc-c
 Version:        1.51.0
-Release:        6%{?dist}
+Release:        9%{?dist}
 Summary:        Lightweight RPC library based on XML and HTTP
 # See doc/COPYING for details.
 # The Python 1.5.2 license used by a few files is just BSD.
@ -17,6 +17,7 @@ URL:            http://xmlrpc-c.sourceforge.net/
 # upstream does not tag versions so we must fetch from the branch and
 # check which version was used for it
 %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
 %{?advanced_branch:Source1: benchmark-tests.tar.xz}
 # Upstreamable patches
 Patch101:       0001-xmlrpc_server_abyss-use-va_args-properly.patch
@ -25,6 +26,9 @@ Patch103:       0003-allow-30x-redirections.patch
 #Patch104:       xmlrpc-c-printf-size_t.patch
 #Patch105:       xmlrpc-c-check-vasprintf-return-value.patch
 Patch104:       0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105:       0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106:       0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
 Patch107:       0007-Address-segfault-found-in-CVE-2023-52425.patch
 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@ -127,6 +131,7 @@ This package contains some handy XML-RPC demo applications.
 %prep
 %autosetup -Sgit
 tar xf %{SOURCE1}
 %build
 %meson %{?with_libxml2:-Dlibxml2-backend=true}
@ -192,8 +197,20 @@ This package contains some handy XML-RPC demo applications.
 %{_bindir}/xmlrpc_dumpserver
 %changelog
 * Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
 - Address segfault found in CVE-2023-52425 (RHEL-24226)
 * Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
 - Address some Coverity issues in the patch set
 * Tue Apr 05 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-7
 - lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827)
  (#2058567, #2058576, #2058582, #2058589, #2058595, #2058602)
 - Prevent integer overflow on m_groupSize in doProlog
  (CVE-2021-46143) (#2058560)
 * Thu Mar 03 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-6
- Add missing validation of encoding (CVE-2022-25235) (#2058114)
+- Add missing validation of encoding (CVE-2022-25235) (#2070481)
 * Thu Apr 19 2018 Adam Williamson <awilliam@redhat.com> - 1.51.0-5
 - Backport upstream fix for console spam with debug messages (#1541868)
Author	SHA1	Message	Date
eabdullin	0d5eb9ed8f	Import from CS git	2024-07-03 12:09:56 +03:00
eabdullin	71007d5574	import CS xmlrpc-c-1.51.0-9.el8	2024-07-03 08:54:10 +00:00
CentOS Sources	8437b31578	import xmlrpc-c-1.51.0-8.el8	2022-11-08 15:33:56 +00:00
`@ -1 +1,2 @@`
	`SOURCES/xmlrpc-c-1.51.0.tar.xz`	`SOURCES/xmlrpc-c-1.51.0.tar.xz`
		`SOURCES/benchmark-tests.tar.xz`
`@ -1 +1,2 @@`
		`b4fb65d500c1af5fe83917ab2976a47ae6268fdd SOURCES/benchmark-tests.tar.xz`
	`784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz`	`784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz`