From 8718defb680b5c5526082ba0b88162b33dae578a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 20 2020 12:04:08 +0000 Subject: import expat-2.1.0-12.el7 --- diff --git a/SOURCES/expat-2.1.0-CVE-2018-20843.patch b/SOURCES/expat-2.1.0-CVE-2018-20843.patch new file mode 100644 index 0000000..677e021 --- /dev/null +++ b/SOURCES/expat-2.1.0-CVE-2018-20843.patch @@ -0,0 +1,14 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843 + +--- expat-2.1.0/lib/xmlparse.c.cve20843 ++++ expat-2.1.0/lib/xmlparse.c +@@ -5433,7 +5433,7 @@ + else + poolDiscard(&dtd->pool); + elementType->prefix = prefix; +- ++ break; + } + } + return 1; diff --git a/SOURCES/expat-2.1.0-CVE-2019-15903.patch b/SOURCES/expat-2.1.0-CVE-2019-15903.patch new file mode 100644 index 0000000..7a3be0f --- /dev/null +++ b/SOURCES/expat-2.1.0-CVE-2019-15903.patch @@ -0,0 +1,167 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15903 + +https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65 + +--- expat-2.1.0/lib/xmlparse.c.cve15903 ++++ expat-2.1.0/lib/xmlparse.c +@@ -331,7 +331,7 @@ + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -3699,7 +3699,7 @@ + + processor = prologProcessor; + return doProlog(parser, encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!ps_finalBuffer); ++ nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -3749,7 +3749,7 @@ + const char *next = s; + int tok = XmlPrologTok(encoding, s, end, &next); + return doProlog(parser, encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!ps_finalBuffer); ++ nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE); + } + + static enum XML_Error +@@ -3760,7 +3760,8 @@ + int tok, + const char *next, + const char **nextPtr, +- XML_Bool haveMore) ++ XML_Bool haveMore, ++ XML_Bool allowClosingDoctype) + { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; +@@ -3936,6 +3937,11 @@ + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if (allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (doctypeName) { + startDoctypeDeclHandler(handlerArg, doctypeName, + doctypeSysid, doctypePubid, 0); +@@ -4837,7 +4843,7 @@ + if (entity->is_param) { + int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -4882,7 +4888,7 @@ + if (entity->is_param) { + int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_TRUE); + } + else + #endif /* XML_DTD */ +@@ -4909,7 +4915,7 @@ + processor = prologProcessor; + tok = XmlPrologTok(encoding, s, end, &next); + return doProlog(parser, encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!ps_finalBuffer); ++ (XML_Bool)!ps_finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ +--- expat-2.1.0/tests/runtests.c.cve15903 ++++ expat-2.1.0/tests/runtests.c +@@ -1157,6 +1157,69 @@ + CharData_AppendString(storage, "\n"); + } + ++#ifdef XML_DTD ++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { ++ const char *const inputOne = "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo = "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree = "\n" ++ "\n" ++ "%e;"; ++ const char *const inputIssue317 = "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; ++ ++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ size_t inputIndex = 0; ++ ++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ const char *const input = inputs[inputIndex]; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = XML_Parse(parser, "", 0, 1); ++ if (parseResult != XML_STATUS_ERROR) { ++ fail("Parsing was expected to fail but succeeded."); ++ } ++ } ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 4) ++ fail("XML_GetCurrentLineNumber does not work as expected."); ++ ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++#endif ++ + static void + run_ns_tagname_overwrite_test(char *text, char *result) + { +@@ -1479,6 +1542,11 @@ + tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_attribute); + tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element); + ++#ifdef XML_DTD ++ tcase_add_test(tc_basic, ++ test_misc_deny_internal_entity_closing_doctype_issue_317); ++#endif ++ + return s; + } + diff --git a/SPECS/expat.spec b/SPECS/expat.spec index 07da724..fa09adc 100644 --- a/SPECS/expat.spec +++ b/SPECS/expat.spec @@ -1,12 +1,14 @@ Summary: An XML parser library Name: expat Version: 2.1.0 -Release: 11%{?dist} +Release: 12%{?dist} Group: System Environment/Libraries Source: http://downloads.sourceforge.net/expat/expat-%{version}.tar.gz Patch0: expat-2.1.0-xmlwfargs.patch Patch1: expat-2.1.0-CVE-2016-0718.patch Patch2: expat-2.1.0-CVE-2015-2716.patch +Patch3: expat-2.1.0-CVE-2018-20843.patch +Patch4: expat-2.1.0-CVE-2019-15903.patch URL: http://www.libexpat.org/ License: MIT BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -43,6 +45,8 @@ Install it if you need to link statically with expat. %patch0 -p1 -b .xmlwfargs %patch1 -p1 -b .cve0718 %patch2 -p1 -b .cve2716 +%patch3 -p1 -b .cve20843 +%patch4 -p1 -b .cve15903 %build rm -rf autom4te*.cache @@ -89,6 +93,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_libdir}/lib*.a %changelog +* Thu Apr 2 2020 Joe Orton - 2.1.0-12 +- add security fixes for CVE-2018-20843, CVE-2019-15903 + * Thu Jul 25 2019 Joe Orton - 2.1.0-11 - add security fix for CVE-2015-2716