diff --git a/.expat.metadata b/.expat.metadata
index 2c088e1..899cf1d 100644
--- a/.expat.metadata
+++ b/.expat.metadata
@@ -1 +1 @@
-71bc4b192e54040b41d98e5a49aca5e18e27485b SOURCES/expat-2.4.9.tar.gz
+03d9882ede56aa48919fbf50fe17614630257a82 SOURCES/expat-2.5.0.tar.gz
diff --git a/.gitignore b/.gitignore
index 37fcacc..85adc91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/expat-2.4.9.tar.gz
+SOURCES/expat-2.5.0.tar.gz
diff --git a/SOURCES/expat-2.4.9-CVE-2022-43680.patch b/SOURCES/expat-2.4.9-CVE-2022-43680.patch
deleted file mode 100644
index 666ee87..0000000
--- a/SOURCES/expat-2.4.9-CVE-2022-43680.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-commit b463b1beeba2ad7f9eb456bdbdc136cbbdd1dec8
-Author: Tomas Korbar
-Date: Fri Nov 11 10:46:36 2022 +0100
-
- Fix CVE-2022-43680
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index c0bece5..a73a1bf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
- parserInit(parser, encodingName);
-
- if (encodingName && ! parser->m_protocolEncodingName) {
-+ if (dtd) {
-+ // We need to stop the upcoming call to XML_ParserFree from happily
-+ // destroying parser->m_dtd because the DTD is shared with the parent
-+ // parser and the only guard that keeps XML_ParserFree from destroying
-+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
-+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
-+ parser->m_dtd = NULL;
-+ }
- XML_ParserFree(parser);
- return NULL;
- }
-diff --git a/tests/runtests.c b/tests/runtests.c
-index 530f184..cbfe420 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -10090,6 +10090,53 @@ START_TEST(test_alloc_long_notation) {
- }
- END_TEST
-
-+static int XMLCALL
-+external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
-+ const XML_Char *context,
-+ const XML_Char *base,
-+ const XML_Char *systemId,
-+ const XML_Char *publicId) {
-+ UNUSED_P(base);
-+ UNUSED_P(systemId);
-+ UNUSED_P(publicId);
-+
-+ if (context != NULL)
-+ fail("Unexpected non-NULL context");
-+
-+ // The following number intends to fail the upcoming allocation in line
-+ // "parser->m_protocolEncodingName = copyString(encodingName,
-+ // &(parser->m_mem));" in function parserInit.
-+ allocation_count = 3;
-+
-+ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
-+ const XML_Parser ext_parser
-+ = XML_ExternalEntityParserCreate(parser, context, encodingName);
-+ if (ext_parser != NULL)
-+ fail(
-+ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
-+
-+ allocation_count = ALLOC_ALWAYS_SUCCEED;
-+ return XML_STATUS_ERROR;
-+}
-+
-+START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
-+ const char *const text = "";
-+
-+ XML_SetExternalEntityRefHandler(
-+ g_parser, external_entity_parser_create_alloc_fail_handler);
-+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
-+
-+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
-+ != XML_STATUS_ERROR)
-+ fail("Call to parse was expected to fail");
-+
-+ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
-+ fail("Call to parse was expected to fail from the external entity handler");
-+
-+ XML_ParserReset(g_parser, NULL);
-+}
-+END_TEST
-+
- static void
- nsalloc_setup(void) {
- XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
-@@ -12279,6 +12326,8 @@ make_suite(void) {
- tcase_add_test(tc_alloc, test_alloc_long_public_id);
- tcase_add_test(tc_alloc, test_alloc_long_entity_value);
- tcase_add_test(tc_alloc, test_alloc_long_notation);
-+ tcase_add_test__ifdef_xml_dtd(
-+ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
-
- suite_add_tcase(s, tc_nsalloc);
- tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index 21ab817..db2a285 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -1,17 +1,15 @@ -%global unversion 2_4_9 +%global unversion 2_5_0 Summary: An XML parser library Name: expat Version: %(echo %{unversion} | sed 's/_/./g') -Release: 1%{?dist}.1 +Release: 1%{?dist} Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz URL: https://libexpat.github.io/ License: MIT BuildRequires: autoconf, libtool, xmlto, gcc-c++ BuildRequires: make -Patch0: expat-2.4.9-CVE-2022-43680.patch - %description This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with @@ -42,8 +40,6 @@ Install it if you need to link statically with expat. sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am ./buildconf.sh -%patch0 -p1 -b.CVE-2022-43680 - %build export CFLAGS="$RPM_OPT_FLAGS -fPIC" export DOCBOOK_TO_MAN="xmlto man --skip-validation" @@ -78,8 +74,8 @@ make check %{_libdir}/lib*.a %changelog -* Fri Nov 11 2022 Tomas Korbar - 2.4.9-1.1 -- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate +* Thu Nov 10 2022 Tomas Korbar - 2.5.0-1 +- Rebase to version 2.5.0 - Resolves: CVE-2022-43680 * Thu Sep 29 2022 Tomas Korbar - 2.4.9-1