diff --git a/SOURCES/expat-2.2.5-CVE-2022-43680.patch b/SOURCES/expat-2.2.5-CVE-2022-43680.patch new file mode 100644 index 0000000..25488ff --- /dev/null +++ b/SOURCES/expat-2.2.5-CVE-2022-43680.patch @@ -0,0 +1,89 @@ +commit a739613cfb5ee60919bd5ad545a5582fa8a6dad9 +Author: Tomas Korbar +Date: Mon Nov 14 12:37:16 2022 +0100 + + Fix CVE-2022-43680 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 0cc24f6..3f765f7 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1016,6 +1016,14 @@ parserCreate(const XML_Char *encodingName, + parserInit(parser, encodingName); + + if (encodingName && !parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } +diff --git a/tests/runtests.c b/tests/runtests.c +index f3ebbd7..f58f794 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -10819,6 +10819,48 @@ START_TEST(test_alloc_long_notation) + } + END_TEST + ++static int XMLCALL ++external_entity_parser_create_alloc_fail_handler(XML_Parser parser, ++ const XML_Char *context, ++ const XML_Char *UNUSED_P(base), ++ const XML_Char *UNUSED_P(systemId), ++ const XML_Char *UNUSED_P(publicId)) { ++ if (context != NULL) ++ fail("Unexpected non-NULL context"); ++ ++ // The following number intends to fail the upcoming allocation in line ++ // "parser->m_protocolEncodingName = copyString(encodingName, ++ // &(parser->m_mem));" in function parserInit. ++ allocation_count = 3; ++ ++ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL ++ const XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, encodingName); ++ if (ext_parser != NULL) ++ fail( ++ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory"); ++ ++ allocation_count = ALLOC_ALWAYS_SUCCEED; ++ return XML_STATUS_ERROR; ++} ++ ++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) { ++ const char *const text = ""; ++ ++ XML_SetExternalEntityRefHandler( ++ parser, external_entity_parser_create_alloc_fail_handler); ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ fail("Call to parse was expected to fail"); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING) ++ fail("Call to parse was expected to fail from the external entity handler"); ++ ++ XML_ParserReset(parser, NULL); ++} ++END_TEST + + static void + nsalloc_setup(void) +@@ -12653,6 +12695,10 @@ make_suite(void) + tcase_add_test(tc_alloc, test_alloc_long_entity_value); + tcase_add_test(tc_alloc, test_alloc_long_notation); + ++ #ifdef XML_DTD ++ tcase_add_test(tc_alloc, ++ test_alloc_reset_after_external_entity_parser_create_fail); ++ #endif + suite_add_tcase(s, tc_nsalloc); + tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown); + tcase_add_test(tc_nsalloc, test_nsalloc_xmlns); diff --git a/SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch b/SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch new file mode 100644 index 0000000..76e6a7c --- /dev/null +++ b/SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch @@ -0,0 +1,118 @@ +commit bfecc1f11ab5f0cc2aa3dc5cb87d3236a87ce61d +Author: Tomas Korbar +Date: Fri Sep 30 10:52:04 2022 +0200 + + Fix CVE-2022-40674 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index d47e42c..0cc24f6 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5765,8 +5765,14 @@ internalEntityProcessor(XML_Parser parser, + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, s, end, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, ++ s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + +diff --git a/tests/runtests.c b/tests/runtests.c +index 569ad8c..f3ebbd7 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -5401,6 +5401,78 @@ START_TEST(test_resume_entity_with_syntax_error) + } + END_TEST + ++void ++suspending_comment_handler(void *userData, const XML_Char *UNUSED_P(data)) { ++ XML_Parser parser = (XML_Parser)userData; ++ XML_StopParser(parser, XML_TRUE); ++} ++ ++START_TEST(test_suspend_resume_internal_entity_issue_629) { ++ const char *const text ++ = "a'>]>&e;\n" ++ "<" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "/>" ++ ""; ++ const size_t firstChunkSizeBytes = 54; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCommentHandler(parser, suspending_comment_handler); ++ ++ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE) ++ != XML_STATUS_SUSPENDED) ++ xml_failure(parser); ++ if (XML_ResumeParser(parser) != XML_STATUS_OK) ++ xml_failure(parser); ++ if (XML_Parse(parser, text + firstChunkSizeBytes, ++ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++ + /* Test suspending and resuming in a parameter entity substitution */ + static void XMLCALL + element_decl_suspender(void *UNUSED_P(userData), +@@ -12395,6 +12467,7 @@ make_suite(void) + tcase_add_test(tc_basic, test_hash_collision); + tcase_add_test(tc_basic, test_suspend_resume_internal_entity); + tcase_add_test(tc_basic, test_resume_entity_with_syntax_error); ++ tcase_add_test(tc_basic, test_suspend_resume_internal_entity_issue_629); + tcase_add_test(tc_basic, test_suspend_resume_parameter_entity); + tcase_add_test(tc_basic, test_restart_on_error); + tcase_add_test(tc_basic, test_reject_lt_in_attribute_value); diff --git a/SPECS/expat.spec b/SPECS/expat.spec index a0c8a18..5ceff69 100644 --- a/SPECS/expat.spec +++ b/SPECS/expat.spec @@ -3,7 +3,7 @@ Summary: An XML parser library Name: expat Version: %(echo %{unversion} | sed 's/_/./g') -Release: 9%{?dist} +Release: 11%{?dist} Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz URL: https://libexpat.github.io/ License: MIT @@ -20,6 +20,8 @@ Patch8: expat-2.2.5-Add-missing-validation-of-encoding.patch Patch9: expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch +Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch +Patch13: expat-2.2.5-CVE-2022-43680.patch %description This is expat, the C library for parsing XML, written by James Clark. Expat @@ -59,6 +61,8 @@ Install it if you need to link statically with expat. %patch9 -p1 -b .CVE-2022-25315 %patch10 -p1 -b .CVE-2022-25314 %patch11 -p1 -b .CVE-2022-25313 +%patch12 -p1 -b .CVE-2022-40674 +%patch13 -p1 -b .CVE-2022-43680 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am ./buildconf.sh @@ -97,6 +101,14 @@ make check %{_libdir}/lib*.a %changelog +* Mon Nov 14 2022 Tomas Korbar - 2.2.5-11 +- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate +- Resolves: CVE-2022-43680 + +* Fri Sep 30 2022 Tomas Korbar - 2.2.5-10 +- Ensure raw tagnames are safe exiting internalEntityParser +- Resolves: CVE-2022-40674 + * Fri May 06 2022 Tomas Korbar - 2.2.5-9 - Fix multiple CVEs - Resolves: CVE-2022-25314