diff --git a/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch b/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch new file mode 100644 index 0000000..9c9a640 --- /dev/null +++ b/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch @@ -0,0 +1,14 @@ +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 4b43e6132..a39377c23 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, + + static XML_Char * + copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { +- int charsRequired = 0; ++ size_t charsRequired = 0; + XML_Char *result; + + /* First determine how long the string is */ + diff --git a/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch b/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch new file mode 100644 index 0000000..cfa7c1b --- /dev/null +++ b/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch @@ -0,0 +1,255 @@ +commit 37b45d8ff0f92a7ea0491dd61a0bceb951af332e +Author: Tomas Korbar +Date: Tue May 3 09:57:53 2022 +0200 + + Fix CVE-2022-25313 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 0948906..8e84b5a 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7138,44 +7138,15 @@ nextScaffoldPart(XML_Parser parser) { + return next; + } + +-static void +-build_node(XML_Parser parser, int src_node, XML_Content *dest, +- XML_Content **contpos, XML_Char **strpos) { +- DTD *const dtd = parser->m_dtd; /* save one level of indirection */ +- dest->type = dtd->scaffold[src_node].type; +- dest->quant = dtd->scaffold[src_node].quant; +- if (dest->type == XML_CTYPE_NAME) { +- const XML_Char *src; +- dest->name = *strpos; +- src = dtd->scaffold[src_node].name; +- for (;;) { +- *(*strpos)++ = *src; +- if (! *src) +- break; +- src++; +- } +- dest->numchildren = 0; +- dest->children = NULL; +- } else { +- unsigned int i; +- int cn; +- dest->numchildren = dtd->scaffold[src_node].childcnt; +- dest->children = *contpos; +- *contpos += dest->numchildren; +- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren; +- i++, cn = dtd->scaffold[cn].nextsib) { +- build_node(parser, cn, &(dest->children[i]), contpos, strpos); +- } +- dest->name = NULL; +- } +-} +- + static XML_Content * + build_model(XML_Parser parser) { ++ /* Function build_model transforms the existing parser->m_dtd->scaffold ++ * array of CONTENT_SCAFFOLD tree nodes into a new array of ++ * XML_Content tree nodes followed by a gapless list of zero-terminated ++ * strings. */ + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + XML_Content *ret; +- XML_Content *cpos; +- XML_Char *str; ++ XML_Char *str; /* the current string writing location */ + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning +@@ -7201,10 +7172,96 @@ build_model(XML_Parser parser) { + if (! ret) + return NULL; + +- str = (XML_Char *)(&ret[dtd->scaffCount]); +- cpos = &ret[1]; ++ /* What follows is an iterative implementation (of what was previously done ++ * recursively in a dedicated function called "build_node". The old recursive ++ * build_node could be forced into stack exhaustion from input as small as a ++ * few megabyte, and so that was a security issue. Hence, a function call ++ * stack is avoided now by resolving recursion.) ++ * ++ * The iterative approach works as follows: ++ * ++ * - We have two writing pointers, both walking up the result array; one does ++ * the work, the other creates "jobs" for its colleague to do, and leads ++ * the way: ++ * ++ * - The faster one, pointer jobDest, always leads and writes "what job ++ * to do" by the other, once they reach that place in the ++ * array: leader "jobDest" stores the source node array index (relative ++ * to array dtd->scaffold) in field "numchildren". ++ * ++ * - The slower one, pointer dest, looks at the value stored in the ++ * "numchildren" field (which actually holds a source node array index ++ * at that time) and puts the real data from dtd->scaffold in. ++ * ++ * - Before the loop starts, jobDest writes source array index 0 ++ * (where the root node is located) so that dest will have something to do ++ * when it starts operation. ++ * ++ * - Whenever nodes with children are encountered, jobDest appends ++ * them as new jobs, in order. As a result, tree node siblings are ++ * adjacent in the resulting array, for example: ++ * ++ * [0] root, has two children ++ * [1] first child of 0, has three children ++ * [3] first child of 1, does not have children ++ * [4] second child of 1, does not have children ++ * [5] third child of 1, does not have children ++ * [2] second child of 0, does not have children ++ * ++ * Or (the same data) presented in flat array view: ++ * ++ * [0] root, has two children ++ * ++ * [1] first child of 0, has three children ++ * [2] second child of 0, does not have children ++ * ++ * [3] first child of 1, does not have children ++ * [4] second child of 1, does not have children ++ * [5] third child of 1, does not have children ++ * ++ * - The algorithm repeats until all target array indices have been processed. ++ */ ++ XML_Content *dest = ret; /* tree node writing location, moves upwards */ ++ XML_Content *const destLimit = &ret[dtd->scaffCount]; ++ XML_Content *jobDest = ret; /* next free writing location in target array */ ++ str = (XML_Char *)&ret[dtd->scaffCount]; ++ ++ /* Add the starting job, the root node (index 0) of the source tree */ ++ (jobDest++)->numchildren = 0; ++ ++ for (; dest < destLimit; dest++) { ++ /* Retrieve source tree array index from job storage */ ++ const int src_node = (int)dest->numchildren; ++ ++ /* Convert item */ ++ dest->type = dtd->scaffold[src_node].type; ++ dest->quant = dtd->scaffold[src_node].quant; ++ if (dest->type == XML_CTYPE_NAME) { ++ const XML_Char *src; ++ dest->name = str; ++ src = dtd->scaffold[src_node].name; ++ for (;;) { ++ *str++ = *src; ++ if (! *src) ++ break; ++ src++; ++ } ++ dest->numchildren = 0; ++ dest->children = NULL; ++ } else { ++ unsigned int i; ++ int cn; ++ dest->name = NULL; ++ dest->numchildren = dtd->scaffold[src_node].childcnt; ++ dest->children = jobDest; ++ ++ /* Append scaffold indices of children to array */ ++ for (i = 0, cn = dtd->scaffold[src_node].firstchild; ++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) ++ (jobDest++)->numchildren = (unsigned int)cn; ++ } ++ } + +- build_node(parser, 0, ret, &cpos, &str); + return ret; + } + +diff --git a/tests/runtests.c b/tests/runtests.c +index 7293d46..05f3083 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -2677,6 +2677,82 @@ START_TEST(test_dtd_elements) { + } + END_TEST + ++static void XMLCALL ++element_decl_check_model(void *userData, const XML_Char *name, ++ XML_Content *model) { ++ UNUSED_P(userData); ++ uint32_t errorFlags = 0; ++ ++ /* Expected model array structure is this: ++ * [0] (type 6, quant 0) ++ * [1] (type 5, quant 0) ++ * [3] (type 4, quant 0, name "bar") ++ * [4] (type 4, quant 0, name "foo") ++ * [5] (type 4, quant 3, name "xyz") ++ * [2] (type 4, quant 2, name "zebra") ++ */ ++ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0)); ++ errorFlags |= ((model != NULL) ? 0 : (1u << 1)); ++ ++ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2)); ++ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3)); ++ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4)); ++ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5)); ++ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6)); ++ ++ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7)); ++ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8)); ++ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9)); ++ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10)); ++ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11)); ++ ++ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12)); ++ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13)); ++ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14)); ++ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15)); ++ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16)); ++ ++ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17)); ++ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18)); ++ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19)); ++ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20)); ++ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21)); ++ ++ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22)); ++ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23)); ++ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24)); ++ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25)); ++ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26)); ++ ++ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27)); ++ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28)); ++ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29)); ++ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30)); ++ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31)); ++ ++ XML_SetUserData(g_parser, (void *)(uintptr_t)errorFlags); ++ XML_FreeContentModel(g_parser, model); ++} ++ ++START_TEST(test_dtd_elements_nesting) { ++ // Payload inspired by a test in Perl's XML::Parser ++ const char *text = "\n" ++ "]>\n" ++ ""; ++ ++ XML_SetUserData(g_parser, (void *)(uintptr_t)-1); ++ ++ XML_SetElementDeclHandler(g_parser, element_decl_check_model); ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(g_parser); ++ ++ if ((uint32_t)(uintptr_t)XML_GetUserData(g_parser) != 0) ++ fail("Element declaration model regression detected"); ++} ++END_TEST ++ + /* Test foreign DTD handling */ + START_TEST(test_set_foreign_dtd) { + const char *text1 = "\n"; +@@ -11487,6 +11563,7 @@ make_suite(void) { + tcase_add_test(tc_basic, test_memory_allocation); + tcase_add_test(tc_basic, test_default_current); + tcase_add_test(tc_basic, test_dtd_elements); ++ tcase_add_test(tc_basic, test_dtd_elements_nesting); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_set_foreign_dtd); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_foreign_dtd_not_standalone); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_invalid_foreign_dtd); diff --git a/SPECS/expat.spec b/SPECS/expat.spec index d57f447..8752e1e 100644 --- a/SPECS/expat.spec +++ b/SPECS/expat.spec @@ -3,7 +3,7 @@ Summary: An XML parser library Name: expat Version: %(echo %{unversion} | sed 's/_/./g') -Release: 12%{?dist} +Release: 12%{?dist}.2 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz URL: https://libexpat.github.io/ License: MIT @@ -17,6 +17,8 @@ Patch4: expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch Patch5: expat-2.2.10-Protect-against-malicious-namespace-declarations.patch Patch6: expat-2.2.10-Add-missing-validation-of-encoding.patch Patch7: expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch +Patch8: expat-2.2.10-Prevent-integer-overflow-in-copyString.patch +Patch9: expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch %description This is expat, the C library for parsing XML, written by James Clark. Expat @@ -52,6 +54,8 @@ Install it if you need to link statically with expat. %patch5 -p1 -b .CVE-2022-25236 %patch6 -p1 -b .CVE-2022-25235 %patch7 -p1 -b .CVE-2022-25315 +%patch8 -p1 -b .CVE-2022-25314 +%patch9 -p1 -b .CVE-2022-25313 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am ./buildconf.sh @@ -89,6 +93,15 @@ make check %{_libdir}/lib*.a %changelog +* Tue May 03 2022 Tomas Korbar - 2.2.10-12.2 +- Improve fix for CVE-2022-25313 +- Related: CVE-2022-25313 + +* Tue Apr 26 2022 Tomas Korbar - 2.2.10-12.1 +- Fix multiple CVEs +- Resolves: CVE-2022-25314 +- Resolves: CVE-2022-25313 + * Wed Mar 16 2022 Tomas Korbar - 2.2.10-12 - Build fix for CVE-2022-25236 in rhel-9.0.0 - Related: CVE-2022-25236