diff --git a/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch b/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch
new file mode 100644
index 0000000..9c9a640
--- /dev/null
+++ b/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e6132..a39377c23 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+
+ static XML_Char *
+ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+- int charsRequired = 0;
++ size_t charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
+
diff --git a/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch b/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch
new file mode 100644
index 0000000..cfa7c1b
--- /dev/null
+++ b/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch
@@ -0,0 +1,255 @@
+commit 37b45d8ff0f92a7ea0491dd61a0bceb951af332e
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date: Tue May 3 09:57:53 2022 +0200
+
+ Fix CVE-2022-25313
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 0948906..8e84b5a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7138,44 +7138,15 @@ nextScaffoldPart(XML_Parser parser) {
+ return next;
+ }
+
+-static void
+-build_node(XML_Parser parser, int src_node, XML_Content *dest,
+- XML_Content **contpos, XML_Char **strpos) {
+- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+- dest->type = dtd->scaffold[src_node].type;
+- dest->quant = dtd->scaffold[src_node].quant;
+- if (dest->type == XML_CTYPE_NAME) {
+- const XML_Char *src;
+- dest->name = *strpos;
+- src = dtd->scaffold[src_node].name;
+- for (;;) {
+- *(*strpos)++ = *src;
+- if (! *src)
+- break;
+- src++;
+- }
+- dest->numchildren = 0;
+- dest->children = NULL;
+- } else {
+- unsigned int i;
+- int cn;
+- dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = *contpos;
+- *contpos += dest->numchildren;
+- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren;
+- i++, cn = dtd->scaffold[cn].nextsib) {
+- build_node(parser, cn, &(dest->children[i]), contpos, strpos);
+- }
+- dest->name = NULL;
+- }
+-}
+-
+ static XML_Content *
+ build_model(XML_Parser parser) {
++ /* Function build_model transforms the existing parser->m_dtd->scaffold
++ * array of CONTENT_SCAFFOLD tree nodes into a new array of
++ * XML_Content tree nodes followed by a gapless list of zero-terminated
++ * strings. */
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ XML_Content *ret;
+- XML_Content *cpos;
+- XML_Char *str;
++ XML_Char *str; /* the current string writing location */
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+@@ -7201,10 +7172,96 @@ build_model(XML_Parser parser) {
+ if (! ret)
+ return NULL;
+
+- str = (XML_Char *)(&ret[dtd->scaffCount]);
+- cpos = &ret[1];
++ /* What follows is an iterative implementation (of what was previously done
++ * recursively in a dedicated function called "build_node". The old recursive
++ * build_node could be forced into stack exhaustion from input as small as a
++ * few megabyte, and so that was a security issue. Hence, a function call
++ * stack is avoided now by resolving recursion.)
++ *
++ * The iterative approach works as follows:
++ *
++ * - We have two writing pointers, both walking up the result array; one does
++ * the work, the other creates "jobs" for its colleague to do, and leads
++ * the way:
++ *
++ * - The faster one, pointer jobDest, always leads and writes "what job
++ * to do" by the other, once they reach that place in the
++ * array: leader "jobDest" stores the source node array index (relative
++ * to array dtd->scaffold) in field "numchildren".
++ *
++ * - The slower one, pointer dest, looks at the value stored in the
++ * "numchildren" field (which actually holds a source node array index
++ * at that time) and puts the real data from dtd->scaffold in.
++ *
++ * - Before the loop starts, jobDest writes source array index 0
++ * (where the root node is located) so that dest will have something to do
++ * when it starts operation.
++ *
++ * - Whenever nodes with children are encountered, jobDest appends
++ * them as new jobs, in order. As a result, tree node siblings are
++ * adjacent in the resulting array, for example:
++ *
++ * [0] root, has two children
++ * [1] first child of 0, has three children
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ * [2] second child of 0, does not have children
++ *
++ * Or (the same data) presented in flat array view:
++ *
++ * [0] root, has two children
++ *
++ * [1] first child of 0, has three children
++ * [2] second child of 0, does not have children
++ *
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ *
++ * - The algorithm repeats until all target array indices have been processed.
++ */
++ XML_Content *dest = ret; /* tree node writing location, moves upwards */
++ XML_Content *const destLimit = &ret[dtd->scaffCount];
++ XML_Content *jobDest = ret; /* next free writing location in target array */
++ str = (XML_Char *)&ret[dtd->scaffCount];
++
++ /* Add the starting job, the root node (index 0) of the source tree */
++ (jobDest++)->numchildren = 0;
++
++ for (; dest < destLimit; dest++) {
++ /* Retrieve source tree array index from job storage */
++ const int src_node = (int)dest->numchildren;
++
++ /* Convert item */
++ dest->type = dtd->scaffold[src_node].type;
++ dest->quant = dtd->scaffold[src_node].quant;
++ if (dest->type == XML_CTYPE_NAME) {
++ const XML_Char *src;
++ dest->name = str;
++ src = dtd->scaffold[src_node].name;
++ for (;;) {
++ *str++ = *src;
++ if (! *src)
++ break;
++ src++;
++ }
++ dest->numchildren = 0;
++ dest->children = NULL;
++ } else {
++ unsigned int i;
++ int cn;
++ dest->name = NULL;
++ dest->numchildren = dtd->scaffold[src_node].childcnt;
++ dest->children = jobDest;
++
++ /* Append scaffold indices of children to array */
++ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib)
++ (jobDest++)->numchildren = (unsigned int)cn;
++ }
++ }
+
+- build_node(parser, 0, ret, &cpos, &str);
+ return ret;
+ }
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 7293d46..05f3083 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -2677,6 +2677,82 @@ START_TEST(test_dtd_elements) {
+ }
+ END_TEST
+
++static void XMLCALL
++element_decl_check_model(void *userData, const XML_Char *name,
++ XML_Content *model) {
++ UNUSED_P(userData);
++ uint32_t errorFlags = 0;
++
++ /* Expected model array structure is this:
++ * [0] (type 6, quant 0)
++ * [1] (type 5, quant 0)
++ * [3] (type 4, quant 0, name "bar")
++ * [4] (type 4, quant 0, name "foo")
++ * [5] (type 4, quant 3, name "xyz")
++ * [2] (type 4, quant 2, name "zebra")
++ */
++ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0));
++ errorFlags |= ((model != NULL) ? 0 : (1u << 1));
++
++ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2));
++ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3));
++ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4));
++ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5));
++ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6));
++
++ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7));
++ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8));
++ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9));
++ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10));
++ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11));
++
++ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12));
++ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13));
++ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14));
++ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15));
++ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16));
++
++ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17));
++ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18));
++ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19));
++ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20));
++ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21));
++
++ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22));
++ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23));
++ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24));
++ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25));
++ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26));
++
++ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27));
++ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28));
++ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29));
++ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30));
++ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31));
++
++ XML_SetUserData(g_parser, (void *)(uintptr_t)errorFlags);
++ XML_FreeContentModel(g_parser, model);
++}
++
++START_TEST(test_dtd_elements_nesting) {
++ // Payload inspired by a test in Perl's XML::Parser
++ const char *text = "<!DOCTYPE foo [\n"
++ "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>\n"
++ "]>\n"
++ "<foo/>";
++
++ XML_SetUserData(g_parser, (void *)(uintptr_t)-1);
++
++ XML_SetElementDeclHandler(g_parser, element_decl_check_model);
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(g_parser);
++
++ if ((uint32_t)(uintptr_t)XML_GetUserData(g_parser) != 0)
++ fail("Element declaration model regression detected");
++}
++END_TEST
++
+ /* Test foreign DTD handling */
+ START_TEST(test_set_foreign_dtd) {
+ const char *text1 = "<?xml version='1.0' encoding='us-ascii'?>\n";
+@@ -11487,6 +11563,7 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_memory_allocation);
+ tcase_add_test(tc_basic, test_default_current);
+ tcase_add_test(tc_basic, test_dtd_elements);
++ tcase_add_test(tc_basic, test_dtd_elements_nesting);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_set_foreign_dtd);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_foreign_dtd_not_standalone);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_invalid_foreign_dtd);
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index d57f447..8752e1e 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -3,7 +3,7 @@
Summary: An XML parser library
Name: expat
Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 12%{?dist}
+Release: 12%{?dist}.2
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
URL: https://libexpat.github.io/
License: MIT
@@ -17,6 +17,8 @@ Patch4: expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
Patch5: expat-2.2.10-Protect-against-malicious-namespace-declarations.patch
Patch6: expat-2.2.10-Add-missing-validation-of-encoding.patch
Patch7: expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch
+Patch8: expat-2.2.10-Prevent-integer-overflow-in-copyString.patch
+Patch9: expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch
%description
This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -52,6 +54,8 @@ Install it if you need to link statically with expat.
%patch5 -p1 -b .CVE-2022-25236
%patch6 -p1 -b .CVE-2022-25235
%patch7 -p1 -b .CVE-2022-25315
+%patch8 -p1 -b .CVE-2022-25314
+%patch9 -p1 -b .CVE-2022-25313
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
./buildconf.sh
@@ -89,6 +93,15 @@ make check
%{_libdir}/lib*.a
%changelog
+* Tue May 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12.2
+- Improve fix for CVE-2022-25313
+- Related: CVE-2022-25313
+
+* Tue Apr 26 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12.1
+- Fix multiple CVEs
+- Resolves: CVE-2022-25314
+- Resolves: CVE-2022-25313
+
* Wed Mar 16 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12
- Build fix for CVE-2022-25236 in rhel-9.0.0
- Related: CVE-2022-25236