From c22f2d887021bc0b3b72af2824c460d1614bb58c Mon Sep 17 00:00:00 2001
From: pshysimon <743031499@qq.com>
Date: Tue, 3 Sep 2024 11:02:01 +0800
Subject: [PATCH] fix CVE 2024 45490
---
 ._backport-008-CVE-2023-52425.patch | Bin 4096 -> 0 bytes
 backport-001-CVE-2024-45490.patch | 46 +++++++++++++++
 backport-002-CVE-2024-45490.patch | 31 ++++++++++
 backport-003-CVE-2024-45490.patch | 84 ++++++++++++++++++++++++++++
 expat.spec | 8 ++-
 5 files changed, 168 insertions(+), 1 deletion(-)
 delete mode 100644 ._backport-008-CVE-2023-52425.patch
 create mode 100644 backport-001-CVE-2024-45490.patch
 create mode 100644 backport-002-CVE-2024-45490.patch
 create mode 100644 backport-003-CVE-2024-45490.patch
diff --git a/._backport-008-CVE-2023-52425.patch b/._backport-008-CVE-2023-52425.patch deleted file mode 100644 index d5cdec9a70df7788afd9fe8bd61193abc62791bb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4096 zcmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDJkFz{^v(m+1nBL)UWIUt(=a103v0xDsI z=wLViWJ{xI0htaG7hqtJO3u&KODrhJN!80qEG{W6PEAQkEJ;-k2!`sp0HnDY7(@~3 z3X1Z}Qu7k?l2aLudWffi)D`(yX@h8>rE3~y9{KdW{Wyp_3PwX +Date: Sun, 25 Aug 2024 19:09:51 +0200 +Subject: [PATCH] doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0" + +--- + doc/reference.html | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/doc/reference.html b/doc/reference.html +index f4584b6..7d30fae 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s + that are part of the document is indicated by len. This means + that s doesn't have to be null terminated. It also means that + if len is larger than the number of bytes in the block of +-memory that s points at, then a memory fault is likely. The ++memory that s points at, then a memory fault is likely. ++Negative values for len are rejected since Expat 2.2.1. ++The + isFinal parameter informs the parser that this is the last + piece of the document. Frequently, the last piece is empty (i.e. + len is zero.) +@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p, + int isFinal); + +
++

+ This is just like XML_Parse, + except in this case Expat provides the buffer. By obtaining the + buffer from Expat with the XML_GetBuffer function, the application can avoid double + copying of the input. ++

++ ++

++Negative values for len are rejected since Expat 2.6.3. ++

+
+ +

XML_GetBuffer

+-- 
+2.33.0
+
+
diff --git a/backport-002-CVE-2024-45490.patch b/backport-002-CVE-2024-45490.patch
new file mode 100644
index 0000000..1eb748c
--- /dev/null
+++ b/backport-002-CVE-2024-45490.patch
@@ -0,0 +1,31 @@
+From a5d580af424bde0c83ad64fcc8bd3beff1db317d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bd6aa72..8b9046e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2016,6 +2016,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ 
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
++
++ if (len < 0) {
++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++ return XML_STATUS_ERROR;
++ }
++
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+-- 
+2.33.0
+
+
diff --git a/backport-003-CVE-2024-45490.patch b/backport-003-CVE-2024-45490.patch
new file mode 100644
index 0000000..db670ed
--- /dev/null
+++ b/backport-003-CVE-2024-45490.patch
@@ -0,0 +1,84 @@
+From a882e725dd057db98907f6b03b733f0f6889aee7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Tue, 20 Aug 2024 22:57:12 +0200
+Subject: [PATCH] tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer
+
+---
+ tests/runtests.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 02c8c85..4649359 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -3978,6 +3978,57 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+ 
++/* Test XML_Parse for len < 0 */
++START_TEST(test_negative_len_parse) {
++ const char *const doc = "";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++/* Test XML_ParseBuffer for len < 0 */
++START_TEST(test_negative_len_parse_buffer) {
++ const char *const doc = "";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
++
++ if (buffer == NULL)
++ fail("XML_GetBuffer failed.");
++
++ memcpy(buffer, doc, strlen(doc));
++
++ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12474,6 +12525,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+ tcase_add_test(tc_basic, test_empty_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+ tcase_add_test(tc_basic, test_get_buffer_1);
+ tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
+-- 
+2.33.0
+
+
diff --git a/expat.spec b/expat.spec
index e450001..b53b418 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,7 +1,7 @@ %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
 Version: 2.4.1
-Release: 11
+Release: 12
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
@@ -47,6 +47,9 @@ Patch36: backport-006-CVE-2023-52425.patch
 Patch37: backport-007-CVE-2023-52425.patch
 Patch38: backport-008-CVE-2023-52425.patch
 Patch39: backport-009-CVE-2023-52425.patch
+Patch40: backport-001-CVE-2024-45490.patch
+Patch41: backport-002-CVE-2024-45490.patch
+Patch42: backport-003-CVE-2024-45490.patch
 
 BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
 
@@ -100,6 +103,9 @@ make check
 %{_mandir}/man1/*
 
 %changelog
+* Tue Sep 3 2024 caixiaomeng - 2.4.1-12
+- fix CVE-2024-45490
+
 * Thu Apr 11 2024 caixiaomeng - 2.4.1-11
 - fix CVE-2023-52425
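Review bot: Both new tests in backport-003 initialise the document as `const char *const doc = "";` as rendered here, which in `test_negative_len_parse_buffer` makes `XML_GetBuffer(parser, (int)strlen(doc))` a zero-length request; presumably the upstream literal is a small XML document whose angle brackets were stripped as markup in this view, so confirm the patch file on disk still carries it, because with a genuinely empty `doc` a zero-length XML_GetBuffer may legitimately return NULL and the test would then stop at `fail("XML_GetBuffer failed.")` instead of exercising the negative-len path. The tests also call `strlen` and `memcpy`, so `tests/runtests.c` needs `<string.h>` in scope — very likely already the case for the existing tests, but the include block is outside this hunk. The inner hunk offsets (`@@ -3978,6 +3978,57 @@`, `@@ -12474,6 +12525,8 @@`) come from the upstream tree, so against 2.4.1 expect them to apply with an offset; since the spec visibly runs `make check` (it appears as the context of the `@@ -100,6 +103,9 @@` header), a hunk that lands in the wrong place would at least surface at build time.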
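Review bot: The `@@ -47,6 +47,9 @@` hunk declares `Patch40`–`Patch42`, but whether they are applied is decided in `%prep`, which is outside the hunk: if this spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, three matching `%patch40 -p1` … `%patch42 -p1` lines are required as well, otherwise the package builds and ships 2.4.1-12 with the CVE-2024-45490 fix silently absent. At minimum the build log should show all three patches being applied, and the new `test_negative_len_parse_buffer` case being run by `make check`. The removal of `._backport-008-CVE-2023-52425.patch` (a 4096-byte binary whose `._` prefix looks like a macOS sidecar file) is unrelated housekeeping and would be clearer as its own commit, or at least mentioned in the commit message.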