Fix CVE-2024-50602

(cherry picked from commit 98c0bcc7be2c709830e7abeeb0851030edcae208)
2024-10-29 20:01:39 +08:00 · 2024-10-29 20:01:39 +08:00 · b17e30b0ae
commit b17e30b0ae
parent bd976649cb
3 changed files with 164 additions and 1 deletions
--- a/backport-CVE-2024-50602-testcase.patch
+++ b/backport-CVE-2024-50602-testcase.patch
@ -0,0 +1,88 @@
 From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sun, 20 Oct 2024 23:24:27 +0200
 Subject: [PATCH 3/3] tests: Cover XML_StopParser's new handling of status
 XML_INITIALIZED
 Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
 would crash with a NULL pointer dereference in function normal_updatePosition.
 This was the AddressSanitizer output:
 > AddressSanitizer:DEADLYSIGNAL
 > =================================================================
 > ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
 > ==19700==The signal is caused by a READ memory access.
 > ==19700==Hint: address points to the zero page.
 >     #0 0x5623e07ad85f in normal_updatePosition [..]/lib/xmltok_impl.c:1781:13
 >     #1 0x5623e07a52ff in initUpdatePosition [..]/lib/xmltok.c:1031:3
 >     #2 0x5623e0762760 in XML_ResumeParser [..]/lib/xmlparse.c:2297:3
 >     #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
 >     #4 0x5623e074e228 in srunner_run_all ([..]/build_asan_fuzzers/tests/runtests_cxx+0x136228)
 >     #5 0x5623e0753d2d in main ([..]/build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
 >     #6 0x7f802a39af79  (/lib64/libc.so.6+0x25f79)
 >     #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
 >     #8 0x5623e064f340 in _start ([..]/build_asan_fuzzers/tests/runtests_cxx+0x37340)
 >
 > AddressSanitizer can not provide additional info.
 > SUMMARY: AddressSanitizer: SEGV [..]/lib/xmltok_impl.c:1781:13 in normal_updatePosition
 > ==19700==ABORTING
 And this the UndefinedBehaviorSanitizer output:
 > [..]/lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'
 > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior [..]/lib/xmltok_impl.c:1781:13 in
 ---
 tests/runtests.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 diff --git a/tests/runtests.c b/tests/runtests.c
 index 3c710d9..9f85011 100644
 --- a/tests/runtests.c
 +++ b/tests/runtests.c
@@ -8089,6 +8089,34 @@ START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
 }
 END_TEST
 +START_TEST(test_misc_resumeparser_not_crashing) {
 +  XML_Parser parser = XML_ParserCreate(NULL);
 +  XML_GetBuffer(parser, 1);
 +  XML_StopParser(parser, /*resumable=*/XML_TRUE);
 +  XML_ResumeParser(parser); // could crash here, previously
 +  XML_ParserFree(parser);
 +}
 +END_TEST
 +
 +START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
 +  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
 +  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
 +    const XML_Bool resumable = cases[i];
 +    XML_Parser parser = XML_ParserCreate(NULL);
 +
 +    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
 +       fail("There was not supposed to be any initial parse error.");
 +
 +   if (XML_StopParser(parser, resumable) != XML_STATUS_ERROR)
 +       fail("Attempting to suspend a subordinate parser not faulted.");
 +
 +   if (XML_GetErrorCode(parser) != XML_ERROR_NOT_STARTED)
 +       fail("parser not started.");
 +    XML_ParserFree(parser);
 +  }
 +}
 +END_TEST
 +
 static void
 alloc_setup(void) {
   XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
@@ -12575,6 +12603,8 @@ make_suite(void) {
   tcase_add_test(tc_misc, test_misc_stop_during_end_handler_issue_240_2);
   tcase_add_test__ifdef_xml_dtd(
       tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
 +  tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
 +  tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
   suite_add_tcase(s, tc_alloc);
   tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
 -- 
 2.27.0
--- a/backport-CVE-2024-50602.patch
+++ b/backport-CVE-2024-50602.patch
@ -0,0 +1,70 @@
 From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Mon, 21 Oct 2024 01:42:54 +0200
 Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
 unstarted parser
 ---
 lib/expat.h    |  4 +++-
 lib/xmlparse.c | 11 ++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
 diff --git a/lib/expat.h b/lib/expat.h
 index 504727a..3a9ac2c 100644
 --- a/lib/expat.h
 +++ b/lib/expat.h
@@ -127,7 +127,9 @@ enum XML_Error {
   /* Added in 2.3.0. */
   XML_ERROR_NO_BUFFER,
   /* Added in 2.4.0. */
 -  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
 +  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
 +  /* Added in 2.6.4. */
 +  XML_ERROR_NOT_STARTED,
 };
 enum XML_Content_Type {
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 index 75cb51d..e13b2bf 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
@@ -2208,6 +2208,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
   if (parser == NULL)
     return XML_STATUS_ERROR;
   switch (parser->m_parsingStatus.parsing) {
 +  case XML_INITIALIZED:
 +    parser->m_errorCode = XML_ERROR_NOT_STARTED;
 +    return XML_STATUS_ERROR;
   case XML_SUSPENDED:
     if (resumable) {
       parser->m_errorCode = XML_ERROR_SUSPENDED;
@@ -2218,7 +2221,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
   case XML_FINISHED:
     parser->m_errorCode = XML_ERROR_FINISHED;
     return XML_STATUS_ERROR;
 -  default:
 +  case XML_PARSING:
     if (resumable) {
 #ifdef XML_DTD
       if (parser->m_isParamEntity) {
@@ -2229,6 +2232,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
       parser->m_parsingStatus.parsing = XML_SUSPENDED;
     } else
       parser->m_parsingStatus.parsing = XML_FINISHED;
 +    break;
 +  default:
 +    assert(0);
   }
   return XML_STATUS_OK;
 }
@@ -2493,6 +2499,9 @@ XML_ErrorString(enum XML_Error code) {
   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
     return XML_L(
         "limit on input amplification factor (from DTD and entities) breached");
 +  /* Added in 2.6.4. */
 +  case XML_ERROR_NOT_STARTED:
 +    return XML_L("parser not started");
   }
   return NULL;
 }
 -- 
 2.27.0
--- a/expat.spec
+++ b/expat.spec
@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name:           expat
 Version:        2.4.1
-Release:        13
+Release:        14
 Summary:        An XML parser library
 License:        MIT
 URL:            https://libexpat.github.io/
@ -52,6 +52,8 @@ Patch41:        backport-002-CVE-2024-45490.patch
 Patch42:        backport-003-CVE-2024-45490.patch
 Patch43:        backport-CVE-2024-45491.patch
 Patch44:        backport-CVE-2024-45492.patch
 Patch45:        backport-CVE-2024-50602.patch
 Patch46:        backport-CVE-2024-50602-testcase.patch
 BuildRequires:  sed,autoconf,automake,gcc-c++,libtool,xmlto
@ -105,6 +107,9 @@ make check
 %{_mandir}/man1/*
 %changelog
 * Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.4.1-14
 - fix CVE-2024-50602
 * Wed Sep 04 2024 Funda Wang <fundawang@yeah.net> - 2.4.1-13
 - fix CVE-2024-45491, CVE-2024-45492