!135 CVE-2024-8176的后置补丁

From: @zhuofeng6 Reviewed-by: @hubin95 Signed-off-by: @hubin95
2025-04-16 06:11:34 +00:00 · 2025-04-16 06:11:34 +00:00 · 49c0d577ac
commit 49c0d577ac
parent 61225c7922 7e7d820f4e
3 changed files with 123 additions and 1 deletions
--- a/backport-Make-parser-m_eventPtr-handling-clearer.patch
+++ b/backport-Make-parser-m_eventPtr-handling-clearer.patch
@ -0,0 +1,65 @@
+From bcf353990c651d589c74aa0f283f9b392bbb68bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
+Date: Wed, 19 Mar 2025 15:37:21 +0100
+Subject: [PATCH] Make parser->m_eventPtr handling clearer
+
+Reference: https://github.com/libexpat/libexpat/pull/989/commits/bcf353990c651d589c74aa0f283f9b392bbb68bf
+Conflict: NA
+
+---
+ lib/xmlparse.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 67bd3a54..f8ae864a 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -4334,12 +4334,13 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+       /* LCOV_EXCL_STOP */
+     }
+ 
+-    *eventPP = s = next;
+     switch (parser->m_parsingStatus.parsing) {
+     case XML_SUSPENDED:
+      *eventPP = next;
+       *nextPtr = next;
+       return XML_ERROR_NONE;
+     case XML_FINISHED:
+      *eventPP = next;
+       return XML_ERROR_ABORTED;
+     case XML_PARSING:
+       if (parser->m_reenter) {
+@@ -4347,6 +4348,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+       }
+       /* Fall through */
+     default:;
+      *eventPP = s = next;
+     }
+   }
+   /* not reached */
+@@ -5953,12 +5955,13 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+     default:
+       return XML_ERROR_JUNK_AFTER_DOC_ELEMENT;
+     }
+-    parser->m_eventPtr = s = next;
+     switch (parser->m_parsingStatus.parsing) {
+     case XML_SUSPENDED:
+      parser->m_eventPtr = next;
+       *nextPtr = next;
+       return XML_ERROR_NONE;
+     case XML_FINISHED:
+      parser->m_eventPtr = next;
+       return XML_ERROR_ABORTED;
+     case XML_PARSING:
+       if (parser->m_reenter) {
+@@ -5966,6 +5969,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+       }
+     /* Fall through */
+     default:;
+      parser->m_eventPtr = s = next;
+     }
+   }
+ }
+-- 
+2.37.3
+
--- a/backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch
+++ b/backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch
@ -0,0 +1,52 @@
+From 89a9c6807c982b4fa8aa806dd72771d6642dd8a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
+Date: Wed, 19 Mar 2025 02:20:49 +0100
+Subject: [PATCH] Stop updating m_eventPtr on exit for reentry
+
+The fix for recursive entity processing introduced a reenter flag that
+returns the execution from the current function and switches to entity
+processing.
+
+The same fix also updates the m_eventPtr during this switch. However
+this update changes the behaviour in certain cases as the older version
+does not update the m_eventPtr while recursing into entity processing.
+
+This commit removes the pointer update and restores the old behaviour.
+
+Reference: https://github.com/libexpat/libexpat/pull/989/commits/89a9c6807c982b4fa8aa806dd72771d6642dd8a1
+Conflict: NA
+
+---
+ lib/xmlparse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 626f56af..67bd3a54 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -3402,12 +3402,13 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+       break;
+       /* LCOV_EXCL_STOP */
+     }
+-    *eventPP = s = next;
+     switch (parser->m_parsingStatus.parsing) {
+     case XML_SUSPENDED:
+      *eventPP = next;
+       *nextPtr = next;
+       return XML_ERROR_NONE;
+     case XML_FINISHED:
+      *eventPP = next;
+       return XML_ERROR_ABORTED;
+     case XML_PARSING:
+       if (parser->m_reenter) {
+@@ -3416,6 +3417,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+       }
+       /* Fall through */
+     default:;
+      *eventPP = s = next;
+     }
+   }
+   /* not reached */
+-- 
+2.37.3
+
--- a/expat.spec
+++ b/expat.spec
@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name:           expat
 Version:        2.5.0
-Release:        8
+Release:        9
 Summary:        An XML parser library
 License:        MIT
 URL:            https://libexpat.github.io/
@ -42,6 +42,8 @@ Patch32:        backport-008-CVE-2024-8176.patch
 Patch33:        backport-009-CVE-2024-8176.patch
 Patch34:        backport-010-CVE-2024-8176.patch
 Patch35:        backport-011-CVE-2024-8176.patch
+Patch36:        backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch
+Patch37:        backport-Make-parser-m_eventPtr-handling-clearer.patch

 BuildRequires:  sed,autoconf,automake,gcc-c++,libtool,xmlto

@ -90,6 +92,9 @@ find %{buildroot} -type f -name changelog -delete
 %{_mandir}/man1/*

 %changelog
+* Tue Apr 08 2025 zhuofeng <1107893276@qq.com> - 2.5.0-9
+- backport upstream patches
+
 * Fri Mar 28 2025 zhuofeng <1107893276@qq.com> - 2.5.0-8
 - fix CVE-2024-8176