fix CVE-2024-50602

(cherry picked from commit d033ab7be9cb380f7eada98d47759bec203376b8)
2024-10-29 13:57:11 +08:00 · 2024-10-29 13:57:11 +08:00 · b14adfa69c
commit b14adfa69c
parent 323f716435
2 changed files with 75 additions and 1 deletions
--- a/backport-CVE-2024-50602.patch
+++ b/backport-CVE-2024-50602.patch
@ -0,0 +1,70 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+---
+ lib/expat.h    |  4 +++-
+ lib/xmlparse.c | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 504727a..3a9ac2c 100644
+--- a/lib/expat.h
+++ b/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
+  /* Added in 2.6.4. */
+  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 75cb51d..e13b2bf 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2208,6 +2208,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
+  case XML_INITIALIZED:
+    parser->m_errorCode = XML_ERROR_NOT_STARTED;
+    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2218,7 +2221,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
+  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2229,6 +2232,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
+    break;
+  default:
+    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+@@ -2493,6 +2499,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
+  /* Added in 2.6.4. */
+  case XML_ERROR_NOT_STARTED:
+    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+-- 
+2.27.0
--- a/expat.spec
+++ b/expat.spec
@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name:           expat
 Version:        2.5.0
-Release:        5
+Release:        6
 Summary:        An XML parser library
 License:        MIT
 URL:            https://libexpat.github.io/
@ -29,6 +29,7 @@ Patch19:        backport-002-CVE-2024-45490.patch
 Patch20:        backport-003-CVE-2024-45490.patch
 Patch21:        backport-CVE-2024-45491.patch
 Patch22:        backport-CVE-2024-45492.patch
+Patch23:        backport-CVE-2024-50602.patch

 BuildRequires:  sed,autoconf,automake,gcc-c++,libtool,xmlto

@ -77,6 +78,9 @@ find %{buildroot} -type f -name changelog -delete
 %{_mandir}/man1/*

 %changelog
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-6
+- fix CVE-2024-50602
+
 * Wed Sep 04 2024 Funda Wang <fundawang@yeah.net> - 2.5.0-5
 - fix CVE-2024-45491, CVE-2024-45492