packages/expat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!55 fix CVE-2022-43680

Browse Source 
From: @fly_fzc 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
This commit is contained in:
openeuler-ci-bot 2022-10-29 03:36:19 +00:00 committed by Gitee
commit c099ece464
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 113 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
backport-CVE-2022-43680.patch Normal file
View File

@ -0,0 +1,29 @@
From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Tue, 20 Sep 2022 02:44:34 +0200
Subject: [PATCH] lib: Fix overeager DTD destruction in
XML_ExternalEntityParserCreate
---
lib/xmlparse.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index aacd6e7fc..57bf103cc 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
parserInit(parser, encodingName);
if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
XML_ParserFree(parser);
return NULL;
}

77
backport-tests-Cover-overeager-DTD-destruction-in-XML_Externa.patch Normal file
View File

@ -0,0 +1,77 @@
From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Sep 2022 18:16:15 +0200
Subject: [PATCH] tests: Cover overeager DTD destruction in
XML_ExternalEntityParserCreate
---
tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/tests/runtests.c b/tests/runtests.c
index 245fe9bda..acb744dd4 100644
--- a/tests/runtests.c
+++ b/tests/runtests.c
@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) {
}
END_TEST
+static int XMLCALL
+external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
+ const XML_Char *context,
+ const XML_Char *base,
+ const XML_Char *systemId,
+ const XML_Char *publicId) {
+ UNUSED_P(base);
+ UNUSED_P(systemId);
+ UNUSED_P(publicId);
+
+ if (context != NULL)
+ fail("Unexpected non-NULL context");
+
+ // The following number intends to fail the upcoming allocation in line
+ // "parser->m_protocolEncodingName = copyString(encodingName,
+ // &(parser->m_mem));" in function parserInit.
+ allocation_count = 3;
+
+ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
+ const XML_Parser ext_parser
+ = XML_ExternalEntityParserCreate(parser, context, encodingName);
+ if (ext_parser != NULL)
+ fail(
+ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
+
+ allocation_count = ALLOC_ALWAYS_SUCCEED;
+ return XML_STATUS_ERROR;
+}
+
+START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
+ const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>";
+
+ XML_SetExternalEntityRefHandler(
+ g_parser, external_entity_parser_create_alloc_fail_handler);
+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+
+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
+ != XML_STATUS_ERROR)
+ fail("Call to parse was expected to fail");
+
+ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
+ fail("Call to parse was expected to fail from the external entity handler");
+
+ XML_ParserReset(g_parser, NULL);
+}
+END_TEST
+
static void
nsalloc_setup(void) {
XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
@@ -12401,6 +12448,8 @@ make_suite(void) {
tcase_add_test(tc_alloc, test_alloc_long_public_id);
tcase_add_test(tc_alloc, test_alloc_long_entity_value);
tcase_add_test(tc_alloc, test_alloc_long_notation);
+ tcase_add_test__ifdef_xml_dtd(
+ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
suite_add_tcase(s, tc_nsalloc);
tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);

9
expat.spec
View File

@ -1,7 +1,7 @@
%define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/') %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
Name: expat Name: expat
Version: 2.4.8 Version: 2.4.8
Release: 3 Release: 4
Summary: An XML parser library Summary: An XML parser library
License: MIT License: MIT
URL: https://libexpat.github.io/ URL: https://libexpat.github.io/
@ -9,6 +9,8 @@ Source0: https://github.com/libexpat/libexpat/releases/download/%{Rversio
Patch0: backport-0001-CVE-2022-40674.patch Patch0: backport-0001-CVE-2022-40674.patch
Patch1: backport-0002-CVE-2022-40674.patch Patch1: backport-0002-CVE-2022-40674.patch
Patch2: backport-CVE-2022-43680.patch
Patch3: backport-tests-Cover-overeager-DTD-destruction-in-XML_Externa.patch
BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@ -62,10 +64,13 @@ make check
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Sat Oct 29 2022 fuanan <fuanan3@h-partners.com> - 2.4.8-4
- fix CVE-2022-43680
* Thu Sep 15 2022 panxiaohe <panxh.life@foxmail.com> - 2.4.8-3 * Thu Sep 15 2022 panxiaohe <panxh.life@foxmail.com> - 2.4.8-3
- add test for CVE-2022-40674 - add test for CVE-2022-40674
* Thu Sep 15 2022 dillon chen<dillon.chen@gmail.com> -2.4.8-2 * Thu Sep 15 2022 dillon chen<dillon.chen@gmail.com> - 2.4.8-2
- fix CVE-2022-40674 - fix CVE-2022-40674
* Fri Jul 1 2022 panxiaohe <panxh.life@foxmail.com> - 2.4.8-1 * Fri Jul 1 2022 panxiaohe <panxh.life@foxmail.com> - 2.4.8-1