From dcbb5846ea8852ff03093d5975deb8b30dbc12be Mon Sep 17 00:00:00 2001
From: pshysimon <743031499@qq.com>
Date: Mon, 2 Sep 2024 11:19:47 +0800
Subject: [PATCH] fix CVE-2024-45491
---
 backport-001-CVE-2024-45490.patch | 46 +++++++++++++++++
 backport-002-CVE-2024-45490.patch | 31 ++++++++++++
 backport-003-CVE-2024-45490.patch | 84 +++++++++++++++++++++++++++++++
 expat.spec | 8 ++-
 4 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100644 backport-001-CVE-2024-45490.patch
 create mode 100644 backport-002-CVE-2024-45490.patch
 create mode 100644 backport-003-CVE-2024-45490.patch
diff --git a/backport-001-CVE-2024-45490.patch b/backport-001-CVE-2024-45490.patch
new file mode 100644
index 0000000..d9db9ec
--- /dev/null
+++ b/backport-001-CVE-2024-45490.patch
@@ -0,0 +1,46 @@
+From d728c268c46879c5c4b8479e60f8fa7804de22d7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sun, 25 Aug 2024 19:09:51 +0200
+Subject: [PATCH] doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0"
+
+---
+ doc/reference.html | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index f4584b6..7d30fae 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by len. This means
+ that s doesn't have to be null terminated. It also means that
+ if len is larger than the number of bytes in the block of
+-memory that s points at, then a memory fault is likely. The
++memory that s points at, then a memory fault is likely.
++Negative values for len are rejected since Expat 2.2.1.
++The
+ isFinal parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ len is zero.)
+@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
+ int isFinal);
+ +
++

+ This is just like XML_Parse, + except in this case Expat provides the buffer. By obtaining the + buffer from Expat with the XML_GetBuffer function, the application can avoid double + copying of the input. ++

++ ++

++Negative values for len are rejected since Expat 2.6.3. ++

+
+ +

XML_GetBuffer

+--
+2.33.0
+
+
diff --git a/backport-002-CVE-2024-45490.patch b/backport-002-CVE-2024-45490.patch
new file mode 100644
index 0000000..1eb748c
--- /dev/null
+++ b/backport-002-CVE-2024-45490.patch
@@ -0,0 +1,31 @@
+From a5d580af424bde0c83ad64fcc8bd3beff1db317d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bd6aa72..8b9046e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2016,6 +2016,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
++
++ if (len < 0) {
++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++ return XML_STATUS_ERROR;
++ }
++
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+--
+2.33.0
+
+
diff --git a/backport-003-CVE-2024-45490.patch b/backport-003-CVE-2024-45490.patch
new file mode 100644
index 0000000..db670ed
--- /dev/null
+++ b/backport-003-CVE-2024-45490.patch
@@ -0,0 +1,84 @@
+From a882e725dd057db98907f6b03b733f0f6889aee7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Tue, 20 Aug 2024 22:57:12 +0200
+Subject: [PATCH] tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer
+
+---
+ tests/runtests.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 02c8c85..4649359 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -3978,6 +3978,57 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+
++/* Test XML_Parse for len < 0 */
++START_TEST(test_negative_len_parse) {
++ const char *const doc = "";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++/* Test XML_ParseBuffer for len < 0 */
++START_TEST(test_negative_len_parse_buffer) {
++ const char *const doc = "";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
++
++ if (buffer == NULL)
++ fail("XML_GetBuffer failed.");
++
++ memcpy(buffer, doc, strlen(doc));
++
++ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++
fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12474,6 +12525,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+ tcase_add_test(tc_basic, test_empty_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+ tcase_add_test(tc_basic, test_get_buffer_1);
+ tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
+--
+2.33.0
+
+
diff --git a/expat.spec b/expat.spec
index b4ec4af..f72e669 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
 Version: 2.5.0
-Release: 3
+Release: 4
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
@@ -24,6 +24,9 @@ Patch14: backport-006-CVE-2023-52425.patch
 Patch15: backport-007-CVE-2023-52425.patch
 Patch16: backport-008-CVE-2023-52425.patch
 Patch17: backport-009-CVE-2023-52425.patch
+Patch18: backport-001-CVE-2024-45490.patch
+Patch19: backport-002-CVE-2024-45490.patch
+Patch20: backport-003-CVE-2024-45490.patch
 BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@@ -77,6 +80,9 @@ make check
 %{_mandir}/man1/*
 %changelog
+* Mon Sep 2 2024 caixiaomeng - 2.5.0-4
+- fix CVE-2024-45491
+
 * Wed Jun 12 2024 wangjiang - 2.5.0-3
 - fix CVE-2023-52425
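Review bot: Both new tests declare `const char *const doc = "";`, and as printed that makes test_negative_len_parse_buffer request `XML_GetBuffer(parser, 0)` and then memcpy zero bytes into it, so the buffer variant exercises nothing but the negative-len rejection; on a freshly created parser a zero-length request may also come back NULL and trip `fail("XML_GetBuffer failed.")`, failing the test for the wrong reason. Other lines on this page have visibly lost angle-bracketed text (the `From: Sebastian Pipping` lines carry no address), so the empty literal is likely a rendering artifact of a small XML document rather than what the backport file contains; verify the .patch on disk has a non-empty document there, for example a single empty element. If it really is empty, give doc a short well-formed document so the buffer path is populated before `XML_ParseBuffer(parser, -1, isFinal)` is called.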
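Review bot: The added `%changelog` entry `- fix CVE-2024-45491` (and the commit subject) names a different CVE from the one the Patch18–Patch20 lines in the hunk above actually pull in: the files are named backport-00N-CVE-2024-45490.patch and their content — rejecting `len < 0` in XML_ParseBuffer, with its documentation and tests — is the CVE-2024-45490 fix. CVE-2024-45491 is, to my knowledge, a separate expat 2.6.3 fix (the integer overflow in dtdCopy) that none of these hunks touches, so either the label is wrong or a backport is missing from this release. Either change the changelog line and subject to `- fix CVE-2024-45490`, or add the CVE-2024-45491 backport as a further PatchNN entry and list both CVEs; as submitted, someone auditing the changelog for CVE-2024-45490 will not find this fix and someone checking CVE-2024-45491 will wrongly believe it fixed.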