packages/expat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!96 fix CVE-2024-45490

Browse Source 
From: @pshysimon 
Reviewed-by: @hubin95 
Signed-off-by: @hubin95
This commit is contained in:
openeuler-ci-bot 2024-09-02 04:00:13 +00:00 committed by Gitee
commit d120f4736b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 168 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
backport-001-CVE-2024-45490.patch Normal file
View File

@ -0,0 +1,46 @@
From d728c268c46879c5c4b8479e60f8fa7804de22d7 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 25 Aug 2024 19:09:51 +0200
Subject: [PATCH] doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0"
---
doc/reference.html | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/reference.html b/doc/reference.html
index f4584b6..7d30fae 100644
--- a/doc/reference.html
+++ b/doc/reference.html
@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
that are part of the document is indicated by <code>len</code>. This means
that <code>s</code> doesn't have to be null terminated. It also means that
if <code>len</code> is larger than the number of bytes in the block of
-memory that <code>s</code> points at, then a memory fault is likely. The
+memory that <code>s</code> points at, then a memory fault is likely.
+Negative values for <code>len</code> are rejected since Expat 2.2.1.
+The
<code>isFinal</code> parameter informs the parser that this is the last
piece of the document. Frequently, the last piece is empty (i.e.
<code>len</code> is zero.)
@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
int isFinal);
</pre>
<div class="fcndef">
+<p>
This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
except in this case Expat provides the buffer. By obtaining the
buffer from Expat with the <code><a href= "#XML_GetBuffer"
>XML_GetBuffer</a></code> function, the application can avoid double
copying of the input.
+</p>
+
+<p>
+Negative values for <code>len</code> are rejected since Expat 2.6.3.
+</p>
</div>
<h4 id="XML_GetBuffer">XML_GetBuffer</h4>
--
2.33.0

31
backport-002-CVE-2024-45490.patch Normal file
View File

@ -0,0 +1,31 @@
From a5d580af424bde0c83ad64fcc8bd3beff1db317d Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:26:07 +0200
Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
Reported by TaiYou
---
lib/xmlparse.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index bd6aa72..8b9046e 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2016,6 +2016,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
if (parser == NULL)
return XML_STATUS_ERROR;
+
+ if (len < 0) {
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+ return XML_STATUS_ERROR;
+ }
+
switch (parser->m_parsingStatus.parsing) {
case XML_SUSPENDED:
parser->m_errorCode = XML_ERROR_SUSPENDED;
--
2.33.0

84
backport-003-CVE-2024-45490.patch Normal file
View File

@ -0,0 +1,84 @@
From a882e725dd057db98907f6b03b733f0f6889aee7 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Tue, 20 Aug 2024 22:57:12 +0200
Subject: [PATCH] tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer
---
tests/runtests.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/tests/runtests.c b/tests/runtests.c
index 02c8c85..4649359 100644
--- a/tests/runtests.c
+++ b/tests/runtests.c
@@ -3978,6 +3978,57 @@ START_TEST(test_empty_parse) {
}
END_TEST
+/* Test XML_Parse for len < 0 */
+START_TEST(test_negative_len_parse) {
+ const char *const doc = "<root/>";
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
+ XML_Parser parser = XML_ParserCreate(NULL);
+
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+ fail("There was not supposed to be any initial parse error.");
+
+ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
+
+ if (status != XML_STATUS_ERROR)
+ fail("Negative len was expected to fail the parse but did not.");
+
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
+
+ XML_ParserFree(parser);
+ }
+}
+END_TEST
+
+/* Test XML_ParseBuffer for len < 0 */
+START_TEST(test_negative_len_parse_buffer) {
+ const char *const doc = "<root/>";
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
+ XML_Parser parser = XML_ParserCreate(NULL);
+
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+ fail("There was not supposed to be any initial parse error.");
+
+ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
+
+ if (buffer == NULL)
+ fail("XML_GetBuffer failed.");
+
+ memcpy(buffer, doc, strlen(doc));
+
+ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
+
+ if (status != XML_STATUS_ERROR)
+ fail("Negative len was expected to fail the parse but did not.");
+
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
+
+ XML_ParserFree(parser);
+ }
+}
+END_TEST
+
/* Test odd corners of the XML_GetBuffer interface */
static enum XML_Status
get_feature(enum XML_FeatureEnum feature_id, long *presult) {
@@ -12474,6 +12525,8 @@ make_suite(void) {
tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
tcase_add_test(tc_basic, test_empty_parse);
+ tcase_add_test(tc_basic, test_negative_len_parse);
+ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
tcase_add_test(tc_basic, test_get_buffer_1);
tcase_add_test(tc_basic, test_get_buffer_2);
#if defined(XML_CONTEXT_BYTES)
--
2.33.0

8
expat.spec
View File

@ -1,7 +1,7 @@
%define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/') %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
Name: expat Name: expat
Version: 2.5.0 Version: 2.5.0
Release: 3 Release: 4
Summary: An XML parser library Summary: An XML parser library
License: MIT License: MIT
URL: https://libexpat.github.io/ URL: https://libexpat.github.io/
@ -24,6 +24,9 @@ Patch14: backport-006-CVE-2023-52425.patch
Patch15: backport-007-CVE-2023-52425.patch Patch15: backport-007-CVE-2023-52425.patch
Patch16: backport-008-CVE-2023-52425.patch Patch16: backport-008-CVE-2023-52425.patch
Patch17: backport-009-CVE-2023-52425.patch Patch17: backport-009-CVE-2023-52425.patch
Patch18: backport-001-CVE-2024-45490.patch
Patch19: backport-002-CVE-2024-45490.patch
Patch20: backport-003-CVE-2024-45490.patch
BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@ -77,6 +80,9 @@ make check
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Mon Sep 2 2024 caixiaomeng <caixiaomeng2@huawei.com> - 2.5.0-4
- fix CVE-2024-45491
* Wed Jun 12 2024 wangjiang <wangjiang37@h-partners.com> - 2.5.0-3 * Wed Jun 12 2024 wangjiang <wangjiang37@h-partners.com> - 2.5.0-3
- fix CVE-2023-52425 - fix CVE-2023-52425