!31 [sync] PR-27: fix CVE-2023-34194

From: @openeuler-sync-bot Reviewed-by: @jianminw Signed-off-by: @jianminw
2024-12-24 05:49:50 +00:00 · 2024-12-24 05:49:50 +00:00 · 34867cd1ea
commit 34867cd1ea
parent 5b0746bade eab8578060
2 changed files with 33 additions and 1 deletions
--- a/CVE-2023-34194.patch
+++ b/CVE-2023-34194.patch
@ -0,0 +1,28 @@
 From: Guilhem Moulin <guilhem@debian.org>
 Date: Sat, 30 Dec 2023 14:15:54 +0100
 Subject: Avoid reachable assertion via crafted XML document with a '\0'
 located after whitespace
 Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
 Bug-Debian: https://bugs.debian.org/1059315
 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462
 ---
 tinyxmlparser.cpp | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
 index 8aa0dfa..1601962 100644
 --- a/tinyxmlparser.cpp
 +++ b/tinyxmlparser.cpp
@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
 		}
 		p = SkipWhiteSpace( p, _encoding );
 +		if ( !p || !*p )
 +		{
 +			break;
 +		}
 		if ( StringEqual( p, "version", true, _encoding ) )
 		{
 			TiXmlAttribute attrib;
--- a/tinyxml.spec
+++ b/tinyxml.spec
@ -1,12 +1,13 @@
 Name:           tinyxml
 Version:        2.6.2
-Release:        23
+Release:        24
 Summary:        C++ XML parser
 License:        zlib
 URL:            http://www.grinninglizard.com/tinyxml/
 Source0:        http://downloads.sourceforge.net/tinyxml/tinyxml_2_6_2.tar.gz
 Patch0001:      CVE-2021-42260.patch
 Patch0002:      2-fix-devel-package-error.patch
 Patch0003:      CVE-2023-34194.patch
 BuildRequires:  gcc-c++
 %description
@ -65,6 +66,9 @@ mkdir -p %{buildroot}%{_libdir}/pkgconfig
 %{_libdir}/*.so
 %changelog
 * Tue Dec 24 2024 Jianmin <jianmin@iscas.ac.cn> - 2.6.2-24
 - fix CVE-2023-34194
 * Fri Apr 28 2023 will_niutao <huawei2@huawei.com> - 2.6.2-23
 - fix the devel package error