packages/xmlrpc-c
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!19 fix CVE-2024-45490 CVE-2024-45491

Browse Source 
From: @sherlock2010 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
This commit is contained in:
openeuler-ci-bot 2024-09-10 09:19:47 +00:00 committed by Gitee
commit d1b39dfc51
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
backport-CVE-2024-45490-lib-Reject-negative-len-for-XML_ParseBuffer.patch Normal file
View File

@ -0,0 +1,61 @@
From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:26:07 +0200
Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
Reported by TaiYou
Conflict:file path adapt
add error code XML_ERROR_INVALID_ARGUMENT
parser->m_errorCode => errorCode
return XML_STATUS_ERROR => return 0
context adapt
Reference:https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf
---
lib/expat/xmlparse/xmlparse.c | 8 +++++++-
lib/expat/xmlparse/xmlparse.h | 3 ++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 8087360..d2363da 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -4810,6 +4810,11 @@ xmlrpc_XML_ParseBuffer(XML_Parser const xmlParserP,
return 0;
}
+ if (len < 0) {
+ errorCode = XML_ERROR_INVALID_ARGUMENT;
+ return 0;
+ }
+
parser->m_positionPtr = start;
parser->m_bufferEnd += len;
parser->m_parseEndByteIndex += len;
@@ -5017,7 +5022,8 @@ xmlrpc_XML_ErrorString(int const code) {
/* UNCLOSED_CDATA_SECTION */ XML_T("unclosed CDATA section"),
/* EXTERNAL_ENTITY_HANDLING */
XML_T("error in processing external entity reference"),
- /* NOT_STANDALONE */ XML_T("document is not standalone")
+ /* NOT_STANDALONE */ XML_T("document is not standalone"),
+ /* INVALID_ARGUMENT */ XML_T("invalid argument")
};
const XML_LChar * retval;
diff --git a/lib/expat/xmlparse/xmlparse.h b/lib/expat/xmlparse/xmlparse.h
index 76cf0db..63133ba 100644
--- a/lib/expat/xmlparse/xmlparse.h
+++ b/lib/expat/xmlparse/xmlparse.h
@@ -518,7 +518,8 @@ enum XML_Error {
XML_ERROR_INCORRECT_ENCODING,
XML_ERROR_UNCLOSED_CDATA_SECTION,
XML_ERROR_EXTERNAL_ENTITY_HANDLING,
- XML_ERROR_NOT_STANDALONE
+ XML_ERROR_NOT_STANDALONE,
+ XML_ERROR_INVALID_ARGUMENT
};
/* If xmlrpc_XML_Parse or xmlrpc_XML_ParseBuffer have returned 0, then
--
2.33.0

37
backport-CVE-2024-45491-lib-Detect-integer-overflow-in-dtdCopy.patch Normal file
View File

@ -0,0 +1,37 @@
From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:34:13 +0200
Subject: [PATCH] lib: Detect integer overflow in dtdCopy
Reported by TaiYou
Conflict:context adapt
Reference:https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421
---
lib/expat/xmlparse/xmlparse.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 91682c18..e2327bdc 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd)
if (!newE)
return 0;
if (oldE->nDefaultAtts) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((size_t)oldE->nDefaultAtts
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+ return 0;
+ }
+#endif
newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
if (!newE->defaultAtts)
--
2.33.0

10
xmlrpc-c.spec
View File

@ -1,6 +1,6 @@
Name: xmlrpc-c Name: xmlrpc-c
Version: 1.59.02 Version: 1.59.02
Release: 1 Release: 2
Summary: Library implementing XML-based Remote Procedure Calls Summary: Library implementing XML-based Remote Procedure Calls
License: BSD and MIT License: BSD and MIT
URL: http://xmlrpc-c.sourceforge.net/ URL: http://xmlrpc-c.sourceforge.net/
@ -8,6 +8,8 @@ Source0: https://sourceforge.net/projects/xmlrpc-c/files/Xmlrpc-c%20Super
Patch0003: backport-0001-add-meson-buildsystem-definitions.patch Patch0003: backport-0001-add-meson-buildsystem-definitions.patch
Patch0004: backport-0002-chmod-x-xml-rpc-api2txt.patch Patch0004: backport-0002-chmod-x-xml-rpc-api2txt.patch
Patch0005: backport-CVE-2024-45490-lib-Reject-negative-len-for-XML_ParseBuffer.patch
Patch0006: backport-CVE-2024-45491-lib-Detect-integer-overflow-in-dtdCopy.patch
BuildRequires: git-core meson >= 0.36.0 gcc gcc-c++ ncurses-devel BuildRequires: git-core meson >= 0.36.0 gcc gcc-c++ ncurses-devel
BuildRequires: libcurl-devel readline-devel pkgconfig(openssl) BuildRequires: libcurl-devel readline-devel pkgconfig(openssl)
@ -74,6 +76,12 @@ Header files for xmlrpc-c.
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Tue Sep 10 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.59.02-2
- Type:CVE
- CVE:CVE-2024-45490 CVE-2024-45491
- SUG:NA
- DESC:fix CVE-2024-45490 CVE-2024-45491
* Tue Jan 09 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.59.02-1 * Tue Jan 09 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.59.02-1
- Type:requirement - Type:requirement
- CVE:NA - CVE:NA