!19 fix CVE-2024-45490 CVE-2024-45491

From: @sherlock2010 Reviewed-by: @jiangheng12 Signed-off-by: @jiangheng12
2024-09-10 09:19:47 +00:00 · 2024-09-10 09:19:47 +00:00 · d1b39dfc51
commit d1b39dfc51
parent 94b70ceb5a a8e9bab5fb
3 changed files with 107 additions and 1 deletions
--- a/backport-CVE-2024-45490-lib-Reject-negative-len-for-XML_ParseBuffer.patch
+++ b/backport-CVE-2024-45490-lib-Reject-negative-len-for-XML_ParseBuffer.patch
@ -0,0 +1,61 @@
+From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+
+Conflict:file path adapt
+add error code XML_ERROR_INVALID_ARGUMENT
+parser->m_errorCode => errorCode
+return XML_STATUS_ERROR => return 0
+context adapt
+Reference:https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf
+---
+ lib/expat/xmlparse/xmlparse.c | 8 +++++++-
+ lib/expat/xmlparse/xmlparse.h | 3 ++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 8087360..d2363da 100644
+--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
+@@ -4810,6 +4810,11 @@ xmlrpc_XML_ParseBuffer(XML_Parser const xmlParserP,
+         return 0;
+     }
+ 
+    if (len < 0) {
+        errorCode = XML_ERROR_INVALID_ARGUMENT;
+        return 0;
+    }
+
+     parser->m_positionPtr = start;
+     parser->m_bufferEnd += len;
+     parser->m_parseEndByteIndex += len;
+@@ -5017,7 +5022,8 @@ xmlrpc_XML_ErrorString(int const code) {
+         /* UNCLOSED_CDATA_SECTION */  XML_T("unclosed CDATA section"),
+         /* EXTERNAL_ENTITY_HANDLING */
+              XML_T("error in processing external entity reference"),
+-        /* NOT_STANDALONE */          XML_T("document is not standalone")
+        /* NOT_STANDALONE */          XML_T("document is not standalone"),
+        /* INVALID_ARGUMENT */        XML_T("invalid argument")
+     };
+ 
+     const XML_LChar * retval;
+diff --git a/lib/expat/xmlparse/xmlparse.h b/lib/expat/xmlparse/xmlparse.h
+index 76cf0db..63133ba 100644
+--- a/lib/expat/xmlparse/xmlparse.h
+++ b/lib/expat/xmlparse/xmlparse.h
+@@ -518,7 +518,8 @@ enum XML_Error {
+   XML_ERROR_INCORRECT_ENCODING,
+   XML_ERROR_UNCLOSED_CDATA_SECTION,
+   XML_ERROR_EXTERNAL_ENTITY_HANDLING,
+-  XML_ERROR_NOT_STANDALONE
+  XML_ERROR_NOT_STANDALONE,
+  XML_ERROR_INVALID_ARGUMENT
+ };
+ 
+ /* If xmlrpc_XML_Parse or xmlrpc_XML_ParseBuffer have returned 0, then
+-- 
+2.33.0
+
--- a/backport-CVE-2024-45491-lib-Detect-integer-overflow-in-dtdCopy.patch
+++ b/backport-CVE-2024-45491-lib-Detect-integer-overflow-in-dtdCopy.patch
@ -0,0 +1,37 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+
+Conflict:context adapt
+Reference:https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421
+---
+ lib/expat/xmlparse/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 91682c18..e2327bdc 100644
+--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
+@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd)
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((size_t)oldE->nDefaultAtts
+          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+        return 0;
+      }
+#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts)
+-- 
+2.33.0
+
--- a/xmlrpc-c.spec
+++ b/xmlrpc-c.spec
@ -1,6 +1,6 @@
 Name:		xmlrpc-c
 Version:	1.59.02
-Release:        1
+Release:        2
 Summary:	Library implementing XML-based Remote Procedure Calls
 License:	BSD and MIT
 URL:		http://xmlrpc-c.sourceforge.net/
@ -8,6 +8,8 @@ Source0:        https://sourceforge.net/projects/xmlrpc-c/files/Xmlrpc-c%20Super

 Patch0003:      backport-0001-add-meson-buildsystem-definitions.patch
 Patch0004:      backport-0002-chmod-x-xml-rpc-api2txt.patch
+Patch0005:      backport-CVE-2024-45490-lib-Reject-negative-len-for-XML_ParseBuffer.patch
+Patch0006:      backport-CVE-2024-45491-lib-Detect-integer-overflow-in-dtdCopy.patch

 BuildRequires:	git-core meson >= 0.36.0 gcc gcc-c++ ncurses-devel 
 BuildRequires:  libcurl-devel readline-devel pkgconfig(openssl)
@ -74,6 +76,12 @@ Header files for xmlrpc-c.
 %{_mandir}/man1/*

 %changelog
+* Tue Sep 10 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.59.02-2
+- Type:CVE
+- CVE:CVE-2024-45490 CVE-2024-45491
+- SUG:NA
+- DESC:fix CVE-2024-45490 CVE-2024-45491
+
 * Tue Jan 09 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.59.02-1
 - Type:requirement
 - CVE:NA