Changes of Revision 2
_service:tar_scm:expat.spec
Changed
@@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
 Version: 2.5.0
-Release: 5
+Release: 7
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
@@ -29,6 +29,8 @@
 Patch20: backport-003-CVE-2024-45490.patch
 Patch21: backport-CVE-2024-45491.patch
 Patch22: backport-CVE-2024-45492.patch
+Patch23: backport-CVE-2024-50602.patch
+Patch24: backport-CVE-2024-50602-testcase.patch
 BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@@ -77,6 +79,12 @@
 %{_mandir}/man1/*
 %changelog
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-7
+- add testcase for CVE-2024-50602
+
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-6
+- fix CVE-2024-50602
+
 * Wed Sep 04 2024 Funda Wang <fundawang@yeah.net> - 2.5.0-5
 - fix CVE-2024-45491, CVE-2024-45492
_service:tar_scm:backport-CVE-2024-50602-testcase.patch
Added
@@ -0,0 +1,89 @@
+From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 20 Oct 2024 23:24:27 +0200
+Subject: PATCH 3/3 tests: Cover XML_StopParser's new handling of status
+ XML_INITIALIZED
+
+Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
+would crash with a NULL pointer dereference in function normal_updatePosition.
+This was the AddressSanitizer output:
+
+> AddressSanitizer:DEADLYSIGNAL
+> =================================================================
+> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
+> ==19700==The signal is caused by a READ memory access.
+> ==19700==Hint: address points to the zero page.
+> #0 0x5623e07ad85f in normal_updatePosition ../lib/xmltok_impl.c:1781:13
+> #1 0x5623e07a52ff in initUpdatePosition ../lib/xmltok.c:1031:3
+> #2 0x5623e0762760 in XML_ResumeParser ../lib/xmlparse.c:2297:3
+> #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
+> #4 0x5623e074e228 in srunner_run_all (../build_asan_fuzzers/tests/runtests_cxx+0x136228)
+> #5 0x5623e0753d2d in main (../build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
+> #6 0x7f802a39af79 (/lib64/libc.so.6+0x25f79)
+> #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
+> #8 0x5623e064f340 in _start (../build_asan_fuzzers/tests/runtests_cxx+0x37340)
+>
+> AddressSanitizer can not provide additional info.
+> SUMMARY: AddressSanitizer: SEGV ../lib/xmltok_impl.c:1781:13 in normal_updatePosition
+> ==19700==ABORTING
+
+And this the UndefinedBehaviorSanitizer output:
+
+> ../lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'
+> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../lib/xmltok_impl.c:1781:13 in
+---
+tests/runtests.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 4649359..2c88c7f 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -8207,6 +8207,35 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
+ }
+ END_TEST
+
++START_TEST(test_misc_resumeparser_not_crashing) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ XML_GetBuffer(parser, 1);
++ XML_StopParser(parser, /*resumable=*/XML_TRUE);
++ XML_ResumeParser(parser); // could crash here, previously
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++ const XML_Bool cases = {XML_TRUE, XML_FALSE};
++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases0); i++) {
++ const XML_Bool resumable = casesi;
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ if (XML_StopParser(parser, resumable) != XML_STATUS_ERROR)
++ fail("Attempting to suspend a subordinate parser not faulted.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NOT_STARTED)
++ fail("parser not started.");
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++
+ static void
+ alloc_setup(void) {
+ XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12707,6 +12736,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(
+ tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+ tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
+--
+2.27.0
+
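Review bot: The failure messages in `test_misc_stopparser_rejects_unstarted_parser` do not describe what is being checked. `fail("Attempting to suspend a subordinate parser not faulted.")` talks about a subordinate parser although the test stops a parser freshly made by `XML_ParserCreate(NULL)`, and `fail("parser not started.")` fires precisely when the error code is not `XML_ERROR_NOT_STARTED`. Suggested wording: `fail("XML_StopParser on an unstarted parser did not return XML_STATUS_ERROR.");` and `fail("Expected XML_ERROR_NOT_STARTED after stopping an unstarted parser.");`. `test_misc_resumeparser_not_crashing` also discards the result of `XML_StopParser`; comparing it with `XML_STATUS_ERROR` there would make a regression of the fix visible as a test failure in builds without a sanitizer, assuming the parser is still unstarted after `XML_GetBuffer`.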
_service:tar_scm:backport-CVE-2024-50602.patch
Added
@@ -0,0 +1,70 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: PATCH 1/3 lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+---
+ lib/expat.h | 4 +++-
+ lib/xmlparse.c | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 504727a..3a9ac2c 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+ /* Added in 2.3.0. */
+ XML_ERROR_NO_BUFFER,
+ /* Added in 2.4.0. */
+- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++ /* Added in 2.6.4. */
++ XML_ERROR_NOT_STARTED,
+ };
+
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 75cb51d..e13b2bf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2208,6 +2208,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
+ switch (parser->m_parsingStatus.parsing) {
++ case XML_INITIALIZED:
++ parser->m_errorCode = XML_ERROR_NOT_STARTED;
++ return XML_STATUS_ERROR;
+ case XML_SUSPENDED:
+ if (resumable) {
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2218,7 +2221,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ case XML_FINISHED:
+ parser->m_errorCode = XML_ERROR_FINISHED;
+ return XML_STATUS_ERROR;
+- default:
++ case XML_PARSING:
+ if (resumable) {
+ #ifdef XML_DTD
+ if (parser->m_isParamEntity) {
+@@ -2229,6 +2232,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ parser->m_parsingStatus.parsing = XML_SUSPENDED;
+ } else
+ parser->m_parsingStatus.parsing = XML_FINISHED;
++ break;
++ default:
++ assert(0);
+ }
+ return XML_STATUS_OK;
+ }
+@@ -2493,6 +2499,9 @@ XML_ErrorString(enum XML_Error code) {
+ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+ return XML_L(
+ "limit on input amplification factor (from DTD and entities) breached");
++ /* Added in 2.6.4. */
++ case XML_ERROR_NOT_STARTED:
++ return XML_L("parser not started");
+ }
+ return NULL;
+ }
+--
+2.27.0
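Review bot: In the third `XML_StopParser` hunk the new `default: assert(0);` arm falls through to `return XML_STATUS_OK;` when the library is compiled with `NDEBUG`, so an unexpected `m_parsingStatus.parsing` value would be reported as a successful stop. Returning an error keeps release builds fail-closed, for example `default: assert(0); return XML_STATUS_ERROR;`. Separately, the `/* Added in 2.6.4. */` comments on `XML_ERROR_NOT_STARTED` in `lib/expat.h` and in `XML_ErrorString` are carried over unchanged, while the spec on this page packages 2.5.0; a comment such as `/* Added in 2.6.4; backported to this 2.5.0 package. */` would tell users of the header that the constant exists despite the version number. `XML_StopParser` and `XML_ErrorString` both begin outside the hunks shown.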
_service
Changed
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="scm">git</param>
 <param name="url">git@gitee.com:src-openeuler/expat.git</param>
- <param name="revision">openEuler-24.03-LTS-Next</param>
+ <param name="revision">openEuler-24.03-LTS-SP1</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>