Changes of Revision 2
_service:tar_scm:expat.spec
Changed
@@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
 Version: 2.5.0
-Release: 3
+Release: 7
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
@@ -24,6 +24,13 @@
 Patch15: backport-007-CVE-2023-52425.patch
 Patch16: backport-008-CVE-2023-52425.patch
 Patch17: backport-009-CVE-2023-52425.patch
+Patch18: backport-001-CVE-2024-45490.patch
+Patch19: backport-002-CVE-2024-45490.patch
+Patch20: backport-003-CVE-2024-45490.patch
+Patch21: backport-CVE-2024-45491.patch
+Patch22: backport-CVE-2024-45492.patch
+Patch23: backport-CVE-2024-50602.patch
+Patch24: backport-CVE-2024-50602-testcase.patch
 BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@@ -49,34 +56,41 @@
 %make_build
 %install
-%makeinstall
+%make_install
 find %{buildroot} -type f -name changelog -delete
 %check
-make check
-
-%ldconfig_scriptlets
+%make_build check
 %files
-%defattr(-,root,root)
 %license COPYING AUTHORS
 %{_bindir}/*
 %{_libdir}/libexpat.so.1*
 %exclude %{_docdir}/%{name}/AUTHORS
 %files devel
-%defattr(-,root,root)
 %{_includedir}/*
 %{_libdir}/{libexpat.*a,libexpat.so}
 %{_libdir}/cmake/expat-%{version}
 %{_libdir}/pkgconfig/expat.pc
 %files help
-%defattr(-,root,root)
 %doc README.md
 %{_mandir}/man1/*
 %changelog
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-7
+- add testcase for CVE-2024-50602
+
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-6
+- fix CVE-2024-50602
+
+* Wed Sep 04 2024 Funda Wang <fundawang@yeah.net> - 2.5.0-5
+- fix CVE-2024-45491, CVE-2024-45492
+
+* Mon Sep 2 2024 caixiaomeng <caixiaomeng2@huawei.com> - 2.5.0-4
+- fix CVE-2024-45490
+
 * Wed Jun 12 2024 wangjiang <wangjiang37@h-partners.com> - 2.5.0-3
 - fix CVE-2023-52425
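Review bot: Patch18–Patch24 are declared in the second hunk, but the %prep section that applies them is outside this diff; if it uses explicit `%patch` lines instead of `%autosetup -p1`, the seven new backports would be listed yet never applied, so confirm in the build log that each one is patched in. The changelog entries record only the CVE fixes, while the third hunk also replaces `%makeinstall` with `%make_install`, drops `%ldconfig_scriptlets` and the three `%defattr(-,root,root)` lines, and switches the test run to `%make_build check`; an extra changelog line such as `- use %make_install, drop %ldconfig_scriptlets and %defattr` keeps those packaging changes auditable. Removing `%ldconfig_scriptlets` from a shared-library package is only safe where rpm provides the glibc ldconfig file trigger, which the target openEuler release presumably does, but that assumption is worth stating in the changelog.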
_service:tar_scm:backport-001-CVE-2024-45490.patch
Added
@@ -0,0 +1,46 @@
+From d728c268c46879c5c4b8479e60f8fa7804de22d7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 25 Aug 2024 19:09:51 +0200
+Subject: PATCH doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0"
+
+---
+ doc/reference.html | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index f4584b6..7d30fae 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by <code>len</code>. This means
+ that <code>s</code> doesn't have to be null terminated. It also means that
+ if <code>len</code> is larger than the number of bytes in the block of
+-memory that <code>s</code> points at, then a memory fault is likely. The
++memory that <code>s</code> points at, then a memory fault is likely.
++Negative values for <code>len</code> are rejected since Expat 2.2.1.
++The
+ <code>isFinal</code> parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ <code>len</code> is zero.)
+@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
+ int isFinal);
+ </pre>
+ <div class="fcndef">
++<p>
+ This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
+ except in this case Expat provides the buffer. By obtaining the
+ buffer from Expat with the <code><a href= "#XML_GetBuffer"
+ >XML_GetBuffer</a></code> function, the application can avoid double
+ copying of the input.
++</p>
++
++<p>
++Negative values for <code>len</code> are rejected since Expat 2.6.3.
++</p>
+ </div>
+
+ <h4 id="XML_GetBuffer">XML_GetBuffer</h4>
+--
+2.33.0
+
+
_service:tar_scm:backport-002-CVE-2024-45490.patch
Added
@@ -0,0 +1,31 @@
+From a5d580af424bde0c83ad64fcc8bd3beff1db317d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: PATCH lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bd6aa72..8b9046e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2016,6 +2016,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
++
++ if (len < 0) {
++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++ return XML_STATUS_ERROR;
++ }
++
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+--
+2.33.0
+
+
_service:tar_scm:backport-003-CVE-2024-45490.patch
Added
@@ -0,0 +1,84 @@
+From a882e725dd057db98907f6b03b733f0f6889aee7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Aug 2024 22:57:12 +0200
+Subject: PATCH tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer
+
+---
+ tests/runtests.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 02c8c85..4649359 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -3978,6 +3978,57 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+
++/* Test XML_Parse for len < 0 */
++START_TEST(test_negative_len_parse) {
++ const char *const doc = "<root/>";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++/* Test XML_ParseBuffer for len < 0 */
++START_TEST(test_negative_len_parse_buffer) {
++ const char *const doc = "<root/>";
++ for (int isFinal = 0; isFinal < 2; isFinal++) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
++
++ if (buffer == NULL)
++ fail("XML_GetBuffer failed.");
++
++ memcpy(buffer, doc, strlen(doc));
++
++ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
++
++ if (status != XML_STATUS_ERROR)
++ fail("Negative len was expected to fail the parse but did not.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12474,6 +12525,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+ tcase_add_test(tc_basic, test_empty_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse);
++ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+ tcase_add_test(tc_basic, test_get_buffer_1);
+ tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
+--
+2.33.0
+
+
_service:tar_scm:backport-CVE-2024-45491.patch
Added
@@ -0,0 +1,31 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: PATCH lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..e2327bdcf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ if (! newE)
+ return 0;
+ if (oldE->nDefaultAtts) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((size_t)oldE->nDefaultAtts
++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++ return 0;
++ }
++#endif
+ newE->defaultAtts
+ = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+ if (! newE->defaultAtts) {
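Review bot: The `diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c` header names a different new-side path than the `+++ b/lib/xmlparse.c` line below it, and the diffstat likewise says `expat/lib/xmlparse.c`; GNU patch follows the `---`/`+++` lines, but a git-based applier can reject the file for inconsistent filenames, so normalise the header to `diff --git a/lib/xmlparse.c b/lib/xmlparse.c` as the other backports already have. Separately, the `#if UINT_MAX >= SIZE_MAX` guard here and in backport-CVE-2024-45492.patch treats an undefined macro as 0 inside `#if`, so if the 2.5.0 xmlparse.c does not already include `<limits.h>` and `<stdint.h>` the overflow check is compiled on every platform rather than only where int and size_t share a width — still correct, but it reintroduces the -Wtype-limits warning the comment says it avoids; confirm both headers are included at that point. dtdCopy begins before and continues after this hunk.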
_service:tar_scm:backport-CVE-2024-45492.patch
Added
@@ -0,0 +1,30 @@
+From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: PATCH lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 91682c188..f737575ea 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
+ int next;
+
+ if (! dtd->scaffIndex) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++ return -1;
++ }
++#endif
+ dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+ if (! dtd->scaffIndex)
+ return -1;
_service:tar_scm:backport-CVE-2024-50602-testcase.patch
Added
@@ -0,0 +1,89 @@
+From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 20 Oct 2024 23:24:27 +0200
+Subject: PATCH 3/3 tests: Cover XML_StopParser's new handling of status
+ XML_INITIALIZED
+
+Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
+would crash with a NULL pointer dereference in function normal_updatePosition.
+This was the AddressSanitizer output:
+
+> AddressSanitizer:DEADLYSIGNAL
+> =================================================================
+> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
+> ==19700==The signal is caused by a READ memory access.
+> ==19700==Hint: address points to the zero page.
+> #0 0x5623e07ad85f in normal_updatePosition ../lib/xmltok_impl.c:1781:13
+> #1 0x5623e07a52ff in initUpdatePosition ../lib/xmltok.c:1031:3
+> #2 0x5623e0762760 in XML_ResumeParser ../lib/xmlparse.c:2297:3
+> #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
+> #4 0x5623e074e228 in srunner_run_all (../build_asan_fuzzers/tests/runtests_cxx+0x136228)
+> #5 0x5623e0753d2d in main (../build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
+> #6 0x7f802a39af79 (/lib64/libc.so.6+0x25f79)
+> #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
+> #8 0x5623e064f340 in _start (../build_asan_fuzzers/tests/runtests_cxx+0x37340)
+>
+> AddressSanitizer can not provide additional info.
+> SUMMARY: AddressSanitizer: SEGV ../lib/xmltok_impl.c:1781:13 in normal_updatePosition
+> ==19700==ABORTING
+
+And this the UndefinedBehaviorSanitizer output:
+
+> ../lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'
+> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../lib/xmltok_impl.c:1781:13 in
+---
+tests/runtests.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 4649359..2c88c7f 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -8207,6 +8207,35 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
+ }
+ END_TEST
+
++START_TEST(test_misc_resumeparser_not_crashing) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ XML_GetBuffer(parser, 1);
++ XML_StopParser(parser, /*resumable=*/XML_TRUE);
++ XML_ResumeParser(parser); // could crash here, previously
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++ const XML_Bool cases = {XML_TRUE, XML_FALSE};
++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases0); i++) {
++ const XML_Bool resumable = casesi;
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++ fail("There was not supposed to be any initial parse error.");
++
++ if (XML_StopParser(parser, resumable) != XML_STATUS_ERROR)
++ fail("Attempting to suspend a subordinate parser not faulted.");
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_NOT_STARTED)
++ fail("parser not started.");
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++
+ static void
+ alloc_setup(void) {
+ XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12707,6 +12736,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(
+ tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+ tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
+--
+2.27.0
+
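Review bot: As displayed, `const XML_Bool cases = {XML_TRUE, XML_FALSE};`, `sizeof(cases0)` and `casesi` in test_misc_stopparser_rejects_unstarted_parser are not valid C; this looks like the page rendering dropped square brackets, so verify the patch file itself carries `const XML_Bool cases[] = {XML_TRUE, XML_FALSE};`, `sizeof(cases[0])` and `cases[i]` before it is committed. The message `fail("Attempting to suspend a subordinate parser not faulted.");` describes a different condition than the one tested, and `fail("parser not started.");` states the expected outcome rather than the failure; `fail("XML_StopParser on an unstarted parser was not rejected.");` and `fail("Error code is not XML_ERROR_NOT_STARTED.");` would make a failing run self-explanatory. In test_misc_resumeparser_not_crashing the return values of XML_GetBuffer, XML_StopParser and XML_ResumeParser are discarded, which is fine for a crash regression test but deserves a comment such as `/* return values intentionally ignored: this test only checks for absence of a crash */`.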
_service:tar_scm:backport-CVE-2024-50602.patch
Added
@@ -0,0 +1,70 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: PATCH 1/3 lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+---
+ lib/expat.h | 4 +++-
+ lib/xmlparse.c | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 504727a..3a9ac2c 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+ /* Added in 2.3.0. */
+ XML_ERROR_NO_BUFFER,
+ /* Added in 2.4.0. */
+- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++ /* Added in 2.6.4. */
++ XML_ERROR_NOT_STARTED,
+ };
+
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 75cb51d..e13b2bf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2208,6 +2208,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
+ switch (parser->m_parsingStatus.parsing) {
++ case XML_INITIALIZED:
++ parser->m_errorCode = XML_ERROR_NOT_STARTED;
++ return XML_STATUS_ERROR;
+ case XML_SUSPENDED:
+ if (resumable) {
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2218,7 +2221,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ case XML_FINISHED:
+ parser->m_errorCode = XML_ERROR_FINISHED;
+ return XML_STATUS_ERROR;
+- default:
++ case XML_PARSING:
+ if (resumable) {
+ #ifdef XML_DTD
+ if (parser->m_isParamEntity) {
+@@ -2229,6 +2232,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ parser->m_parsingStatus.parsing = XML_SUSPENDED;
+ } else
+ parser->m_parsingStatus.parsing = XML_FINISHED;
++ break;
++ default:
++ assert(0);
+ }
+ return XML_STATUS_OK;
+ }
+@@ -2493,6 +2499,9 @@ XML_ErrorString(enum XML_Error code) {
+ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+ return XML_L(
+ "limit on input amplification factor (from DTD and entities) breached");
++ /* Added in 2.6.4. */
++ case XML_ERROR_NOT_STARTED:
++ return XML_L("parser not started");
+ }
+ return NULL;
+ }
+--
+2.27.0
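Review bot: The subject line marks this as `PATCH 1/3` and the test patch as `3/3`, yet the spec lists no part 2; if that part carries more than documentation (presumably a reference.html update for the new error code, but that is not visible here), the backport is incomplete, so confirm what 2/3 contained before accepting. In the third xmlparse.c hunk the new `default: assert(0);` compiles to nothing under NDEBUG and then falls out of the switch into `return XML_STATUS_OK;`, so a release build would report success for an unexpected parsing status; returning an error there, e.g. `default: parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; return XML_STATUS_ERROR;`, keeps the failure visible without relying on assertions. Appending `XML_ERROR_NOT_STARTED` at the end of `enum XML_Error` preserves the numeric values of existing codes, but it is a new public value that 2.5.0-based consumers with an exhaustive switch will not know, which the changelog could mention. XML_StopParser begins before its first hunk and continues between the hunks shown.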
_service
Changed
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="scm">git</param>
 <param name="url">git@gitee.com:src-openeuler/expat.git</param>
-<param name="revision">openEuler-24.03-LTS-Next</param>
+<param name="revision">openEuler-24.03-LTS-SP1</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>