fix CVE 2024 45490

2024-09-03 15:02:28 +08:00 · 2024-09-03 15:02:28 +08:00 · b1ec6c4caa
commit b1ec6c4caa
parent a39fbb7c4a
3 changed files with 121 additions and 1 deletions
--- a/backport-001-CVE-2024-45490.patch
+++ b/backport-001-CVE-2024-45490.patch
@ -0,0 +1,84 @@
+From a882e725dd057db98907f6b03b733f0f6889aee7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Aug 2024 22:57:12 +0200
+Subject: [PATCH] tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer
+
+---
+ tests/runtests.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 02c8c85..4649359 100644
+--- a/tests/runtests.c
+++ b/tests/runtests.c
+@@ -3978,6 +3978,57 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+ 
+/* Test XML_Parse for len < 0 */
+START_TEST(test_negative_len_parse) {
+  const char *const doc = "<root/>";
+  for (int isFinal = 0; isFinal < 2; isFinal++) {
+    XML_Parser parser = XML_ParserCreate(NULL);
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+      fail("There was not supposed to be any initial parse error.");
+
+    const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
+
+    if (status != XML_STATUS_ERROR)
+      fail("Negative len was expected to fail the parse but did not.");
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
+      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
+
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+
+/* Test XML_ParseBuffer for len < 0 */
+START_TEST(test_negative_len_parse_buffer) {
+  const char *const doc = "<root/>";
+  for (int isFinal = 0; isFinal < 2; isFinal++) {
+    XML_Parser parser = XML_ParserCreate(NULL);
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+      fail("There was not supposed to be any initial parse error.");
+
+    void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
+
+    if (buffer == NULL)
+      fail("XML_GetBuffer failed.");
+
+    memcpy(buffer, doc, strlen(doc));
+
+    const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
+
+    if (status != XML_STATUS_ERROR)
+      fail("Negative len was expected to fail the parse but did not.");
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
+      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
+
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12474,6 +12525,8 @@ make_suite(void) {
+   tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+   tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+   tcase_add_test(tc_basic, test_empty_parse);
+  tcase_add_test(tc_basic, test_negative_len_parse);
+  tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
+-- 
+2.33.0
+
+
--- a/backport-002-CVE-2024-45490.patch
+++ b/backport-002-CVE-2024-45490.patch
@ -0,0 +1,31 @@
+From a5d580af424bde0c83ad64fcc8bd3beff1db317d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bd6aa72..8b9046e 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2016,6 +2016,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+
+  if (len < 0) {
+    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+    return XML_STATUS_ERROR;
+  }
+
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;
+-- 
+2.33.0
+
+
--- a/expat.spec
+++ b/expat.spec
@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name:           expat
 Version:        2.2.9
-Release:        12
+Release:        13
 Summary:        An XML parser library
 License:        MIT
 URL:            https://libexpat.github.io/
@ -70,6 +70,8 @@ Patch58:        backport-006-CVE-2023-52425.patch
 Patch59:        backport-007-CVE-2023-52425.patch
 Patch60:        backport-008-CVE-2023-52425.patch
 Patch61:        backport-009-CVE-2023-52425.patch
+Patch62:        backport-001-CVE-2024-45490.patch
+Patch63:        backport-002-CVE-2024-45490.patch

 BuildRequires:  sed,autoconf,automake,gcc-c++,libtool,xmlto

@ -122,6 +124,9 @@ make check
 %{_mandir}/man1/*

 %changelog
+* Tue Sep 3 2024 caixiaomeng <caixiaomeng2@huawei.com> - 2.2.9-13
+-fix CVE-2024-45490
+
 * Thu Apr 11 2024 caixiaomeng <caixiaomeng2@huawei.com> - 2.2.9-12
 - fix CVE-2023-52425