Sync from SUSE:ALP:Source:Standard:1.0 expat revision 5a23aba6d9bf378d48d74d44e0aa6673

2024-12-06 13:34:34 +01:00 · 2024-12-06 13:34:34 +01:00 · 37f1a375bc
commit 37f1a375bc
parent 289e1448b2
3 changed files with 121 additions and 0 deletions
--- a/expat-CVE-2024-50602.patch
+++ b/expat-CVE-2024-50602.patch
@ -0,0 +1,111 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+
+---
+ expat/lib/expat.h    | 4 +++-
+ expat/lib/xmlparse.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+Index: expat-2.5.0/lib/expat.h
+===================================================================
+--- expat-2.5.0.orig/lib/expat.h
+++ expat-2.5.0/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
+  /* Added in 2.6.4. */
+  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+Index: expat-2.5.0/lib/xmlparse.c
+===================================================================
+--- expat-2.5.0.orig/lib/xmlparse.c
+++ expat-2.5.0/lib/xmlparse.c
+@@ -2177,6 +2177,9 @@ XML_StopParser(XML_Parser parser, XML_Bo
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
+  case XML_INITIALIZED:
+    parser->m_errorCode = XML_ERROR_NOT_STARTED;
+    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2187,7 +2190,7 @@ XML_StopParser(XML_Parser parser, XML_Bo
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
+  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2198,6 +2201,9 @@ XML_StopParser(XML_Parser parser, XML_Bo
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
+    break;
+  default:
+    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+@@ -2462,6 +2468,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
+  /* Added in 2.6.4. */
+  case XML_ERROR_NOT_STARTED:
+    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+Index: expat-2.5.0/tests/runtests.c
+===================================================================
+--- expat-2.5.0.orig/tests/runtests.c
+++ expat-2.5.0/tests/runtests.c
+@@ -7991,6 +7991,28 @@ START_TEST(test_misc_tag_mismatch_reset_
+ }
+ END_TEST
+ 
+START_TEST(test_misc_resumeparser_not_crashing) {
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_GetBuffer(parser, 1);
+  XML_StopParser(parser, /*resumable=*/XML_TRUE);
+  XML_ResumeParser(parser); // could crash here, previously
+  XML_ParserFree(parser);
+}
+END_TEST
+
+START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
+  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
+  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
+    const XML_Bool resumable = cases[i];
+    XML_Parser parser = XML_ParserCreate(NULL);
+    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
+    assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
+    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+
+ static void
+ alloc_setup(void) {
+   XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12447,6 +12469,8 @@ make_suite(void) {
+   tcase_add_test__ifdef_xml_dtd(
+       tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+   tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
+  tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
+  tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+ 
+   suite_add_tcase(s, tc_alloc);
+   tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
--- a/expat.changes
+++ b/expat.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Nov  8 12:03:11 UTC 2024 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser
+  + expat-CVE-2024-50602.patch
+
 -------------------------------------------------------------------
 Tue Sep  3 11:54:56 UTC 2024 - David Anes <david.anes@suse.com>

--- a/expat.spec
+++ b/expat.spec
@ -47,6 +47,8 @@ Patch3:         expat-CVE-2024-45491.patch
 # reject negative len for XML_ParseBuffer
 # UPSTREAM-FIX: (bsc#1229930, CVE-2024-45490) https://github.com/libexpat/libexpat/pull/890
 Patch4:         expat-CVE-2024-45490.patch
+# CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser
+Patch5:         expat-CVE-2024-50602.patch


 BuildRequires:  gcc-c++