From 37f1a375bc8f6dcbc82309d660fc503e20e03446 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 6 Dec 2024 13:34:34 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 expat revision 5a23aba6d9bf378d48d74d44e0aa6673
---
 expat-CVE-2024-50602.patch | 111 +++++++++++++++++++++++++++++++++++++
 expat.changes | 8 +++
 expat.spec | 2 +
 3 files changed, 121 insertions(+)
 create mode 100644 expat-CVE-2024-50602.patch
diff --git a/expat-CVE-2024-50602.patch b/expat-CVE-2024-50602.patch
new file mode 100644
index 0000000..104cc81
--- /dev/null
+++ b/expat-CVE-2024-50602.patch
@@ -0,0 +1,111 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+
+---
+ expat/lib/expat.h | 4 +++-
+ expat/lib/xmlparse.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+Index: expat-2.5.0/lib/expat.h
+===================================================================
+--- expat-2.5.0.orig/lib/expat.h
++++ expat-2.5.0/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+ /* Added in 2.3.0. */
+ XML_ERROR_NO_BUFFER,
+ /* Added in 2.4.0. */
+- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++ /* Added in 2.6.4. */
++ XML_ERROR_NOT_STARTED,
+ };
+
+ enum XML_Content_Type {
+Index: expat-2.5.0/lib/xmlparse.c
+===================================================================
+--- expat-2.5.0.orig/lib/xmlparse.c
++++ expat-2.5.0/lib/xmlparse.c
+@@ -2177,6 +2177,9 @@ XML_StopParser(XML_Parser parser, XML_Bo
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
+ switch (parser->m_parsingStatus.parsing) {
++ case XML_INITIALIZED:
++ parser->m_errorCode = XML_ERROR_NOT_STARTED;
++ return XML_STATUS_ERROR;
+ case XML_SUSPENDED:
+ if (resumable) {
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2187,7 +2190,7 @@ XML_StopParser(XML_Parser parser, XML_Bo
+ case XML_FINISHED:
+ parser->m_errorCode = XML_ERROR_FINISHED;
+ return XML_STATUS_ERROR;
+- default:
++ case XML_PARSING:
+ if (resumable) {
+ #ifdef XML_DTD
+ if (parser->m_isParamEntity) {
+@@ -2198,6 +2201,9 @@ XML_StopParser(XML_Parser parser, XML_Bo
+ parser->m_parsingStatus.parsing = XML_SUSPENDED;
+ } else
+ parser->m_parsingStatus.parsing = XML_FINISHED;
++ break;
++ default:
++ assert(0);
+ }
+ return XML_STATUS_OK;
+ }
+@@ -2462,6 +2468,9 @@ XML_ErrorString(enum XML_Error code) {
+ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+ return XML_L(
+ "limit on input amplification factor (from DTD and entities) breached");
++ /* Added in 2.6.4. */
++ case XML_ERROR_NOT_STARTED:
++ return XML_L("parser not started");
+ }
+ return NULL;
+ }
+Index: expat-2.5.0/tests/runtests.c
+===================================================================
+--- expat-2.5.0.orig/tests/runtests.c
++++ expat-2.5.0/tests/runtests.c
+@@ -7991,6 +7991,28 @@ START_TEST(test_misc_tag_mismatch_reset_
+ }
+ END_TEST
+
++START_TEST(test_misc_resumeparser_not_crashing) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ XML_GetBuffer(parser, 1);
++ XML_StopParser(parser, /*resumable=*/XML_TRUE);
++ XML_ResumeParser(parser); // could crash here, previously
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ const XML_Bool resumable = cases[i];
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
+ static void
+ alloc_setup(void) {
+ XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12447,6 +12469,8 @@ make_suite(void) {
+ tcase_add_test__ifdef_xml_dtd(
+ tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+ tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/expat.changes b/expat.changes
index 860832d..b1930b9 100644
--- a/expat.changes
+++ b/expat.changes
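Review bot: The new `default: assert(0);` arm in XML_StopParser drops out of the switch into the existing `return XML_STATUS_OK;` whenever NDEBUG compiles the assertion away, so an unexpected `m_parsingStatus.parsing` value would be reported as a successful stop even though nothing was stopped or suspended. Assuming enum XML_Parsing has only the four values now named as cases, that arm is reachable only through corrupted parser state, which is exactly when the library should fail closed; following the assert with `return XML_STATUS_ERROR;` keeps it off the success path, and the hunk does not show whether xmlparse.c already includes `<assert.h>` for the new `assert` call. XML_StopParser's signature lies outside the visible hunk lines. Separately, the embedded header still reads `2 files changed, 9 insertions(+), 1 deletion(-)` and lists only expat.h and xmlparse.c, although the patch body also changes tests/runtests.c, so that description no longer matches the patch it heads.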
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Nov 8 12:03:11 UTC 2024 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser
+ + expat-CVE-2024-50602.patch
+
 -------------------------------------------------------------------
 Tue Sep 3 11:54:56 UTC 2024 - David Anes
diff --git a/expat.spec b/expat.spec
index 4e7ca54..c69fc51 100644
--- a/expat.spec
+++ b/expat.spec
@@ -47,6 +47,8 @@ Patch3: expat-CVE-2024-45491.patch
 # reject negative len for XML_ParseBuffer
 # UPSTREAM-FIX: (bsc#1229930, CVE-2024-45490) https://github.com/libexpat/libexpat/pull/890
 Patch4: expat-CVE-2024-45490.patch
+# CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser
+Patch5: expat-CVE-2024-50602.patch
 BuildRequires: gcc-c++