Sync from SUSE:ALP:Source:Standard:1.0 uriparser revision 40960d33d7fa9b612b1dbc30e6fe983b

2024-11-28 14:25:33 +01:00 · 2024-11-28 14:25:33 +01:00 · 6b7eaf87b6
commit 6b7eaf87b6
parent ad15d508f0
4 changed files with 87 additions and 3 deletions
--- a/CVE-2024-34402.patch
+++ b/CVE-2024-34402.patch
@ -0,0 +1,44 @@
+From 760ade2947415dbb100053cf793c2f96fe257386 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 28 Apr 2024 21:26:45 +0200
+Subject: [PATCH] Protect against integer overflow in ComposeQueryEngine
+
+Requires string input that is longer than INT_MAX to exploit.
+---
+ src/UriQuery.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/UriQuery.c b/src/UriQuery.c
+index b2734bc2..29c6f473 100644
+--- a/src/UriQuery.c
+++ b/src/UriQuery.c
+@@ -70,6 +70,7 @@
+ 
+ 
+ #include <limits.h>
+#include <stddef.h> /* size_t */
+ 
+ 
+ 
+@@ -218,16 +219,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
+ 		const URI_CHAR * const key = queryList->key;
+ 		const URI_CHAR * const value = queryList->value;
+ 		const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
+-		const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+		const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);
+ 		int keyRequiredChars;
+-		const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
+		const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);
+ 		int valueRequiredChars;
+ 
+-		if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
+		if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) {
+ 			return URI_ERROR_OUTPUT_TOO_LARGE;
+ 		}
+-		keyRequiredChars = worstCase * keyLen;
+-		valueRequiredChars = worstCase * valueLen;
+		keyRequiredChars = worstCase * (int)keyLen;
+		valueRequiredChars = worstCase * (int)valueLen;
+ 
+ 		if (dest == NULL) {
+ 			(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)
--- a/CVE-2024-34403.patch
+++ b/CVE-2024-34403.patch
@ -0,0 +1,29 @@
+From bb6b9b3f25fbafeb12dac68574d9f677b09880e3 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 28 Apr 2024 21:57:27 +0200
+Subject: [PATCH] Protect against integer overflow in ComposeQueryMallocExMm
+
+Requires string input that is longer than INT_MAX / 6 - 1 to exploit.
+---
+ src/UriQuery.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/UriQuery.c b/src/UriQuery.c
+index b2734bc2..4885ff05 100644
+--- a/src/UriQuery.c
+++ b/src/UriQuery.c
+@@ -177,10 +177,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest,
+ 	if (res != URI_SUCCESS) {
+ 		return res;
+ 	}
+	if (charsRequired == INT_MAX) {
+	    return URI_ERROR_MALLOC;
+	}
+ 	charsRequired++;
+ 
+ 	/* Allocate space */
+-	queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR));
+	queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR));
+ 	if (queryString == NULL) {
+ 		return URI_ERROR_MALLOC;
+ 	}
--- a/uriparser.changes
+++ b/uriparser.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed May 29 08:35:29 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- CVE-2024-34402.patch: Protect against integer overflow in
+  ComposeQueryEngine (bsc#1223887, CVE-2024-34402)
+- CVE-2024-34403.patch: Protect against integer overflow in
+  ComposeQueryMallocExMm (bsc#1223888, CVE-2024-34403)
+- enable unit tests
+
 -------------------------------------------------------------------
 Mon Oct 17 11:52:32 UTC 2022 - Dirk Müller <dmueller@suse.com>

--- a/uriparser.spec
+++ b/uriparser.spec
@ -16,7 +16,7 @@
 #


-%bcond_with googletest
+%bcond_without googletest

 %define so_ver  1
 Name:           uriparser
@ -28,6 +28,8 @@ Group:          Development/Libraries/C and C++
 URL:            https://uriparser.github.io
 Source:         https://github.com/uriparser/uriparser/releases/download/uriparser-%{version}/uriparser-%{version}.tar.xz
 Source1:        baselibs.conf
+Patch1:         CVE-2024-34402.patch
+Patch2:         CVE-2024-34403.patch
 BuildRequires:  cmake
 BuildRequires:  doxygen
 BuildRequires:  fdupes
@ -91,7 +93,7 @@ and supports Unicode.
 This subpackage contains the documentation for %{name}.

 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -p1

 %build
 %cmake \
@ -115,7 +117,7 @@ This subpackage contains the documentation for %{name}.
 %if %{with googletest}
 %check
 export MALLOC_CHECK_=2 MALLOC_PERTURB_=$((${RANDOM:-256} % 256))
-make %{?_smp_mflags} check
+%ctest
 unset MALLOC_CHECK_ MALLOC_PERTURB_
 %endif