diff --git a/CVE-2024-34402.patch b/CVE-2024-34402.patch
new file mode 100644
index 0000000..543d7ee
--- /dev/null
+++ b/CVE-2024-34402.patch
@@ -0,0 +1,44 @@
+From 760ade2947415dbb100053cf793c2f96fe257386 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sun, 28 Apr 2024 21:26:45 +0200
+Subject: [PATCH] Protect against integer overflow in ComposeQueryEngine
+
+Requires string input that is longer than INT_MAX to exploit.
+---
+ src/UriQuery.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/UriQuery.c b/src/UriQuery.c
+index b2734bc2..29c6f473 100644
+--- a/src/UriQuery.c
++++ b/src/UriQuery.c
+@@ -70,6 +70,7 @@
+
+
+ #include
++#include /* size_t */
+
+
+
+@@ -218,16 +219,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
+ const URI_CHAR * const key = queryList->key;
+ const URI_CHAR * const value = queryList->value;
+ const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
+- const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
++ const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);
+ int keyRequiredChars;
+- const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
++ const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);
+ int valueRequiredChars;
+
+- if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
++ if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) {
+ return URI_ERROR_OUTPUT_TOO_LARGE;
+ }
+- keyRequiredChars = worstCase * keyLen;
+- valueRequiredChars = worstCase * valueLen;
++ keyRequiredChars = worstCase * (int)keyLen;
++ valueRequiredChars = worstCase * (int)valueLen;
+
+ if (dest == NULL) {
+ (*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)
diff --git a/CVE-2024-34403.patch b/CVE-2024-34403.patch
new file mode 100644
index 0000000..0082900
--- /dev/null
+++ b/CVE-2024-34403.patch
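Review bot: The accumulation `(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)` in the `dest == NULL` branch of the vendored CVE-2024-34402 patch is still plain `int` arithmetic, and the new guard only bounds each product on its own. Both `keyRequiredChars` and `valueRequiredChars` may each come out just under `INT_MAX`, so one item's sum, or the running total over a long query list, can still overflow a signed `int`. The statement continues past the end of the hunk, so a check may exist outside the visible lines. If there is none, compare against the remaining headroom before adding, along the lines of `if (keyRequiredChars > INT_MAX - ampersandLen - *charsRequired) return URI_ERROR_OUTPUT_TOO_LARGE;`, and do the same for the value term.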
@@ -0,0 +1,29 @@ +From bb6b9b3f25fbafeb12dac68574d9f677b09880e3 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 28 Apr 2024 21:57:27 +0200 +Subject: [PATCH] Protect against integer overflow in ComposeQueryMallocExMm + +Requires string input that is longer than INT_MAX / 6 - 1 to exploit. +--- + src/UriQuery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/UriQuery.c b/src/UriQuery.c +index b2734bc2..4885ff05 100644 +--- a/src/UriQuery.c ++++ b/src/UriQuery.c +@@ -177,10 +177,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest, + if (res != URI_SUCCESS) { + return res; + } ++ if (charsRequired == INT_MAX) { ++ return URI_ERROR_MALLOC; ++ } + charsRequired++; + + /* Allocate space */ +- queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR)); ++ queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR)); + if (queryString == NULL) { + return URI_ERROR_MALLOC; + } diff --git a/uriparser.changes b/uriparser.changes index 41cef6d..2126cca 100644 --- a/uriparser.changes +++ b/uriparser.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed May 29 08:35:29 UTC 2024 - Adam Majer + +- CVE-2024-34402.patch: Protect against integer overflow in + ComposeQueryEngine (bsc#1223887, CVE-2024-34402) +- CVE-2024-34403.patch: Protect against integer overflow in + ComposeQueryMallocExMm (bsc#1223888, CVE-2024-34403) +- enable unit tests + ------------------------------------------------------------------- Mon Oct 17 11:52:32 UTC 2022 - Dirk Müller diff --git a/uriparser.spec b/uriparser.spec index 655dfbe..ca5342e 100644 --- a/uriparser.spec +++ b/uriparser.spec @@ -16,7 +16,7 @@ # -%bcond_with googletest +%bcond_without googletest %define so_ver 1 Name: uriparser 
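Review bot: After the switch to `memory->calloc(memory, charsRequired, sizeof(URI_CHAR))` in the CVE-2024-34403 patch, protection against `charsRequired * sizeof(URI_CHAR)` wrapping depends entirely on the `calloc` callback of the caller-supplied memory manager, and nothing in the hunk says so. A comment above the call would record the contract, e.g. `/* calloc, not malloc: the memory manager's calloc must reject a count * size product that overflows */`. Separately, the new `charsRequired == INT_MAX` guard returns `URI_ERROR_MALLOC`, while the analogous size guard in ComposeQueryEngine returns `URI_ERROR_OUTPUT_TOO_LARGE`, so callers cannot tell an oversized query from a real allocation failure. The function body starts and ends outside the hunk.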
@@ -28,6 +28,8 @@ Group: Development/Libraries/C and C++ URL: https://uriparser.github.io Source: https://github.com/uriparser/uriparser/releases/download/uriparser-%{version}/uriparser-%{version}.tar.xz Source1: baselibs.conf +Patch1: CVE-2024-34402.patch +Patch2: CVE-2024-34403.patch BuildRequires: cmake BuildRequires: doxygen BuildRequires: fdupes @@ -91,7 +93,7 @@ and supports Unicode. This subpackage contains the documentation for %{name}. %prep -%setup -q -n %{name}-%{version} +%autosetup -p1 %build %cmake \ @@ -115,7 +117,7 @@ This subpackage contains the documentation for %{name}. %if %{with googletest} %check export MALLOC_CHECK_=2 MALLOC_PERTURB_=$((${RANDOM:-256} % 256)) -make %{?_smp_mflags} check +%ctest unset MALLOC_CHECK_ MALLOC_PERTURB_ %endif
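Review bot: The new `Patch1:` and `Patch2:` lines in uriparser.spec carry no comment recording where the patches come from, so the provenance of these security fixes is only recoverable by opening the patch files. A tag line above each would make that auditable from the spec, e.g. `# PATCH-FIX-UPSTREAM CVE-2024-34402.patch bsc#1223887 -- upstream commit 760ade2947415dbb100053cf793c2f96fe257386`, and the same for CVE-2024-34403.patch with bsc#1223888 and commit bb6b9b3f25fbafeb12dac68574d9f677b09880e3. Both vendored patches touch only `src/UriQuery.c`, so the test suite this commit enables in `%check` presumably has no regression case for either overflow; that is worth stating in the changelog entry.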