Sync from SUSE:SLFO:Main mozjs115 revision c245091beaf2e06211fa508baf3af915

mozjs115-CVE-2024-45490-part01-5c1a3164.patch

@@ -0,0 +1,28 @@
+From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+References: CVE-2024-45490
+References: bsc#1230036
+Upstream: Backport from upstream
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- firefox-115.4.0/parser/expat/lib/xmlparse.c
++++ firefox-115.4.0_new/parser/expat/lib/xmlparse.c
+@@ -1978,6 +1978,12 @@
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;

mozjs115-CVE-2024-45491.patch

@@ -0,0 +1,32 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+References: CVE-2024-45491
+References: bsc#1230037
+Upstream: Backport from upstream
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- firefox-115.4.0/parser/expat/lib/xmlparse.c	2024-10-01 16:34:48.157843398 +0800
++++ firefox-115.4.0_new/parser/expat/lib/xmlparse.c	2024-10-01 16:59:33.700353296 +0800
+@@ -6619,6 +6619,16 @@
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts) {

mozjs115-CVE-2024-45492.patch

@@ -0,0 +1,31 @@
+From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+References: CVE-2024-45492
+References: bsc#1230038
+Upstream: Backport from upstream
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- firefox-115.4.0/parser/expat/lib/xmlparse.c
++++ firefox-115.4.0_new/parser/expat/lib/xmlparse.c
+@@ -7173,6 +7173,15 @@
+   int next;
+ 
+   if (!dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(groupSize * sizeof(int));
+     if (!dtd->scaffIndex)
+       return -1;

mozjs115.changes

@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Sep 30 17:35:18 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add mozjs115-CVE-2024-45492.patch:
+  Backporting 9bf0f2c1 from libexpat upstream, Detect integer
+  overflow in function nextScaffoldPart.
+  (CVE-2024-45492, bsc#1230038)
+
+-------------------------------------------------------------------
+Mon Sep 30 17:25:22 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add mozjs115-CVE-2024-45491.patch:
+  Backporting 8e439a99 from libexpat upstream, Detect integer
+  overflow in dtdCopy.
+  (CVE-2024-45491, bsc#1230037)
+
+-------------------------------------------------------------------
+Mon Sep 30 17:15:45 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add mozjs115-CVE-2024-45490-part01-5c1a3164.patch:
+  Backporting 5c1a3164 from libexpat upstream, Reject negative len
+  for XML_ParseBuffer.
+  CVE-2024-45490's fixes including 3 parts: 5c1a3164 for libexpat
+  sources; c12f039b for libexpat tests; 2db23301 for libexpat docs;
+  Because mozjs only embeds libexpat sources, so unnecessary to
+  port prart02 and part03.
+  (CVE-2024-45490, bsc#1230036)
+
 -------------------------------------------------------------------
 Thu Apr  4 13:56:30 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 

mozjs115.spec

@@ -78,7 +78,12 @@ Patch18:        spidermonkey_style_check_disable_s390x.patch
 Patch19:        0001-Skip-failing-tests-on-ppc64-and-s390x.patch
 # PATCH-FIX-OPENSUSE
 Patch20:        Fix-i586-float-math.patch
-
+# PATCH-FIX-UPSTREAM mozjs115-CVE-2024-45490-part01-5c1a3164.patch CVE-2024-45490 bsc#1230036 qzhao@suse.com -- Reject negative len for XML_ParseBuffer.
+Patch21:        mozjs115-CVE-2024-45490-part01-5c1a3164.patch
+# PATCH-FIX-UPSTREAM mozjs115-CVE-2024-45491.patch CVE-2024-45491 bsc#1230037 qzhao@suse.com -- Detect integer overflow in dtdCopy.
+Patch22:        mozjs115-CVE-2024-45491.patch
+# PATCH-FIX-UPSTREAM mozjs115-CVE-2024-45492.patch CVE-2024-45492 bsc#1230038 qzhao@suse.com -- Detect integer overflow in function nextScaffoldPart.
+Patch23:        mozjs115-CVE-2024-45492.patch
 BuildRequires:  autoconf213
 BuildRequires:  cargo
 BuildRequires:  ccache
@@ -163,6 +168,9 @@ pushd ../..
 # Fixes for ppc64 and s390x, there is no need to keep it in ifarch here since mozilla tests support ifarch conditions
 %patch -P 19 -p1
 %patch -P 20 -p1
+%patch -P 21 -p1
+%patch -P 22 -p1
+%patch -P 23 -p1
 
 # Copy out the LICENSE file
 cp LICENSE js/src/