From 860c603684352d3758b3b17056390417d382e0664dde1c7aca67005d7e0bd599 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 11 Sep 2019 16:22:32 +0000
Subject: [PATCH 1/2] Accepting request 730208 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Security fix (CVE-2019-15903, bsc#1149429)
* Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing
* Added patches:
- expat-CVE-2019-15903.patch
- expat-CVE-2019-15903-tests.patch
OBS-URL: https://build.opensuse.org/request/show/730208
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=78
---
expat-CVE-2019-15903-tests.patch | 93 ++++++++++++++++++++++++++++++++
expat-CVE-2019-15903.patch | 89 ++++++++++++++++++++++++++++++
expat.changes | 10 ++++
expat.spec | 5 ++
4 files changed, 197 insertions(+)
create mode 100644 expat-CVE-2019-15903-tests.patch
create mode 100644 expat-CVE-2019-15903.patch
diff --git a/expat-CVE-2019-15903-tests.patch b/expat-CVE-2019-15903-tests.patch
new file mode 100644
index 0000000..3292d50
--- /dev/null
+++ b/expat-CVE-2019-15903-tests.patch
@@ -0,0 +1,93 @@ +From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 15:14:19 +0200 +Subject: [PATCH] tests: Cover denying internal entities closing the doctype + +--- + expat/tests/runtests.c | 67 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 67 insertions(+) + +Index: expat-2.2.5/tests/runtests.c +=================================================================== +--- expat-2.2.5.orig/tests/runtests.c ++++ expat-2.2.5/tests/runtests.c +@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co + CharData_AppendXMLChars(storage, XCS("\n"), 1); + } + ++#ifdef XML_DTD ++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { ++ const char *const inputOne = "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo = "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree = "\n" ++ "\n" ++ "%e;"; ++ const char *const inputIssue317 = "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; ++ ++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ size_t inputIndex = 0; ++ ++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ const char *const input = inputs[inputIndex]; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = XML_Parse(parser, "", 0, 1); ++ if (parseResult != XML_STATUS_ERROR) { ++ fail("Parsing was expected to fail but succeeded."); ++ } ++ } ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ 
++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 4) ++ fail("XML_GetCurrentLineNumber does not work as expected."); ++ ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++#endif ++ + static void + run_ns_tagname_overwrite_test(const char *text, const XML_Char *result) + { +@@ -12210,6 +12273,9 @@ make_suite(void) + tcase_add_test(tc_misc, test_misc_features); + tcase_add_test(tc_misc, test_misc_attribute_leak); + tcase_add_test(tc_misc, test_misc_utf16le); ++#ifdef XML_DTD ++ tcase_add_test(tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317); ++#endif + + suite_add_tcase(s, tc_alloc); + tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); diff --git a/expat-CVE-2019-15903.patch b/expat-CVE-2019-15903.patch new file mode 100644 index 0000000..b89eaa2 --- /dev/null +++ b/expat-CVE-2019-15903.patch 
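Review bot: The new test pins only the rejection path — every fixture must fail with XML_ERROR_INVALID_TOKEN at line 4, column 0 — and there is no positive control showing that a `]>` written directly in the internal subset, after a `%e;` reference has been expanded, still parses; one such input expected to return XML_STATUS_OK would guard against the new gate being applied too broadly, unless an existing doctype test in runtests.c already covers it. The four XML literals are truncated in this rendering (`"'>\n" "\n" "%e;"`), so the line/column expectations could not be checked here and should be compared against upstream 438493691f1b before merging. Querying `XML_GetCurrentLineNumber`/`XML_GetCurrentColumnNumber` after the failed parse is the right assertion to keep, since that call is what the 2.2.8 release note later in this series names as the trigger of the heap over-read.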
@@ -0,0 +1,89 @@ +From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 00:24:59 +0200 +Subject: [PATCH] xmlparse.c: Deny internal entities closing the doctype + +--- + expat/lib/xmlparse.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +Index: expat-2.2.5/lib/xmlparse.c +=================================================================== +--- expat-2.2.5.orig/lib/xmlparse.c ++++ expat-2.2.5/lib/xmlparse.c +@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser); + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -4268,7 +4268,7 @@ prologProcessor(XML_Parser parser, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error +@@ -4279,7 +4279,8 @@ doProlog(XML_Parser parser, + int tok, + const char *next, + const char **nextPtr, +- XML_Bool haveMore) ++ XML_Bool haveMore, ++ XML_Bool allowClosingDoctype) + { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; +@@ -4458,6 +4459,11 @@ doProlog(XML_Parser parser, + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if 
(allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (parser->m_doctypeName) { + parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, + parser->m_doctypeSysid, parser->m_doctypePubid, 0); +@@ -5395,7 +5401,7 @@ processInternalEntity(XML_Parser parser, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5442,7 +5448,7 @@ internalEntityProcessor(XML_Parser parse + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_TRUE); + } + else + #endif /* XML_DTD */ +@@ -5469,7 +5475,7 @@ internalEntityProcessor(XML_Parser parse + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ diff --git a/expat.changes b/expat.changes index 3cdf302..680ef4f 100644 --- a/expat.changes +++ b/expat.changes 
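Review bot: The two parameter-entity call sites receive different values for the new flag with no explanation: `processInternalEntity` passes `XML_FALSE, XML_FALSE` while `internalEntityProcessor` — the path taken when parsing of the same entity text is resumed, if I read its role correctly; its body lies outside the hunk — passes `XML_FALSE, XML_TRUE`, so by the check added under XML_ROLE_DOCTYPE_CLOSE a `]>` inside a parameter entity is denied on first expansion but not on the resumed continuation. If that asymmetry is intentional in the upstream commit being backported it deserves a comment at the second site, e.g. `/* resumed entity text: closing the doctype is allowed here, see upstream c20b758c */`, and if it is an oversight the second call should pass `XML_FALSE` too; the maintainer should confirm against upstream rather than guess. Separately, the patch headers reference `expat-2.2.5/` while the spec builds 2.2.7 — harmless with `-p1`, but the patch should be refreshed so its path prefix matches the tarball it is applied to.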
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Sep 4 17:11:38 UTC 2019 - Pedro Monreal Gonzalez
+
+- Security fix (CVE-2019-15903, bsc#1149429)
+ * Crafted XML input results in heap-based buffer over-read by fooling
+ the parser into changing from DTD parsing to document parsing
+ * Added patches:
+ - expat-CVE-2019-15903.patch
+ - expat-CVE-2019-15903-tests.patch
+
 -------------------------------------------------------------------
 Tue Jul 2 10:33:51 UTC 2019 - Pedro Monreal Gonzalez
diff --git a/expat.spec b/expat.spec
index a3cde2c..34c162a 100644
--- a/expat.spec
+++ b/expat.spec
@@ -28,6 +28,9 @@ Source0: https://github.com/libexpat/libexpat/releases/download/R_%{unver
 Source1: %{name}faq.html
 Source2: baselibs.conf
 Source3: https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz.asc
+# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 crafted XML input results in heap-based buffer over-read
+Patch1: expat-CVE-2019-15903.patch
+Patch2: expat-CVE-2019-15903-tests.patch
 BuildRequires: gcc-c++
 BuildRequires: libtool
 BuildRequires: pkgconfig
@@ -62,6 +65,8 @@ in libexpat.
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 cp %{SOURCE1} .
 rm -f examples/*.dsp
From f5ae13f1459097e19bcd74e995b78b3958aef2653a4d8a6b220c49cb0d2f1e91 Mon Sep 17 00:00:00 2001
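Review bot: The provenance of the backport is not recorded in the spec: the single `# PATCH-FIX-UPSTREAM` line covers only `Patch1`, and neither line names the upstream commits being carried, so a later maintainer cannot tell whether the two files are verbatim upstream or locally modified (their own headers say `Index: expat-2.2.5/...` while this spec builds 2.2.7). Suggest one tag per patch, e.g. `# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 deny internal entities closing the doctype (upstream c20b758c)` above `Patch1` and `# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 regression test for the above (upstream 438493691f1b)` above `Patch2`. The test patch only has an effect because `%check` runs `make check` (visible as context in the later spec hunk); that dependency is worth a word in the tag so the test is not silently lost if `%check` is ever made conditional.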
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 16 Sep 2019 09:43:53 +0000 Subject: [PATCH 2/2] Accepting request 731221 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Version update to 2.2.8 * Security fixes: (CVE-2019-15903, bsc#1149429) - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype; * Bug fixes: - Fix cases where XML_StopParser did not have any effect when called from inside of an end element handler - xmlwf: Fix exit code for operation without "-d DIRECTORY"; previously, only "-d DIRECTORY" would give you a proper exit code: Now both cases return exit code 2. * Other changes: - examples: Improve elements.c - Autotools: Add argument --enable-xml-attr-info - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom - Autotools: Fix linking issues with "./configure LD=clang" - Autotools: Fix "make run-xmltest" for out-of-source builds - CMake: Pull all options from Expat <=2.2.7 into namespace - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO - CMake: Install expat_config.h to include directory - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..]) - CMake: Now produces a summary of applied configuration - CMake: Require C++ compiler only when tests are enabled - CMake: Fix compilation for 16bit character types, i.e. 
ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
- CMake: Port "make run-xmltest" from GNU Autotools to CMake
- CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
- Removed patches fixed in the update:
OBS-URL: https://build.opensuse.org/request/show/731221
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=79
---
expat-2.2.7.tar.xz | 3 --
expat-2.2.7.tar.xz.asc | 6 ---
expat-2.2.8.tar.xz | 3 ++
expat-2.2.8.tar.xz.asc | 16 ++++++
expat-CVE-2019-15903-tests.patch | 93 --------------------------------
expat-CVE-2019-15903.patch | 89 ------------------------------
expat.changes | 36 +++++++++++++
expat.spec | 13 ++---
8 files changed, 60 insertions(+), 199 deletions(-)
delete mode 100644 expat-2.2.7.tar.xz
delete mode 100644 expat-2.2.7.tar.xz.asc
create mode 100644 expat-2.2.8.tar.xz
create mode 100644 expat-2.2.8.tar.xz.asc
delete mode 100644 expat-CVE-2019-15903-tests.patch
delete mode 100644 expat-CVE-2019-15903.patch
diff --git a/expat-2.2.7.tar.xz b/expat-2.2.7.tar.xz
deleted file mode 100644
index b7b3e04..0000000
--- a/expat-2.2.7.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:30e3f40acf9a8fdbd5c379bdcc8d1178a1d9af306de29fc8ece922bc4c57bef8
-size 424264
diff --git a/expat-2.2.7.tar.xz.asc b/expat-2.2.7.tar.xz.asc
deleted file mode 100644
index 2eee835..0000000
--- a/expat-2.2.7.tar.xz.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQQ9fpWdifrP7jg3GSGwC8ZqQBoWAAUCXQpmTQAKCRCwC8ZqQBoW
-AEIpAJ9+jIcvEUpNEhXku8RShzGrE5gc3gCgml4U3lnpbC7+avvh3F17U7+vSuE=
-=Jbtz
------END PGP SIGNATURE-----
diff --git a/expat-2.2.8.tar.xz b/expat-2.2.8.tar.xz
new file mode 100644
index 0000000..0440aa1
--- /dev/null
+++ b/expat-2.2.8.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61caa81a49d858afb2031c7b1a25c97174e7f2009aa1ec4e1ffad2316b91779b
+size 422324
diff --git a/expat-2.2.8.tar.xz.asc b/expat-2.2.8.tar.xz.asc
new file mode 100644
index 0000000..1dfbf74
--- /dev/null
+++ b/expat-2.2.8.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAl18EWEACgkQliYqz/vT
+rsbjsg/+Lu9ULWosv29viYV7Q9t5506vwMKLea029/JjeuBw/TnHdN/Nfth4BMtb
+Iq8nw88C1+wFMX3xvqHoZsswjBsT4c6qMtSno3vAljS7mDh0Npt85qbA6IZpqDAh
+Lh+lJTInwCrsWVtkDEInrqiY15zs5NMaX85NFknlANZwhXHtnqVqBedt0jNe3URM
+He4NxIHDyLYs/4vnkEafKLwOPLEJ7ylsRCMjwcdL2WFUjbf/ZRG9Rz0z7fmXEWZm
+WGCfNFnPOK2Mt0XRxEVsjAg1zkkMMEqOyY3XSz0pg5Kej8yJI0UU/FnemaPgGt6U
+mEiLJJwvSyx3gIuLfTM6Sdi6MBHXHrbNN7XR1GRlH6w9x1HSzJQfJ4xVeHheykBq
+K9IY6ZWqhjoPC0kBWuWOXnwlkOuoK3/E91G2/S1MKEHeSlDTD81sNjfdUxeXfX1L
+LXk16BUeRsbj5Ykin+Cuw3lSin9RM6vNvr5gYfgw2Oeiye5b8vQ12CNUyHytU7fO
+HseMaoT+ZTbgc7bs7LYzSJh/Ba+O+RDXB9gJ2iYwqQfTgBjgXZWuvVNLNdTwNWXJ
+x7Hd0z+MjHFY5rOljQY/FvG8YOSHoiNhD5me+O3ZwQCz4jWXxEaW3JsxnXn/GmNV
+O2zQuB74tRZbCylNC0iocdhWu2OHFDjQGTl0GoaXNQEpo+tGEsM=
+=JAwW
+-----END PGP SIGNATURE-----
diff --git a/expat-CVE-2019-15903-tests.patch b/expat-CVE-2019-15903-tests.patch
deleted file mode 100644
index 3292d50..0000000
--- a/expat-CVE-2019-15903-tests.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Wed, 28 Aug 2019 15:14:19 +0200 -Subject: [PATCH] tests: Cover denying internal entities closing the doctype - ---- - expat/tests/runtests.c | 67 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 67 insertions(+) - -Index: expat-2.2.5/tests/runtests.c -=================================================================== ---- expat-2.2.5.orig/tests/runtests.c -+++ expat-2.2.5/tests/runtests.c -@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co - CharData_AppendXMLChars(storage, XCS("\n"), 1); - } - -+#ifdef XML_DTD -+START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { -+ const char *const inputOne = "'>\n" -+ "\n" -+ "%e;"; -+ const char *const inputTwo = "'>\n" -+ "\n" -+ "%e2;"; -+ const char *const inputThree = "\n" -+ "\n" -+ "%e;"; -+ const char *const inputIssue317 = "\n" -+ "Hell'>\n" -+ "%foo;\n" -+ "]>\n" -+ "Hello, world"; -+ -+ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; -+ size_t inputIndex = 0; -+ -+ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { -+ XML_Parser parser; -+ enum XML_Status parseResult; -+ int setParamEntityResult; -+ XML_Size lineNumber; -+ XML_Size columnNumber; -+ const char *const input = inputs[inputIndex]; -+ -+ parser = XML_ParserCreate(NULL); -+ setParamEntityResult -+ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); -+ if (setParamEntityResult != 1) -+ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); -+ -+ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); -+ if (parseResult != XML_STATUS_ERROR) { -+ parseResult = XML_Parse(parser, "", 0, 1); -+ if (parseResult != XML_STATUS_ERROR) { -+ fail("Parsing was expected to fail but succeeded."); -+ } -+ } -+ -+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) -+ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); -+ 
-+ lineNumber = XML_GetCurrentLineNumber(parser); -+ if (lineNumber != 4) -+ fail("XML_GetCurrentLineNumber does not work as expected."); -+ -+ columnNumber = XML_GetCurrentColumnNumber(parser); -+ if (columnNumber != 0) -+ fail("XML_GetCurrentColumnNumber does not work as expected."); -+ -+ XML_ParserFree(parser); -+ } -+} -+END_TEST -+#endif -+ - static void - run_ns_tagname_overwrite_test(const char *text, const XML_Char *result) - { -@@ -12210,6 +12273,9 @@ make_suite(void) - tcase_add_test(tc_misc, test_misc_features); - tcase_add_test(tc_misc, test_misc_attribute_leak); - tcase_add_test(tc_misc, test_misc_utf16le); -+#ifdef XML_DTD -+ tcase_add_test(tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317); -+#endif - - suite_add_tcase(s, tc_alloc); - tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); diff --git a/expat-CVE-2019-15903.patch b/expat-CVE-2019-15903.patch deleted file mode 100644 index b89eaa2..0000000 --- a/expat-CVE-2019-15903.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Wed, 28 Aug 2019 00:24:59 +0200 -Subject: [PATCH] xmlparse.c: Deny internal entities closing the doctype - ---- - expat/lib/xmlparse.c | 20 +++++++++++++------- - 1 file changed, 13 insertions(+), 7 deletions(-) - -Index: expat-2.2.5/lib/xmlparse.c -=================================================================== ---- expat-2.2.5.orig/lib/xmlparse.c -+++ expat-2.2.5/lib/xmlparse.c -@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser); - static enum XML_Error - doProlog(XML_Parser parser, const ENCODING *enc, const char *s, - const char *end, int tok, const char *next, const char **nextPtr, -- XML_Bool haveMore); -+ XML_Bool haveMore, XML_Bool allowClosingDoctype); - static enum XML_Error - processInternalEntity(XML_Parser parser, ENTITY *entity, - XML_Bool betweenDecl); -@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse - - parser->m_processor = prologProcessor; - return doProlog(parser, parser->m_encoding, s, end, tok, next, -- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); -+ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); - } - - static enum XML_Error PTRCALL -@@ -4268,7 +4268,7 @@ prologProcessor(XML_Parser parser, - const char *next = s; - int tok = XmlPrologTok(parser->m_encoding, s, end, &next); - return doProlog(parser, parser->m_encoding, s, end, tok, next, -- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); -+ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); - } - - static enum XML_Error -@@ -4279,7 +4279,8 @@ doProlog(XML_Parser parser, - int tok, - const char *next, - const char **nextPtr, -- XML_Bool haveMore) -+ XML_Bool haveMore, -+ XML_Bool allowClosingDoctype) - { - #ifdef XML_DTD - static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; -@@ -4458,6 +4459,11 @@ doProlog(XML_Parser parser, - } - break; - case XML_ROLE_DOCTYPE_CLOSE: -+ if 
(allowClosingDoctype != XML_TRUE) { -+ /* Must not close doctype from within expanded parameter entities */ -+ return XML_ERROR_INVALID_TOKEN; -+ } -+ - if (parser->m_doctypeName) { - parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, - parser->m_doctypeSysid, parser->m_doctypePubid, 0); -@@ -5395,7 +5401,7 @@ processInternalEntity(XML_Parser parser, - if (entity->is_param) { - int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); - result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, -- next, &next, XML_FALSE); -+ next, &next, XML_FALSE, XML_FALSE); - } - else - #endif /* XML_DTD */ -@@ -5442,7 +5448,7 @@ internalEntityProcessor(XML_Parser parse - if (entity->is_param) { - int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); - result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, -- next, &next, XML_FALSE); -+ next, &next, XML_FALSE, XML_TRUE); - } - else - #endif /* XML_DTD */ -@@ -5469,7 +5475,7 @@ internalEntityProcessor(XML_Parser parse - parser->m_processor = prologProcessor; - tok = XmlPrologTok(parser->m_encoding, s, end, &next); - return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, -- (XML_Bool)!parser->m_parsingStatus.finalBuffer); -+ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); - } - else - #endif /* XML_DTD */ diff --git a/expat.changes b/expat.changes index 680ef4f..3cb3dad 100644 --- a/expat.changes +++ b/expat.changes 
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Sep 16 08:21:52 UTC 2019 - Pedro Monreal Gonzalez
+
+- Version update to 2.2.8
+ * Security fixes: (CVE-2019-15903, bsc#1149429)
+ - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber
+ (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype;
+ * Bug fixes:
+ - Fix cases where XML_StopParser did not have any effect
+ when called from inside of an end element handler
+ - xmlwf: Fix exit code for operation without "-d DIRECTORY";
+ previously, only "-d DIRECTORY" would give you a proper exit code:
+ Now both cases return exit code 2.
+ * Other changes:
+ - examples: Improve elements.c
+ - Autotools: Add argument --enable-xml-attr-info
+ - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom
+ - Autotools: Fix linking issues with "./configure LD=clang"
+ - Autotools: Fix "make run-xmltest" for out-of-source builds
+ - CMake: Pull all options from Expat <=2.2.7 into namespace
+ - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF
+ - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF
+ - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF
+ - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
+ - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
+ - CMake: Install expat_config.h to include directory
+ - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..])
+ - CMake: Now produces a summary of applied configuration
+ - CMake: Require C++ compiler only when tests are enabled
+ - CMake: Fix compilation for 16bit character types, i.e. 
ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
+ - CMake: Port "make run-xmltest" from GNU Autotools to CMake
+ - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
+- Removed patches fixed in the update:
+ * expat-CVE-2019-15903.patch
+ * expat-CVE-2019-15903-tests.patch
+
 -------------------------------------------------------------------
 Wed Sep 4 17:11:38 UTC 2019 - Pedro Monreal Gonzalez
diff --git a/expat.spec b/expat.spec
index 34c162a..bea29e8 100644
--- a/expat.spec
+++ b/expat.spec
@@ -16,21 +16,18 @@ #
-%global unversion 2_2_7
+%global unversion 2_2_8
 Name: expat
-Version: 2.2.7
+Version: 2.2.8
 Release: 0
 Summary: XML Parser Toolkit
 License: MIT
 Group: Development/Libraries/C and C++
-URL: http://libexpat.github.io
+URL: https://libexpat.github.io
 Source0: https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz
 Source1: %{name}faq.html
 Source2: baselibs.conf
 Source3: https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz.asc
-# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 crafted XML input results in heap-based buffer over-read
-Patch1: expat-CVE-2019-15903.patch
-Patch2: expat-CVE-2019-15903-tests.patch
 BuildRequires: gcc-c++
 BuildRequires: libtool
 BuildRequires: pkgconfig
@@ -65,8 +62,6 @@ in libexpat.
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
 cp %{SOURCE1} .
 rm -f examples/*.dsp
@@ -88,6 +83,8 @@ rm -f examples/*.dsp
 %install
 %make_install
 find %{buildroot} -type f -name "*.la" -delete -print
+# Fix permissions error: spurious-executable-perm
+chmod 0644 examples/elements.c
 %check
 make %{?_smp_mflags} check
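Review bot: Nothing in this spec verifies the shipped `.asc` against a trusted key — `Source3` fetches the detached signature, but no `%{name}.keyring` source appears among Source0–Source3 and this change touches no keyring file, even though the new `expat-2.2.8.tar.xz.asc` is evidently made by a different key than the 2.2.7 one (as far as the armor header decodes, an RSA/SHA-256 signature with a new issuer fingerprint replaces the much shorter DSA/SHA-1 signature; compare the two `.asc` hunks earlier in this diff). Before accepting the tarball the maintainer should verify the signature out of band and establish that the new key is the upstream release key (announced or cross-signed from the previous one), then add `Source4: %{name}.keyring` carrying it so the source validator enforces the check on every future bump. Without that, the `.asc` sitting next to the tarball gives the appearance of verification without the substance, and the integrity of `Source0` rests solely on the LFS sha256 recorded in this commit.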
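Review bot: The `chmod 0644 examples/elements.c` belongs in `%prep`, next to the other source-tree fixups (`cp %{SOURCE1} .`, `rm -f examples/*.dsp`), rather than in `%install`: it edits the unpacked source, not `%{buildroot}`, and keeping such fixes together makes them easy to drop once upstream clears the executable bit itself. The comment names the rpmlint check it silences, which is good; it should also say where `elements.c` is picked up (presumably a `%doc examples` line outside this hunk) so the next maintainer knows why the mode matters, e.g. `# upstream ships examples/elements.c as 0755; it is installed as %doc, so drop the spurious exec bit (rpmlint spurious-executable-perm)`.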