diff --git a/expat-CVE-2019-15903-tests.patch b/expat-CVE-2019-15903-tests.patch new file mode 100644 index 0000000..3292d50 --- /dev/null +++ b/expat-CVE-2019-15903-tests.patch @@ -0,0 +1,93 @@ +From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 15:14:19 +0200 +Subject: [PATCH] tests: Cover denying internal entities closing the doctype + +--- + expat/tests/runtests.c | 67 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 67 insertions(+) + +Index: expat-2.2.5/tests/runtests.c +=================================================================== +--- expat-2.2.5.orig/tests/runtests.c ++++ expat-2.2.5/tests/runtests.c +@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co + CharData_AppendXMLChars(storage, XCS("\n"), 1); + } + ++#ifdef XML_DTD ++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { ++ const char *const inputOne = "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo = "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree = "\n" ++ "\n" ++ "%e;"; ++ const char *const inputIssue317 = "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; ++ ++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ size_t inputIndex = 0; ++ ++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ const char *const input = inputs[inputIndex]; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = XML_Parse(parser, "", 0, 1); ++ if (parseResult != XML_STATUS_ERROR) { ++ fail("Parsing was expected to fail but succeeded."); ++ } ++ } ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 4) ++ fail("XML_GetCurrentLineNumber does not work as expected."); ++ ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++#endif ++ + static void + run_ns_tagname_overwrite_test(const char *text, const XML_Char *result) + { +@@ -12210,6 +12273,9 @@ make_suite(void) + tcase_add_test(tc_misc, test_misc_features); + tcase_add_test(tc_misc, test_misc_attribute_leak); + tcase_add_test(tc_misc, test_misc_utf16le); ++#ifdef XML_DTD ++ tcase_add_test(tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317); ++#endif + + suite_add_tcase(s, tc_alloc); + tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); diff --git a/expat-CVE-2019-15903.patch b/expat-CVE-2019-15903.patch new file mode 100644 index 0000000..b89eaa2 --- /dev/null +++ b/expat-CVE-2019-15903.patch @@ -0,0 +1,89 @@ +From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 00:24:59 +0200 +Subject: [PATCH] xmlparse.c: Deny internal entities closing the doctype + +--- + expat/lib/xmlparse.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +Index: expat-2.2.5/lib/xmlparse.c +=================================================================== +--- expat-2.2.5.orig/lib/xmlparse.c ++++ expat-2.2.5/lib/xmlparse.c +@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser); + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -4268,7 +4268,7 @@ prologProcessor(XML_Parser parser, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error +@@ -4279,7 +4279,8 @@ doProlog(XML_Parser parser, + int tok, + const char *next, + const char **nextPtr, +- XML_Bool haveMore) ++ XML_Bool haveMore, ++ XML_Bool allowClosingDoctype) + { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; +@@ -4458,6 +4459,11 @@ doProlog(XML_Parser parser, + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if (allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (parser->m_doctypeName) { + parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, + parser->m_doctypeSysid, parser->m_doctypePubid, 0); +@@ -5395,7 +5401,7 @@ processInternalEntity(XML_Parser parser, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5442,7 +5448,7 @@ internalEntityProcessor(XML_Parser parse + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_TRUE); + } + else + #endif /* XML_DTD */ +@@ -5469,7 +5475,7 @@ internalEntityProcessor(XML_Parser parse + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ diff --git a/expat.changes b/expat.changes index 3cdf302..680ef4f 100644 --- a/expat.changes +++ b/expat.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Wed Sep 4 17:11:38 UTC 2019 - Pedro Monreal Gonzalez + +- Security fix (CVE-2019-15903, bsc#1149429) + * Crafted XML input results in heap-based buffer over-read by fooling + the parser into changing from DTD parsing to document parsing + * Added patches: + - expat-CVE-2019-15903.patch + - expat-CVE-2019-15903-tests.patch + ------------------------------------------------------------------- Tue Jul 2 10:33:51 UTC 2019 - Pedro Monreal Gonzalez diff --git a/expat.spec b/expat.spec index a3cde2c..34c162a 100644 --- a/expat.spec +++ b/expat.spec @@ -28,6 +28,9 @@ Source0: https://github.com/libexpat/libexpat/releases/download/R_%{unver Source1: %{name}faq.html Source2: baselibs.conf Source3: https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz.asc +# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 crafted XML input results in heap-based buffer over-read +Patch1: expat-CVE-2019-15903.patch +Patch2: expat-CVE-2019-15903-tests.patch BuildRequires: gcc-c++ BuildRequires: libtool BuildRequires: pkgconfig @@ -62,6 +65,8 @@ in libexpat. %prep %setup -q +%patch1 -p1 +%patch2 -p1 cp %{SOURCE1} . rm -f examples/*.dsp