Accepting request 730208 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix (CVE-2019-15903, bsc#1149429) * Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing * Added patches: - expat-CVE-2019-15903.patch - expat-CVE-2019-15903-tests.patch OBS-URL: https://build.opensuse.org/request/show/730208 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=78
2019-09-11 16:22:32 +00:00 · 2019-09-11 16:22:32 +00:00 · 860c603684
commit 860c603684
parent 2f8abc6cde
4 changed files with 197 additions and 0 deletions
--- a/expat-CVE-2019-15903-tests.patch
+++ b/expat-CVE-2019-15903-tests.patch
@ -0,0 +1,93 @@
+From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 28 Aug 2019 15:14:19 +0200
+Subject: [PATCH] tests: Cover denying internal entities closing the doctype
+
+---
+ expat/tests/runtests.c | 67 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 67 insertions(+)
+
+Index: expat-2.2.5/tests/runtests.c
+===================================================================
+--- expat-2.2.5.orig/tests/runtests.c
+++ expat-2.2.5/tests/runtests.c
+@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co
+     CharData_AppendXMLChars(storage, XCS("\n"), 1);
+ }
+ 
+#ifdef XML_DTD
+START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
+  const char *const inputOne = "<!DOCTYPE d [\n"
+                               "<!ENTITY % e ']><d/>'>\n"
+                               "\n"
+                               "%e;";
+  const char *const inputTwo = "<!DOCTYPE d [\n"
+                               "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
+                               "\n"
+                               "%e2;";
+  const char *const inputThree = "<!DOCTYPE d [\n"
+                                 "<!ENTITY % e ']><d'>\n"
+                                 "\n"
+                                 "%e;";
+  const char *const inputIssue317 = "<!DOCTYPE doc [\n"
+                                    "<!ENTITY % foo ']>\n"
+                                    "<doc>Hell<oc (#PCDATA)*>'>\n"
+                                    "%foo;\n"
+                                    "]>\n"
+                                    "<doc>Hello, world</dVc>";
+
+  const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
+  size_t inputIndex = 0;
+
+  for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
+    XML_Parser parser;
+    enum XML_Status parseResult;
+    int setParamEntityResult;
+    XML_Size lineNumber;
+    XML_Size columnNumber;
+    const char *const input = inputs[inputIndex];
+
+    parser = XML_ParserCreate(NULL);
+    setParamEntityResult
+        = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+    if (setParamEntityResult != 1)
+      fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
+
+    parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
+    if (parseResult != XML_STATUS_ERROR) {
+      parseResult = XML_Parse(parser, "", 0, 1);
+      if (parseResult != XML_STATUS_ERROR) {
+        fail("Parsing was expected to fail but succeeded.");
+      }
+    }
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
+      fail("Error code does not match XML_ERROR_INVALID_TOKEN");
+
+    lineNumber = XML_GetCurrentLineNumber(parser);
+    if (lineNumber != 4)
+      fail("XML_GetCurrentLineNumber does not work as expected.");
+
+    columnNumber = XML_GetCurrentColumnNumber(parser);
+    if (columnNumber != 0)
+      fail("XML_GetCurrentColumnNumber does not work as expected.");
+
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+#endif
+
+ static void
+ run_ns_tagname_overwrite_test(const char *text, const XML_Char *result)
+ {
+@@ -12210,6 +12273,9 @@ make_suite(void)
+     tcase_add_test(tc_misc, test_misc_features);
+     tcase_add_test(tc_misc, test_misc_attribute_leak);
+     tcase_add_test(tc_misc, test_misc_utf16le);
+#ifdef XML_DTD
+    tcase_add_test(tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+#endif
+ 
+     suite_add_tcase(s, tc_alloc);
+     tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
--- a/expat-CVE-2019-15903.patch
+++ b/expat-CVE-2019-15903.patch
@ -0,0 +1,89 @@
+From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 28 Aug 2019 00:24:59 +0200
+Subject: [PATCH] xmlparse.c: Deny internal entities closing the doctype
+
+---
+ expat/lib/xmlparse.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+Index: expat-2.2.5/lib/xmlparse.c
+===================================================================
+--- expat-2.2.5.orig/lib/xmlparse.c
+++ expat-2.2.5/lib/xmlparse.c
+@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+          const char *end, int tok, const char *next, const char **nextPtr,
+-         XML_Bool haveMore);
+         XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+                       XML_Bool betweenDecl);
+@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse
+ 
+   parser->m_processor = prologProcessor;
+   return doProlog(parser, parser->m_encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error PTRCALL
+@@ -4268,7 +4268,7 @@ prologProcessor(XML_Parser parser,
+   const char *next = s;
+   int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+   return doProlog(parser, parser->m_encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error
+@@ -4279,7 +4279,8 @@ doProlog(XML_Parser parser,
+          int tok,
+          const char *next,
+          const char **nextPtr,
+-         XML_Bool haveMore)
+         XML_Bool haveMore,
+	 XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -4458,6 +4459,11 @@ doProlog(XML_Parser parser,
+       }
+       break;
+     case XML_ROLE_DOCTYPE_CLOSE:
+      if (allowClosingDoctype != XML_TRUE) {
+        /* Must not close doctype from within expanded parameter entities */
+        return XML_ERROR_INVALID_TOKEN;
+      }
+
+       if (parser->m_doctypeName) {
+         parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+                                 parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5395,7 +5401,7 @@ processInternalEntity(XML_Parser parser,
+   if (entity->is_param) {
+     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
+                      next, &next, XML_FALSE, XML_FALSE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -5442,7 +5448,7 @@ internalEntityProcessor(XML_Parser parse
+   if (entity->is_param) {
+     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
+                      next, &next, XML_FALSE, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -5469,7 +5475,7 @@ internalEntityProcessor(XML_Parser parse
+     parser->m_processor = prologProcessor;
+     tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+     return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+-                    (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+                    (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
--- a/expat.changes
+++ b/expat.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Sep  4 17:11:38 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix (CVE-2019-15903, bsc#1149429)
+  * Crafted XML input results in heap-based buffer over-read by fooling
+    the parser into changing from DTD parsing to document parsing
+  * Added patches:
+    - expat-CVE-2019-15903.patch
+    - expat-CVE-2019-15903-tests.patch
+
 -------------------------------------------------------------------
 Tue Jul  2 10:33:51 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>

--- a/expat.spec
+++ b/expat.spec
@ -28,6 +28,9 @@ Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{unver
 Source1:        %{name}faq.html
 Source2:        baselibs.conf
 Source3:        https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz.asc
+# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 crafted XML input results in heap-based buffer over-read
+Patch1:         expat-CVE-2019-15903.patch
+Patch2:         expat-CVE-2019-15903-tests.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@ -62,6 +65,8 @@ in libexpat.

 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1

 cp %{SOURCE1} .
 rm -f examples/*.dsp