From 4722b2b42f306bbfb3f9600a5af88e91ac745b69 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Wed, 4 Sep 2024 08:40:17 +0800
Subject: [PATCH] fix CVE-2024-45491, CVE-2024-45492
(cherry picked from commit cc5691c3d0f87811f91dbbe60b11805273ca0229)
---
 backport-CVE-2024-45491.patch | 31 +++++++++++++++++++++++++++++++
 backport-CVE-2024-45492.patch | 30 ++++++++++++++++++++++++++++++
 expat.spec | 18 +++++++++---------
 3 files changed, 70 insertions(+), 9 deletions(-)
 create mode 100644 backport-CVE-2024-45491.patch
 create mode 100644 backport-CVE-2024-45492.patch
diff --git a/backport-CVE-2024-45491.patch b/backport-CVE-2024-45491.patch
new file mode 100644
index 0000000..b4b67ff
--- /dev/null
+++ b/backport-CVE-2024-45491.patch
@@ -0,0 +1,31 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..e2327bdcf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ if (! newE)
+ return 0;
+ if (oldE->nDefaultAtts) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((size_t)oldE->nDefaultAtts
++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++ return 0;
++ }
++#endif
+ newE->defaultAtts
+ = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+ if (! newE->defaultAtts) {
diff --git a/backport-CVE-2024-45492.patch b/backport-CVE-2024-45492.patch
new file mode 100644
index 0000000..3f46bec
--- /dev/null
+++ b/backport-CVE-2024-45492.patch
@@ -0,0 +1,30 @@
+From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 91682c188..f737575ea 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
+ int next;
+
+ if (! dtd->scaffIndex) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++ return -1;
++ }
++#endif
+ dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+ if (! dtd->scaffIndex)
+ return -1;
diff --git a/expat.spec b/expat.spec
index f72e669..d60238e 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
 Version: 2.5.0
-Release: 4
+Release: 5
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
@@ -27,6 +27,8 @@ Patch17: backport-009-CVE-2023-52425.patch
 Patch18: backport-001-CVE-2024-45490.patch
 Patch19: backport-002-CVE-2024-45490.patch
 Patch20: backport-003-CVE-2024-45490.patch
+Patch21: backport-CVE-2024-45491.patch
+Patch22: backport-CVE-2024-45492.patch
 BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
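Review bot: The new `Patch21:`/`Patch22:` tags only declare the two backports; whether they are actually applied is decided by the %prep section, which lies outside this hunk and is not shown in the commit. If %prep uses `%autosetup -p1` they are picked up automatically, but if it lists explicit `%patch` lines, matching `%patch21 -p1` and `%patch22 -p1` entries are required, otherwise the Release bump and the changelog entry would advertise fixes that the built libexpat.so.1 does not contain. A build log showing both patches applied, or a quick `%prep`-only build, would settle this. Note also that both backports carry the same upstream base index `91682c188` and touch different regions of xmlparse.c, so they are meant to apply independently; the first one's `diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c` line has mismatched a/ and b/ paths, which is harmless with -p1 because only the `---`/`+++` lines are used.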
@@ -52,36 +54,34 @@ autoreconf -fiv
 %make_build
 %install
-%makeinstall
+%make_install
 find %{buildroot} -type f -name changelog -delete
 %check
-make check
-
-%ldconfig_scriptlets
+%make_build check
 %files
-%defattr(-,root,root)
 %license COPYING AUTHORS
 %{_bindir}/*
 %{_libdir}/libexpat.so.1*
 %exclude %{_docdir}/%{name}/AUTHORS
 %files devel
-%defattr(-,root,root)
 %{_includedir}/*
 %{_libdir}/{libexpat.*a,libexpat.so}
 %{_libdir}/cmake/expat-%{version}
 %{_libdir}/pkgconfig/expat.pc
 %files help
-%defattr(-,root,root)
 %doc README.md
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 04 2024 Funda Wang - 2.5.0-5
+- fix CVE-2024-45491, CVE-2024-45492
+
 * Mon Sep 2 2024 caixiaomeng - 2.5.0-4
-- fix CVE-2024-45491
+- fix CVE-2024-45490
 * Wed Jun 12 2024 wangjiang - 2.5.0-3
 - fix CVE-2023-52425
--
Gitee
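Review bot: The build-system changes in this hunk (`%makeinstall` → `%make_install`, `make check` → `%make_build check`, and the removed `%ldconfig_scriptlets` and three `%defattr(-,root,root)` lines) are unrelated to the CVE fixes named in the subject, yet the new changelog entry records only the CVE fixes; either add a line such as `- use %make_install, drop ldconfig scriptlets and %defattr` to the 2.5.0-5 entry or move these cleanups to their own commit so a security-only backport stays minimal. Dropping `%ldconfig_scriptlets` is only safe where the target distribution's rpm ships the ldconfig file trigger that registers `%{_libdir}/libexpat.so.1*` on install; without it the new shared object would not enter the loader cache, which is worth confirming for this distribution rather than assumed. The correction of the previous entry from `- fix CVE-2024-45491` to `- fix CVE-2024-45490` is a good catch; for consistency the new entry's date could follow the existing `Mon Sep 2 2024` style (`Wed Sep 4 2024`), though rpm accepts both.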