packages/expat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Relax fix to CVE-2022-25236

Browse Source
This commit is contained in:
yang_zhuang_zhuang 2022-03-07 17:23:48 +08:00
parent 570b409ec8
commit 468c8d09e9
5 changed files with 283 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
backport-lib-Drop-unused-macro-UTF8_GET_NAMING.patch Normal file
View File

@ -0,0 +1,28 @@
From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Tue, 8 Feb 2022 17:37:14 +0100
Subject: [PATCH] lib: Drop unused macro UTF8_GET_NAMING
---
lib/xmltok.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/lib/xmltok.c b/lib/xmltok.c
index a72200e..3bddf12 100644
--- a/lib/xmltok.c
+++ b/lib/xmltok.c
@@ -98,11 +98,6 @@
+ ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)] \
& (1u << (((byte)[2]) & 0x1F)))
-#define UTF8_GET_NAMING(pages, p, n) \
- ((n) == 2 \
- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
- : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
-
/* Detection of invalid UTF-8 sequences is based on Table 3.1B
of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
with the additional restriction of not allowing the Unicode
--
1.8.3.1

36
backport-lib-Fix-harmless-use-of-uninitialized-memory.patch Normal file
View File

@ -0,0 +1,36 @@
From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sat, 12 Feb 2022 00:19:13 +0100
Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
---
lib/xmlparse.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 902895d..c768f85 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
XML_Parser XMLCALL
XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
- XML_Char tmp[2];
- *tmp = nsSep;
+ XML_Char tmp[2] = {nsSep, 0};
return XML_ParserCreate_MM(encodingName, NULL, tmp);
}
@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
would be otherwise.
*/
if (parser->m_ns) {
- XML_Char tmp[2];
- *tmp = parser->m_namespaceSeparator;
+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
} else {
parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
--
1.8.3.1

170
backport-lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch Normal file
View File

@ -0,0 +1,170 @@
From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 27 Feb 2022 16:58:08 +0100
Subject: [PATCH] lib: Relax fix to CVE-2022-25236 with regard to RFC
3986 URI characters
---
lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 131 insertions(+), 8 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 59da19c..6fe2cf1 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
return XML_ERROR_NONE;
}
+static XML_Bool
+is_rfc3986_uri_char(XML_Char candidate) {
+ // For the RFC 3986 ANBF grammar see
+ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
+
+ switch (candidate) {
+ // From rule "ALPHA" (uppercase half)
+ case 'A':
+ case 'B':
+ case 'C':
+ case 'D':
+ case 'E':
+ case 'F':
+ case 'G':
+ case 'H':
+ case 'I':
+ case 'J':
+ case 'K':
+ case 'L':
+ case 'M':
+ case 'N':
+ case 'O':
+ case 'P':
+ case 'Q':
+ case 'R':
+ case 'S':
+ case 'T':
+ case 'U':
+ case 'V':
+ case 'W':
+ case 'X':
+ case 'Y':
+ case 'Z':
+
+ // From rule "ALPHA" (lowercase half)
+ case 'a':
+ case 'b':
+ case 'c':
+ case 'd':
+ case 'e':
+ case 'f':
+ case 'g':
+ case 'h':
+ case 'i':
+ case 'j':
+ case 'k':
+ case 'l':
+ case 'm':
+ case 'n':
+ case 'o':
+ case 'p':
+ case 'q':
+ case 'r':
+ case 's':
+ case 't':
+ case 'u':
+ case 'v':
+ case 'w':
+ case 'x':
+ case 'y':
+ case 'z':
+
+ // From rule "DIGIT"
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+
+ // From rule "pct-encoded"
+ case '%':
+
+ // From rule "unreserved"
+ case '-':
+ case '.':
+ case '_':
+ case '~':
+
+ // From rule "gen-delims"
+ case ':':
+ case '/':
+ case '?':
+ case '#':
+ case '[':
+ case ']':
+ case '@':
+
+ // From rule "sub-delims"
+ case '!':
+ case '$':
+ case '&':
+ case '\'':
+ case '(':
+ case ')':
+ case '*':
+ case '+':
+ case ',':
+ case ';':
+ case '=':
+ return XML_TRUE;
+
+ default:
+ return XML_FALSE;
+ }
+}
+
/* addBinding() overwrites the value of prefix->binding without checking.
Therefore one must keep track of the old value outside of addBinding().
*/
@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
isXMLNS = XML_FALSE;
- // NOTE: While Expat does not validate namespace URIs against RFC 3986,
- // we have to at least make sure that the XML processor on top of
- // Expat (that is splitting tag names by namespace separator into
- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
- // by an attacker putting additional namespace separator characters
- // into namespace declarations. That would be ambiguous and not to
- // be expected.
- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986
+ // today (and is not REQUIRED to do so with regard to the XML 1.0
+ // namespaces specification) we have to at least make sure, that
+ // the application on top of Expat (that is likely splitting expanded
+ // element names ("qualified names") of form
+ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
+ // in its element handler code) cannot be confused by an attacker
+ // putting additional namespace separator characters into namespace
+ // declarations. That would be ambiguous and not to be expected.
+ //
+ // While the HTML API docs of function XML_ParserCreateNS have been
+ // advising against use of a namespace separator character that can
+ // appear in a URI for >20 years now, some widespread applications
+ // are using URI characters (':' (colon) in particular) for a
+ // namespace separator, in practice. To keep these applications
+ // functional, we only reject namespaces URIs containing the
+ // application-chosen namespace separator if the chosen separator
+ // is a non-URI character with regard to RFC 3986.
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
+ && ! is_rfc3986_uri_char(uri[len])) {
return XML_ERROR_SYNTAX;
}
}
--
1.8.3.1

38
backport-tests-Cover-relaxed-fix-to-CVE-2022-25236.patch Normal file
View File

@ -0,0 +1,38 @@
From e0f852db1e3b1e6d34922c68a653c3cc4b85361c Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Thu, 3 Mar 2022 17:29:54 +0100
Subject: [PATCH] tests: Cover relaxed fix to CVE-2022-25236
---
tests/runtests.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/tests/runtests.c b/tests/runtests.c
index 60da868..712706c 100644
--- a/tests/runtests.c
+++ b/tests/runtests.c
@@ -7406,16 +7406,18 @@ START_TEST(test_ns_separator_in_uri) {
struct test_case {
enum XML_Status expectedStatus;
const char *doc;
+ XML_Char namesep;
};
struct test_case cases[] = {
- {XML_STATUS_OK, "<doc xmlns='one_two' />"},
- {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
+ {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
+ {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />", XCS('\n')},
+ {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
};
size_t i = 0;
size_t failCount = 0;
for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
- XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
+ XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
/*isFinal*/ XML_TRUE)
--
1.8.3.1

12
expat.spec
View File

@ -1,7 +1,7 @@
%define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/') %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
Name: expat Name: expat
Version: 2.4.1 Version: 2.4.1
Release: 4 Release: 5
Summary: An XML parser library Summary: An XML parser library
License: MIT License: MIT
URL: https://libexpat.github.io/ URL: https://libexpat.github.io/
@ -22,6 +22,10 @@ Patch11: backport-CVE-2022-25314-Prevent-integer-overflow-in-copyString.p
Patch12: backport-CVE-2022-25315-Prevent-integer-overflow-in-storeRawNames.patch Patch12: backport-CVE-2022-25315-Prevent-integer-overflow-in-storeRawNames.patch
Patch13: backport-Fix-build_model-regression.patch Patch13: backport-Fix-build_model-regression.patch
Patch14: backport-tests-Protect-against-nested-element-declaration-mod.patch Patch14: backport-tests-Protect-against-nested-element-declaration-mod.patch
Patch15: backport-lib-Fix-harmless-use-of-uninitialized-memory.patch
Patch16: backport-lib-Drop-unused-macro-UTF8_GET_NAMING.patch
Patch17: backport-lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch
Patch18: backport-tests-Cover-relaxed-fix-to-CVE-2022-25236.patch
BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@ -75,6 +79,12 @@ make check
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Mon Mar 7 2022 yangzhuangzhuang <yangzhuangzhuang1@h-partners.com> - 2.4.1-5
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Relax fix to CVE-2022-25236
* Sat Feb 26 2022 yangzhuangzhuang <yangzhuangzhuang1@h-partners.com> - 2.4.1-4 * Sat Feb 26 2022 yangzhuangzhuang <yangzhuangzhuang1@h-partners.com> - 2.4.1-4
- Type:CVE - Type:CVE
- ID:CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 - ID:CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315