diff --git a/SPECS/expat/0-lib-Reject-negative-len-for-XML_ParseBuffer.patch b/SPECS/expat/0-lib-Reject-negative-len-for-XML_ParseBuffer.patch deleted file mode 100644 index 2ac342a97e8..00000000000 --- a/SPECS/expat/0-lib-Reject-negative-len-for-XML_ParseBuffer.patch +++ /dev/null 
@@ -1,157 +0,0 @@ -From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:26:07 +0200 -Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c -index 91682c188..ba1038119 100644 ---- a/expat/lib/xmlparse.c -+++ b/expat/lib/xmlparse.c -@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { - - if (parser == NULL) - return XML_STATUS_ERROR; -+ -+ if (len < 0) { -+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; -+ return XML_STATUS_ERROR; -+ } -+ - switch (parser->m_parsingStatus.parsing) { - case XML_SUSPENDED: - parser->m_errorCode = XML_ERROR_SUSPENDED; - -From c12f039b8024d6b9a11c20858370495ff6ff5245 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Tue, 20 Aug 2024 22:57:12 +0200 -Subject: [PATCH 2/3] tests: Cover "len < 0" for both XML_Parse and - XML_ParseBuffer - ---- - expat/tests/basic_tests.c | 57 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 57 insertions(+) - -diff --git a/expat/tests/basic_tests.c b/expat/tests/basic_tests.c -index 91c8dd7a3..0d97b1090 100644 ---- a/expat/tests/basic_tests.c -+++ b/expat/tests/basic_tests.c -@@ -2804,6 +2804,61 @@ START_TEST(test_empty_parse) { - } - END_TEST - -+/* Test XML_Parse for len < 0 */ -+START_TEST(test_negative_len_parse) { -+ const char *const doc = ""; -+ for (int isFinal = 0; isFinal < 2; isFinal++) { -+ set_subtest("isFinal=%d", isFinal); -+ -+ XML_Parser parser = XML_ParserCreate(NULL); -+ -+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE) -+ fail("There was not supposed to be any initial parse error."); -+ -+ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal); -+ -+ if (status != XML_STATUS_ERROR) -+ fail("Negative len was expected to fail the parse but did not."); -+ -+ if (XML_GetErrorCode(parser) != 
XML_ERROR_INVALID_ARGUMENT) -+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT."); -+ -+ XML_ParserFree(parser); -+ } -+} -+END_TEST -+ -+/* Test XML_ParseBuffer for len < 0 */ -+START_TEST(test_negative_len_parse_buffer) { -+ const char *const doc = ""; -+ for (int isFinal = 0; isFinal < 2; isFinal++) { -+ set_subtest("isFinal=%d", isFinal); -+ -+ XML_Parser parser = XML_ParserCreate(NULL); -+ -+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE) -+ fail("There was not supposed to be any initial parse error."); -+ -+ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc)); -+ -+ if (buffer == NULL) -+ fail("XML_GetBuffer failed."); -+ -+ memcpy(buffer, doc, strlen(doc)); -+ -+ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal); -+ -+ if (status != XML_STATUS_ERROR) -+ fail("Negative len was expected to fail the parse but did not."); -+ -+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT) -+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT."); -+ -+ XML_ParserFree(parser); -+ } -+} -+END_TEST -+ - /* Test odd corners of the XML_GetBuffer interface */ - static enum XML_Status - get_feature(enum XML_FeatureEnum feature_id, long *presult) { -@@ -5955,6 +6010,8 @@ make_basic_test_case(Suite *s) { - tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters); - tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter); - tcase_add_test(tc_basic, test_empty_parse); -+ tcase_add_test(tc_basic, test_negative_len_parse); -+ tcase_add_test(tc_basic, test_negative_len_parse_buffer); - tcase_add_test(tc_basic, test_get_buffer_1); - tcase_add_test(tc_basic, test_get_buffer_2); - #if XML_CONTEXT_BYTES > 0 - -From 2db233019f551fe4c701bbbc5eb0fa58ff349daa Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Sun, 25 Aug 2024 19:09:51 +0200 -Subject: [PATCH 3/3] doc: Document that XML_Parse/XML_ParseBuffer reject "len - < 0" - ---- - expat/doc/reference.html | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 
deletion(-) - -diff --git a/expat/doc/reference.html b/expat/doc/reference.html -index bd205ed4c..c600fbba3 100644 ---- a/expat/doc/reference.html -+++ b/expat/doc/reference.html -@@ -1135,7 +1135,9 @@

XML_Parse

- that are part of the document is indicated by len. This means - that s doesn't have to be null-terminated. It also means that - if len is larger than the number of bytes in the block of --memory that s points at, then a memory fault is likely. The -+memory that s points at, then a memory fault is likely. -+Negative values for len are rejected since Expat 2.2.1. -+The - isFinal parameter informs the parser that this is the last - piece of the document. Frequently, the last piece is empty (i.e. - len is zero.) -@@ -1183,11 +1185,17 @@

XML_ParseBuffer

- int isFinal); - -
-+

- This is just like XML_Parse, - except in this case Expat provides the buffer. By obtaining the - buffer from Expat with the XML_GetBuffer function, the application can avoid double - copying of the input. -+

-+ -+

-+Negative values for len are rejected since Expat 2.6.3. -+

-
- -

XML_GetBuffer

diff --git a/SPECS/expat/1-lib-Detect-integer-overflow-in-dtdCopy.patch b/SPECS/expat/1-lib-Detect-integer-overflow-in-dtdCopy.patch deleted file mode 100644 index 0f69dd72a88..00000000000 --- a/SPECS/expat/1-lib-Detect-integer-overflow-in-dtdCopy.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:34:13 +0200 -Subject: [PATCH] lib: Detect integer overflow in dtdCopy - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c -index 91682c188..e2327bdcf 100644 ---- a/expat/lib/xmlparse.c -+++ b/expat/lib/xmlparse.c -@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, - if (! newE) - return 0; - if (oldE->nDefaultAtts) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if ((size_t)oldE->nDefaultAtts -+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { -+ return 0; -+ } -+#endif - newE->defaultAtts - = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); - if (! newE->defaultAtts) { diff --git a/SPECS/expat/2-lib-Detect-integer-overflow-in-function-nextScaffoldPart.patch b/SPECS/expat/2-lib-Detect-integer-overflow-in-function-nextScaffoldPart.patch deleted file mode 100644 index 8950cdf8e4b..00000000000 --- a/SPECS/expat/2-lib-Detect-integer-overflow-in-function-nextScaffoldPart.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:37:16 +0200 -Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c -index 91682c188..f737575ea 100644 ---- a/expat/lib/xmlparse.c -+++ b/expat/lib/xmlparse.c -@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) { - int next; - - if (! dtd->scaffIndex) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { -+ return -1; -+ } -+#endif - dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); - if (! dtd->scaffIndex) - return -1; diff --git a/SPECS/expat/expat.signatures.json b/SPECS/expat/expat.signatures.json index 6f7c7d73895..8464dd011d7 100644 --- a/SPECS/expat/expat.signatures.json +++ b/SPECS/expat/expat.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "expat-2.6.2.tar.bz2": "9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0" + "expat-2.6.3.tar.bz2": "b8baef92f328eebcf731f4d18103951c61fa8c8ec21d5ff4202fb6f2198aeb2d" } } diff --git a/SPECS/expat/expat.spec b/SPECS/expat/expat.spec index d0d2d0c1315..19defa4bd1c 100644 --- a/SPECS/expat/expat.spec +++ b/SPECS/expat/expat.spec 
@@ -1,20 +1,14 @@ %define underscore_version %(echo %{version} | cut -d. -f1-3 --output-delimiter="_") Summary: An XML parser library Name: expat -Version: 2.6.2 -Release: 2%{?dist} +Version: 2.6.3 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: System Environment/GeneralLibraries URL: https://libexpat.github.io/ Source0: https://github.com/libexpat/libexpat/releases/download/R_%{underscore_version}/%{name}-%{version}.tar.bz2 -# CVE-2024-45490 -Patch0: 0-lib-Reject-negative-len-for-XML_ParseBuffer.patch -# CVE-2024-45491 -Patch1: 1-lib-Detect-integer-overflow-in-dtdCopy.patch -# CVE-2024-45492 -Patch2: 2-lib-Detect-integer-overflow-in-function-nextScaffoldPart.patch Requires: %{name}-libs = %{version}-%{release} %description @@ -72,8 +66,8 @@ rm -rf %{buildroot}/%{_docdir}/%{name} %{_libdir}/libexpat.so.1* %changelog -* Tue Sep 03 2024 Gary Swalling - 2.6.2-2 -- Add patches to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 +* Tue Sep 04 2024 Gary Swalling - 2.6.3-1 +- Upgrade to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 * Wed May 22 2024 Neha Agarwal - 2.6.2-1 - Upgrade to v2.6.2 to fix CVE-2024-28757 diff --git a/cgmanifest.json b/cgmanifest.json index 399a62c2398..6c57cb7d77e 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -3408,8 +3408,8 @@ "type": "other", "other": { "name": "expat", - "version": "2.6.2", - "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_2/expat-2.6.2.tar.bz2" + "version": "2.6.3", + "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_3/expat-2.6.3.tar.bz2" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 9f9b8550988..56d243eb341 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
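Review bot: The new `%changelog` header in expat.spec (hunk `@@ -72,8 +66,8 @@`) reads `* Tue Sep 04 2024`, but 4 September 2024 was a Wednesday, so rpmbuild will warn about a bogus date in `%changelog`. The header should start `* Wed Sep 04 2024`, or keep `Tue Sep 03 2024` if that was the intended day. The hunk also replaces the 2.6.2-2 entry instead of adding the 2.6.3-1 entry above it. If 2.6.2-2 was ever built or published, keep its `Add patches to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492` entry, so the changelog still shows which release first carried the three fixes.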
@@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm -expat-2.6.2-1.azl3.aarch64.rpm -expat-devel-2.6.2-1.azl3.aarch64.rpm -expat-libs-2.6.2-1.azl3.aarch64.rpm +expat-2.6.3-1.azl3.aarch64.rpm +expat-devel-2.6.3-1.azl3.aarch64.rpm +expat-libs-2.6.3-1.azl3.aarch64.rpm libpipeline-1.5.7-1.azl3.aarch64.rpm libpipeline-devel-1.5.7-1.azl3.aarch64.rpm gdbm-1.23-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 60d12a4aeda..07a1b1665d2 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm -expat-2.6.2-1.azl3.x86_64.rpm -expat-devel-2.6.2-1.azl3.x86_64.rpm -expat-libs-2.6.2-1.azl3.x86_64.rpm +expat-2.6.3-1.azl3.x86_64.rpm +expat-devel-2.6.3-1.azl3.x86_64.rpm +expat-libs-2.6.3-1.azl3.x86_64.rpm libpipeline-1.5.7-1.azl3.x86_64.rpm libpipeline-devel-1.5.7-1.azl3.x86_64.rpm gdbm-1.23-1.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 3dd4a2360b3..b672409d516 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -92,10 +92,10 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm -expat-2.6.2-1.azl3.aarch64.rpm -expat-debuginfo-2.6.2-1.azl3.aarch64.rpm -expat-devel-2.6.2-1.azl3.aarch64.rpm -expat-libs-2.6.2-1.azl3.aarch64.rpm +expat-2.6.3-1.azl3.aarch64.rpm +expat-debuginfo-2.6.3-1.azl3.aarch64.rpm +expat-devel-2.6.3-1.azl3.aarch64.rpm +expat-libs-2.6.3-1.azl3.aarch64.rpm file-5.45-1.azl3.aarch64.rpm file-debuginfo-5.45-1.azl3.aarch64.rpm file-devel-5.45-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 4f958c9003f..1aca4db32a9 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -95,10 +95,10 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm -expat-2.6.2-1.azl3.x86_64.rpm -expat-debuginfo-2.6.2-1.azl3.x86_64.rpm -expat-devel-2.6.2-1.azl3.x86_64.rpm -expat-libs-2.6.2-1.azl3.x86_64.rpm +expat-2.6.3-1.azl3.x86_64.rpm +expat-debuginfo-2.6.3-1.azl3.x86_64.rpm +expat-devel-2.6.3-1.azl3.x86_64.rpm +expat-libs-2.6.3-1.azl3.x86_64.rpm file-5.45-1.azl3.x86_64.rpm file-debuginfo-5.45-1.azl3.x86_64.rpm file-devel-5.45-1.azl3.x86_64.rpm