download.lst | 4 -
external/expat/CVE-2022-23852.patch | 115 ++++++++++++++++++++++++++++++++
external/expat/CVE-2022-23990.patch | 71 +++++++++++++++++++
external/expat/UnpackedTarball_expat.mk | 2
external/expat/expat-winapi.patch | 15 +---
5 files changed, 196 insertions(+), 11 deletions(-)
New commits:
commit 0ed6715e21185fb0c550efb5927664778974ffda
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Fri Jan 28 19:40:40 2022 +0000
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Sat Jan 29 17:47:48 2022 +0100
upgrade expat to 2.4.3 + CVE-2022-23852 and CVE-2022-23990
wget https://github.com/libexpat/libexpat/pull/550.patch -O
CVE-2022-23852.patch
wget https://github.com/libexpat/libexpat/pull/551.patch -O
CVE-2022-23990.patch
Change-Id: I1f2694abd9f577e0b4fedbf27118b52be8a1a688
diff --git a/download.lst b/download.lst
index eddf5d1d7958..7d392f182592 100644
--- a/download.lst
+++ b/download.lst
@@ -42,8 +42,8 @@ export EPUBGEN_TARBALL := libepubgen-0.1.1.tar.xz
export ETONYEK_SHA256SUM :=
b430435a6e8487888b761dc848b7981626eb814884963ffe25eb26a139301e9a
export ETONYEK_VERSION_MICRO := 10
export ETONYEK_TARBALL := libetonyek-0.1.$(ETONYEK_VERSION_MICRO).tar.xz
-export EXPAT_SHA256SUM :=
2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40
-export EXPAT_TARBALL := expat-2.4.1.tar.bz2
+export EXPAT_SHA256SUM :=
b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a
+export EXPAT_TARBALL := expat-2.4.3.tar.xz
export FIREBIRD_SHA256SUM :=
6994be3555e23226630c587444be19d309b25b0fcf1f87df3b4e3f88943e5860
export FIREBIRD_TARBALL := Firebird-3.0.0.32483-0.tar.bz2
export FONTCONFIG_SHA256SUM :=
19e5b1bc9d013a52063a44e1307629711f0bfef35b9aca16f9c793971e2eb1e5
diff --git a/external/expat/CVE-2022-23852.patch
b/external/expat/CVE-2022-23852.patch
new file mode 100644
index 000000000000..c2b55ca854ef
--- /dev/null
+++ b/external/expat/CVE-2022-23852.patch
@@ -0,0 +1,115 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <feri...@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize
+
+From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sun, 23 Jan 2022 18:17:04 +0100
+Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+ }
+ END_TEST
+
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert(parser != NULL);
++
++ const char *const text = "\n";
++ const int expectedKeepValue = (int)strlen(text);
++
++ // After this call, variable "keep" in XML_GetBuffer will
++ // have value expectedKeepValue
++ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ assert(expectedKeepValue > 0);
++ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++ fail("enlarging buffer not failed");
++
++ XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+ /* Test position information macros */
+ START_TEST(test_byte_info_at_end) {
+ const char *text = "<doc></doc>";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_empty_parse);
+ tcase_add_test(tc_basic, test_get_buffer_1);
+ tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+ tcase_add_test(tc_basic, test_byte_info_at_end);
+ tcase_add_test(tc_basic, test_byte_info_at_error);
+ tcase_add_test(tc_basic, test_byte_info_at_cdata);
+
+From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sat, 22 Jan 2022 17:49:17 +0100
+Subject: [PATCH 3/3] Changes: Document CVE-2022-23852
+
+---
+ expat/Changes | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/expat/Changes b/expat/Changes
+index 7540d38c..64d75d05 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things:
+ https://github.com/libexpat/libexpat/labels/help%20wanted
+ If you can help, please get in touch. Thanks!
+
++Release x.x.x xxx xxxxxxx xx xxxx
++ Security fixes:
++ #550 CVE-2022-23852 -- Fix signed integer overflow
++ (undefined behavior) in function XML_GetBuffer
++ (that is also called by function XML_Parse internally)
++ for when XML_CONTEXT_BYTES is defined to >0 (which is both
++ common and default).
++ Impact is denial of service or more.
++
++ Special thanks to:
++ Samanta Navarro
++
+ Release 2.4.3 Sun January 16 2022
+ Security fixes:
+ #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
diff --git a/external/expat/CVE-2022-23990.patch
b/external/expat/CVE-2022-23990.patch
new file mode 100644
index 000000000000..df46631d7f35
--- /dev/null
+++ b/external/expat/CVE-2022-23990.patch
@@ -0,0 +1,71 @@
+From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Wed, 26 Jan 2022 02:36:43 +0100
+Subject: [PATCH 1/2] lib: Prevent integer overflow in doProlog
+ (CVE-2022-23990)
+
+The change from "int nameLen" to "size_t nameLen"
+addresses the overflow on "nameLen++" in code
+"for (; name[nameLen++];)" right above the second
+change in the patch.
+---
+ expat/lib/xmlparse.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 5ce31402..d1d17005 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const
char *s, const char *end,
+ if (dtd->in_eldecl) {
+ ELEMENT_TYPE *el;
+ const XML_Char *name;
+- int nameLen;
++ size_t nameLen;
+ const char *nxt
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+ int myindex = nextScaffoldPart(parser);
+@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const
char *s, const char *end,
+ nameLen = 0;
+ for (; name[nameLen++];)
+ ;
+- dtd->contentStringLen += nameLen;
++
++ /* Detect and prevent integer overflow */
++ if (nameLen > UINT_MAX - dtd->contentStringLen) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ dtd->contentStringLen += (unsigned)nameLen;
+ if (parser->m_elementDeclHandler)
+ handleDefault = XML_FALSE;
+ }
+
+From 6e3449594fb2f61c92fc561f51f82196fdd15d63 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Wed, 26 Jan 2022 02:51:39 +0100
+Subject: [PATCH 2/2] Changes: Document CVE-2022-23990
+
+---
+ expat/Changes | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/expat/Changes b/expat/Changes
+index 5ff5da5e..ec1f7604 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -10,8 +10,14 @@
+ for when XML_CONTEXT_BYTES is defined to >0 (which is both
+ common and default).
+ Impact is denial of service or more.
++ #551 CVE-2022-23990 -- Fix unsigned integer overflow in function
++ doProlog triggered by large content in element type
++ declarations when there is an element declaration handler
++ present (from a prior call to XML_SetElementDeclHandler).
++ Impact is denial of service or more.
+
+ Special thanks to:
++ Roland Illig
+ Samanta Navarro
+
+ Release 2.4.3 Sun January 16 2022
diff --git a/external/expat/UnpackedTarball_expat.mk
b/external/expat/UnpackedTarball_expat.mk
index 5d4f41f6d147..8cb6ef9b95eb 100644
--- a/external/expat/UnpackedTarball_expat.mk
+++ b/external/expat/UnpackedTarball_expat.mk
@@ -15,6 +15,8 @@ $(eval $(call
gb_UnpackedTarball_update_autoconf_configs,expat,conftools))
$(eval $(call gb_UnpackedTarball_add_patches,expat,\
external/expat/expat-winapi.patch \
+ external/expat/CVE-2022-23852.patch \
+ external/expat/CVE-2022-23990.patch \
))
# This is a bit hackish.
diff --git a/external/expat/expat-winapi.patch
b/external/expat/expat-winapi.patch
index bd4da1472fc8..7eae7d5d6139 100644
--- a/external/expat/expat-winapi.patch
+++ b/external/expat/expat-winapi.patch
@@ -13,15 +13,12 @@
--- misc/expat-2.1.0/lib/xmlparse.c 2021-05-23 16:56:25.000000000 +0100
+++ misc/build/expat-2.1.0/lib/xmlparse.c 2021-05-25 12:42:11.997173600
+0100
-@@ -92,6 +92,11 @@
+@@ -64,6 +64,8 @@
+ #endif
- #include <expat_config.h>
-
-+#ifdef _WIN32
+ #ifdef _WIN32
+# undef HAVE_GETRANDOM
+# undef HAVE_SYSCALL_GETRANDOM
-+#endif
-+
- #include "ascii.h"
- #include "expat.h"
- #include "siphash.h"
+ /* force stdlib to define rand_s() */
+ # if ! defined(_CRT_RAND_S)
+ # define _CRT_RAND_S
