From ab2306e1dd375f84feddfdd3abf2a81bb7e041a5 Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Wed, 6 Nov 2024 13:14:57 +0800
Subject: [PATCH 1/2] [CVE] update to xmlrpc-c-1.51.0-10.src.rpm to #bug11724 update to xmlrpc-c-1.51.0-10.src.rpm for CVE-2024-45491
Project: TC2024080204
Signed-off-by: Jacob Wang
---
 ...ess-segfault-found-in-CVE-2023-52425.patch | 106 ++++++++++++++++++
 ...overflow-or-wraparound-CVE-2024-4549.patch | 40 +++++++
 download | 1 +
 xmlrpc-c.spec | 29 ++---
 4 files changed, 157 insertions(+), 19 deletions(-)
 create mode 100644 0007-Address-segfault-found-in-CVE-2023-52425.patch
 create mode 100644 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch
diff --git a/0007-Address-segfault-found-in-CVE-2023-52425.patch b/0007-Address-segfault-found-in-CVE-2023-52425.patch
new file mode 100644
index 0000000..52533dd
--- /dev/null
+++ b/0007-Address-segfault-found-in-CVE-2023-52425.patch
@@ -0,0 +1,106 @@ +From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 25 Apr 2024 09:26:04 -0400 +Subject: [PATCH] Address segfault found in CVE-2023-52425 + +The CVE addresses a possible DoS when unreasonably large tokens +are passed into the XML parser for processing. These were taking +upwards of 8 seconds per file processed with the exception of +aaaaaa_cdata.xml which caused a segmentation fault. The XML +processor was effectively losing the start of the string, setting +it to NULL. This caused a cascade of errors trying to parse both +the next token and in handling errors if a new token was not found. + +This handles both those cases but not the underlying reason why +the pointer to inputStart is lost. + +Trying to backport the libexpat changes to address the performance +issue would be enormous since the xmlrpc-c custom version of libexpat +is extremely old. Since xmlrpc-c is mostly used as a client passing +in random values is less of an issue. + +Include the libexpat upstream benchmark test to validate that the +tests pass, albeit slowly. + +To run the benchmarks: + extract the sources + cd xmlrpc-c-1.51.0 + make + cd test + make + cd benchmark + for file in *.xml; do ./benchmark $file 4096 1; done + +One test will error out but this is expected as part of the fix. 
+ +The tests will be extracted as a Source because of their +uncompressed size (~48M) + +Fixes: RHEL-24226 +--- + lib/expat/xmlparse/xmlparse.c | 3 +++ + lib/expat/xmltok/xmltok_impl.c | 4 ++++ + test/Makefile | 7 +++++-- + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c +index 16ab82a..6621d18 100644 +--- a/lib/expat/xmlparse/xmlparse.c ++++ b/lib/expat/xmlparse/xmlparse.c +@@ -35,6 +35,9 @@ extractXmlSample(const char * const start, + size_t const maximumLen) { + + size_t const len = MIN(maximumLen, (size_t)(end - start)); ++ if (start == NULL) { ++ return strdup(""); ++ } + + return xmlrpc_makePrintable_lp(start, len); + } +diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c +index bae79b9..80da94f 100644 +--- a/lib/expat/xmltok/xmltok_impl.c ++++ b/lib/expat/xmltok/xmltok_impl.c +@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc, + */ + PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end); + ++ if (inputStart == NULL) { ++ *nextTokPtr = NULL; ++ return XML_TOK_INVALID; ++ } + if (end == inputStart) { + *nextTokPtr = inputStart; + return XML_TOK_PARTIAL; +diff --git a/test/Makefile b/test/Makefile +index 4fce824..1242910 100644 +--- a/test/Makefile ++++ b/test/Makefile +@@ -7,7 +7,7 @@ SUBDIR := test + + include $(BLDDIR)/config.mk + +-SUBDIRS = cpp ++SUBDIRS = cpp benchmark + + XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test + +@@ -98,11 +98,14 @@ runtests_local: test cgitest1 + ./test + + .PHONY: runtests +-runtests: runtests_local cpp/runtests ++runtests: runtests_local cpp/runtests benchmark/runtests + + cpp/runtests: FORCE + $(MAKE) -C $(dir $@) $(notdir $@) + ++benchmark/runtests: ++ $(MAKE) -C $(dir $@) $(notdir $@) ++ + .PHONY: install + install: + +-- +2.42.0 + 
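Review bot: In the nested xmlparse.c hunk the new `if (start == NULL)` guard in extractXmlSample is placed below `size_t const len = MIN(maximumLen, (size_t)(end - start));`, so the NULL case still evaluates `end - start` on a null pointer before the early return; move `if (start == NULL) { return strdup(""); }` above the `len` initializer so no arithmetic is done on the null pointer. The xmltok_impl.c hunk has the same ordering: `PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end)` is called with the NULL `inputStart` before the new check rejects it, so the check belongs before that call. Both extractXmlSample and contentTok start and end outside the nested hunks, and the commit message itself says the root cause of the lost `inputStart` is not addressed, so these guards should be treated as containment rather than a fix.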
diff --git a/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch b/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch new file mode 100644 index 0000000..c0ce3e5 --- /dev/null +++ b/0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch @@ -0,0 +1,40 @@ +From d15ba056c15db75c9153fda27a62b1a6cfb8196e Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 9 Sep 2024 14:35:28 -0400 +Subject: [PATCH] Prevent integer overflow or wraparound CVE-2024-45491 + +An issue was discovered in libexpat before 2.6.3. dtdCopy in +xmlparse.c can have an integer overflow for nDefaultAtts on +32-bit platforms (where UINT_MAX equals SIZE_MAX). + +Backported from upstream https://github.com/libexpat/libexpat/pull/891 + +Resolves: RHEL-57519 +--- + lib/expat/xmlparse/xmlparse.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c +index 359267a..40f753b 100644 +--- a/lib/expat/xmlparse/xmlparse.c ++++ b/lib/expat/xmlparse/xmlparse.c +@@ -1020,6 +1020,16 @@ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd) + if (!newE) + return 0; + if (oldE->nDefaultAtts) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((size_t)oldE->nDefaultAtts ++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { ++ return 0; ++ } ++#endif + newE->defaultAtts = (DEFAULT_ATTRIBUTE *) + malloc(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + if (!newE->defaultAtts) +-- +2.45.0 + diff --git a/download b/download index 9024d7d..40cd30a 100644 --- a/download +++ b/download @@ -1 +1,2 @@ +76b0978af36bcab937d5cb501998911e benchmark-tests.tar.xz 4cea047e98e8cc6654c153e2d10749e0 xmlrpc-c-1.51.0.tar.xz diff --git a/xmlrpc-c.spec b/xmlrpc-c.spec index 7af31ce..b8a37ab 100644 --- a/xmlrpc-c.spec 
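Review bot: The new overflow guard in dtdCopy is wrapped in `#if UINT_MAX >= SIZE_MAX`; if `<limits.h>` is not included in this translation unit, an undefined `UINT_MAX` evaluates to 0 in the preprocessor and the check is silently compiled out on exactly the 32-bit builds it is meant to protect. The hunk does not show the include list of lib/expat/xmlparse/xmlparse.c, so confirm `#include <limits.h>` and `#include <stdint.h>` are present there (building with `-Wundef` would flag a missing one). dtdCopy continues outside the nested hunk.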
+++ b/xmlrpc-c.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global advanced_branch 1 # Upstream libxml2 backend is completely broken since 2015 @@ -7,7 +6,7 @@ Name: xmlrpc-c Version: 1.51.0 -Release: 9%{anolis_release}%{?dist} +Release: 10%{?dist} Summary: Lightweight RPC library based on XML and HTTP # See doc/COPYING for details. # The Python 1.5.2 license used by a few files is just BSD. @@ -18,6 +17,7 @@ URL: http://xmlrpc-c.sourceforge.net/ # upstream does not tag versions so we must fetch from the branch and # check which version was used for it %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz} +%{?advanced_branch:Source1: benchmark-tests.tar.xz} # Upstreamable patches Patch101: 0001-xmlrpc_server_abyss-use-va_args-properly.patch @@ -28,6 +28,8 @@ Patch103: 0003-allow-30x-redirections.patch Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch +Patch107: 0007-Address-segfault-found-in-CVE-2023-52425.patch +Patch108: 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch # Backported patches # https://sourceforge.net/p/xmlrpc-c/code/2981/ @@ -52,7 +54,6 @@ BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(libcurl) BuildRequires: readline-devel BuildRequires: ncurses-devel -Requires: glibc %package c++ Summary: C++ libraries for xmlrpc-c @@ -129,17 +130,9 @@ to a remote server using HTTP, and gets back the response as XML. This package contains some handy XML-RPC demo applications. -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - - %prep %autosetup -Sgit +tar xf %{SOURCE1} %build %meson %{?with_libxml2:-Dlibxml2-backend=true} 
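Review bot: `tar xf %{SOURCE1}` in %prep is unconditional while `Source1` is declared only under `%{?advanced_branch:...}`, so the two lines disagree about when the benchmark tarball exists and %prep fails if that macro is ever unset. Either guard the extraction the same way or fold it into the setup macro as `%autosetup -Sgit -a 1`, which extracts Source1 into the build directory without a hand-written tar call.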
@@ -155,6 +148,7 @@ Doc pages for %{name}. %files %license doc/COPYING lib/abyss/license.txt +%doc doc/CREDITS doc/HISTORY %if ! %{with libxml2} %{_libdir}/libxmlrpc_xml*.so.* %endif @@ -203,15 +197,12 @@ Doc pages for %{name}. %{_bindir}/xmlrpc_pstream %{_bindir}/xmlrpc_dumpserver -%files doc -%doc doc/CREDITS doc/HISTORY - %changelog -* Fri Aug 02 2024 Hangbo Fan - 1.51.0-9.0.1 -- Add doc sub package +* Thu Sep 19 2024 Rob Crittenden - 1.51.0-10 +- Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519) -* Tue Feb 27 2024 Rob Crittenden - 1.51.0-9 -- expat: Fix segmentation fault with large ctags (#24226) (CVE-2023-52425) +* Thu Apr 25 2024 Rob Crittenden - 1.51.0-9 +- Address segfault found in CVE-2023-52425 (RHEL-24226) * Thu Apr 14 2022 Rob Crittenden - 1.51.0-8 - Address some Coverity issues in the patch set -- Gitee From 5f0e32cddfaeca458cdaef25e918cd9b39154329 Mon Sep 17 00:00:00 2001 From: HangBo Fan Date: Sun, 17 Jul 2022 16:07:42 +0800 Subject: [PATCH 2/2] spec: add doc sub package --- xmlrpc-c.spec | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/xmlrpc-c.spec b/xmlrpc-c.spec index b8a37ab..d60584a 100644 --- a/xmlrpc-c.spec +++ b/xmlrpc-c.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global advanced_branch 1 # Upstream libxml2 backend is completely broken since 2015 @@ -6,7 +7,7 @@ Name: xmlrpc-c Version: 1.51.0 -Release: 10%{?dist} +Release: 10%{anolis_release}%{?dist} Summary: Lightweight RPC library based on XML and HTTP # See doc/COPYING for details. # The Python 1.5.2 license used by a few files is just BSD. @@ -54,6 +55,7 @@ BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(libcurl) BuildRequires: readline-devel BuildRequires: ncurses-devel +Requires: glibc %package c++ Summary: C++ libraries for xmlrpc-c 
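Review bot: The new changelog entry for 1.51.0-10 names `CVE-2024-4549`, but the 0008 patch subject and this commit's own message refer to CVE-2024-45491; the identifier is truncated and will not match when someone searches `rpm -q --changelog` output for the CVE. Change the line to `- Prevent integer overflow or wraparound, CVE-2024-45491 (RHEL-57519)`. The same truncation in the 0008 patch filename comes from format-patch shortening the subject and is cosmetic, but the changelog text is what downstream tooling reads.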
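Review bot: Patch 2/2 re-adds `Requires: glibc` in its `@@ -54,6 +55,7 @@` hunk (and `%define anolis_release .0.1` in its first hunk), neither of which the subject "spec: add doc sub package" mentions. rpm's automatic dependency generator already records the `libc.so.6` requirement from the linked binaries, so the explicit line is redundant, and the commit message should at least state that it restores the distro-local changes dropped by the rebase in patch 1/2. If the line is kept, a spec comment such as `# Explicit glibc dependency kept for downstream policy; auto-generated libc.so.6 deps already cover it` would explain why it survives.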
@@ -130,6 +132,15 @@ to a remote server using HTTP, and gets back the response as XML. This package contains some handy XML-RPC demo applications. +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + + %prep %autosetup -Sgit tar xf %{SOURCE1} @@ -148,7 +159,6 @@ tar xf %{SOURCE1} %files %license doc/COPYING lib/abyss/license.txt -%doc doc/CREDITS doc/HISTORY %if ! %{with libxml2} %{_libdir}/libxmlrpc_xml*.so.* %endif @@ -197,7 +207,13 @@ tar xf %{SOURCE1} %{_bindir}/xmlrpc_pstream %{_bindir}/xmlrpc_dumpserver +%files doc +%doc doc/CREDITS doc/HISTORY + %changelog +* Wed Nov 06 2024 Hangbo Fan - 1.51.0-10.0.1 +- Add doc sub package + * Thu Sep 19 2024 Rob Crittenden - 1.51.0-10 - Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519) -- Gitee