From c037a875c67e12e7724c5b923d7260ccf43826be Mon Sep 17 00:00:00 2001
From: anolis-bot
Date: Thu, 10 Nov 2022 20:38:14 +0800
Subject: [PATCH 1/2] update to xmlrpc-c-1.51.0-8.el8
Signed-off-by: anolis-bot
---
...-integer-overflows-CVE-2022-22822-to.patch | 92 +++++++++++++++++++
...overflow-on-m_groupSize-in-doProlog-.patch | 32 +++++++
dist | 1 +
xmlrpc-c.spec | 31 +++----
4 files changed, 138 insertions(+), 18 deletions(-)
create mode 100644 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
create mode 100644 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
create mode 100644 dist
diff --git a/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch b/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
new file mode 100644
index 0000000..4c507ee
--- /dev/null
+++ b/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
@@ -0,0 +1,92 @@
+From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 25 Feb 2022 13:07:07 -0500
+Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
+ CVE-2022-22827)
+
+Backport fixes from https://github.com/libexpat/libexpat/pull/539
+
+Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
+---
+ lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 48adfb3..16ab82a 100644
+--- a/lib/expat/xmlparse/xmlparse.c
++++ b/lib/expat/xmlparse/xmlparse.c
+@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
+ #include
+ #include /* UINT_MAX */
+ #include /* time() */
++#include
+
+ #include "xmlrpc_config.h"
+ #include "c_util.h"
+@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
+ ;
+ if (namespaceSeparator)
+ len++;
++ if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+ if (freeBindingList) {
+ b = freeBindingList;
+ if (len > b->uriAlloc) {
+@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser const xmlParserP,
+ }
+ /* get the attributes from the tokenizer */
+ n = XmlGetAttributes(enc, attStr, attsSize, atts);
++
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - nDefaultAtts) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ if (n + nDefaultAtts > attsSize) {
+ int oldAttsSize = attsSize;
+ ATTRIBUTE *temp;
++ /* Detect and prevent integer overflow */
++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++ return XML_ERROR_NO_MEMORY;
++ }
+ attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++ attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
+ temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
+ if (!temp)
+ return XML_ERROR_NO_MEMORY;
+@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser const xmlParserP,
+ n = i + binding->uriLen;
+ if (n > binding->uriAlloc) {
+ TAG *p;
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
+ XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
+ if (!uri)
+ return XML_ERROR_NO_MEMORY;
+--
+2.31.1
+
diff --git a/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch b/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
new file mode 100644
index 0000000..9290060
--- /dev/null
+++ b/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
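Review bot: In the addBinding hunk of 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch, the added test `uri[len] == namespaceSeparator` runs after the length scan and after `len++`, so it appears to read the byte past the URI's terminating NUL rather than examine the URI's characters; the scan loop starts above the hunk, so confirm against the full function. If the intent is to reject a URI that contains the separator, the comparison belongs inside the scan, e.g. `for (len = 0; uri[len]; len++) if (namespaceSeparator && uri[len] == namespaceSeparator) return XML_ERROR_SYNTAX;`. The hunk header shows addBinding returning `int`, so also check that its callers treat an `XML_ERROR_SYNTAX` return as failure and not as a non-zero success value. Separately, the two `#if UINT_MAX >= SIZE_MAX` blocks in storeAtts are compiled out on x86_64, so `parser->m_attsSize` there is only exercised by a 32-bit build.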
@@ -0,0 +1,32 @@ +From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 28 Feb 2022 10:43:23 -0500 +Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog + (CVE-2021-46143) + +Backported from upstream https://github.com/libexpat/libexpat/pull/538 + +Resolves: #2058560 +--- + lib/expat/xmlparse/xmlparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c +index 16ab82a..b9aa927 100644 +--- a/lib/expat/xmlparse/xmlparse.c ++++ b/lib/expat/xmlparse/xmlparse.c +@@ -3991,6 +3991,11 @@ doProlog(XML_Parser const xmlParserP, + case XML_ROLE_GROUP_OPEN: + if (prologState.level >= groupSize) { + if (groupSize) { ++ /* Detect and prevent integer overflow */ ++ if (groupSize > (unsigned int)(-1) / 2u) { ++ *errorCodeP = XML_ERROR_NO_MEMORY; ++ return; ++ } + char *temp = realloc(groupConnector, groupSize *= 2); + if (!temp) { + *errorCodeP = XML_ERROR_NO_MEMORY; +-- +2.31.1 + diff --git a/dist b/dist new file mode 100644 index 0000000..9c0e36e --- /dev/null +++ b/dist @@ -0,0 +1 @@ +an8 diff --git a/xmlrpc-c.spec b/xmlrpc-c.spec index ebba44c..9732d67 100644 --- a/xmlrpc-c.spec +++ b/xmlrpc-c.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global advanced_branch 1 # Upstream libxml2 backend is completely broken since 2015 @@ -7,7 +6,7 @@ Name: xmlrpc-c Version: 1.51.0 -Release: 6%{anolis_release}%{?dist} +Release: 8%{?dist} Summary: Lightweight RPC library based on XML and HTTP # See doc/COPYING for details. # The Python 1.5.2 license used by a few files is just BSD. 
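Review bot: In the doProlog hunk of 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch, the context line `realloc(groupConnector, groupSize *= 2)` still doubles groupSize before the allocation result is known, so a failed realloc leaves the recorded size larger than the buffer unless the failure branch, which continues past the hunk, restores it. Computing the new size in a local and storing it only on success avoids that: `unsigned int const newSize = groupSize * 2;`, then `realloc(groupConnector, newSize)`, and `groupSize = newSize;` after the NULL check. The added guard compares against `(unsigned int)(-1) / 2u`, which is only effective if groupSize is declared unsigned; its declaration is not in the hunk, so confirm the type.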
@@ -26,6 +25,8 @@ Patch103: 0003-allow-30x-redirections.patch #Patch104: xmlrpc-c-printf-size_t.patch #Patch105: xmlrpc-c-check-vasprintf-return-value.patch Patch104: 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch +Patch105: 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch +Patch106: 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch # Backported patches # https://sourceforge.net/p/xmlrpc-c/code/2981/ @@ -50,7 +51,6 @@ BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(libcurl) BuildRequires: readline-devel BuildRequires: ncurses-devel -Requires: glibc %package c++ Summary: C++ libraries for xmlrpc-c @@ -127,15 +127,6 @@ to a remote server using HTTP, and gets back the response as XML. This package contains some handy XML-RPC demo applications. -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - - %prep %autosetup -Sgit @@ -153,6 +144,7 @@ Doc pages for %{name}. %files %license doc/COPYING lib/abyss/license.txt +%doc doc/CREDITS doc/HISTORY %if ! %{with libxml2} %{_libdir}/libxmlrpc_xml*.so.* %endif 
@@ -201,15 +193,18 @@ Doc pages for %{name}. %{_bindir}/xmlrpc_pstream %{_bindir}/xmlrpc_dumpserver -%files doc -%doc doc/CREDITS doc/HISTORY - %changelog -* Sat Jul 16 2022 Hangbo Fan - 1.51.0-6.0.1 -- Add doc sub package +* Thu Apr 14 2022 Rob Crittenden - 1.51.0-8 +- Address some Coverity issues in the patch set + +* Tue Apr 05 2022 Rob Crittenden - 1.51.0-7 +- lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827) + (#2058567, #2058576, #2058582, #2058589, #2058595, #2058602) +- Prevent integer overflow on m_groupSize in doProlog + (CVE-2021-46143) (#2058560) * Thu Mar 03 2022 Rob Crittenden - 1.51.0-6 -- Add missing validation of encoding (CVE-2022-25235) (#2058114) +- Add missing validation of encoding (CVE-2022-25235) (#2070481) * Thu Apr 19 2018 Adam Williamson - 1.51.0-5 - Backport upstream fix for console spam with debug messages (#1541868) -- Gitee From 314845485a0b043e7d340cd808224b8cd3aa221b Mon Sep 17 00:00:00 2001 From: HangBo Fan Date: Sun, 17 Jul 2022 16:07:42 +0800 Subject: [PATCH 2/2] spec: add doc sub package --- xmlrpc-c.spec | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/xmlrpc-c.spec b/xmlrpc-c.spec index 9732d67..6dca559 100644 --- a/xmlrpc-c.spec +++ b/xmlrpc-c.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global advanced_branch 1 # Upstream libxml2 backend is completely broken since 2015 @@ -6,7 +7,7 @@ Name: xmlrpc-c Version: 1.51.0 -Release: 8%{?dist} +Release: 8%{anolis_release}%{?dist} Summary: Lightweight RPC library based on XML and HTTP # See doc/COPYING for details. # The Python 1.5.2 license used by a few files is just BSD. @@ -51,6 +52,7 @@ BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(libcurl) BuildRequires: readline-devel BuildRequires: ncurses-devel +Requires: glibc %package c++ Summary: C++ libraries for xmlrpc-c 
@@ -127,6 +129,15 @@ to a remote server using HTTP, and gets back the response as XML. This package contains some handy XML-RPC demo applications. +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + + %prep %autosetup -Sgit @@ -144,7 +155,6 @@ This package contains some handy XML-RPC demo applications. %files %license doc/COPYING lib/abyss/license.txt -%doc doc/CREDITS doc/HISTORY %if ! %{with libxml2} %{_libdir}/libxmlrpc_xml*.so.* %endif @@ -193,7 +203,13 @@ This package contains some handy XML-RPC demo applications. %{_bindir}/xmlrpc_pstream %{_bindir}/xmlrpc_dumpserver +%files doc +%doc doc/CREDITS doc/HISTORY + %changelog +* Tue Jul 04 2023 Hangbo Fan - 1.51.0-8.0.1 +- Add doc sub package + * Thu Apr 14 2022 Rob Crittenden - 1.51.0-8 - Address some Coverity issues in the patch set -- Gitee