main/expat: fix regression for CVE-2022-25236

2 files changed, 174 insertions, 1 deletions

diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index de2f42c504..c59fd1b732 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=expat
 pkgver=2.2.10
-pkgrel=3
+pkgrel=4
 pkgdesc="An XML Parser library written in C"
 url="http://www.libexpat.org/"
 arch="all"
@@ -15,6 +15,7 @@ source="https://github.com/libexpat/libexpat/releases/download/R_${pkgver//./_}/
 	CVE-2022-23990.patch
 	CVE-2022-25235.patch
 	CVE-2022-25236.patch
+	CVE-2022-25236-regression.patch
 	CVE-2022-25313.patch
 	CVE-2022-25313-regression.patch
 	CVE-2022-25314.patch
@@ -78,6 +79,7 @@ cb079c0b9fe7df6afe2e06d706461489527802dce811d894587221b6316784b6cf1c7cf70573f41a
 7de120a34b5fc2fcb3779e259b24d47d8f40f38aab490b738eea52c55542b9cac45c897d90cb129c17c2d0057518f59b013c2af87a579c70b28a9aa70c1f27cb  CVE-2022-23990.patch
 c3ed585a62d5aadd9e1d1d589b636e37ffba5b5cc0c4d264a151cf308a9bfcfe9859704f43fd6d4e1ed86633fa4672378288bdc05b5e47dcb42c75f8258035f5  CVE-2022-25235.patch
 016ca726fde03ef9049404faff7122e4f6e9b8a89d4a188e1ffa7bcf4d177fe79e00a3e1f90b45424ec60586cdde7615c6f5a39db1be1e585713f1a7385aa14c  CVE-2022-25236.patch
+36d441df896a6734091c15c3cd84515114d805349123a98eb43b61a268533f36b1ae0ac437e99b26a1792863e6d23c8d0a38eac902942b768e551cf2f2ea6187  CVE-2022-25236-regression.patch
 4db9ad13e5e1461339ab93554d14acacbbdc121824a1dfd8a1d9df3194452711606da1f9f9ed5c03c0c5ca8de61237ef588897bbde95f89109160dc685fde25f  CVE-2022-25313.patch
 a0a41683fbef105a3577e845dd4d4d7a8a94561e8d578e5cd5efb77b02b6229ae26c9dc2dcb852f3dd72f155f9a886b9e68f7a54173d074528aee0d1f470ce05  CVE-2022-25313-regression.patch
 ac7d03f3ef8be557bda0294247a645db820470be47ea7fa3dab8047f7f11ada831e4f0a4cd4b82e3b2f7715ada08435b8292257a64714c0242407ef58a661b72  CVE-2022-25314.patch
diff --git a/main/expat/CVE-2022-25236-regression.patch b/main/expat/CVE-2022-25236-regression.patch
new file mode 100644
index 0000000000..2bcab60116
--- /dev/null
+++ b/main/expat/CVE-2022-25236-regression.patch
@@ -0,0 +1,171 @@
+non-code patches skipped
+---
+
+From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 27 Feb 2022 16:58:08 +0100
+Subject: [PATCH 1/5] lib: Relax fix to CVE-2022-25236 with regard to RFC 3986
+ URI characters
+
+---
+ expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 131 insertions(+), 8 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 59da19c8..6fe2cf1e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   return XML_ERROR_NONE;
+ }
+ 
++static XML_Bool
++is_rfc3986_uri_char(XML_Char candidate) {
++  // For the RFC 3986 ANBF grammar see
++  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
++
++  switch (candidate) {
++  // From rule "ALPHA" (uppercase half)
++  case 'A':
++  case 'B':
++  case 'C':
++  case 'D':
++  case 'E':
++  case 'F':
++  case 'G':
++  case 'H':
++  case 'I':
++  case 'J':
++  case 'K':
++  case 'L':
++  case 'M':
++  case 'N':
++  case 'O':
++  case 'P':
++  case 'Q':
++  case 'R':
++  case 'S':
++  case 'T':
++  case 'U':
++  case 'V':
++  case 'W':
++  case 'X':
++  case 'Y':
++  case 'Z':
++
++  // From rule "ALPHA" (lowercase half)
++  case 'a':
++  case 'b':
++  case 'c':
++  case 'd':
++  case 'e':
++  case 'f':
++  case 'g':
++  case 'h':
++  case 'i':
++  case 'j':
++  case 'k':
++  case 'l':
++  case 'm':
++  case 'n':
++  case 'o':
++  case 'p':
++  case 'q':
++  case 'r':
++  case 's':
++  case 't':
++  case 'u':
++  case 'v':
++  case 'w':
++  case 'x':
++  case 'y':
++  case 'z':
++
++  // From rule "DIGIT"
++  case '0':
++  case '1':
++  case '2':
++  case '3':
++  case '4':
++  case '5':
++  case '6':
++  case '7':
++  case '8':
++  case '9':
++
++  // From rule "pct-encoded"
++  case '%':
++
++  // From rule "unreserved"
++  case '-':
++  case '.':
++  case '_':
++  case '~':
++
++  // From rule "gen-delims"
++  case ':':
++  case '/':
++  case '?':
++  case '#':
++  case '[':
++  case ']':
++  case '@':
++
++  // From rule "sub-delims"
++  case '!':
++  case '$':
++  case '&':
++  case '\'':
++  case '(':
++  case ')':
++  case '*':
++  case '+':
++  case ',':
++  case ';':
++  case '=':
++    return XML_TRUE;
++
++  default:
++    return XML_FALSE;
++  }
++}
++
+ /* addBinding() overwrites the value of prefix->binding without checking.
+    Therefore one must keep track of the old value outside of addBinding().
+ */
+@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
+ 
+-    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+-    //       we have to at least make sure that the XML processor on top of
+-    //       Expat (that is splitting tag names by namespace separator into
+-    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+-    //       by an attacker putting additional namespace separator characters
+-    //       into namespace declarations.  That would be ambiguous and not to
+-    //       be expected.
+-    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++    // NOTE: While Expat does not validate namespace URIs against RFC 3986
++    //       today (and is not REQUIRED to do so with regard to the XML 1.0
++    //       namespaces specification) we have to at least make sure, that
++    //       the application on top of Expat (that is likely splitting expanded
++    //       element names ("qualified names") of form
++    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
++    //       in its element handler code) cannot be confused by an attacker
++    //       putting additional namespace separator characters into namespace
++    //       declarations.  That would be ambiguous and not to be expected.
++    //
++    //       While the HTML API docs of function XML_ParserCreateNS have been
++    //       advising against use of a namespace separator character that can
++    //       appear in a URI for >20 years now, some widespread applications
++    //       are using URI characters (':' (colon) in particular) for a
++    //       namespace separator, in practice.  To keep these applications
++    //       functional, we only reject namespaces URIs containing the
++    //       application-chosen namespace separator if the chosen separator
++    //       is a non-URI character with regard to RFC 3986.
++    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
++        && ! is_rfc3986_uri_char(uri[len])) {
+       return XML_ERROR_SYNTAX;
+     }
+   }
+