aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpsykose <alice@ayaya.dev>2022-10-25 18:57:10 +0000
committerpsykose <alice@ayaya.dev>2022-10-25 20:57:11 +0200
commitb390053cb95eb53c2ebe4972acdf71ec40cae3c6 (patch)
tree16439a71a76e4d4639d15875f06d289bc15a2423
parent312efba69eb23a1c10a70d044e67b0e061b4db09 (diff)
main/expat: fix CVE-2022-43680
-rw-r--r--main/expat/APKBUILD21
-rw-r--r--main/expat/CVE-2022-43680.patch118
2 files changed, 124 insertions, 15 deletions
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index df7a084ec9a..19e272874d6 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=expat
pkgver=2.2.10
-pkgrel=7
+pkgrel=8
pkgdesc="XML Parser library written in C"
url="http://www.libexpat.org/"
arch="all"
@@ -21,10 +21,13 @@ source="https://github.com/libexpat/libexpat/releases/download/R_${pkgver//./_}/
CVE-2022-25314.patch
CVE-2022-25315.patch
CVE-2022-40674.patch
+ CVE-2022-43680.patch
"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
# secfixes:
+# 2.2.10-r8:
+# - CVE-2022-43680
# 2.2.10-r7:
# - CVE-2022-40674
# 2.2.10-r4:
@@ -84,18 +87,6 @@ c3ed585a62d5aadd9e1d1d589b636e37ffba5b5cc0c4d264a151cf308a9bfcfe9859704f43fd6d4e
36d310754e76db577cdeeb0ae1563867f9db65c9de12b1423d4e67f8e2604893525474d6e07b6305553308b6b06285b1b9da3c4e858ef79874296f68b82080e8 CVE-2022-25313-regression.patch
ac7d03f3ef8be557bda0294247a645db820470be47ea7fa3dab8047f7f11ada831e4f0a4cd4b82e3b2f7715ada08435b8292257a64714c0242407ef58a661b72 CVE-2022-25314.patch
946e0983f9159ae4b01627581a99594f0e7263438ddfd40a1705b8de39ee9c6739af08598d3bc4f145a8ff142209d3fde85c20bbebe2932d9e60596f192db5b5 CVE-2022-25315.patch
+204d9ff3aea000327a700b1a6fdf9acfb866db52ac26c7b2b1f6ea087aac4086659775f3e18bf0e78b61cef4979ebd5075ad053a7af91d5be6dc728462097a44 CVE-2022-40674.patch
+08b69782ef5db8881156a2ab4dbab4780bed52a3b07fc72c4df84a548a71d8cb72f84040fe8c45ac17e832279126d20a08f7939b103e66e2dd01bc6873910e3b CVE-2022-43680.patch
"
-sha512sums="a8e0c8a9cf7e6fbacdc6e709f3c99c533ab550fba52557d24259bb8b360f9697624c7500c0e9886fa57ee2b529aadd0d1835d66fe8112e15c20df75cd3eb090f expat-2.2.10.tar.xz
-4afd3777fc682a2f9057d4cc42afe6e04680d7d24f93dc11a2677cb8b1a4b400921f6d689e2953aff4a3312118ea801c9e161f85774360b3b5c2d3bd0067f7ad CVE-2021-45960.patch
-dd0339a0cdf5b18638a5732f2f9930af7adb5b20aa3bf102317a571f0f7d4f453313f0d8fdaa60f89c7a8f2e59eeaaca4b9c2e427a45594b7e21ed7c253d547a CVE-2021-46143.patch
-dcf6bfc07b4919b1248dba5fc6d4e425d09975b09255d77456bb44b40495e92b4d4ffae6a9e949b204770848b70edfc4be1869c191cb01ebe967b1906ffc9d59 CVE-2022-22822.patch
-cb079c0b9fe7df6afe2e06d706461489527802dce811d894587221b6316784b6cf1c7cf70573f41a276b5d97f7530d17c7ed854273f4eeae9652d971f64ef282 CVE-2022-23852.patch
-7de120a34b5fc2fcb3779e259b24d47d8f40f38aab490b738eea52c55542b9cac45c897d90cb129c17c2d0057518f59b013c2af87a579c70b28a9aa70c1f27cb CVE-2022-23990.patch
-c3ed585a62d5aadd9e1d1d589b636e37ffba5b5cc0c4d264a151cf308a9bfcfe9859704f43fd6d4e1ed86633fa4672378288bdc05b5e47dcb42c75f8258035f5 CVE-2022-25235.patch
-016ca726fde03ef9049404faff7122e4f6e9b8a89d4a188e1ffa7bcf4d177fe79e00a3e1f90b45424ec60586cdde7615c6f5a39db1be1e585713f1a7385aa14c CVE-2022-25236.patch
-36d441df896a6734091c15c3cd84515114d805349123a98eb43b61a268533f36b1ae0ac437e99b26a1792863e6d23c8d0a38eac902942b768e551cf2f2ea6187 CVE-2022-25236-regression.patch
-4db9ad13e5e1461339ab93554d14acacbbdc121824a1dfd8a1d9df3194452711606da1f9f9ed5c03c0c5ca8de61237ef588897bbde95f89109160dc685fde25f CVE-2022-25313.patch
-36d310754e76db577cdeeb0ae1563867f9db65c9de12b1423d4e67f8e2604893525474d6e07b6305553308b6b06285b1b9da3c4e858ef79874296f68b82080e8 CVE-2022-25313-regression.patch
-ac7d03f3ef8be557bda0294247a645db820470be47ea7fa3dab8047f7f11ada831e4f0a4cd4b82e3b2f7715ada08435b8292257a64714c0242407ef58a661b72 CVE-2022-25314.patch
-946e0983f9159ae4b01627581a99594f0e7263438ddfd40a1705b8de39ee9c6739af08598d3bc4f145a8ff142209d3fde85c20bbebe2932d9e60596f192db5b5 CVE-2022-25315.patch
-204d9ff3aea000327a700b1a6fdf9acfb866db52ac26c7b2b1f6ea087aac4086659775f3e18bf0e78b61cef4979ebd5075ad053a7af91d5be6dc728462097a44 CVE-2022-40674.patch"
diff --git a/main/expat/CVE-2022-43680.patch b/main/expat/CVE-2022-43680.patch
new file mode 100644
index 00000000000..de01b1b47ee
--- /dev/null
+++ b/main/expat/CVE-2022-43680.patch
@@ -0,0 +1,118 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/56967f83d68d5fc750f9e66a9a76756c94c7c173
+From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Sep 2022 02:44:34 +0200
+Subject: [PATCH 1/3] lib: Fix overeager DTD destruction in
+ XML_ExternalEntityParserCreate
+
+---
+ expat/lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index aacd6e7fc..57bf103cc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
+ parserInit(parser, encodingName);
+
+ if (encodingName && ! parser->m_protocolEncodingName) {
++ if (dtd) {
++ // We need to stop the upcoming call to XML_ParserFree from happily
++ // destroying parser->m_dtd because the DTD is shared with the parent
++ // parser and the only guard that keeps XML_ParserFree from destroying
++ // parser->m_dtd is parser->m_isParamEntity but it will be set to
++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++ parser->m_dtd = NULL;
++ }
+ XML_ParserFree(parser);
+ return NULL;
+ }
+
+From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Sep 2022 18:16:15 +0200
+Subject: [PATCH 2/3] tests: Cover overeager DTD destruction in
+ XML_ExternalEntityParserCreate
+
+---
+ expat/tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 245fe9bda..acb744dd4 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) {
+ }
+ END_TEST
+
++static int XMLCALL
++external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
++ const XML_Char *context,
++ const XML_Char *base,
++ const XML_Char *systemId,
++ const XML_Char *publicId) {
++ UNUSED_P(base);
++ UNUSED_P(systemId);
++ UNUSED_P(publicId);
++
++ if (context != NULL)
++ fail("Unexpected non-NULL context");
++
++ // The following number intends to fail the upcoming allocation in line
++ // "parser->m_protocolEncodingName = copyString(encodingName,
++ // &(parser->m_mem));" in function parserInit.
++ allocation_count = 3;
++
++ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
++ const XML_Parser ext_parser
++ = XML_ExternalEntityParserCreate(parser, context, encodingName);
++ if (ext_parser != NULL)
++ fail(
++ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
++
++ allocation_count = ALLOC_ALWAYS_SUCCEED;
++ return XML_STATUS_ERROR;
++}
++
++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
++ const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>";
++
++ XML_SetExternalEntityRefHandler(
++ g_parser, external_entity_parser_create_alloc_fail_handler);
++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_ERROR)
++ fail("Call to parse was expected to fail");
++
++ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
++ fail("Call to parse was expected to fail from the external entity handler");
++
++ XML_ParserReset(g_parser, NULL);
++}
++END_TEST
++
+ static void
+ nsalloc_setup(void) {
+ XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12401,6 +12448,8 @@ make_suite(void) {
+ tcase_add_test(tc_alloc, test_alloc_long_public_id);
+ tcase_add_test(tc_alloc, test_alloc_long_entity_value);
+ tcase_add_test(tc_alloc, test_alloc_long_notation);
++ tcase_add_test__ifdef_xml_dtd(
++ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
+
+ suite_add_tcase(s, tc_nsalloc);
+ tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
+
+From eedc5f6de8e219130032c8ff2ff17580e18bd0c1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 21 Sep 2022 03:32:26 +0200
+Subject: [PATCH 3/3] Changes: Document #649
+
+---
+ expat/Changes | 5 +++++
+ 1 file changed, 5 insertions(+)
+