futurile/guix-play
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gnu: expat: Fix security vulnerabilities.

Browse Source 
Fixes CVE-2024-45490, CVE-2024-45491, CVE-2024-45492.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2024-45490.patch,
gnu/packages/patches/expat-CVE-2024-45491.patch,
gnu/packages/patches/expat-CVE-2024-45492.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.

Change-Id: I74d5d7bce98d6c983b989c1afec7cf28777d1617
This commit is contained in:
Efraim Flashner 2024-09-19 09:57:10 +03:00
parent 1b6ce1796a
commit 610b395424
No known key found for this signature in database
GPG Key ID: 41AAE7DCCA3D8351
5 changed files with 117 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnu/local.mk
View File

@ -1205,6 +1205,9 @@ dist_patch_DATA = \
%D%/packages/patches/esmtp-add-lesmtp.patch \ %D%/packages/patches/esmtp-add-lesmtp.patch \
%D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/eudev-rules-directory.patch \
%D%/packages/patches/exercism-disable-self-update.patch \ %D%/packages/patches/exercism-disable-self-update.patch \
%D%/packages/patches/expat-CVE-2024-45490.patch \
%D%/packages/patches/expat-CVE-2024-45491.patch \
%D%/packages/patches/expat-CVE-2024-45492.patch \
%D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch \ %D%/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch \

34
gnu/packages/patches/expat-CVE-2024-45490.patch Normal file
View File

@ -0,0 +1,34 @@
https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch
Fixed in 2.6.3.
Takes only 1 of the 3 patches from
https://github.com/libexpat/libexpat/pull/890 to take the fix and not the
tests because that part doesn't apply cleanly.
From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:26:07 +0200
Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
Reported by TaiYou
---
expat/lib/xmlparse.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 91682c188..ba1038119 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
if (parser == NULL)
return XML_STATUS_ERROR;
+
+ if (len < 0) {
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+ return XML_STATUS_ERROR;
+ }
+
switch (parser->m_parsingStatus.parsing) {
case XML_SUSPENDED:
parser->m_errorCode = XML_ERROR_SUSPENDED;

34
gnu/packages/patches/expat-CVE-2024-45491.patch Normal file
View File

@ -0,0 +1,34 @@
https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch
Fixed in 2.6.3.
From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:34:13 +0200
Subject: [PATCH] lib: Detect integer overflow in dtdCopy
Reported by TaiYou
---
expat/lib/xmlparse.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 91682c188..e2327bdcf 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
if (! newE)
return 0;
if (oldE->nDefaultAtts) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((size_t)oldE->nDefaultAtts
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+ return 0;
+ }
+#endif
newE->defaultAtts
= ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
if (! newE->defaultAtts) {

33
gnu/packages/patches/expat-CVE-2024-45492.patch Normal file
View File

@ -0,0 +1,33 @@
https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch
Fixed in 2.6.3.
From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:37:16 +0200
Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
Reported by TaiYou
---
expat/lib/xmlparse.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 91682c188..f737575ea 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
int next;
if (! dtd->scaffIndex) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
+ return -1;
+ }
+#endif
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
if (! dtd->scaffIndex)
return -1;

14
gnu/packages/xml.scm
View File

@ -5,7 +5,7 @@
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com> ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
;;; Copyright © 2015, 2016, 2017, 2018, 2020 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2015, 2016, 2017, 2018, 2020 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015-2018, 2020-2022 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2015-2018, 2020-2022, 2024 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com> ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org> ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
@ -125,6 +125,7 @@ the entire document.")
(package (package
(name "expat") (name "expat")
(version "2.5.0") (version "2.5.0")
(replacement expat/fixed)
(source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
(origin (origin
(method url-fetch) (method url-fetch)
@ -160,6 +161,17 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).") things the parser might find in the XML document (like start tags).")
(license license:expat))) (license license:expat)))
(define-public expat/fixed
(hidden-package
(package
(inherit expat)
(replacement expat/fixed)
(source (origin
(inherit (package-source expat))
(patches (search-patches "expat-CVE-2024-45490.patch"
"expat-CVE-2024-45491.patch"
"expat-CVE-2024-45492.patch")))))))
(define-public libebml (define-public libebml
(package (package
(name "libebml") (name "libebml")