mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2026-05-17 18:46:36 +02:00
main/expat: fix regression for CVE-2022-25236
This commit is contained in:
psykose
parent
9be35d09cb
commit
b0140ff0cb
@ -1,7 +1,7 @@
|
||||
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
|
||||
pkgname=expat
|
||||
pkgver=2.2.10
|
||||
pkgrel=3
|
||||
pkgrel=4
|
||||
pkgdesc="An XML Parser library written in C"
|
||||
url="http://www.libexpat.org/"
|
||||
arch="all"
|
||||
@ -15,6 +15,7 @@ source="https://github.com/libexpat/libexpat/releases/download/R_${pkgver//./_}/
|
||||
CVE-2022-23990.patch
|
||||
CVE-2022-25235.patch
|
||||
CVE-2022-25236.patch
|
||||
CVE-2022-25236-regression.patch
|
||||
CVE-2022-25313.patch
|
||||
CVE-2022-25313-regression.patch
|
||||
CVE-2022-25314.patch
|
||||
@ -78,6 +79,7 @@ cb079c0b9fe7df6afe2e06d706461489527802dce811d894587221b6316784b6cf1c7cf70573f41a
|
||||
7de120a34b5fc2fcb3779e259b24d47d8f40f38aab490b738eea52c55542b9cac45c897d90cb129c17c2d0057518f59b013c2af87a579c70b28a9aa70c1f27cb CVE-2022-23990.patch
|
||||
c3ed585a62d5aadd9e1d1d589b636e37ffba5b5cc0c4d264a151cf308a9bfcfe9859704f43fd6d4e1ed86633fa4672378288bdc05b5e47dcb42c75f8258035f5 CVE-2022-25235.patch
|
||||
016ca726fde03ef9049404faff7122e4f6e9b8a89d4a188e1ffa7bcf4d177fe79e00a3e1f90b45424ec60586cdde7615c6f5a39db1be1e585713f1a7385aa14c CVE-2022-25236.patch
|
||||
36d441df896a6734091c15c3cd84515114d805349123a98eb43b61a268533f36b1ae0ac437e99b26a1792863e6d23c8d0a38eac902942b768e551cf2f2ea6187 CVE-2022-25236-regression.patch
|
||||
4db9ad13e5e1461339ab93554d14acacbbdc121824a1dfd8a1d9df3194452711606da1f9f9ed5c03c0c5ca8de61237ef588897bbde95f89109160dc685fde25f CVE-2022-25313.patch
|
||||
a0a41683fbef105a3577e845dd4d4d7a8a94561e8d578e5cd5efb77b02b6229ae26c9dc2dcb852f3dd72f155f9a886b9e68f7a54173d074528aee0d1f470ce05 CVE-2022-25313-regression.patch
|
||||
ac7d03f3ef8be557bda0294247a645db820470be47ea7fa3dab8047f7f11ada831e4f0a4cd4b82e3b2f7715ada08435b8292257a64714c0242407ef58a661b72 CVE-2022-25314.patch
|
||||
|
||||
171
main/expat/CVE-2022-25236-regression.patch
Normal file
171
main/expat/CVE-2022-25236-regression.patch
Normal file
@ -0,0 +1,171 @@
|
||||
non-code patches skipped
|
||||
---
|
||||
|
||||
From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Pipping <sebastian@pipping.org>
|
||||
Date: Sun, 27 Feb 2022 16:58:08 +0100
|
||||
Subject: [PATCH 1/5] lib: Relax fix to CVE-2022-25236 with regard to RFC 3986
|
||||
URI characters
|
||||
|
||||
---
|
||||
expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 131 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 59da19c8..6fe2cf1e 100644
|
||||
--- a/lib/xmlparse.c
|
||||
+++ b/lib/xmlparse.c
|
||||
@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
||||
return XML_ERROR_NONE;
|
||||
}
|
||||
|
||||
+static XML_Bool
|
||||
+is_rfc3986_uri_char(XML_Char candidate) {
|
||||
+ // For the RFC 3986 ANBF grammar see
|
||||
+ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
|
||||
+
|
||||
+ switch (candidate) {
|
||||
+ // From rule "ALPHA" (uppercase half)
|
||||
+ case 'A':
|
||||
+ case 'B':
|
||||
+ case 'C':
|
||||
+ case 'D':
|
||||
+ case 'E':
|
||||
+ case 'F':
|
||||
+ case 'G':
|
||||
+ case 'H':
|
||||
+ case 'I':
|
||||
+ case 'J':
|
||||
+ case 'K':
|
||||
+ case 'L':
|
||||
+ case 'M':
|
||||
+ case 'N':
|
||||
+ case 'O':
|
||||
+ case 'P':
|
||||
+ case 'Q':
|
||||
+ case 'R':
|
||||
+ case 'S':
|
||||
+ case 'T':
|
||||
+ case 'U':
|
||||
+ case 'V':
|
||||
+ case 'W':
|
||||
+ case 'X':
|
||||
+ case 'Y':
|
||||
+ case 'Z':
|
||||
+
|
||||
+ // From rule "ALPHA" (lowercase half)
|
||||
+ case 'a':
|
||||
+ case 'b':
|
||||
+ case 'c':
|
||||
+ case 'd':
|
||||
+ case 'e':
|
||||
+ case 'f':
|
||||
+ case 'g':
|
||||
+ case 'h':
|
||||
+ case 'i':
|
||||
+ case 'j':
|
||||
+ case 'k':
|
||||
+ case 'l':
|
||||
+ case 'm':
|
||||
+ case 'n':
|
||||
+ case 'o':
|
||||
+ case 'p':
|
||||
+ case 'q':
|
||||
+ case 'r':
|
||||
+ case 's':
|
||||
+ case 't':
|
||||
+ case 'u':
|
||||
+ case 'v':
|
||||
+ case 'w':
|
||||
+ case 'x':
|
||||
+ case 'y':
|
||||
+ case 'z':
|
||||
+
|
||||
+ // From rule "DIGIT"
|
||||
+ case '0':
|
||||
+ case '1':
|
||||
+ case '2':
|
||||
+ case '3':
|
||||
+ case '4':
|
||||
+ case '5':
|
||||
+ case '6':
|
||||
+ case '7':
|
||||
+ case '8':
|
||||
+ case '9':
|
||||
+
|
||||
+ // From rule "pct-encoded"
|
||||
+ case '%':
|
||||
+
|
||||
+ // From rule "unreserved"
|
||||
+ case '-':
|
||||
+ case '.':
|
||||
+ case '_':
|
||||
+ case '~':
|
||||
+
|
||||
+ // From rule "gen-delims"
|
||||
+ case ':':
|
||||
+ case '/':
|
||||
+ case '?':
|
||||
+ case '#':
|
||||
+ case '[':
|
||||
+ case ']':
|
||||
+ case '@':
|
||||
+
|
||||
+ // From rule "sub-delims"
|
||||
+ case '!':
|
||||
+ case '$':
|
||||
+ case '&':
|
||||
+ case '\'':
|
||||
+ case '(':
|
||||
+ case ')':
|
||||
+ case '*':
|
||||
+ case '+':
|
||||
+ case ',':
|
||||
+ case ';':
|
||||
+ case '=':
|
||||
+ return XML_TRUE;
|
||||
+
|
||||
+ default:
|
||||
+ return XML_FALSE;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* addBinding() overwrites the value of prefix->binding without checking.
|
||||
Therefore one must keep track of the old value outside of addBinding().
|
||||
*/
|
||||
@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
||||
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
|
||||
isXMLNS = XML_FALSE;
|
||||
|
||||
- // NOTE: While Expat does not validate namespace URIs against RFC 3986,
|
||||
- // we have to at least make sure that the XML processor on top of
|
||||
- // Expat (that is splitting tag names by namespace separator into
|
||||
- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
|
||||
- // by an attacker putting additional namespace separator characters
|
||||
- // into namespace declarations. That would be ambiguous and not to
|
||||
- // be expected.
|
||||
- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
|
||||
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986
|
||||
+ // today (and is not REQUIRED to do so with regard to the XML 1.0
|
||||
+ // namespaces specification) we have to at least make sure, that
|
||||
+ // the application on top of Expat (that is likely splitting expanded
|
||||
+ // element names ("qualified names") of form
|
||||
+ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
|
||||
+ // in its element handler code) cannot be confused by an attacker
|
||||
+ // putting additional namespace separator characters into namespace
|
||||
+ // declarations. That would be ambiguous and not to be expected.
|
||||
+ //
|
||||
+ // While the HTML API docs of function XML_ParserCreateNS have been
|
||||
+ // advising against use of a namespace separator character that can
|
||||
+ // appear in a URI for >20 years now, some widespread applications
|
||||
+ // are using URI characters (':' (colon) in particular) for a
|
||||
+ // namespace separator, in practice. To keep these applications
|
||||
+ // functional, we only reject namespaces URIs containing the
|
||||
+ // application-chosen namespace separator if the chosen separator
|
||||
+ // is a non-URI character with regard to RFC 3986.
|
||||
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
|
||||
+ && ! is_rfc3986_uri_char(uri[len])) {
|
||||
return XML_ERROR_SYNTAX;
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user