slackware-current/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch

From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Sat, 22 Jan 2022 17:48:00 +0100
Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer
 (CVE-2022-23852)

---
 expat/lib/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index d54af683..5ce31402 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
     if (neededSize

From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 23 Jan 2022 18:17:04 +0100
Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer
 (CVE-2022-23852)

---
 expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index e89e8220..579dad1a 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
 }
 END_TEST
 
+/* Test for signed integer overflow CVE-2022-23852 */
+#if defined(XML_CONTEXT_BYTES)
+START_TEST(test_get_buffer_3_overflow) {
+  XML_Parser parser = XML_ParserCreate(NULL);
+  assert(parser != NULL);
+
+  const char *const text = "\n";
+  const int expectedKeepValue = (int)strlen(text);
+
+  // After this call, variable "keep" in XML_GetBuffer will
+  // have value expectedKeepValue
+  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
+      == XML_STATUS_ERROR)
+    xml_failure(parser);
+
+  assert(expectedKeepValue > 0);
+  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
+    fail("enlarging buffer not failed");
+
+  XML_ParserFree(parser);
+}
+END_TEST
+#endif // defined(XML_CONTEXT_BYTES)
+
 /* Test position information macros */
 START_TEST(test_byte_info_at_end) {
   const char *text = "<doc></doc>";
@@ -11731,6 +11755,9 @@ make_suite(void) {
   tcase_add_test(tc_basic, test_empty_parse);
   tcase_add_test(tc_basic, test_get_buffer_1);
   tcase_add_test(tc_basic, test_get_buffer_2);
+#if defined(XML_CONTEXT_BYTES)
+  tcase_add_test(tc_basic, test_get_buffer_3_overflow);
+#endif
   tcase_add_test(tc_basic, test_byte_info_at_end);
   tcase_add_test(tc_basic, test_byte_info_at_error);
   tcase_add_test(tc_basic, test_byte_info_at_cdata);

From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sat, 22 Jan 2022 17:49:17 +0100
Subject: [PATCH 3/3] Changes: Document CVE-2022-23852

---
 expat/Changes | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/expat/Changes b/expat/Changes
index 7540d38c..64d75d05 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things:
       https://github.com/libexpat/libexpat/labels/help%20wanted
       If you can help, please get in touch.  Thanks!
 
+Release x.x.x xxx xxxxxxx xx xxxx
+        Security fixes:
+            #550  CVE-2022-23852 -- Fix signed integer overflow
+                    (undefined behavior) in function XML_GetBuffer
+                    (that is also called by function XML_Parse internally)
+                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
+                    common and default).
+                    Impact is denial of service or more.
+
+        Special thanks to:
+            Samanta Navarro
+
 Release 2.4.3 Sun January 16 2022
         Security fixes:
        #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
Tue Jan 25 06:16:36 UTC 2022 It may look like we're currently experiencing more stuckness, but this will lead us to Quality. We'll have this release in the can before you know it. a/aaa_glibc-solibs-2.33-x86_64-5.txz: Rebuilt. a/aaa_libraries-15.0-x86_64-16.txz: Rebuilt. Rebuilt to pick up the patched libexpat.so.1.8.3. a/kernel-firmware-20220124_eb8ea1b-noarch-1.txz: Upgraded. a/kernel-generic-5.15.16-x86_64-2.txz: Upgraded. a/kernel-huge-5.15.16-x86_64-2.txz: Upgraded. -9P_FSCACHE n 9P_FS m -> y Thanks to peake. a/kernel-modules-5.15.16-x86_64-2.txz: Upgraded. a/mkinitrd-1.4.11-x86_64-27.txz: Rebuilt. mkinitrd_command_generator.sh: properly detect partitions of a RAID device. Thanks to perrin4869. a/util-linux-2.37.3-x86_64-1.txz: Upgraded. This release fixes two security mount(8) and umount(8) issues: An issue related to parsing the /proc/self/mountinfo file allows an unprivileged user to unmount other user's filesystems that are either world-writable themselves or mounted in a world-writable directory. Improper UID check in libmount allows an unprivileged user to unmount FUSE filesystems of users with similar UID. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3995 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3996 (* Security fix ) ap/vim-8.2.4212-x86_64-1.txz: Upgraded. d/git-2.35.0-x86_64-1.txz: Upgraded. d/kernel-headers-5.15.16-x86-2.txz: Upgraded. k/kernel-source-5.15.16-noarch-2.txz: Upgraded. l/expat-2.4.3-x86_64-2.txz: Rebuilt. Fix signed integer overflow in function XML_GetBuffer for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or other undefined behavior. While we're here, also patch a memory leak on output file opening error. Thanks to marav. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852 ( Security fix ) l/fluidsynth-2.2.5-x86_64-1.txz: Upgraded. l/glibc-2.33-x86_64-5.txz: Rebuilt. This update patches two security issues: Unexpected return value from glibc's realpath(). Off-by-one buffer overflow/underflow in glibc's getcwd(). Thanks to Qualys Research Labs for reporting these issues. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3998 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3999 ( Security fix ) l/glibc-i18n-2.33-x86_64-5.txz: Rebuilt. l/glibc-profile-2.33-x86_64-5.txz: Rebuilt. l/tdb-1.4.6-x86_64-1.txz: Upgraded. x/xf86-input-libinput-1.2.1-x86_64-1.txz: Upgraded. xap/mozilla-thunderbird-91.5.1-x86_64-1.txz: Upgraded. This is a bugfix release. For more information, see: https://www.mozilla.org/en-US/thunderbird/91.5.1/releasenotes/ xap/vim-gvim-8.2.4212-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt. 2022-01-25 07:16:36 +01:00			`From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001`
			`From: Samanta Navarro <ferivoz@riseup.net>`
			`Date: Sat, 22 Jan 2022 17:48:00 +0100`
			`Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer`
			`(CVE-2022-23852)`

			`---`
			`expat/lib/xmlparse.c \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c`
			`index d54af683..5ce31402 100644`
			`--- a/expat/lib/xmlparse.c`
			`+++ b/expat/lib/xmlparse.c`
			`@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {`
			`keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);`
			`if (keep > XML_CONTEXT_BYTES)`
			`keep = XML_CONTEXT_BYTES;`
			`+ /* Detect and prevent integer overflow */`
			`+ if (keep > INT_MAX - neededSize) {`
			`+ parser->m_errorCode = XML_ERROR_NO_MEMORY;`
			`+ return NULL;`
			`+ }`
			`neededSize += keep;`
			`#endif /* defined XML_CONTEXT_BYTES */`
			`if (neededSize`

			`From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001`
			`From: Sebastian Pipping <sebastian@pipping.org>`
			`Date: Sun, 23 Jan 2022 18:17:04 +0100`
			`Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer`
			`(CVE-2022-23852)`

			`---`
			`expat/tests/runtests.c \| 27 +++++++++++++++++++++++++++`
			`1 file changed, 27 insertions(+)`

			`diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c`
			`index e89e8220..579dad1a 100644`
			`--- a/expat/tests/runtests.c`
			`+++ b/expat/tests/runtests.c`
			`@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {`
			`}`
			`END_TEST`

			`+/* Test for signed integer overflow CVE-2022-23852 */`
			`+#if defined(XML_CONTEXT_BYTES)`
			`+START_TEST(test_get_buffer_3_overflow) {`
			`+ XML_Parser parser = XML_ParserCreate(NULL);`
			`+ assert(parser != NULL);`
			`+`
			`+ const char *const text = "\n";`
			`+ const int expectedKeepValue = (int)strlen(text);`
			`+`
			`+ // After this call, variable "keep" in XML_GetBuffer will`
			`+ // have value expectedKeepValue`
			`+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)`
			`+ == XML_STATUS_ERROR)`
			`+ xml_failure(parser);`
			`+`
			`+ assert(expectedKeepValue > 0);`
			`+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)`
			`+ fail("enlarging buffer not failed");`
			`+`
			`+ XML_ParserFree(parser);`
			`+}`
			`+END_TEST`
			`+#endif // defined(XML_CONTEXT_BYTES)`
			`+`
			`/* Test position information macros */`
			`START_TEST(test_byte_info_at_end) {`
			`const char *text = "<doc></doc>";`
			`@@ -11731,6 +11755,9 @@ make_suite(void) {`
			`tcase_add_test(tc_basic, test_empty_parse);`
			`tcase_add_test(tc_basic, test_get_buffer_1);`
			`tcase_add_test(tc_basic, test_get_buffer_2);`
			`+#if defined(XML_CONTEXT_BYTES)`
			`+ tcase_add_test(tc_basic, test_get_buffer_3_overflow);`
			`+#endif`
			`tcase_add_test(tc_basic, test_byte_info_at_end);`
			`tcase_add_test(tc_basic, test_byte_info_at_error);`
			`tcase_add_test(tc_basic, test_byte_info_at_cdata);`

			`From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001`
			`From: Sebastian Pipping <sebastian@pipping.org>`
			`Date: Sat, 22 Jan 2022 17:49:17 +0100`
			`Subject: [PATCH 3/3] Changes: Document CVE-2022-23852`

			`---`
			`expat/Changes \| 12 ++++++++++++`
			`1 file changed, 12 insertions(+)`

			`diff --git a/expat/Changes b/expat/Changes`
			`index 7540d38c..64d75d05 100644`
			`--- a/expat/Changes`
			`+++ b/expat/Changes`
			`@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things:`
			`https://github.com/libexpat/libexpat/labels/help%20wanted`
			`If you can help, please get in touch. Thanks!`

			`+Release x.x.x xxx xxxxxxx xx xxxx`
			`+ Security fixes:`
			`+ #550 CVE-2022-23852 -- Fix signed integer overflow`
			`+ (undefined behavior) in function XML_GetBuffer`
			`+ (that is also called by function XML_Parse internally)`
			`+ for when XML_CONTEXT_BYTES is defined to >0 (which is both`
			`+ common and default).`
			`+ Impact is denial of service or more.`
			`+`
			`+ Special thanks to:`
			`+ Samanta Navarro`
			`+`
			`Release 2.4.3 Sun January 16 2022`
			`Security fixes:`
			`#531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places`