From 4292c49b93cd018c300cd8321151afa0cd051387 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Mon, 24 Jan 2022 19:08:38 +0000 Subject: [PATCH] expat: add patches for CVE-2022-23852 --- .../libraries/expat/CVE-2022-23852-fix.patch | 26 +++++++++ .../libraries/expat/CVE-2022-23852-test.patch | 55 +++++++++++++++++++ pkgs/development/libraries/expat/default.nix | 6 ++ 3 files changed, 87 insertions(+) create mode 100644 pkgs/development/libraries/expat/CVE-2022-23852-fix.patch create mode 100644 pkgs/development/libraries/expat/CVE-2022-23852-test.patch diff --git a/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch b/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch new file mode 100644 index 000000000000..fbbd080db4ed --- /dev/null +++ b/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch @@ -0,0 +1,26 @@ +From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001 +From: Samanta Navarro +Date: Sat, 22 Jan 2022 17:48:00 +0100 +Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer + (CVE-2022-23852) + +--- + expat/lib/xmlparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index d54af683..5ce31402 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) { + keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); + if (keep > XML_CONTEXT_BYTES) + keep = XML_CONTEXT_BYTES; ++ /* Detect and prevent integer overflow */ ++ if (keep > INT_MAX - neededSize) { ++ parser->m_errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } + neededSize += keep; + #endif /* defined XML_CONTEXT_BYTES */ + if (neededSize diff --git a/pkgs/development/libraries/expat/CVE-2022-23852-test.patch b/pkgs/development/libraries/expat/CVE-2022-23852-test.patch new file mode 100644 index 000000000000..3dca8f914a8f --- /dev/null +++ b/pkgs/development/libraries/expat/CVE-2022-23852-test.patch @@ -0,0 +1,55 @@ +From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 23 Jan 2022 18:17:04 +0100 +Subject: [PATCH] tests: Cover integer overflow in XML_GetBuffer + (CVE-2022-23852) + +--- + expat/tests/runtests.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c +index e89e8220..579dad1a 100644 +--- a/expat/tests/runtests.c ++++ b/expat/tests/runtests.c +@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) { + } + END_TEST + ++/* Test for signed integer overflow CVE-2022-23852 */ ++#if defined(XML_CONTEXT_BYTES) ++START_TEST(test_get_buffer_3_overflow) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert(parser != NULL); ++ ++ const char *const text = "\n"; ++ const int expectedKeepValue = (int)strlen(text); ++ ++ // After this call, variable "keep" in XML_GetBuffer will ++ // have value expectedKeepValue ++ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ assert(expectedKeepValue > 0); ++ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL) ++ fail("enlarging buffer not failed"); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++#endif // defined(XML_CONTEXT_BYTES) ++ + /* Test position information macros */ + START_TEST(test_byte_info_at_end) { + const char *text = ""; +@@ -11731,6 +11755,9 @@ make_suite(void) { + tcase_add_test(tc_basic, test_empty_parse); + tcase_add_test(tc_basic, test_get_buffer_1); + tcase_add_test(tc_basic, test_get_buffer_2); ++#if defined(XML_CONTEXT_BYTES) ++ tcase_add_test(tc_basic, test_get_buffer_3_overflow); ++#endif + tcase_add_test(tc_basic, test_byte_info_at_end); + tcase_add_test(tc_basic, test_byte_info_at_error); + tcase_add_test(tc_basic, test_byte_info_at_cdata); diff --git a/pkgs/development/libraries/expat/default.nix b/pkgs/development/libraries/expat/default.nix index 6abbd9567478..5bd03824441a 100644 --- a/pkgs/development/libraries/expat/default.nix +++ b/pkgs/development/libraries/expat/default.nix @@ -14,6 +14,12 @@ stdenv.mkDerivation rec { sha256 = "sha256-sfnxsaXrsKyqiMn/eb+k4UWCO3iqUYXlxdhfBggkd4o="; }; + patches = [ + ./CVE-2022-23852-fix.patch + ./CVE-2022-23852-test.patch + ]; + patchFlags = "-p2"; + outputs = [ "out" "dev" ]; # TODO: fix referrers outputBin = "dev";