Commit 190b36f9 authored by Leo's avatar Leo Committed by Natanael Copa

main/expat: fix CVE-2019-15903

ref #10791
parent 033f9730
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=expat
pkgver=2.2.7
pkgrel=0
pkgrel=1
pkgdesc="An XML Parser library written in C"
url="http://www.libexpat.org/"
arch="all"
license='MIT'
checkdepends="bash"
source="http://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2"
source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2
CVE-2019-15903.patch
"
subpackages="$pkgname-dev $pkgname-doc"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 2.2.7-r1:
# - CVE-2019-15903
# 2.2.7-r0:
# - CVE-2018-20843
# - CVE-2018-20843
# 2.2.0-r1:
# - CVE-2017-9233
# - CVE-2017-9233
build() {
cd "$builddir"
......@@ -37,4 +41,5 @@ package() {
make DESTDIR="$pkgdir/" install
}
sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2"
sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2
87ed7dc760a1b119cdca6af23b23eab25142a0758f55e5fd64036727ae7c3f4456a25083f3ed3d9810b9f17658b31b95212f8458765a8aec8a314b0729db1a5a CVE-2019-15903.patch"
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 9c0987f..b8656ca 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser);
static enum XML_Error
doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
const char *end, int tok, const char *next, const char **nextPtr,
- XML_Bool haveMore);
+ XML_Bool haveMore, XML_Bool allowClosingDoctype);
static enum XML_Error
processInternalEntity(XML_Parser parser, ENTITY *entity,
XML_Bool betweenDecl);
@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parser,
parser->m_processor = prologProcessor;
return doProlog(parser, parser->m_encoding, s, end, tok, next,
- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
}
static enum XML_Error PTRCALL
@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser,
const char *next = s;
int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
return doProlog(parser, parser->m_encoding, s, end, tok, next,
- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
}
static enum XML_Error
@@ -4293,7 +4293,7 @@ doProlog(XML_Parser parser,
int tok,
const char *next,
const char **nextPtr,
- XML_Bool haveMore)
+ XML_Bool haveMore, XML_Bool allowClosingDoctype)
{
#ifdef XML_DTD
static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
@@ -4472,6 +4472,11 @@ doProlog(XML_Parser parser,
}
break;
case XML_ROLE_DOCTYPE_CLOSE:
+ if (allowClosingDoctype != XML_TRUE) {
+ /* Must not close doctype from within expanded parameter entities */
+ return XML_ERROR_INVALID_TOKEN;
+ }
+
if (parser->m_doctypeName) {
parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
parser->m_doctypeSysid, parser->m_doctypePubid, 0);
@@ -5409,7 +5414,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity,
if (entity->is_param) {
int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
- next, &next, XML_FALSE);
+ next, &next, XML_FALSE, XML_FALSE);
}
else
#endif /* XML_DTD */
@@ -5456,7 +5461,7 @@ internalEntityProcessor(XML_Parser parser,
if (entity->is_param) {
int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
- next, &next, XML_FALSE);
+ next, &next, XML_FALSE, XML_FALSE);
}
else
#endif /* XML_DTD */
@@ -5483,7 +5488,7 @@ internalEntityProcessor(XML_Parser parser,
parser->m_processor = prologProcessor;
tok = XmlPrologTok(parser->m_encoding, s, end, &next);
return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
}
else
#endif /* XML_DTD */
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment