untrusted comment: verify with openbsd-75-base.pub
RWRGj1pRpprAfhwkposornSigPQWcxHwrb3d1U3DVjnLSv2a4LOx38ToGZPi+QkJ9Iy/erlgH9m199OtoH1NLop93NUCDBn2mQ0=
OpenBSD 7.5 errata 007, September 17, 2024:
In libexpat add integer range checks.
CVE-2024-45490 CVE-2024-45491 CVE-2024-45492
Apply by doing:
signify -Vep /etc/signify/openbsd-75-base.pub -x 007_expat.patch.sig \
-m - | (cd /usr/src && patch -p0)
And then rebuild and install libexpat:
cd /usr/src/lib/libexpat
make obj
make
make install
Index: lib/libexpat/Changes
===================================================================
RCS file: /cvs/src/lib/libexpat/Changes,v
diff -u -p -r1.24 Changes
--- lib/libexpat/Changes 11 Feb 2024 00:56:28 -0000 1.24
+++ lib/libexpat/Changes 4 Sep 2024 20:59:01 -0000
@@ -2,6 +2,33 @@ NOTE: We are looking for help with a few
https://github.com/libexpat/libexpat/labels/help%20wanted
If you can help, please get in touch. Thanks!
+ Security fixes:
+ #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
+ len < 0 without noticing and then calling XML_GetBuffer
+ will have XML_ParseBuffer fail to recognize the problem
+ and XML_GetBuffer corrupt memory.
+ With the fix, XML_ParseBuffer now complains with error
+ XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
+ has been doing since Expat 2.2.1, and now documented.
+ Impact is denial of service to potentially artitrary code
+ execution.
+ #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
+ integer overflow for nDefaultAtts on 32-bit platforms
+ (where UINT_MAX equals SIZE_MAX).
+ Impact is denial of service to potentially artitrary code
+ execution.
+ #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
+ have an integer overflow for m_groupSize on 32-bit
+ platforms (where UINT_MAX equals SIZE_MAX).
+ Impact is denial of service to potentially artitrary code
+ execution.
+
+ Security fixes:
+ #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
+ isolated use of external parsers. Please see the commit
+ message of commit 1d50b80cf31de87750103656f6eb693746854aa8
+ for details.
+
Release 2.6.0 Tue February 6 2024
Security fixes:
#789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
Index: lib/libexpat/lib/xmlparse.c
===================================================================
RCS file: /cvs/src/lib/libexpat/lib/xmlparse.c,v
diff -u -p -r1.37 xmlparse.c
--- lib/libexpat/lib/xmlparse.c 14 Mar 2024 17:35:37 -0000 1.37
+++ lib/libexpat/lib/xmlparse.c 4 Sep 2024 20:59:04 -0000
@@ -2030,6 +2030,12 @@ XML_ParseBuffer(XML_Parser parser, int l
if (parser == NULL)
return XML_STATUS_ERROR;
+
+ if (len < 0) {
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+ return XML_STATUS_ERROR;
+ }
+
switch (parser->m_parsingStatus.parsing) {
case XML_SUSPENDED:
parser->m_errorCode = XML_ERROR_SUSPENDED;
@@ -7008,6 +7014,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDt
if (! newE)
return 0;
if (oldE->nDefaultAtts) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((size_t)oldE->nDefaultAtts
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
+ return 0;
+ }
+#endif
newE->defaultAtts
= ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
if (! newE->defaultAtts) {
@@ -7550,6 +7566,15 @@ nextScaffoldPart(XML_Parser parser) {
int next;
if (! dtd->scaffIndex) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
+ return -1;
+ }
+#endif
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
if (! dtd->scaffIndex)
return -1;
