[AUTO-CHERRYPICK] Fix expat CVE-2024-50602 fasttrack 3.0 - branch 3.0-dev (#10895)

Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/expat/CVE-2024-50602.patch

@@ -0,0 +1,156 @@
+From 22f1d9704ac38c7102e7a68272b07355cad4925a Mon Sep 17 00:00:00 2001
+From: Sindhu Karri <lakarri@microsoft.com>
+Date: Tue, 29 Oct 2024 10:17:59 +0000
+Subject: [PATCH] CVE-2024-50602
+
+---
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+
+
+From 5fb89e7b3afa1c314b34834fe729cd063f65a4d4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:46:11 +0200
+Subject: [PATCH 2/3] lib: Be explicit about XML_PARSING in XML_StopParser
+
+From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 20 Oct 2024 23:24:27 +0200
+Subject: [PATCH 3/3] tests: Cover XML_StopParser's new handling of status
+ XML_INITIALIZED
+
+Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
+would crash with a NULL pointer dereference in function normal_updatePosition.
+This was the AddressSanitizer output:
+
+> AddressSanitizer:DEADLYSIGNAL
+> =================================================================
+> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
+> ==19700==The signal is caused by a READ memory access.
+> ==19700==Hint: address points to the zero page.
+>     #0 0x5623e07ad85f in normal_updatePosition [..]/lib/xmltok_impl.c:1781:13
+>     #1 0x5623e07a52ff in initUpdatePosition [..]/lib/xmltok.c:1031:3
+>     #2 0x5623e0762760 in XML_ResumeParser [..]/lib/xmlparse.c:2297:3
+>     #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
+>     #4 0x5623e074e228 in srunner_run_all ([..]/build_asan_fuzzers/tests/runtests_cxx+0x136228)
+>     #5 0x5623e0753d2d in main ([..]/build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
+>     #6 0x7f802a39af79  (/lib64/libc.so.6+0x25f79)
+>     #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
+>     #8 0x5623e064f340 in _start ([..]/build_asan_fuzzers/tests/runtests_cxx+0x37340)
+>
+> AddressSanitizer can not provide additional info.
+> SUMMARY: AddressSanitizer: SEGV [..]/lib/xmltok_impl.c:1781:13 in normal_updatePosition
+> ==19700==ABORTING
+
+And this the UndefinedBehaviorSanitizer output:
+
+> [..]/lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'                                           > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior [..]/lib/xmltok_impl.c:1781:13 in
+---
+ lib/expat.h        |  4 +++-
+ lib/xmlparse.c     | 11 ++++++++++-
+ tests/misc_tests.c | 24 ++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index d0d6015..3ba6130 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -130,7 +130,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++  /* Added in 2.6.4. */
++  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d9285b2..983f6df 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2234,6 +2234,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
++  case XML_INITIALIZED:
++    parser->m_errorCode = XML_ERROR_NOT_STARTED;
++    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2244,7 +2247,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
++  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2255,6 +2258,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
++    break;
++  default:
++    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+@@ -2519,6 +2525,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
++  /* Added in 2.6.4. */
++  case XML_ERROR_NOT_STARTED:
++    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 2ee9320..1766e41 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -496,6 +496,28 @@ START_TEST(test_misc_char_handler_stop_without_leak) {
+ }
+ END_TEST
+ 
++START_TEST(test_misc_resumeparser_not_crashing) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  XML_GetBuffer(parser, 1);
++  XML_StopParser(parser, /*resumable=*/XML_TRUE);
++  XML_ResumeParser(parser); // could crash here, previously
++  XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
++  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    const XML_Bool resumable = cases[i];
++    XML_Parser parser = XML_ParserCreate(NULL);
++    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
++    assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
++    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
+ void
+ make_miscellaneous_test_case(Suite *s) {
+   TCase *tc_misc = tcase_create("miscellaneous tests");
+@@ -520,4 +542,6 @@ make_miscellaneous_test_case(Suite *s) {
+                  test_misc_create_external_entity_parser_with_null_context);
+   tcase_add_test(tc_misc, test_misc_general_entities_support);
+   tcase_add_test(tc_misc, test_misc_char_handler_stop_without_leak);
++  tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++  tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+ }
+-- 
+2.33.8

SPECS/expat/expat.spec

@@ -2,13 +2,14 @@
 Summary:        An XML parser library
 Name:           expat
 Version:        2.6.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/GeneralLibraries
 URL:            https://libexpat.github.io/
 Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{underscore_version}/%{name}-%{version}.tar.bz2
+Patch0:         CVE-2024-50602.patch
 Requires:       %{name}-libs = %{version}-%{release}
 
 %description
@@ -29,7 +30,7 @@ Group:          System Environment/Libraries
 This package contains minimal set of shared expat libraries.
 
 %prep
-%autosetup -p2
+%autosetup -p1
 
 %build
 %configure \
@@ -66,6 +67,9 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %{_libdir}/libexpat.so.1*
 
 %changelog
+* Wed Oct 30 2024 Sindhu Karri <lakarri@microsoft.com> - 2.6.3-2
+- Fix CVE-2024-50602 with a patch
+
 * Tue Sep 04 2024 Gary Swalling <gaswal@microsoft.com> - 2.6.3-1
 - Upgrade to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm
-expat-2.6.3-1.azl3.aarch64.rpm
-expat-devel-2.6.3-1.azl3.aarch64.rpm
-expat-libs-2.6.3-1.azl3.aarch64.rpm
+expat-2.6.3-2.azl3.aarch64.rpm
+expat-devel-2.6.3-2.azl3.aarch64.rpm
+expat-libs-2.6.3-2.azl3.aarch64.rpm
 libpipeline-1.5.7-1.azl3.aarch64.rpm
 libpipeline-devel-1.5.7-1.azl3.aarch64.rpm
 gdbm-1.23-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm
-expat-2.6.3-1.azl3.x86_64.rpm
-expat-devel-2.6.3-1.azl3.x86_64.rpm
-expat-libs-2.6.3-1.azl3.x86_64.rpm
+expat-2.6.3-2.azl3.x86_64.rpm
+expat-devel-2.6.3-2.azl3.x86_64.rpm
+expat-libs-2.6.3-2.azl3.x86_64.rpm
 libpipeline-1.5.7-1.azl3.x86_64.rpm
 libpipeline-devel-1.5.7-1.azl3.x86_64.rpm
 gdbm-1.23-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -92,10 +92,10 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm
-expat-2.6.3-1.azl3.aarch64.rpm
-expat-debuginfo-2.6.3-1.azl3.aarch64.rpm
-expat-devel-2.6.3-1.azl3.aarch64.rpm
-expat-libs-2.6.3-1.azl3.aarch64.rpm
+expat-2.6.3-2.azl3.aarch64.rpm
+expat-debuginfo-2.6.3-2.azl3.aarch64.rpm
+expat-devel-2.6.3-2.azl3.aarch64.rpm
+expat-libs-2.6.3-2.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-debuginfo-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -95,10 +95,10 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm
-expat-2.6.3-1.azl3.x86_64.rpm
-expat-debuginfo-2.6.3-1.azl3.x86_64.rpm
-expat-devel-2.6.3-1.azl3.x86_64.rpm
-expat-libs-2.6.3-1.azl3.x86_64.rpm
+expat-2.6.3-2.azl3.x86_64.rpm
+expat-debuginfo-2.6.3-2.azl3.x86_64.rpm
+expat-devel-2.6.3-2.azl3.x86_64.rpm
+expat-libs-2.6.3-2.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-debuginfo-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm