Added expat backports of CVE-2022-25235, CVE-2022-25236 and CVE-2022-25315

(cherry picked from commit e3979a9bd41af9be3af97ad1dc3e5a665a2a622b)
2022-03-17 10:46:13 +08:00 · 2022-03-17 10:46:13 +08:00 · c54aad2e7b
commit c54aad2e7b
parent f9fdc9dc13
4 changed files with 126 additions and 1 deletions
--- a/expat-CVE-2022-25235.patch
+++ b/expat-CVE-2022-25235.patch
@ -0,0 +1,49 @@
+diff -up firefox-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 firefox-91.7.0/parser/expat/lib/xmltok.c
+--- firefox-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235	2022-03-02 17:57:38.364361168 +0100
+++ firefox-91.7.0/parser/expat/lib/xmltok.c	2022-03-02 17:58:22.235512399 +0100
+@@ -65,13 +65,6 @@
+                       + ((((byte)[2]) >> 5) & 1)] \
+          & (1u << (((byte)[2]) & 0x1F)))
+ 
+-#define UTF8_GET_NAMING(pages, p, n) \
+-  ((n) == 2 \
+-  ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
+-  : ((n) == 3 \
+-     ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
+-     : 0))
+-
+ /* Detection of invalid UTF-8 sequences is based on Table 3.1B
+    of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
+    with the additional restriction of not allowing the Unicode
+diff -up firefox-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 firefox-91.7.0/parser/expat/lib/xmltok_impl.c
+--- firefox-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235	2022-03-02 17:57:38.365361172 +0100
+++ firefox-91.7.0/parser/expat/lib/xmltok_impl.c	2022-03-02 18:04:51.240853247 +0100
+@@ -34,7 +34,7 @@
+    case BT_LEAD ## n: \
+      if (end - ptr < n) \
+        return XML_TOK_PARTIAL_CHAR; \
+-     if (!IS_NAME_CHAR(enc, ptr, n)) { \
+     if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
+        *nextTokPtr = ptr; \
+        return XML_TOK_INVALID; \
+      } \
+@@ -62,7 +62,7 @@
+    case BT_LEAD ## n: \
+      if (end - ptr < n) \
+        return XML_TOK_PARTIAL_CHAR; \
+-     if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
+     if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
+        *nextTokPtr = ptr; \
+        return XML_TOK_INVALID; \
+      } \
+@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c
+   case BT_LEAD ## n: \
+     if (end - ptr < n) \
+       return XML_TOK_PARTIAL_CHAR; \
+    if (IS_INVALID_CHAR(enc, ptr, n)) {                                        \
+      *nextTokPtr = ptr;                                                       \
+      return XML_TOK_INVALID;                                                  \
+    }                                                                          \
+     if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+       ptr += n; \
+       tok = XML_TOK_NAME; \
--- a/expat-CVE-2022-25236.patch
+++ b/expat-CVE-2022-25236.patch
@ -0,0 +1,40 @@
+diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 firefox-91.7.0/parser/expat/lib/xmlparse.c
+--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236	2022-03-02 18:08:40.085642028 +0100
+++ firefox-91.7.0/parser/expat/lib/xmlparse.c	2022-03-02 18:13:31.838667958 +0100
+@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
+ {
+-  XML_Char tmp[2];
+-  *tmp = nsSep;
+  XML_Char tmp[2] = {nsSep, 0};
+   return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ #endif
+@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+      would be otherwise.
+   */
+   if (ns) {
+-    XML_Char tmp[2];
+-    *tmp = namespaceSeparator;
+    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+   }
+   else {
+@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
+     if (!mustBeXML && isXMLNS
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+    //       we have to at least make sure that the XML processor on top of
+    //       Expat (that is splitting tag names by namespace separator into
+    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+    //       by an attacker putting additional namespace separator characters
+    //       into namespace declarations.  That would be ambiguous and not to
+    //       be expected.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+      return XML_ERROR_SYNTAX;
+    }
+   }
+   isXML = isXML && len == xmlLen;
+   isXMLNS = isXMLNS && len == xmlnsLen;
--- a/expat-CVE-2022-25315.patch
+++ b/expat-CVE-2022-25315.patch
@ -0,0 +1,24 @@
+diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 firefox-91.7.0/parser/expat/lib/xmlparse.c
+--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315	2022-03-02 18:17:50.966583254 +0100
+++ firefox-91.7.0/parser/expat/lib/xmlparse.c	2022-03-02 18:19:27.636924735 +0100
+@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser)
+   while (tag) {
+     int bufSize;
+     int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
+    size_t rawNameLen;
+     char *rawNameBuf = tag->buf + nameLen;
+     /* Stop if already stored.  Since tagStack is a stack, we can stop
+        at the first entry that has already been copied; everything
+@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser)
+     /* For re-use purposes we need to ensure that the
+        size of tag->buf is a multiple of sizeof(XML_Char).
+     */
+-    bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
+    rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
+    /* Detect and prevent integer overflow. */
+    if (rawNameLen > (size_t)INT_MAX - nameLen)
+      return XML_FALSE;
+    bufSize = nameLen + (int)rawNameLen;
+     if (bufSize > tag->bufEnd - tag->buf) {
+       char *temp = (char *)REALLOC(tag->buf, bufSize);
+       if (temp == NULL)
--- a/firefox.spec
+++ b/firefox.spec
@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             7
+Release:             8
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -184,6 +184,12 @@ Patch638:            Bug-1673202-Call-fstat-directly-in-Linux-sandbox-fstatat-in
 Patch639:            Bug-1673770-Extend-the-handling-of-fstatat-as-fstat-to-sandboxes-that-dont-use-a-file-broker.patch
 Patch640:            Bug-1680166-Return-EFAULT-when-given-a-null-path-to-stat-calls-in-the-sandbox-filter.patch
 Patch641:            Bug-1680166-GCC-is-smarter-than-clang-so-ignore-the-warning-properly.patch
+# https://github.com/libexpat/libexpat/pull/562
+Patch642:            expat-CVE-2022-25235.patch
+# https://github.com/libexpat/libexpat/pull/561
+Patch643:            expat-CVE-2022-25236.patch
+# https://github.com/libexpat/libexpat/pull/559
+Patch644:            expat-CVE-2022-25315.patch
 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
 BuildRequires:       nss-static >= %{nss_version}
@ -359,6 +365,9 @@ tar -xf %{SOURCE3}
 %patch639 -p1
 %patch640 -p1
 %patch641 -p1
+%patch642 -p1
+%patch643 -p1
+%patch644 -p1
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
 echo "ac_add_options --enable-default-toolkit=cairo-gtk3-wayland" >> .mozconfig
@ -806,6 +815,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif

 %changelog
+* Thu Mar 17 2022 wangkai <wangkai385@huawei.com> - 79.0-8
+- Added expat backports of CVE-2022-25235, CVE-2022-25236 and CVE-2022-25315
+
 * Wed Jul  7 2021 lingsheng <lingsheng@huawei.com> - 79.0-7
 - Fix firefox video tab crash with rust 1.51