import expat-2.2.5-11.el8_9.1

1a8b8d0b · Rocky Automation · 9d480573 · 1a8b8d0b · 1a8b8d0b · 1a8b8d0b
Commit 1a8b8d0b authored 1 year ago by Rocky Automation
--- a/.expat.checksum
+++ b/.expat.checksum
+662aaa0e5e169e24f6b27e7bd79c608d8f663f104aad8fc00dc9e19573789b30
--- a/.expat.metadata
+++ b/.expat.metadata
-fa46ccce6770ccae767c28f6ac55e2428089d4a0 SOURCES/expat-2.2.5.tar.gz
+b3781742738611eaa737543ee94264dd511c52a3ba7e53111f7d705f6bff65a8 SOURCES/expat-2.2.5.tar.gz
--- a/SOURCES/expat-2.2.5-CVE-2023-52425.patch
+++ b/SOURCES/expat-2.2.5-CVE-2023-52425.patch
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 11%{?dist}
+Release: 11%{?dist}.1
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -22,6 +22,7 @@ Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch
 Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch
 Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
 Patch13: expat-2.2.5-CVE-2022-43680.patch
+Patch14: expat-2.2.5-CVE-2023-52425.patch

 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -63,6 +64,9 @@ Install it if you need to link statically with expat.
 %patch11 -p1 -b .CVE-2022-25313
 %patch12 -p1 -b .CVE-2022-40674
 %patch13 -p1 -b .CVE-2022-43680
+pushd ..
+%patch14 -p1 -b .CVE-2023-52425
+popd

 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
@@ -79,6 +83,15 @@ make install DESTDIR=$RPM_BUILD_ROOT
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la

 %check
+bash -c "for i in {1..500000}; do printf AAAAAAAAAAAAAAAAAAAA >> achars.txt; done"
+for testfile in ../testdata/largefiles/aaaaaa_*; do
+        first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
+        second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
+        printf "$first_part" > "$testfile"
+        cat achars.txt >> "$testfile"
+        printf "$second_part" >> "$testfile"
+done
+
 make check

 %ldconfig_scriptlets
@@ -101,6 +114,10 @@ make check
 %{_libdir}/lib*.a

 %changelog
+* Mon Mar 25 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11.1
+- CVE-2023-52425 expat: parsing large tokens can trigger a denial of service
+- Resolves: RHEL-29320
+
 * Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
 - CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
 - Resolves: CVE-2022-43680