import expat-2.5.0-3.el9_5.1

.expat.checksum

-7b4b7b4343d2c4c16deea0ef703c8c9bdfd68898c9ef2dce31352ec830e2a43d
+8b3c398f73e7cfb93de1c34252c19ebd0efe4232e9b921bd01f11442b5dec8d5

SOURCES/expat-2.5.0-CVE-2024-50602.patch

+commit 38905b99bb78a6a691ed8358f30030116783656c
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Thu Nov 7 15:00:46 2024 +0100
+
+    Fix CVE-2024-50602
+    
+    See https://github.com/libexpat/libexpat/pull/915
+
+diff --git a/expat/lib/expat.h b/expat/lib/expat.h
+index 842dd70..69b0ba1 100644
+--- a/expat/lib/expat.h
++++ b/expat/lib/expat.h
+@@ -128,7 +128,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++  /* Added in 2.6.4. */
++  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index e0c2873..8b2af91 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2193,6 +2193,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
++  case XML_INITIALIZED:
++    parser->m_errorCode = XML_ERROR_NOT_STARTED;
++    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2203,7 +2206,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
++  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2214,6 +2217,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
++    break;
++  default:
++    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+@@ -2478,6 +2484,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
++  /* Added in 2.6.4. */
++  case XML_ERROR_NOT_STARTED:
++    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index ed88f9f..5769aa0 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -8711,6 +8711,28 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
+ }
+ END_TEST
+ 
++START_TEST(test_misc_resumeparser_not_crashing) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  XML_GetBuffer(parser, 1);
++  XML_StopParser(parser, /*resumable=*/XML_TRUE);
++  XML_ResumeParser(parser); // could crash here, previously
++  XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
++  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    const XML_Bool resumable = cases[i];
++    XML_Parser parser = XML_ParserCreate(NULL);
++    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
++    assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
++    assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
+ static void
+ alloc_setup(void) {
+   XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -13176,6 +13198,8 @@ make_suite(void) {
+   tcase_add_test__ifdef_xml_dtd(
+       tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+   tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
++  tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++  tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+ 
+   suite_add_tcase(s, tc_alloc);
+   tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);

SPECS/expat.spec

@@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 2%{?dist}.1
+Release: 3%{?dist}.1
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -13,12 +13,14 @@ BuildRequires: make
 Patch0: expat-2.5.0-CVE-2023-52425.patch
 # https://issues.redhat.com/browse/RHEL-28700
 Patch1: expat-2.5.0-CVE-2024-28757.patch
-# https://issues.redhat.com/browse/RHEL-56763
+# https://issues.redhat.com/browse/RHEL-56761
 Patch2: expat-2.5.0-CVE-2024-45490.patch
-# https://issues.redhat.com/browse/RHEL-57497
+# https://issues.redhat.com/browse/RHEL-57520
 Patch3: expat-2.5.0-CVE-2024-45491.patch
-# https://issues.redhat.com/browse/RHEL-57510
+# https://issues.redhat.com/browse/RHEL-57511
 Patch4: expat-2.5.0-CVE-2024-45492.patch
+# https://issues.redhat.com/browse/RHEL-65064
+Patch5: expat-2.5.0-CVE-2024-50602.patch
 
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -52,6 +54,7 @@ pushd ..
 %patch2 -p1 -b .CVE-2024-45490
 %patch3 -p1 -b .CVE-2024-45491
 %patch4 -p1 -b .CVE-2024-45492
+%patch5 -p1 -b .CVE-2024-50602
 popd
 
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@@ -100,14 +103,15 @@ make check
 %{_libdir}/lib*.a
 
 %changelog
-* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2.1
-- Fix multiple CVEs
-- Fix CVE-2024-45492 integer overflow
-- Fix CVE-2024-45491 Integer Overflow or Wraparound
-- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
-- Resolves: RHEL-57510
-- Resolves: RHEL-57497
-- Resolves: RHEL-56763
+* Thu Nov 07 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-3.1
+- Fix CVE-2024-50602
+- Resolves: RHEL-65064
+
+* Wed Oct 09 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-3
+- Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+- Resolves: RHEL-56761
+- Resolves: RHEL-57520
+- Resolves: RHEL-57511
 
 * Tue Feb 13 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2
 - Fix parsing of large tokens