/[packages]/updates/8/expat/current/SOURCES/CVE-2022-25236-6.patch


Revision 1790357 - (hide annotations) (download)
Fri Mar 11 09:19:06 2022 UTC (2 years, 1 month ago) by ns80
File size: 4435 byte(s)
- add patches from Ubuntu to fix regressions introduced by security fixes (mga#30145)

1 ns80 1790357 From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
2     From: Sebastian Pipping <sebastian@pipping.org>
3     Date: Sun, 27 Feb 2022 16:58:08 +0100
4     Subject: [PATCH] lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 URI
5     characters
6    
7     ---
8     expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++---
9     1 file changed, 131 insertions(+), 8 deletions(-)
10    
11     --- a/lib/xmlparse.c
12     +++ b/lib/xmlparse.c
13     @@ -3512,6 +3512,117 @@ storeAtts(XML_Parser parser, const ENCOD
14     return XML_ERROR_NONE;
15     }
16    
17     +static XML_Bool
18     +is_rfc3986_uri_char(XML_Char candidate) {
19     + // For the RFC 3986 ANBF grammar see
20     + // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
21     +
22     + switch (candidate) {
23     + // From rule "ALPHA" (uppercase half)
24     + case 'A':
25     + case 'B':
26     + case 'C':
27     + case 'D':
28     + case 'E':
29     + case 'F':
30     + case 'G':
31     + case 'H':
32     + case 'I':
33     + case 'J':
34     + case 'K':
35     + case 'L':
36     + case 'M':
37     + case 'N':
38     + case 'O':
39     + case 'P':
40     + case 'Q':
41     + case 'R':
42     + case 'S':
43     + case 'T':
44     + case 'U':
45     + case 'V':
46     + case 'W':
47     + case 'X':
48     + case 'Y':
49     + case 'Z':
50     +
51     + // From rule "ALPHA" (lowercase half)
52     + case 'a':
53     + case 'b':
54     + case 'c':
55     + case 'd':
56     + case 'e':
57     + case 'f':
58     + case 'g':
59     + case 'h':
60     + case 'i':
61     + case 'j':
62     + case 'k':
63     + case 'l':
64     + case 'm':
65     + case 'n':
66     + case 'o':
67     + case 'p':
68     + case 'q':
69     + case 'r':
70     + case 's':
71     + case 't':
72     + case 'u':
73     + case 'v':
74     + case 'w':
75     + case 'x':
76     + case 'y':
77     + case 'z':
78     +
79     + // From rule "DIGIT"
80     + case '0':
81     + case '1':
82     + case '2':
83     + case '3':
84     + case '4':
85     + case '5':
86     + case '6':
87     + case '7':
88     + case '8':
89     + case '9':
90     +
91     + // From rule "pct-encoded"
92     + case '%':
93     +
94     + // From rule "unreserved"
95     + case '-':
96     + case '.':
97     + case '_':
98     + case '~':
99     +
100     + // From rule "gen-delims"
101     + case ':':
102     + case '/':
103     + case '?':
104     + case '#':
105     + case '[':
106     + case ']':
107     + case '@':
108     +
109     + // From rule "sub-delims"
110     + case '!':
111     + case '$':
112     + case '&':
113     + case '\'':
114     + case '(':
115     + case ')':
116     + case '*':
117     + case '+':
118     + case ',':
119     + case ';':
120     + case '=':
121     + return XML_TRUE;
122     +
123     + default:
124     + return XML_FALSE;
125     + }
126     +}
127     +
128     /* addBinding() overwrites the value of prefix->binding without checking.
129     Therefore one must keep track of the old value outside of addBinding().
130     */
131     @@ -3568,14 +3679,26 @@ addBinding(XML_Parser parser, PREFIX *pr
132     && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
133     isXMLNS = XML_FALSE;
134    
135     - // NOTE: While Expat does not validate namespace URIs against RFC 3986,
136     - // we have to at least make sure that the XML processor on top of
137     - // Expat (that is splitting tag names by namespace separator into
138     - // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
139     - // by an attacker putting additional namespace separator characters
140     - // into namespace declarations. That would be ambiguous and not to
141     - // be expected.
142     - if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
143     + // NOTE: While Expat does not validate namespace URIs against RFC 3986
144     + // today (and is not REQUIRED to do so with regard to the XML 1.0
145     + // namespaces specification) we have to at least make sure, that
146     + // the application on top of Expat (that is likely splitting expanded
147     + // element names ("qualified names") of form
148     + // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
149     + // in its element handler code) cannot be confused by an attacker
150     + // putting additional namespace separator characters into namespace
151     + // declarations. That would be ambiguous and not to be expected.
152     + //
153     + // While the HTML API docs of function XML_ParserCreateNS have been
154     + // advising against use of a namespace separator character that can
155     + // appear in a URI for >20 years now, some widespread applications
156     + // are using URI characters (':' (colon) in particular) for a
157     + // namespace separator, in practice. To keep these applications
158     + // functional, we only reject namespaces URIs containing the
159     + // application-chosen namespace separator if the chosen separator
160     + // is a non-URI character with regard to RFC 3986.
161     + if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
162     + && ! is_rfc3986_uri_char(uri[len])) {
163     return XML_ERROR_SYNTAX;
164     }
165     }
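Review bot: The relaxed condition means that for an application whose separator is itself a URI character (the ':' case the comment names) the CVE-2022-25236 ambiguity check is now entirely disabled, and nothing in the hunk records that residual risk where callers will see it. Since the rejection now depends only on the chosen separator and not on the URI being scanned, the policy is clearer stated once before the scan, e.g. `const XML_Bool sepIsUriChar = is_rfc3986_uri_char(parser->m_namespaceSeparator);` and then `if (parser->m_ns && ! sepIsUriChar && uri[len] == parser->m_namespaceSeparator)`, which also avoids re-evaluating the 80-case switch per character; the loop that drives `uri[len]` starts before this hunk, so that declaration would go outside it. I would also add one line to the comment block making the consequence explicit: `// Applications using a URI character as separator get NO protection here and must split expanded names defensively (e.g. from the right).` addBinding() begins and ends outside this hunk.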
