From 4171dc5c5c659c3e8c3f71a4ef84e9b15d5d2889 Mon Sep 17 00:00:00 2001
From: lvfei
Date: Mon, 1 Jul 2024 09:16:08 +0800
Subject: [PATCH] CVE-2022-25236
---
expat-CVE-2022-25236.patch | 40 ++++++++++++++++++++++++++++++++++++++
mozjs78.spec | 6 +++++-
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 expat-CVE-2022-25236.patch
diff --git a/expat-CVE-2022-25236.patch b/expat-CVE-2022-25236.patch
new file mode 100644
index 0000000..2065dc9
--- /dev/null
+++ b/expat-CVE-2022-25236.patch
@@ -0,0 +1,40 @@
+diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 firefox-91.7.0/parser/expat/lib/xmlparse.c
+--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100
++++ firefox-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100
+@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
+ {
+- XML_Char tmp[2];
+- *tmp = nsSep;
++ XML_Char tmp[2] = {nsSep, 0};
+ return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ #endif
+@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+ would be otherwise.
+ */
+ if (ns) {
+- XML_Char tmp[2];
+- *tmp = namespaceSeparator;
++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+ parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+ }
+ else {
+@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
+ if (!mustBeXML && isXMLNS
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+ }
+ isXML = isXML && len == xmlLen;
+ isXMLNS = isXMLNS && len == xmlnsLen;
diff --git a/mozjs78.spec b/mozjs78.spec
index 0c1d5b9..1f6881e 100644
--- a/mozjs78.spec
+++ b/mozjs78.spec
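Review bot: The new guard `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator))` in the addBinding hunk is preceded by a comment that justifies the separator comparison but says nothing about the `parser->m_ns &&` half, so that condition reads as redundant to the next maintainer; as I recall, upstream expat's version of this comment carries an extra paragraph explaining that a NUL separator is accepted in practice via XML_ParserCreateNS, which is why m_ns is checked, and that paragraph is worth keeping in the backport. The loop that supplies `len` and `uri[len]`, and addBinding's signature, lie outside the hunk; the trailing `+ }` suggests the check runs per character of the URI inside that loop, so the early `return XML_ERROR_SYNTAX` rejects the declaration as intended rather than reading past the terminator. Note also that the nested patch targets firefox-91.7.0 while this package is mozjs 78.4.0, so the hunk offsets (-700, -1276, -3667) may only apply with fuzz against the 78 tree; the build log should be checked for fuzz or rejects rather than assuming a clean apply.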
@@ -2,7 +2,7 @@ Name: mozjs%{major} Version: 78.4.0 -Release: 9 +Release: 10 Summary: SpiderMonkey JavaScript library License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0 URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey @@ -32,6 +32,7 @@ Patch16: CVE-2023-29532.patch Patch17: CVE-2022-22740.patch Patch18: CVE-2021-45960.patch Patch19: expat-CVE-2022-25235.patch +Patch20: expat-CVE-2022-25236.patch BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib) BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust @@ -111,6 +112,9 @@ popd %doc js/src/README.html %changelog +* Mon Jul 01 2024 lvfei - - 78.4.0-10 +- Fix CVE-2022-25236 + * Mon Jun 24 2024 lvfei - - 78.4.0-9 - Fix CVE-2022-25235 -- Gitee
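Review bot: `Patch20: expat-CVE-2022-25236.patch` is declared in the second hunk, but no matching `%patch20 -p1` application appears anywhere in this diff; if %prep applies patches with numbered %patch macros rather than `%autosetup`, the patch is listed yet never applied and the build succeeds silently without the fix. %prep is outside the visible hunks, so this only needs confirming there. The Release bump and changelog entry are otherwise consistent with the preceding Patch19 entry.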