Version in base suite: 2.2.10-2 Version in overlay suite: 2.2.10-2+deb11u2 Base version: expat_2.2.10-2+deb11u2 Target version: expat_2.2.10-2+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/expat/expat_2.2.10-2+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/expat/expat_2.2.10-2+deb11u3.dsc changelog | 10 patches/lib-Document-namespace-separator-effect-right-in-hea.patch | 28 + patches/lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch | 170 ++++++++++ patches/lib-doc-Add-a-note-on-namespace-URI-validation.patch | 43 ++ patches/series | 4 patches/tests-Cover-relaxed-fix-to-CVE-2022-25236.patch | 38 ++ 6 files changed, 293 insertions(+)
diff -Nru expat-2.2.10/debian/changelog expat-2.2.10/debian/changelog
--- expat-2.2.10/debian/changelog 2022-02-20 16:08:18.000000000 +0000
+++ expat-2.2.10/debian/changelog 2022-03-10 20:38:43.000000000 +0000
@@ -1,3 +1,13 @@
+expat (2.2.10-2+deb11u3) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 URI characters
+ * tests: Cover relaxed fix to CVE-2022-25236
+ * lib: Document namespace separator effect right in header
+ * lib|doc: Add a note on namespace URI validation
+
+ -- Salvatore Bonaccorso Thu, 10 Mar 2022 21:38:43 +0100
+ expat (2.2.10-2+deb11u2) bullseye-security; urgency=high
+ * Non-maintainer upload by the Security Team.
diff -Nru expat-2.2.10/debian/patches/lib-Document-namespace-separator-effect-right-in-hea.patch expat-2.2.10/debian/patches/lib-Document-namespace-separator-effect-right-in-hea.patch
--- expat-2.2.10/debian/patches/lib-Document-namespace-separator-effect-right-in-hea.patch 1970-01-01 00:00:00.000000000 +0000
+++ expat-2.2.10/debian/patches/lib-Document-namespace-separator-effect-right-in-hea.patch 2022-03-10 20:38:43.000000000 +0000
@@ -0,0 +1,28 @@
+From: Sebastian Pipping
+Date: Tue, 1 Mar 2022 23:02:34 +0100
+Subject: lib: Document namespace separator effect right in header
+Origin: https://github.com/libexpat/libexpat/commit/5dd52182972a35f2251a07784eda35d3d52d3e07
+
+---
+ expat/lib/expat.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/expat.h b/expat/lib/expat.h
+index 5ab493f7e802..f66c34d62efc 100644
+--- a/expat/lib/expat.h
++++ b/expat/lib/expat.h
+@@ -239,6 +239,11 @@ XML_ParserCreate(const XML_Char *encoding);
+ and the local part will be concatenated without any separator.
+ It is a programming error to use the separator '\0' with namespace
+ triplets (see XML_SetReturnNSTriplet).
++ If a namespace separator is chosen that can be part of a URI or
++ part of an XML name, splitting an expanded name back into its
++ 1, 2 or 3 original parts on application level in the element handler
++ may end up vulnerable, so these are advised against; sane choices for
++ a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+ */
+ XMLPARSEAPI(XML_Parser)
+ XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
+--
+2.35.1
+
diff -Nru expat-2.2.10/debian/patches/lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch expat-2.2.10/debian/patches/lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch
--- expat-2.2.10/debian/patches/lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ expat-2.2.10/debian/patches/lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch 2022-03-10 20:38:43.000000000 +0000
@@ -0,0 +1,170 @@
+From: Sebastian Pipping
+Date: Sun, 27 Feb 2022 16:58:08 +0100
+Subject: lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 URI
+ characters
+Origin: https://github.com/libexpat/libexpat/commit/2ba6c76fca21397959145e18c5ef376201209020
+
+---
+ expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 131 insertions(+), 8 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 59da19c855ac..6fe2cf1e179e 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ return XML_ERROR_NONE;
+ }
+
++static XML_Bool
++is_rfc3986_uri_char(XML_Char candidate) {
++ // For the RFC 3986 ANBF grammar see
++ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
++
++ switch (candidate) {
++ // From rule "ALPHA" (uppercase half)
++ case 'A':
++ case 'B':
++ case 'C':
++ case 'D':
++ case 'E':
++ case 'F':
++ case 'G':
++ case 'H':
++ case 'I':
++ case 'J':
++ case 'K':
++ case 'L':
++ case 'M':
++ case 'N':
++ case 'O':
++ case 'P':
++ case 'Q':
++ case 'R':
++ case 'S':
++ case 'T':
++ case 'U':
++ case 'V':
++ case 'W':
++ case 'X':
++ case 'Y':
++ case 'Z':
++
++ // From rule "ALPHA" (lowercase half)
++ case 'a':
++ case 'b':
++ case 'c':
++ case 'd':
++ case 'e':
++ case 'f':
++ case 'g':
++ case 'h':
++ case 'i':
++ case 'j':
++ case 'k':
++ case 'l':
++ case 'm':
++ case 'n':
++ case 'o':
++ case 'p':
++ case 'q':
++ case 'r':
++ case 's':
++ case 't':
++ case 'u':
++ case 'v':
++ case 'w':
++ case 'x':
++ case 'y':
++ case 'z':
++
++ // From rule "DIGIT"
++ case '0':
++ case '1':
++ case '2':
++ case '3':
++ case '4':
++ case '5':
++ case '6':
++ case '7':
++ case '8':
++ case '9':
++
++ // From rule "pct-encoded"
++ case '%':
++
++ // From rule "unreserved"
++ case '-':
++ case '.':
++ case '_':
++ case '~':
++
++ // From rule "gen-delims"
++ case ':':
++ case '/':
++ case '?':
++ case '#':
++ case '[':
++ case ']':
++ case '@':
++
++ // From rule "sub-delims"
++ case '!':
++ case '$':
++ case '&':
++ case '\'':
++ case '(':
++ case ')':
++ case '*':
++ case '+':
++ case ',':
++ case ';':
++ case '=':
++ return XML_TRUE;
++
++ default:
++ return XML_FALSE;
++ }
++}
++
+ /* addBinding() overwrites the value of prefix->binding without checking.
+ Therefore one must keep track of the old value outside of addBinding().
+ */
+@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
+
+- // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+- // we have to at least make sure that the XML processor on top of
+- // Expat (that is splitting tag names by namespace separator into
+- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+- // by an attacker putting additional namespace separator characters
+- // into namespace declarations. That would be ambiguous and not to
+- // be expected.
+- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986
++ // today (and is not REQUIRED to do so with regard to the XML 1.0
++ // namespaces specification) we have to at least make sure, that
++ // the application on top of Expat (that is likely splitting expanded
++ // element names ("qualified names") of form
++ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
++ // in its element handler code) cannot be confused by an attacker
++ // putting additional namespace separator characters into namespace
++ // declarations. That would be ambiguous and not to be expected.
++ //
++ // While the HTML API docs of function XML_ParserCreateNS have been
++ // advising against use of a namespace separator character that can
++ // appear in a URI for >20 years now, some widespread applications
++ // are using URI characters (':' (colon) in particular) for a
++ // namespace separator, in practice. To keep these applications
++ // functional, we only reject namespaces URIs containing the
++ // application-chosen namespace separator if the chosen separator
++ // is a non-URI character with regard to RFC 3986.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
++ && ! is_rfc3986_uri_char(uri[len])) {
+ return XML_ERROR_SYNTAX;
+ }
+ }
+--
+2.35.1
+
diff -Nru expat-2.2.10/debian/patches/lib-doc-Add-a-note-on-namespace-URI-validation.patch expat-2.2.10/debian/patches/lib-doc-Add-a-note-on-namespace-URI-validation.patch
--- expat-2.2.10/debian/patches/lib-doc-Add-a-note-on-namespace-URI-validation.patch 1970-01-01 00:00:00.000000000 +0000
+++ expat-2.2.10/debian/patches/lib-doc-Add-a-note-on-namespace-URI-validation.patch 2022-03-10 20:38:43.000000000 +0000
@@ -0,0 +1,43 @@
+From: Sebastian Pipping
+Date: Tue, 1 Mar 2022 23:04:52 +0100
+Subject: lib|doc: Add a note on namespace URI validation
+Origin: https://github.com/libexpat/libexpat/commit/c57bea96b73eee1c6d5e288f0f57efbf5238e49a
+
+[Salvatore Bonaccorso: Backport to 2.2.10 for context changes]
+---
+ expat/doc/reference.html | 8 ++++++++
+ expat/lib/expat.h | 6 ++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/expat/doc/reference.html
++++ b/expat/doc/reference.html
+@@ -936,6 +936,14 @@ the local part will be concatenated with
+ to support RDF processors. It is a programming error to use the null separator
+ with namespace triplets.
+
++
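Review bot: The relaxed condition at the end of the addBinding hunk, `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator) && ! is_rfc3986_uri_char(uri[len]))`, only ever evaluates the predicate on a character that equals the separator, so whether the check can fire is a per-parser constant rather than a property of the input: a parser created with ':' (or any other RFC 3986 character) as separator accepts namespace URIs containing the separator again, and the CVE-2022-25236 ambiguity is then entirely the application's problem. The new comment explains the compatibility motive but not that consequence; I would state it right at the check, e.g. `// For a URI-character separator (':' included) this check is a no-op: the application must then split expanded names itself without trusting the first occurrence of the separator.` Because the outcome depends only on m_namespaceSeparator, computing it once at parser creation (an XML_Bool stored next to m_namespaceSeparator) would make that invariant explicit instead of leaving it implicit in a per-character loop; the cost is irrelevant either way since the call happens only on a match. The enclosing block of addBinding (the brace closed after the check looks like a loop over uri) starts before this hunk and the function continues past it.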

Note:
++Expat does not validate namespace URIs (beyond encoding)
++against RFC 3986 today (and is not required to do so with regard to
++the XML 1.0 namespaces specification) but it may start doing that
++in future releases. Before that, an application using Expat must
++be ready to receive namespace URIs containing non-URI characters.
++

++ +
+ XML_Parser XMLCALL
+ XML_ParserCreate_MM(const XML_Char *encoding,
+--- a/expat/lib/expat.h
++++ b/expat/lib/expat.h
+@@ -231,6 +231,12 @@ XML_ParserCreate(const XML_Char *encodin
+    1, 2 or 3 original parts on application level in the element handler
+    may end up vulnerable, so these are advised against;  sane choices for
+    a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
++
++   Note that Expat does not validate namespace URIs (beyond encoding)
++   against RFC 3986 today (and is not required to do so with regard to
++   the XML 1.0 namespaces specification) but it may start doing that
++   in future releases.  Before that, an application using Expat must
++   be ready to receive namespace URIs containing non-URI characters.
+ */
+ XMLPARSEAPI(XML_Parser)
+ XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
diff -Nru expat-2.2.10/debian/patches/series expat-2.2.10/debian/patches/series
--- expat-2.2.10/debian/patches/series	2022-02-20 16:08:18.000000000 +0000
+++ expat-2.2.10/debian/patches/series	2022-03-10 20:38:43.000000000 +0000
@@ -16,3 +16,7 @@
 tests-Cover-missing-validation-of-encoding-CVE-2022-.patch
 Fix-build_model-regression.patch
 tests-Protect-against-nested-element-declaration-mod.patch
+lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch
+tests-Cover-relaxed-fix-to-CVE-2022-25236.patch
+lib-Document-namespace-separator-effect-right-in-hea.patch
+lib-doc-Add-a-note-on-namespace-URI-validation.patch
diff -Nru expat-2.2.10/debian/patches/tests-Cover-relaxed-fix-to-CVE-2022-25236.patch expat-2.2.10/debian/patches/tests-Cover-relaxed-fix-to-CVE-2022-25236.patch
--- expat-2.2.10/debian/patches/tests-Cover-relaxed-fix-to-CVE-2022-25236.patch	1970-01-01 00:00:00.000000000 +0000
+++ expat-2.2.10/debian/patches/tests-Cover-relaxed-fix-to-CVE-2022-25236.patch	2022-03-10 20:38:43.000000000 +0000
@@ -0,0 +1,38 @@
+From: Sebastian Pipping 
+Date: Thu, 3 Mar 2022 17:29:54 +0100
+Subject: tests: Cover relaxed fix to CVE-2022-25236
+Origin: https://github.com/libexpat/libexpat/commit/e0f852db1e3b1e6d34922c68a653c3cc4b85361c
+
+---
+ expat/tests/runtests.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 60da868eb8bb..712706c4ea21 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -7406,16 +7406,18 @@ START_TEST(test_ns_separator_in_uri) {
+   struct test_case {
+     enum XML_Status expectedStatus;
+     const char *doc;
++    XML_Char namesep;
+   };
+   struct test_case cases[] = {
+-      {XML_STATUS_OK, ""},
+-      {XML_STATUS_ERROR, ""},
++      {XML_STATUS_OK, "", XCS('\n')},
++      {XML_STATUS_ERROR, "", XCS('\n')},
++      {XML_STATUS_OK, "", XCS(':')},
+   };
+ 
+   size_t i = 0;
+   size_t failCount = 0;
+   for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
+-    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++    XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
+     XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
+     if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
+                   /*isFinal*/ XML_TRUE)
+-- 
+2.35.1
+
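Review bot: The three cases in test_ns_separator_in_uri pin only '\n' and ':' as separators, so the boundary of the new is_rfc3986_uri_char whitelist is not exercised with any other character: a non-URI separator such as '|' (the one the header documentation in this upload recommends) inside a namespace URI should still give XML_STATUS_ERROR, and a gen-delim such as '/' used as separator with a URI that contains '/' should give XML_STATUS_OK. Two more rows of the form `{XML_STATUS_ERROR, <doc whose xmlns URI contains '|'>, XCS('|')}` and `{XML_STATUS_OK, <doc whose xmlns URI contains '/'>, XCS('/')}` would cover that; the doc literals appear empty in this rendering (the XML was presumably stripped), so I cannot quote them exactly. The loop body continues past the end of the hunk (failCount is declared but its use is not shown here).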