import UBI libxml2-2.9.7-21.el8_10.1
This commit is contained in:
		
							parent
							
								
									089ccc9be7
								
							
						
					
					
						commit
						20e38c457e
					
				
							
								
								
									
										194
									
								
								SOURCES/libxml2-2.9.13-CVE-2025-49794.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										194
									
								
								SOURCES/libxml2-2.9.13-CVE-2025-49794.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,194 @@ | |||||||
|  | From b2a28a861e9d43a23b877c3994daa28f8af69618 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||||||
|  | Date: Fri, 4 Jul 2025 14:28:26 +0200 | ||||||
|  | Subject: [PATCH] schematron: Fix memory safety issues in | ||||||
|  |  xmlSchematronReportOutput | ||||||
|  | 
 | ||||||
|  | Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) | ||||||
|  | in xmlSchematronReportOutput. | ||||||
|  | 
 | ||||||
|  | Fixes #931. | ||||||
|  | Fixes #933. | ||||||
|  | ---
 | ||||||
|  |  result/schematron/cve-2025-49794_0.err |  2 + | ||||||
|  |  result/schematron/cve-2025-49796_0.err |  2 + | ||||||
|  |  schematron.c                           | 67 ++++++++++++++------------ | ||||||
|  |  test/schematron/cve-2025-49794.sct     | 10 ++++ | ||||||
|  |  test/schematron/cve-2025-49794_0.xml   |  6 +++ | ||||||
|  |  test/schematron/cve-2025-49796.sct     |  9 ++++ | ||||||
|  |  test/schematron/cve-2025-49796_0.xml   |  3 ++ | ||||||
|  |  7 files changed, 67 insertions(+), 32 deletions(-) | ||||||
|  |  create mode 100644 result/schematron/cve-2025-49794_0.err | ||||||
|  |  create mode 100644 result/schematron/cve-2025-49796_0.err | ||||||
|  |  create mode 100644 test/schematron/cve-2025-49794.sct | ||||||
|  |  create mode 100644 test/schematron/cve-2025-49794_0.xml | ||||||
|  |  create mode 100644 test/schematron/cve-2025-49796.sct | ||||||
|  |  create mode 100644 test/schematron/cve-2025-49796_0.xml | ||||||
|  | 
 | ||||||
|  | diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000..57752310
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/result/schematron/cve-2025-49794_0.err
 | ||||||
|  | @@ -0,0 +1,2 @@
 | ||||||
|  | +./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
 | ||||||
|  | +./test/schematron/cve-2025-49794_0.xml fails to validate
 | ||||||
|  | diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000..bf875ee0
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/result/schematron/cve-2025-49796_0.err
 | ||||||
|  | @@ -0,0 +1,2 @@
 | ||||||
|  | +./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
 | ||||||
|  | +./test/schematron/cve-2025-49796_0.xml fails to validate
 | ||||||
|  | diff --git a/schematron.c b/schematron.c
 | ||||||
|  | index ddbb069b..0c7bc84a 100644
 | ||||||
|  | --- a/schematron.c
 | ||||||
|  | +++ b/schematron.c
 | ||||||
|  | @@ -1239,27 +1239,15 @@ exit:
 | ||||||
|  |   *									* | ||||||
|  |   ************************************************************************/ | ||||||
|  |   | ||||||
|  | -static xmlNodePtr
 | ||||||
|  | +static xmlXPathObjectPtr
 | ||||||
|  |  xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt, | ||||||
|  |                       xmlNodePtr cur, const xmlChar *xpath) { | ||||||
|  | -    xmlNodePtr node = NULL;
 | ||||||
|  | -    xmlXPathObjectPtr ret;
 | ||||||
|  | -
 | ||||||
|  |      if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL)) | ||||||
|  |          return(NULL); | ||||||
|  |   | ||||||
|  |      ctxt->xctxt->doc = cur->doc; | ||||||
|  |      ctxt->xctxt->node = cur; | ||||||
|  | -    ret = xmlXPathEval(xpath, ctxt->xctxt);
 | ||||||
|  | -    if (ret == NULL)
 | ||||||
|  | -        return(NULL);
 | ||||||
|  | -
 | ||||||
|  | -    if ((ret->type == XPATH_NODESET) &&
 | ||||||
|  | -        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
 | ||||||
|  | -	node = ret->nodesetval->nodeTab[0];
 | ||||||
|  | -
 | ||||||
|  | -    xmlXPathFreeObject(ret);
 | ||||||
|  | -    return(node);
 | ||||||
|  | +    return(xmlXPathEval(xpath, ctxt->xctxt));
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /** | ||||||
|  | @@ -1301,28 +1289,43 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
 | ||||||
|  |      child = test->children; | ||||||
|  |      while (child != NULL) { | ||||||
|  |          if ((child->type == XML_TEXT_NODE) || | ||||||
|  | -	    (child->type == XML_CDATA_SECTION_NODE))
 | ||||||
|  | -	    ret = xmlStrcat(ret, child->content);
 | ||||||
|  | -	else if (IS_SCHEMATRON(child, "name")) {
 | ||||||
|  | -	    xmlChar *path;
 | ||||||
|  | +            (child->type == XML_CDATA_SECTION_NODE))
 | ||||||
|  | +            ret = xmlStrcat(ret, child->content);
 | ||||||
|  | +        else if (IS_SCHEMATRON(child, "name")) {
 | ||||||
|  | +            xmlXPathObject *obj = NULL;
 | ||||||
|  | +            xmlChar *path;
 | ||||||
|  |   | ||||||
|  |  	    path = xmlGetNoNsProp(child, BAD_CAST "path"); | ||||||
|  |   | ||||||
|  |              node = cur; | ||||||
|  | -	    if (path != NULL) {
 | ||||||
|  | -	        node = xmlSchematronGetNode(ctxt, cur, path);
 | ||||||
|  | -		if (node == NULL)
 | ||||||
|  | -		    node = cur;
 | ||||||
|  | -		xmlFree(path);
 | ||||||
|  | -	    }
 | ||||||
|  | -
 | ||||||
|  | -	    if ((node->ns == NULL) || (node->ns->prefix == NULL))
 | ||||||
|  | -	        ret = xmlStrcat(ret, node->name);
 | ||||||
|  | -	    else {
 | ||||||
|  | -	        ret = xmlStrcat(ret, node->ns->prefix);
 | ||||||
|  | -	        ret = xmlStrcat(ret, BAD_CAST ":");
 | ||||||
|  | -	        ret = xmlStrcat(ret, node->name);
 | ||||||
|  | -	    }
 | ||||||
|  | +            if (path != NULL) {
 | ||||||
|  | +                obj = xmlSchematronGetNode(ctxt, cur, path);
 | ||||||
|  | +                if ((obj != NULL) &&
 | ||||||
|  | +                    (obj->type == XPATH_NODESET) &&
 | ||||||
|  | +                    (obj->nodesetval != NULL) &&
 | ||||||
|  | +                    (obj->nodesetval->nodeNr > 0))
 | ||||||
|  | +                    node = obj->nodesetval->nodeTab[0];
 | ||||||
|  | +                xmlFree(path);
 | ||||||
|  | +            }
 | ||||||
|  | +
 | ||||||
|  | +            switch (node->type) {
 | ||||||
|  | +                case XML_ELEMENT_NODE:
 | ||||||
|  | +                case XML_ATTRIBUTE_NODE:
 | ||||||
|  | +                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
 | ||||||
|  | +                        ret = xmlStrcat(ret, node->name);
 | ||||||
|  | +                    else {
 | ||||||
|  | +                        ret = xmlStrcat(ret, node->ns->prefix);
 | ||||||
|  | +                        ret = xmlStrcat(ret, BAD_CAST ":");
 | ||||||
|  | +                        ret = xmlStrcat(ret, node->name);
 | ||||||
|  | +                    }
 | ||||||
|  | +                    break;
 | ||||||
|  | +
 | ||||||
|  | +                /* TODO: handle other node types */
 | ||||||
|  | +                default:
 | ||||||
|  | +                    break;
 | ||||||
|  | +            }
 | ||||||
|  | +
 | ||||||
|  | +            xmlXPathFreeObject(obj);
 | ||||||
|  |  	} else { | ||||||
|  |  	    child = child->next; | ||||||
|  |  	    continue; | ||||||
|  | diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000..7fc9ee3d
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/test/schematron/cve-2025-49794.sct
 | ||||||
|  | @@ -0,0 +1,10 @@
 | ||||||
|  | +<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
 | ||||||
|  | +    <sch:pattern id="">
 | ||||||
|  | +        <sch:rule context="boo0">
 | ||||||
|  | +            <sch:report test="not(0)">
 | ||||||
|  | +                <sch:name path="	e|namespace::*|e"/>
 | ||||||
|  | +            </sch:report>
 | ||||||
|  | +            <sch:report test="0"></sch:report>
 | ||||||
|  | +        </sch:rule>
 | ||||||
|  | +    </sch:pattern>
 | ||||||
|  | +</sch:schema>
 | ||||||
|  | diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000..debc64ba
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/test/schematron/cve-2025-49794_0.xml
 | ||||||
|  | @@ -0,0 +1,6 @@
 | ||||||
|  | +<librar0>
 | ||||||
|  | +    <boo0 t="">
 | ||||||
|  | +        <author></author>
 | ||||||
|  | +    </boo0>
 | ||||||
|  | +    <ins></ins>
 | ||||||
|  | +</librar0>
 | ||||||
|  | diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000..e9702d75
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/test/schematron/cve-2025-49796.sct
 | ||||||
|  | @@ -0,0 +1,9 @@
 | ||||||
|  | +<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
 | ||||||
|  | +    <sch:pattern id="">
 | ||||||
|  | +        <sch:rule context="boo0">
 | ||||||
|  | +            <sch:report test="not(0)">
 | ||||||
|  | +                <sch:name path="/"/>
 | ||||||
|  | +            </sch:report>
 | ||||||
|  | +        </sch:rule>
 | ||||||
|  | +    </sch:pattern>
 | ||||||
|  | +</sch:schema>
 | ||||||
|  | diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000..be33c4ec
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/test/schematron/cve-2025-49796_0.xml
 | ||||||
|  | @@ -0,0 +1,3 @@
 | ||||||
|  | +<librar0>
 | ||||||
|  | +    <boo0/>
 | ||||||
|  | +</librar0>
 | ||||||
|  | -- 
 | ||||||
|  | 2.49.0 | ||||||
|  | 
 | ||||||
							
								
								
									
										49
									
								
								SOURCES/libxml2-2.9.13-CVE-2025-6021.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										49
									
								
								SOURCES/libxml2-2.9.13-CVE-2025-6021.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,49 @@ | |||||||
|  | From 1256dce1c2c928e1436a7e8bd8b40113099383c8 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||||||
|  | Date: Tue, 27 May 2025 12:53:17 +0200 | ||||||
|  | Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName | ||||||
|  | 
 | ||||||
|  | This issue affects memory safety and might receive a CVE ID later. | ||||||
|  | 
 | ||||||
|  | Fixes #926. | ||||||
|  | ---
 | ||||||
|  |  tree.c | 9 ++++++--- | ||||||
|  |  1 file changed, 6 insertions(+), 3 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/tree.c b/tree.c
 | ||||||
|  | index 86afb7d6..3b0d0397 100644
 | ||||||
|  | --- a/tree.c
 | ||||||
|  | +++ b/tree.c
 | ||||||
|  | @@ -20,6 +20,7 @@
 | ||||||
|  |   | ||||||
|  |  #include <string.h> /* for memset() only ! */ | ||||||
|  |  #include <stddef.h> | ||||||
|  | +#include <stdint.h>
 | ||||||
|  |  #include <limits.h> | ||||||
|  |  #ifdef HAVE_CTYPE_H | ||||||
|  |  #include <ctype.h> | ||||||
|  | @@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
 | ||||||
|  |  xmlChar * | ||||||
|  |  xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, | ||||||
|  |  	      xmlChar *memory, int len) { | ||||||
|  | -    int lenn, lenp;
 | ||||||
|  | +    size_t lenn, lenp;
 | ||||||
|  |      xmlChar *ret; | ||||||
|  |   | ||||||
|  | -    if (ncname == NULL) return(NULL);
 | ||||||
|  | +    if ((ncname == NULL) || (len < 0)) return(NULL);
 | ||||||
|  |      if (prefix == NULL) return((xmlChar *) ncname); | ||||||
|  |   | ||||||
|  |      lenn = strlen((char *) ncname); | ||||||
|  |      lenp = strlen((char *) prefix); | ||||||
|  | +    if (lenn >= SIZE_MAX - lenp - 1)
 | ||||||
|  | +        return(NULL);
 | ||||||
|  |   | ||||||
|  | -    if ((memory == NULL) || (len < lenn + lenp + 2)) {
 | ||||||
|  | +    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
 | ||||||
|  |  	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); | ||||||
|  |  	if (ret == NULL) { | ||||||
|  |  	    xmlTreeErrMemory("building QName"); | ||||||
|  | -- 
 | ||||||
|  | 2.49.0 | ||||||
|  | 
 | ||||||
							
								
								
									
										56
									
								
								SOURCES/libxml2-clamp-output-bytes-overflow.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										56
									
								
								SOURCES/libxml2-clamp-output-bytes-overflow.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,56 @@ | |||||||
|  | From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||||||
|  | Date: Mon, 14 Oct 2019 16:56:59 +0200 | ||||||
|  | Subject: [PATCH] Fix integer overflow when counting written bytes | ||||||
|  | 
 | ||||||
|  | Check for integer overflow when updating the `written` member of | ||||||
|  | struct xmlOutputBuffer in xmlIO.c. | ||||||
|  | 
 | ||||||
|  | Closes #112. Resolves !54 and !55. | ||||||
|  | ---
 | ||||||
|  |  xmlIO.c | 15 ++++++++++++--- | ||||||
|  |  1 file changed, 12 insertions(+), 3 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/xmlIO.c b/xmlIO.c
 | ||||||
|  | index 2a1e2cb08..752d5e0a0 100644
 | ||||||
|  | --- a/xmlIO.c
 | ||||||
|  | +++ b/xmlIO.c
 | ||||||
|  | @@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
 | ||||||
|  |  		out->error = XML_IO_WRITE; | ||||||
|  |  		return(ret); | ||||||
|  |  	    } | ||||||
|  | -	    out->written += ret;
 | ||||||
|  | +            if (out->written > INT_MAX - ret)
 | ||||||
|  | +                out->written = INT_MAX;
 | ||||||
|  | +            else
 | ||||||
|  | +                out->written += ret;
 | ||||||
|  |  	} | ||||||
|  |  	written += nbchars; | ||||||
|  |      } while (len > 0); | ||||||
|  | @@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
 | ||||||
|  |  		out->error = XML_IO_WRITE; | ||||||
|  |  		return(ret); | ||||||
|  |  	    } | ||||||
|  | -	    out->written += ret;
 | ||||||
|  | +            if (out->written > INT_MAX - ret)
 | ||||||
|  | +                out->written = INT_MAX;
 | ||||||
|  | +            else
 | ||||||
|  | +                out->written += ret;
 | ||||||
|  |  	} else if (xmlBufAvail(out->buffer) < MINLEN) { | ||||||
|  |  	    xmlBufGrow(out->buffer, MINLEN); | ||||||
|  |  	} | ||||||
|  | @@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
 | ||||||
|  |  	out->error = XML_IO_FLUSH; | ||||||
|  |  	return(ret); | ||||||
|  |      } | ||||||
|  | -    out->written += ret;
 | ||||||
|  | +    if (out->written > INT_MAX - ret)
 | ||||||
|  | +        out->written = INT_MAX;
 | ||||||
|  | +    else
 | ||||||
|  | +        out->written += ret;
 | ||||||
|  |   | ||||||
|  |  #ifdef DEBUG_INPUT | ||||||
|  |      xmlGenericError(xmlGenericErrorContext, | ||||||
|  | -- 
 | ||||||
|  | GitLab | ||||||
|  | 
 | ||||||
| @ -7,7 +7,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           libxml2 | Name:           libxml2 | ||||||
| Version:        2.9.7 | Version:        2.9.7 | ||||||
| Release:        20%{?dist} | Release:        21%{?dist}.1 | ||||||
| Summary:        Library providing XML and HTML support | Summary:        Library providing XML and HTML support | ||||||
| 
 | 
 | ||||||
| License:        MIT | License:        MIT | ||||||
| @ -72,6 +72,13 @@ Patch27:        libxml2-2.9.13-CVE-2024-56171.patch | |||||||
| Patch28:        libxml2-2.9.13-CVE-2025-24928.patch | Patch28:        libxml2-2.9.13-CVE-2025-24928.patch | ||||||
| # https://issues.redhat.com/browse/RHEL-88198 | # https://issues.redhat.com/browse/RHEL-88198 | ||||||
| Patch29:         libxml2-2.9.13-CVE-2025-32414.patch | Patch29:         libxml2-2.9.13-CVE-2025-32414.patch | ||||||
|  | # https://issues.redhat.com/browse/RHEL-74345 | ||||||
|  | Patch30:         libxml2-clamp-output-bytes-overflow.patch | ||||||
|  | # https://issues.redhat.com/browse/RHEL-96498 | ||||||
|  | Patch31:         libxml2-2.9.13-CVE-2025-6021.patch | ||||||
|  | # https://issues.redhat.com/browse/RHEL-96398 | ||||||
|  | # https://issues.redhat.com/browse/RHEL-96424 | ||||||
|  | Patch32:        libxml2-2.9.13-CVE-2025-49794.patch | ||||||
| 
 | 
 | ||||||
| BuildRequires:  gcc | BuildRequires:  gcc | ||||||
| BuildRequires:  cmake-rpm-macros | BuildRequires:  cmake-rpm-macros | ||||||
| @ -243,6 +250,14 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz | |||||||
| %{python3_sitearch}/libxml2mod.so | %{python3_sitearch}/libxml2mod.so | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Mon Jun 16 2025 David King <dking@redhat.com> - 2.9.7-21.1 | ||||||
|  | - Fix CVE-2025-6021 (RHEL-96498) | ||||||
|  | - Fix CVE-2025-49794 (RHEL-96398) | ||||||
|  | - Fix CVE-2025-49796 (RHEL-96424) | ||||||
|  | 
 | ||||||
|  | * Fri Jun 13 2025 David King <dking@redhat.com> - 2.9.7-21 | ||||||
|  | - Fix integer overflow (RHEL-74345) | ||||||
|  | 
 | ||||||
| * Thu Jun 05 2025 David King <dking@redhat.com> - 2.9.7-20 | * Thu Jun 05 2025 David King <dking@redhat.com> - 2.9.7-20 | ||||||
| - Fix CVE-2025-32414 (RHEL-88198) | - Fix CVE-2025-32414 (RHEL-88198) | ||||||
| 
 | 
 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user