import UBI libxml2-2.9.7-21.el8_10.1

2025-07-10 05:53:13 +00:00 · 2025-07-10 05:53:13 +00:00 · 20e38c457e
commit 20e38c457e
parent 089ccc9be7
4 changed files with 315 additions and 1 deletions
--- a/SOURCES/libxml2-2.9.13-CVE-2025-49794.patch
+++ b/SOURCES/libxml2-2.9.13-CVE-2025-49794.patch
@ -0,0 +1,194 @@
 From b2a28a861e9d43a23b877c3994daa28f8af69618 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Fri, 4 Jul 2025 14:28:26 +0200
 Subject: [PATCH] schematron: Fix memory safety issues in
 xmlSchematronReportOutput
 Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
 in xmlSchematronReportOutput.
 Fixes #931.
 Fixes #933.
 ---
 result/schematron/cve-2025-49794_0.err |  2 +
 result/schematron/cve-2025-49796_0.err |  2 +
 schematron.c                           | 67 ++++++++++++++------------
 test/schematron/cve-2025-49794.sct     | 10 ++++
 test/schematron/cve-2025-49794_0.xml   |  6 +++
 test/schematron/cve-2025-49796.sct     |  9 ++++
 test/schematron/cve-2025-49796_0.xml   |  3 ++
 7 files changed, 67 insertions(+), 32 deletions(-)
 create mode 100644 result/schematron/cve-2025-49794_0.err
 create mode 100644 result/schematron/cve-2025-49796_0.err
 create mode 100644 test/schematron/cve-2025-49794.sct
 create mode 100644 test/schematron/cve-2025-49794_0.xml
 create mode 100644 test/schematron/cve-2025-49796.sct
 create mode 100644 test/schematron/cve-2025-49796_0.xml
 diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
 new file mode 100644
 index 00000000..57752310
 --- /dev/null
 +++ b/result/schematron/cve-2025-49794_0.err
@@ -0,0 +1,2 @@
 +./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
 +./test/schematron/cve-2025-49794_0.xml fails to validate
 diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
 new file mode 100644
 index 00000000..bf875ee0
 --- /dev/null
 +++ b/result/schematron/cve-2025-49796_0.err
@@ -0,0 +1,2 @@
 +./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
 +./test/schematron/cve-2025-49796_0.xml fails to validate
 diff --git a/schematron.c b/schematron.c
 index ddbb069b..0c7bc84a 100644
 --- a/schematron.c
 +++ b/schematron.c
@@ -1239,27 +1239,15 @@ exit:
  *									*
  ************************************************************************/
 -static xmlNodePtr
 +static xmlXPathObjectPtr
 xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
                      xmlNodePtr cur, const xmlChar *xpath) {
 -    xmlNodePtr node = NULL;
 -    xmlXPathObjectPtr ret;
 -
     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
         return(NULL);
     ctxt->xctxt->doc = cur->doc;
     ctxt->xctxt->node = cur;
 -    ret = xmlXPathEval(xpath, ctxt->xctxt);
 -    if (ret == NULL)
 -        return(NULL);
 -
 -    if ((ret->type == XPATH_NODESET) &&
 -        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
 -	node = ret->nodesetval->nodeTab[0];
 -
 -    xmlXPathFreeObject(ret);
 -    return(node);
 +    return(xmlXPathEval(xpath, ctxt->xctxt));
 }
 /**
@@ -1301,28 +1289,43 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
     child = test->children;
     while (child != NULL) {
         if ((child->type == XML_TEXT_NODE) ||
 -	    (child->type == XML_CDATA_SECTION_NODE))
 -	    ret = xmlStrcat(ret, child->content);
 -	else if (IS_SCHEMATRON(child, "name")) {
 -	    xmlChar *path;
 +            (child->type == XML_CDATA_SECTION_NODE))
 +            ret = xmlStrcat(ret, child->content);
 +        else if (IS_SCHEMATRON(child, "name")) {
 +            xmlXPathObject *obj = NULL;
 +            xmlChar *path;
 	    path = xmlGetNoNsProp(child, BAD_CAST "path");
             node = cur;
 -	    if (path != NULL) {
 -	        node = xmlSchematronGetNode(ctxt, cur, path);
 -		if (node == NULL)
 -		    node = cur;
 -		xmlFree(path);
 -	    }
 -
 -	    if ((node->ns == NULL) || (node->ns->prefix == NULL))
 -	        ret = xmlStrcat(ret, node->name);
 -	    else {
 -	        ret = xmlStrcat(ret, node->ns->prefix);
 -	        ret = xmlStrcat(ret, BAD_CAST ":");
 -	        ret = xmlStrcat(ret, node->name);
 -	    }
 +            if (path != NULL) {
 +                obj = xmlSchematronGetNode(ctxt, cur, path);
 +                if ((obj != NULL) &&
 +                    (obj->type == XPATH_NODESET) &&
 +                    (obj->nodesetval != NULL) &&
 +                    (obj->nodesetval->nodeNr > 0))
 +                    node = obj->nodesetval->nodeTab[0];
 +                xmlFree(path);
 +            }
 +
 +            switch (node->type) {
 +                case XML_ELEMENT_NODE:
 +                case XML_ATTRIBUTE_NODE:
 +                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
 +                        ret = xmlStrcat(ret, node->name);
 +                    else {
 +                        ret = xmlStrcat(ret, node->ns->prefix);
 +                        ret = xmlStrcat(ret, BAD_CAST ":");
 +                        ret = xmlStrcat(ret, node->name);
 +                    }
 +                    break;
 +
 +                /* TODO: handle other node types */
 +                default:
 +                    break;
 +            }
 +
 +            xmlXPathFreeObject(obj);
 	} else {
 	    child = child->next;
 	    continue;
 diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
 new file mode 100644
 index 00000000..7fc9ee3d
 --- /dev/null
 +++ b/test/schematron/cve-2025-49794.sct
@@ -0,0 +1,10 @@
 +<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
 +    <sch:pattern id="">
 +        <sch:rule context="boo0">
 +            <sch:report test="not(0)">
 +                <sch:name path="&#9;e|namespace::*|e"/>
 +            </sch:report>
 +            <sch:report test="0"></sch:report>
 +        </sch:rule>
 +    </sch:pattern>
 +</sch:schema>
 diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
 new file mode 100644
 index 00000000..debc64ba
 --- /dev/null
 +++ b/test/schematron/cve-2025-49794_0.xml
@@ -0,0 +1,6 @@
 +<librar0>
 +    <boo0 t="">
 +        <author></author>
 +    </boo0>
 +    <ins></ins>
 +</librar0>
 diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
 new file mode 100644
 index 00000000..e9702d75
 --- /dev/null
 +++ b/test/schematron/cve-2025-49796.sct
@@ -0,0 +1,9 @@
 +<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
 +    <sch:pattern id="">
 +        <sch:rule context="boo0">
 +            <sch:report test="not(0)">
 +                <sch:name path="/"/>
 +            </sch:report>
 +        </sch:rule>
 +    </sch:pattern>
 +</sch:schema>
 diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
 new file mode 100644
 index 00000000..be33c4ec
 --- /dev/null
 +++ b/test/schematron/cve-2025-49796_0.xml
@@ -0,0 +1,3 @@
 +<librar0>
 +    <boo0/>
 +</librar0>
 -- 
 2.49.0
--- a/SOURCES/libxml2-2.9.13-CVE-2025-6021.patch
+++ b/SOURCES/libxml2-2.9.13-CVE-2025-6021.patch
@ -0,0 +1,49 @@
 From 1256dce1c2c928e1436a7e8bd8b40113099383c8 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Tue, 27 May 2025 12:53:17 +0200
 Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
 This issue affects memory safety and might receive a CVE ID later.
 Fixes #926.
 ---
 tree.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/tree.c b/tree.c
 index 86afb7d6..3b0d0397 100644
 --- a/tree.c
 +++ b/tree.c
@@ -20,6 +20,7 @@
 #include <string.h> /* for memset() only ! */
 #include <stddef.h>
 +#include <stdint.h>
 #include <limits.h>
 #ifdef HAVE_CTYPE_H
 #include <ctype.h>
@@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
 xmlChar *
 xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 	      xmlChar *memory, int len) {
 -    int lenn, lenp;
 +    size_t lenn, lenp;
     xmlChar *ret;
 -    if (ncname == NULL) return(NULL);
 +    if ((ncname == NULL) || (len < 0)) return(NULL);
     if (prefix == NULL) return((xmlChar *) ncname);
     lenn = strlen((char *) ncname);
     lenp = strlen((char *) prefix);
 +    if (lenn >= SIZE_MAX - lenp - 1)
 +        return(NULL);
 -    if ((memory == NULL) || (len < lenn + lenp + 2)) {
 +    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
 	if (ret == NULL) {
 	    xmlTreeErrMemory("building QName");
 -- 
 2.49.0
--- a/SOURCES/libxml2-clamp-output-bytes-overflow.patch
+++ b/SOURCES/libxml2-clamp-output-bytes-overflow.patch
@ -0,0 +1,56 @@
 From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Mon, 14 Oct 2019 16:56:59 +0200
 Subject: [PATCH] Fix integer overflow when counting written bytes
 Check for integer overflow when updating the `written` member of
 struct xmlOutputBuffer in xmlIO.c.
 Closes #112. Resolves !54 and !55.
 ---
 xmlIO.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
 diff --git a/xmlIO.c b/xmlIO.c
 index 2a1e2cb08..752d5e0a0 100644
 --- a/xmlIO.c
 +++ b/xmlIO.c
@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
 		out->error = XML_IO_WRITE;
 		return(ret);
 	    }
 -	    out->written += ret;
 +            if (out->written > INT_MAX - ret)
 +                out->written = INT_MAX;
 +            else
 +                out->written += ret;
 	}
 	written += nbchars;
     } while (len > 0);
@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
 		out->error = XML_IO_WRITE;
 		return(ret);
 	    }
 -	    out->written += ret;
 +            if (out->written > INT_MAX - ret)
 +                out->written = INT_MAX;
 +            else
 +                out->written += ret;
 	} else if (xmlBufAvail(out->buffer) < MINLEN) {
 	    xmlBufGrow(out->buffer, MINLEN);
 	}
@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
 	out->error = XML_IO_FLUSH;
 	return(ret);
     }
 -    out->written += ret;
 +    if (out->written > INT_MAX - ret)
 +        out->written = INT_MAX;
 +    else
 +        out->written += ret;
 #ifdef DEBUG_INPUT
     xmlGenericError(xmlGenericErrorContext,
 -- 
 GitLab
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@ -7,7 +7,7 @@
 Name:           libxml2
 Version:        2.9.7
-Release:        20%{?dist}
+Release:        21%{?dist}.1
 Summary:        Library providing XML and HTML support
 License:        MIT
@ -72,6 +72,13 @@ Patch27:        libxml2-2.9.13-CVE-2024-56171.patch
 Patch28:        libxml2-2.9.13-CVE-2025-24928.patch
 # https://issues.redhat.com/browse/RHEL-88198
 Patch29:         libxml2-2.9.13-CVE-2025-32414.patch
 # https://issues.redhat.com/browse/RHEL-74345
 Patch30:         libxml2-clamp-output-bytes-overflow.patch
 # https://issues.redhat.com/browse/RHEL-96498
 Patch31:         libxml2-2.9.13-CVE-2025-6021.patch
 # https://issues.redhat.com/browse/RHEL-96398
 # https://issues.redhat.com/browse/RHEL-96424
 Patch32:        libxml2-2.9.13-CVE-2025-49794.patch
 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
@ -243,6 +250,14 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 %changelog
 * Mon Jun 16 2025 David King <dking@redhat.com> - 2.9.7-21.1
 - Fix CVE-2025-6021 (RHEL-96498)
 - Fix CVE-2025-49794 (RHEL-96398)
 - Fix CVE-2025-49796 (RHEL-96424)
 * Fri Jun 13 2025 David King <dking@redhat.com> - 2.9.7-21
 - Fix integer overflow (RHEL-74345)
 * Thu Jun 05 2025 David King <dking@redhat.com> - 2.9.7-20
 - Fix CVE-2025-32414 (RHEL-88198)