import UBI libxml2-2.9.7-21.el8_10.1

2025-07-10 05:53:13 +00:00 · 2025-07-10 05:53:13 +00:00 · 20e38c457e
commit 20e38c457e
parent 089ccc9be7
4 changed files with 315 additions and 1 deletions
--- a/SOURCES/libxml2-2.9.13-CVE-2025-49794.patch
+++ b/SOURCES/libxml2-2.9.13-CVE-2025-49794.patch
@ -0,0 +1,194 @@
+From b2a28a861e9d43a23b877c3994daa28f8af69618 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Fixes #931.
+Fixes #933.
+---
+ result/schematron/cve-2025-49794_0.err |  2 +
+ result/schematron/cve-2025-49796_0.err |  2 +
+ schematron.c                           | 67 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct     | 10 ++++
+ test/schematron/cve-2025-49794_0.xml   |  6 +++
+ test/schematron/cve-2025-49796.sct     |  9 ++++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 67 insertions(+), 32 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 00000000..57752310
+--- /dev/null
+++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 00000000..bf875ee0
+--- /dev/null
+++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index ddbb069b..0c7bc84a 100644
+--- a/schematron.c
+++ b/schematron.c
+@@ -1239,27 +1239,15 @@ exit:
+  *									*
+  ************************************************************************/
+ 
+-static xmlNodePtr
+static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+-
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+         return(NULL);
+ 
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
+-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-	node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
+    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1301,28 +1289,43 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+     child = test->children;
+     while (child != NULL) {
+         if ((child->type == XML_TEXT_NODE) ||
+-	    (child->type == XML_CDATA_SECTION_NODE))
+-	    ret = xmlStrcat(ret, child->content);
+-	else if (IS_SCHEMATRON(child, "name")) {
+-	    xmlChar *path;
+            (child->type == XML_CDATA_SECTION_NODE))
+            ret = xmlStrcat(ret, child->content);
+        else if (IS_SCHEMATRON(child, "name")) {
+            xmlXPathObject *obj = NULL;
+            xmlChar *path;
+ 
+ 	    path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+-	    if (path != NULL) {
+-	        node = xmlSchematronGetNode(ctxt, cur, path);
+-		if (node == NULL)
+-		    node = cur;
+-		xmlFree(path);
+-	    }
+-
+-	    if ((node->ns == NULL) || (node->ns->prefix == NULL))
+-	        ret = xmlStrcat(ret, node->name);
+-	    else {
+-	        ret = xmlStrcat(ret, node->ns->prefix);
+-	        ret = xmlStrcat(ret, BAD_CAST ":");
+-	        ret = xmlStrcat(ret, node->name);
+-	    }
+            if (path != NULL) {
+                obj = xmlSchematronGetNode(ctxt, cur, path);
+                if ((obj != NULL) &&
+                    (obj->type == XPATH_NODESET) &&
+                    (obj->nodesetval != NULL) &&
+                    (obj->nodesetval->nodeNr > 0))
+                    node = obj->nodesetval->nodeTab[0];
+                xmlFree(path);
+            }
+
+            switch (node->type) {
+                case XML_ELEMENT_NODE:
+                case XML_ATTRIBUTE_NODE:
+                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
+                        ret = xmlStrcat(ret, node->name);
+                    else {
+                        ret = xmlStrcat(ret, node->ns->prefix);
+                        ret = xmlStrcat(ret, BAD_CAST ":");
+                        ret = xmlStrcat(ret, node->name);
+                    }
+                    break;
+
+                /* TODO: handle other node types */
+                default:
+                    break;
+            }
+
+            xmlXPathFreeObject(obj);
+ 	} else {
+ 	    child = child->next;
+ 	    continue;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 00000000..7fc9ee3d
+--- /dev/null
+++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="&#9;e|namespace::*|e"/>
+            </sch:report>
+            <sch:report test="0"></sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 00000000..debc64ba
+--- /dev/null
+++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
+<librar0>
+    <boo0 t="">
+        <author></author>
+    </boo0>
+    <ins></ins>
+</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 00000000..e9702d75
+--- /dev/null
+++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="/"/>
+            </sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 00000000..be33c4ec
+--- /dev/null
+++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
+<librar0>
+    <boo0/>
+</librar0>
+-- 
+2.49.0
+
--- a/SOURCES/libxml2-2.9.13-CVE-2025-6021.patch
+++ b/SOURCES/libxml2-2.9.13-CVE-2025-6021.patch
@ -0,0 +1,49 @@
+From 1256dce1c2c928e1436a7e8bd8b40113099383c8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety and might receive a CVE ID later.
+
+Fixes #926.
+---
+ tree.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 86afb7d6..3b0d0397 100644
+--- a/tree.c
+++ b/tree.c
+@@ -20,6 +20,7 @@
+ 
+ #include <string.h> /* for memset() only ! */
+ #include <stddef.h>
+#include <stdint.h>
+ #include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+@@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
+    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ 	if (ret == NULL) {
+ 	    xmlTreeErrMemory("building QName");
+-- 
+2.49.0
+
--- a/SOURCES/libxml2-clamp-output-bytes-overflow.patch
+++ b/SOURCES/libxml2-clamp-output-bytes-overflow.patch
@ -0,0 +1,56 @@
+From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 14 Oct 2019 16:56:59 +0200
+Subject: [PATCH] Fix integer overflow when counting written bytes
+
+Check for integer overflow when updating the `written` member of
+struct xmlOutputBuffer in xmlIO.c.
+
+Closes #112. Resolves !54 and !55.
+---
+ xmlIO.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/xmlIO.c b/xmlIO.c
+index 2a1e2cb08..752d5e0a0 100644
+--- a/xmlIO.c
+++ b/xmlIO.c
+@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
+ 		out->error = XML_IO_WRITE;
+ 		return(ret);
+ 	    }
+-	    out->written += ret;
+            if (out->written > INT_MAX - ret)
+                out->written = INT_MAX;
+            else
+                out->written += ret;
+ 	}
+ 	written += nbchars;
+     } while (len > 0);
+@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
+ 		out->error = XML_IO_WRITE;
+ 		return(ret);
+ 	    }
+-	    out->written += ret;
+            if (out->written > INT_MAX - ret)
+                out->written = INT_MAX;
+            else
+                out->written += ret;
+ 	} else if (xmlBufAvail(out->buffer) < MINLEN) {
+ 	    xmlBufGrow(out->buffer, MINLEN);
+ 	}
+@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
+ 	out->error = XML_IO_FLUSH;
+ 	return(ret);
+     }
+-    out->written += ret;
+    if (out->written > INT_MAX - ret)
+        out->written = INT_MAX;
+    else
+        out->written += ret;
+ 
+ #ifdef DEBUG_INPUT
+     xmlGenericError(xmlGenericErrorContext,
+-- 
+GitLab
+
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@ -7,7 +7,7 @@

 Name:           libxml2
 Version:        2.9.7
-Release:        20%{?dist}
+Release:        21%{?dist}.1
 Summary:        Library providing XML and HTML support

 License:        MIT
@ -72,6 +72,13 @@ Patch27:        libxml2-2.9.13-CVE-2024-56171.patch
 Patch28:        libxml2-2.9.13-CVE-2025-24928.patch
 # https://issues.redhat.com/browse/RHEL-88198
 Patch29:         libxml2-2.9.13-CVE-2025-32414.patch
+# https://issues.redhat.com/browse/RHEL-74345
+Patch30:         libxml2-clamp-output-bytes-overflow.patch
+# https://issues.redhat.com/browse/RHEL-96498
+Patch31:         libxml2-2.9.13-CVE-2025-6021.patch
+# https://issues.redhat.com/browse/RHEL-96398
+# https://issues.redhat.com/browse/RHEL-96424
+Patch32:        libxml2-2.9.13-CVE-2025-49794.patch

 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
@ -243,6 +250,14 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so

 %changelog
+* Mon Jun 16 2025 David King <dking@redhat.com> - 2.9.7-21.1
+- Fix CVE-2025-6021 (RHEL-96498)
+- Fix CVE-2025-49794 (RHEL-96398)
+- Fix CVE-2025-49796 (RHEL-96424)
+
+* Fri Jun 13 2025 David King <dking@redhat.com> - 2.9.7-21
+- Fix integer overflow (RHEL-74345)
+
 * Thu Jun 05 2025 David King <dking@redhat.com> - 2.9.7-20
 - Fix CVE-2025-32414 (RHEL-88198)