import UBI libxml2-2.12.5-7.el10_0

2025-07-09 16:13:31 +00:00 · 2025-07-09 16:13:31 +00:00 · 2ef99e936f
commit 2ef99e936f
parent 9c27cf30f2
4 changed files with 310 additions and 1 deletions
--- a/libxml2-2.12.5-CVE-2025-49794.patch
+++ b/libxml2-2.12.5-CVE-2025-49794.patch
@ -0,0 +1,182 @@
+From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Fixes #931.
+Fixes #933.
+---
+ result/schematron/cve-2025-49794_0.err |  2 ++
+ result/schematron/cve-2025-49796_0.err |  2 ++
+ schematron.c                           | 49 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct     | 10 ++++++
+ test/schematron/cve-2025-49794_0.xml   |  6 ++++
+ test/schematron/cve-2025-49796.sct     |  9 +++++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 58 insertions(+), 23 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 00000000..57752310
+--- /dev/null
+++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 00000000..bf875ee0
+--- /dev/null
+++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index 85b46282..0fd37461 100644
+--- a/schematron.c
+++ b/schematron.c
+@@ -1364,27 +1364,15 @@ exit:
+  *                                                                      *
+  ************************************************************************/
+ 
+-static xmlNodePtr
+static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+-
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+         return(NULL);
+ 
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
+-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-        node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
+    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1427,25 +1415,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+             (child->type == XML_CDATA_SECTION_NODE))
+             ret = xmlStrcat(ret, child->content);
+         else if (IS_SCHEMATRON(child, "name")) {
+            xmlXPathObject *obj = NULL;
+             xmlChar *path;
+ 
+             path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+             if (path != NULL) {
+-                node = xmlSchematronGetNode(ctxt, cur, path);
+-                if (node == NULL)
+-                    node = cur;
+                obj = xmlSchematronGetNode(ctxt, cur, path);
+                if ((obj != NULL) &&
+                    (obj->type == XPATH_NODESET) &&
+                    (obj->nodesetval != NULL) &&
+                    (obj->nodesetval->nodeNr > 0))
+                    node = obj->nodesetval->nodeTab[0];
+                 xmlFree(path);
+             }
+ 
+-            if ((node->ns == NULL) || (node->ns->prefix == NULL))
+-                ret = xmlStrcat(ret, node->name);
+-            else {
+-                ret = xmlStrcat(ret, node->ns->prefix);
+-                ret = xmlStrcat(ret, BAD_CAST ":");
+-                ret = xmlStrcat(ret, node->name);
+            switch (node->type) {
+                case XML_ELEMENT_NODE:
+                case XML_ATTRIBUTE_NODE:
+                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
+                        ret = xmlStrcat(ret, node->name);
+                    else {
+                        ret = xmlStrcat(ret, node->ns->prefix);
+                        ret = xmlStrcat(ret, BAD_CAST ":");
+                        ret = xmlStrcat(ret, node->name);
+                    }
+                    break;
+
+                /* TODO: handle other node types */
+                default:
+                    break;
+             }
+
+            xmlXPathFreeObject(obj);
+         } else if (IS_SCHEMATRON(child, "value-of")) {
+             xmlChar *select;
+             xmlXPathObjectPtr eval;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 00000000..7fc9ee3d
+--- /dev/null
+++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="&#9;e|namespace::*|e"/>
+            </sch:report>
+            <sch:report test="0"></sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 00000000..debc64ba
+--- /dev/null
+++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
+<librar0>
+    <boo0 t="">
+        <author></author>
+    </boo0>
+    <ins></ins>
+</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 00000000..e9702d75
+--- /dev/null
+++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="/"/>
+            </sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 00000000..be33c4ec
+--- /dev/null
+++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
+<librar0>
+    <boo0/>
+</librar0>
+-- 
+2.49.0
+
--- a/libxml2-2.12.5-CVE-2025-49795.patch
+++ b/libxml2-2.12.5-CVE-2025-49795.patch
@ -0,0 +1,70 @@
+From 1d73ed887fb7d076d6113fefc6cd53742d23bc4b Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Sat, 21 Jun 2025 12:11:30 -0400
+Subject: [PATCH] Schematron: Fix null pointer dereference leading to DoS
+
+(CVE-2025-49795)
+
+Fixes #932
+---
+ result/schematron/zvon16_0.err | 3 +++
+ schematron.c                   | 5 +++++
+ test/schematron/zvon16.sct     | 7 +++++++
+ test/schematron/zvon16_0.xml   | 5 +++++
+ 4 files changed, 20 insertions(+)
+ create mode 100644 result/schematron/zvon16_0.err
+ create mode 100644 test/schematron/zvon16.sct
+ create mode 100644 test/schematron/zvon16_0.xml
+
+diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err
+new file mode 100644
+index 00000000..452bcc13
+--- /dev/null
+++ b/result/schematron/zvon16_0.err
+@@ -0,0 +1,3 @@
+XPath error : Unregistered function: falae
+./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book 
+./test/schematron/zvon16_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index a8259201..86c63e64 100644
+--- a/schematron.c
+++ b/schematron.c
+@@ -1481,6 +1481,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+             select = xmlGetNoNsProp(child, BAD_CAST "select");
+             comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
+             eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
+            if (eval == NULL) {
+                xmlXPathFreeCompExpr(comp);
+                xmlFree(select);
+                return ret;
+            }
+ 
+             switch (eval->type) {
+             case XPATH_NODESET: {
+diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct
+new file mode 100644
+index 00000000..f03848aa
+--- /dev/null
+++ b/test/schematron/zvon16.sct
+@@ -0,0 +1,7 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+	<sch:pattern id="TestPattern">
+		<sch:rule context="book">
+			<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
+		</sch:rule>
+	</sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml
+new file mode 100644
+index 00000000..551e2d65
+--- /dev/null
+++ b/test/schematron/zvon16_0.xml
+@@ -0,0 +1,5 @@
+<library>
+	<book title="Test Book" id="bk101">
+		<author>Test Author</author>
+	</book>
+</library>
+-- 
+2.49.0
+
--- a/libxml2-2.12.5-CVE-2025-6021.patch
+++ b/libxml2-2.12.5-CVE-2025-6021.patch
@ -0,0 +1,41 @@
+From e90d97891190e17c69d89033ade0b66882d273ff Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety and might receive a CVE ID later.
+
+Fixes #926.
+---
+ tree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index dc3ac4f9..c347ccaa 100644
+--- a/tree.c
+++ b/tree.c
+@@ -216,16 +216,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
+    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ 	if (ret == NULL) {
+ 	    xmlTreeErrMemory("building QName");
+-- 
+2.49.0
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,6 +1,6 @@
 Name:           libxml2
 Version:        2.12.5
-Release:        5%{?dist}
+Release:        7%{?dist}
 Summary:        Library providing XML and HTML support

 # list.c, dict.c and few others use ISC-Veillard
@ -24,6 +24,13 @@ Patch2:         libxml2-2.12.5-CVE-2024-40896.patch
 Patch3:         libxml2-2.12.5-CVE-2024-56171.patch
 # https://issues.redhat.com/browse/RHEL-80134
 Patch4:         libxml2-2.12.5-CVE-2025-24928.patch
+# https://issues.redhat.com/browse/RHEL-96495
+Patch5:         libxml2-2.12.5-CVE-2025-6021.patch
+# https://issues.redhat.com/browse/RHEL-96995
+# https://issues.redhat.com/browse/RHEL-96421
+Patch6:         libxml2-2.12.5-CVE-2025-49794.patch
+# https://issues.redhat.com/browse/RHEL-96408
+Patch7:         libxml2-2.12.5-CVE-2025-49795.patch

 BuildRequires:  cmake-rpm-macros
 BuildRequires:  gcc
@ -164,6 +171,15 @@ popd
 %{python3_sitelib}/__pycache__/drv_libxml2.*

 %changelog
+* Mon Jul 07 2025 David King <dking@redhat.com> - 2.12.5-7
+- Refresh patches from upstream (RHEL-96395, RHEL-96408 and RHEL-96421)
+
+* Mon Jun 16 2025 David King <dking@redhat.com> - 2.12.5-6
+- Fix CVE-2025-6021 (RHEL-96495)
+- Fix CVE-2025-49794 (RHEL-96395)
+- Fix CVE-2025-49795 (RHEL-96408)
+- Fix CVE-2025-49796 (RHEL-96421)
+
 * Mon Feb 24 2025 David King <dking@redhat.com> - 2.12.5-5
 - Fix CVE-2024-56171 (RHEL-80119)
 - Fix CVE-2025-24928 (RHEL-80134)