diff --git a/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch b/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch new file mode 100644 index 0000000..7e0b61d --- /dev/null +++ b/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch @@ -0,0 +1,71 @@ +From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 13 Sep 2022 16:40:31 +0200 +Subject: [PATCH] schemas: Fix null-pointer-deref in + xmlSchemaCheckCOSSTDerivedOK + +Found by OSS-Fuzz. +--- + result/schemas/oss-fuzz-51295_0_0.err | 2 ++ + test/schemas/oss-fuzz-51295_0.xml | 1 + + test/schemas/oss-fuzz-51295_0.xsd | 4 ++++ + xmlschemas.c | 15 +++++++++++++-- + 4 files changed, 20 insertions(+), 2 deletions(-) + create mode 100644 result/schemas/oss-fuzz-51295_0_0.err + create mode 100644 test/schemas/oss-fuzz-51295_0.xml + create mode 100644 test/schemas/oss-fuzz-51295_0.xsd + +diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err +new file mode 100644 +index 00000000..1e89524f +--- /dev/null ++++ b/result/schemas/oss-fuzz-51295_0_0.err +@@ -0,0 +1,2 @@ ++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. ++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. +diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml +new file mode 100644 +index 00000000..10a7e703 +--- /dev/null ++++ b/test/schemas/oss-fuzz-51295_0.xml +@@ -0,0 +1 @@ ++ +diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd +new file mode 100644 +index 00000000..fde96af5 +--- /dev/null ++++ b/test/schemas/oss-fuzz-51295_0.xsd +@@ -0,0 +1,4 @@ ++ ++ ++ ++ +diff --git a/xmlschemas.c b/xmlschemas.c +index f31d3d1f..152b7c3f 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl, + * declaration `resolved` to by the `actual value` + * of the substitutionGroup [attribute], if present" + */ +- if (elemDecl->subtypes == NULL) +- elemDecl->subtypes = substHead->subtypes; ++ if (elemDecl->subtypes == NULL) { ++ if (substHead->subtypes == NULL) { ++ /* ++ * This can happen with self-referencing substitution ++ * groups. The cycle will be detected later, but we have ++ * to set subtypes to avoid null-pointer dereferences. ++ */ ++ elemDecl->subtypes = xmlSchemaGetBuiltInType( ++ XML_SCHEMAS_ANYTYPE); ++ } else { ++ elemDecl->subtypes = substHead->subtypes; ++ } ++ } + } + } + /* +-- +GitLab + diff --git a/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch b/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch new file mode 100644 index 0000000..052ab15 --- /dev/null +++ b/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch @@ -0,0 +1,74 @@ +From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Apr 2023 11:46:35 +0200 +Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType + +Fix a null pointer dereference when parsing (invalid) XML schemas. + +Thanks to Robby Simpson for the report! + +Fixes #491. +--- + result/schemas/issue491_0_0.err | 1 + + test/schemas/issue491_0.xml | 1 + + test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ + xmlschemas.c | 2 +- + 4 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 result/schemas/issue491_0_0.err + create mode 100644 test/schemas/issue491_0.xml + create mode 100644 test/schemas/issue491_0.xsd + +diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err +new file mode 100644 +index 00000000..9b2bb969 +--- /dev/null ++++ b/result/schemas/issue491_0_0.err +@@ -0,0 +1 @@ ++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. +diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml +new file mode 100644 +index 00000000..e2b2fc2e +--- /dev/null ++++ b/test/schemas/issue491_0.xml +@@ -0,0 +1 @@ ++5 +diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd +new file mode 100644 +index 00000000..81702649 +--- /dev/null ++++ b/test/schemas/issue491_0.xsd +@@ -0,0 +1,18 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xmlschemas.c b/xmlschemas.c +index 152b7c3f..eec24a95 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, + "allowed to appear inside other model groups", + NULL, NULL); + +- } else if (! dummySequence) { ++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) { + xmlSchemaTreeItemPtr effectiveContent = + (xmlSchemaTreeItemPtr) type->subtypes; + /* +-- +GitLab + diff --git a/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch b/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch new file mode 100644 index 0000000..d7a9778 --- /dev/null +++ b/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch @@ -0,0 +1,42 @@ +From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Apr 2023 11:49:27 +0200 +Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't + deterministic + +When hashing empty strings which aren't null-terminated, +xmlDictComputeFastKey could produce inconsistent results. This could +lead to various logic or memory errors, including double frees. + +For consistency the seed is also taken into account, but this shouldn't +have an impact on security. + +Found by OSS-Fuzz. + +Fixes #510. + +Incorporates change from commit +09a2dd453007f9c7205274623acdd73747c22d64. +--- + dict.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/dict.c b/dict.c +index 0ef3718d..5e84cfca 100644 +--- a/dict.c ++++ b/dict.c +@@ -444,8 +444,9 @@ static unsigned long + xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { + unsigned long value = seed; + +- if (name == NULL) return(0); +- value = *name; ++ if ((name == NULL) || (namelen <= 0)) ++ return(value); ++ value += *name; + value <<= 5; + if (namelen > 10) { + value += name[namelen - 1]; +-- +2.41.0 + diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec index 205bc36..67c68d5 100644 --- a/SPECS/libxml2.spec +++ b/SPECS/libxml2.spec @@ -7,7 +7,7 @@ Name: libxml2 Version: 2.9.7 -Release: 16%{?dist} +Release: 16%{?dist}.1 Summary: Library providing XML and HTML support License: MIT @@ -56,6 +56,10 @@ Patch18: libxml2-2.9.7-CVE-2016-3709.patch Patch19: libxml2-2.9.7-CVE-2022-40303.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2136568 Patch20: libxml2-2.9.7-CVE-2022-40304.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2186691 +Patch21: libxml2-2.9.13-CVE-2023-28484.patch +Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch +Patch23: libxml2-2.9.7-CVE-2023-29469.patch BuildRequires: gcc BuildRequires: cmake-rpm-macros @@ -227,6 +231,10 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Fri Jul 14 2023 David King - 2.9.7-16.1 +- Fix CVE-2023-28484 (#2186691) +- Fix CVE-2023-29469 (#2186691) + * Wed Nov 02 2022 David King - 2.9.7-16 - Fix CVE-2022-40303 (#2136563) - Fix CVE-2022-40304 (#2136568)