diff --git a/libxml2-2.9.10-CVE-2021-3516.patch b/libxml2-2.9.10-CVE-2021-3516.patch new file mode 100644 index 0000000..10093b6 --- /dev/null +++ b/libxml2-2.9.10-CVE-2021-3516.patch @@ -0,0 +1,31 @@ +From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: [PATCH] Fix use-after-free with `xmllint --html --push` + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index 6ca1bf54..dbef273a 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +- xmlCtxtUseOptions(ctxt, options); ++ htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +GitLab + diff --git a/libxml2-2.9.10-CVE-2021-3517.patch b/libxml2-2.9.10-CVE-2021-3517.patch new file mode 100644 index 0000000..e3ef736 --- /dev/null +++ b/libxml2-2.9.10-CVE-2021-3517.patch @@ -0,0 +1,49 @@ +From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001 +From: Joel Hockey +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: [PATCH] Validate UTF8 in xmlEncodeEntities + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 +--- + entities.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index 37b99a56..1a8f86f0 100644 +--- a/entities.c ++++ b/entities.c +@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* + * We assume we have UTF-8 input. ++ * It must match either: ++ * 110xxxxx 10xxxxxx ++ * 1110xxxx 10xxxxxx 10xxxxxx ++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx ++ * That is: ++ * cur[0] is 11xxxxxx ++ * cur[1] is 10xxxxxx ++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx ++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx ++ * cur[0] is not 11111xxx + */ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +GitLab + diff --git a/libxml2-2.9.10-CVE-2021-3518.patch b/libxml2-2.9.10-CVE-2021-3518.patch new file mode 100644 index 0000000..e5861c2 --- /dev/null +++ b/libxml2-2.9.10-CVE-2021-3518.patch @@ -0,0 +1,247 @@ +From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 16:34:52 +0200 +Subject: [PATCH 1/2] Don't recurse into xi:include children in + xmlXIncludeDoProcess + +Otherwise, nested xi:include nodes might result in a use-after-free +if XML_PARSE_NOXINCNODE is specified. + +Found with libFuzzer and ASan. +--- + result/XInclude/fallback3.xml | 8 ++++++++ + result/XInclude/fallback3.xml.err | 0 + result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++ + result/XInclude/fallback4.xml | 10 ++++++++++ + result/XInclude/fallback4.xml.err | 0 + result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++ + test/XInclude/docs/fallback3.xml | 9 +++++++++ + test/XInclude/docs/fallback4.xml | 7 +++++++ + xinclude.c | 24 ++++++++++-------------- + 9 files changed, 98 insertions(+), 14 deletions(-) + create mode 100644 result/XInclude/fallback3.xml + create mode 100644 result/XInclude/fallback3.xml.err + create mode 100644 result/XInclude/fallback3.xml.rdr + create mode 100644 result/XInclude/fallback4.xml + create mode 100644 result/XInclude/fallback4.xml.err + create mode 100644 result/XInclude/fallback4.xml.rdr + create mode 100644 test/XInclude/docs/fallback3.xml + create mode 100644 test/XInclude/docs/fallback4.xml + +diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml +new file mode 100644 +index 00000000..b4235514 +--- /dev/null ++++ b/result/XInclude/fallback3.xml +@@ -0,0 +1,8 @@ ++ ++ ++ ++

something

++

really

++

simple

++ ++ +diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr +new file mode 100644 +index 00000000..aa2f1374 +--- /dev/null ++++ b/result/XInclude/fallback3.xml.rdr +@@ -0,0 +1,25 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml +new file mode 100644 +index 00000000..9883fd54 +--- /dev/null ++++ b/result/XInclude/fallback4.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++

something

++

really

++

simple

++ ++ ++ +diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr +new file mode 100644 +index 00000000..628b9513 +--- /dev/null ++++ b/result/XInclude/fallback4.xml.rdr +@@ -0,0 +1,29 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml +new file mode 100644 +index 00000000..0c8b6c9e +--- /dev/null ++++ b/test/XInclude/docs/fallback3.xml +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ There is no c.xml ... ++ ++ ++ ++ +diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml +new file mode 100644 +index 00000000..b500a635 +--- /dev/null ++++ b/test/XInclude/docs/fallback4.xml +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xinclude.c b/xinclude.c +index ba850fa5..f260c1a7 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + * First phase: lookup the elements in the document + */ + cur = tree; +- if (xmlXIncludeTestNode(ctxt, cur) == 1) +- xmlXIncludePreProcessNode(ctxt, cur); + while ((cur != NULL) && (cur != tree->parent)) { + /* TODO: need to work on entities -> stack */ +- if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { +- cur = cur->children; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); +- } else if (cur->next != NULL) { ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) { ++ xmlXIncludePreProcessNode(ctxt, cur); ++ } else if ((cur->children != NULL) && ++ (cur->children->type != XML_ENTITY_DECL) && ++ (cur->children->type != XML_XINCLUDE_START) && ++ (cur->children->type != XML_XINCLUDE_END)) { ++ cur = cur->children; ++ continue; ++ } ++ if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + } else { + if (cur == tree) + break; +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + break; /* do */ + if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + break; /* do */ + } + } while (cur != NULL); +-- +2.31.1 + + +From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 22 Apr 2021 19:26:28 +0200 +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd` + +The --dropdtd option can leave dangling pointers in entity reference +nodes. Make sure to skip these nodes when processing XIncludes. + +This also avoids scanning entity declarations and even modifying +them inadvertently during XInclude processing. + +Move from a block list to an allow list approach to avoid descending +into other node types that can't contain elements. + +Fixes #237. +--- + xinclude.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index f260c1a7..d7648529 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + if (xmlXIncludeTestNode(ctxt, cur) == 1) { + xmlXIncludePreProcessNode(ctxt, cur); + } else if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { ++ ((cur->type == XML_DOCUMENT_NODE) || ++ (cur->type == XML_ELEMENT_NODE))) { + cur = cur->children; + continue; + } +-- +2.31.1 + diff --git a/libxml2.spec b/libxml2.spec index 9a296b4..e7cbd86 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,6 +1,6 @@ Name: libxml2 Version: 2.9.10 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Library providing XML and HTML support License: MIT @@ -22,6 +22,12 @@ Patch6: libxml2-2.9.10-fix-integer-overflow.patch Patch7: libxml2-2.9.10-CVE-2020-24977.patch # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/87 Patch8: python-py_ssize_t.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1954227 +Patch9: libxml2-2.9.10-CVE-2021-3516.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1954234 +Patch10: libxml2-2.9.10-CVE-2021-3517.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1954243 +Patch11: libxml2-2.9.10-CVE-2021-3518.patch BuildRequires: gcc BuildRequires: make @@ -153,6 +159,11 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Wed May 05 2021 David King - 2.9.10-11 +- Fix CVE-2021-3516 (#1954227) +- Fix CVE-2021-3517 (#1954234) +- Fix CVE-2021-3518 (#1954243) + * Tue Jan 26 2021 Fedora Release Engineering - 2.9.10-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild