Add fix for CVE-2020-24977 (RHBZ#1877788).
		
							parent
							
								
									8cdc8f4154
								
							
						
					
					
						commit
						80f8374a0f
					
				
							
								
								
									
										41
									
								
								libxml2-2.9.10-CVE-2020-24977.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										41
									
								
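--- a/libxml2-2.9.10-CVE-2020-24977.patch
+++ b/libxml2-2.9.10-CVE-2020-24977.patch
@@ -0,0 +1,41 @@
+From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Aug 2020 17:30:41 +0200
+Subject: [PATCH] Fix integer overflow when comparing schema dates
+
+Found by OSS-Fuzz.
+---
+ xmlschemastypes.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index 4249d700..d6b9f924 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
+ 	minday = 0;
+ 	maxday = 0;
+     } else {
++        if (myear > LONG_MAX / 366)
++            return -2;
+         /* FIXME: This doesn't take leap year exceptions every 100/400 years
+            into account. */
+ 	maxday = 365 * myear + (myear + 3) / 4;
+@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
+     if ((x == NULL) || (y == NULL))
+         return -2;
+ 
++    if ((x->value.date.year > LONG_MAX / 366) ||
++        (x->value.date.year < LONG_MIN / 366) ||
++        (y->value.date.year > LONG_MAX / 366) ||
++        (y->value.date.year < LONG_MIN / 366)) {
++        /* Possible overflow when converting to days. */
++        return -2;
++    }
++
+     if (x->value.date.tz_flag) {
+ 
+         if (!y->value.date.tz_flag) {
+-- 
+2.28.0.rc2
+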
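Review bot: The guard added in xmlSchemaCompareDurations checks only the upper bound (`myear > LONG_MAX / 366`) and carries no comment, while the matching guard in xmlSchemaCompareDates checks both `LONG_MAX / 366` and `LONG_MIN / 366` and explains itself. If `myear` cannot be negative at that point (its assignment is outside the hunk), say so next to the check, e.g. `/* myear >= 0 here; reject values whose day count would overflow long. */`; if it can, the lower bound needs the same treatment as in the dates hunk. Both hunks rely on `LONG_MAX`/`LONG_MIN` and the patch adds no `#include <limits.h>`, so it is worth confirming that xmlschemastypes.c already pulls that header in, since its include block is not visible here. Both functions start and end outside the hunks.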
| @ -1,6 +1,6 @@ | ||||
| Name:           libxml2 | ||||
| Version:        2.9.10 | ||||
| Release:        6%{?dist} | ||||
| Release:        7%{?dist} | ||||
| Summary:        Library providing XML and HTML support | ||||
| 
 | ||||
| License:        MIT | ||||
| @ -17,6 +17,8 @@ Patch3:         libxml2-2.9.10-CVE-2019-20388.patch | ||||
| Patch4:         libxml2-2.9.10-CVE-2020-7595.patch | ||||
| # https://gitlab.gnome.org/GNOME/libxml2/merge_requests/71 | ||||
| Patch5:         libxml2-2.9.10-parenthesize-type-checks.patch | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1877788 | ||||
| Patch6:         libxml2-2.9.10-CVE-2020-24977.patch | ||||
| 
 | ||||
| BuildRequires:  gcc | ||||
| BuildRequires:  make | ||||
| @ -145,6 +147,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz | ||||
| %{python3_sitearch}/libxml2mod.so | ||||
| 
 | ||||
| %changelog | ||||
| * Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7 | ||||
| - Add fix for CVE-2020-24977 (RHBZ#1877788). | ||||
| 
 | ||||
| * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-6 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||
| 
 | ||||
|  | ||||
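Review bot: Nothing in the visible spec hunks applies the new patch: `Patch6: libxml2-2.9.10-CVE-2020-24977.patch` is declared after Patch5, but the %prep section lies outside the hunks shown. If %prep uses `%autosetup`, the patch is picked up automatically; if it applies patches one by one, a `%patch6 -p1` line is needed, otherwise the 2.9.10-7 build would ship without the CVE-2020-24977 fix while the changelog states it is included. The build log for this release should show the patch being applied, which is worth checking before the update is pushed.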