Fix CVE-2024-40896 (RHEL-72060)
Resolves: RHEL-72060
parent
c1774e5d0e
commit
8f8bb25065
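--- a/libxml2-2.12.5-CVE-2024-40896.patch
+++ b/libxml2-2.12.5-CVE-2024-40896.patch
@@ -0,0 +1,37 @@
+From 4c2b237174539db92f4504fbc5198d2f1561baca Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+parser.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index fe0ff4e2d..58ad02dbc 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7280,6 +7280,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+return;
+}
+
++ /*
++ * Some users try to parse entities on their own and used to set
++ * the renamed "checked" member. Fix the flags to cover this
++ * case.
++ */
++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++ ent->flags |= XML_ENT_PARSED;
++
+/*
+* The first reference to the entity trigger a parsing phase
+* where the ent->children is filled with the result from
+--
+GitLab
+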
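Review bot: The comment added to the parser.c hunk ("Fix the flags to cover this case") explains the history of the "checked" rename but not what the flag fix prevents, which is the security-relevant part; since the commit message ties it to XXE, the comment should say that a non-NULL children list pre-populated by the application's getEntity SAX callback is treated as an already expanded entity, e.g. `* A children list set by the SAX getEntity callback means the application expanded the entity itself; mark it XML_ENT_PARSED so the parsing phase below does not fetch and expand it again.`. The added check dereferences `ent` without a NULL test, so it presumably relies on a guard just above the hunk that is not visible here; worth confirming in the backported tree. xmlParseReference begins and ends outside the hunk. The backport, like the upstream commit it mirrors, carries no regression test, so nothing in the package build verifies that pre-set children still suppress expansion.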
@ -1,6 +1,6 @@
|
||||
Name: libxml2
|
||||
Version: 2.12.5
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
# list.c, dict.c and few others use ISC-Veillard
|
||||
@ -18,6 +18,8 @@ Patch0: libxml2-multilib.patch
|
||||
# Patch from openSUSE.
|
||||
# See: https://bugzilla.gnome.org/show_bug.cgi?id=789714
|
||||
Patch1: libxml2-2.12.0-python3-unicode-errors.patch
|
||||
# https://issues.redhat.com/browse/RHEL-72060
|
||||
Patch2: libxml2-2.12.5-CVE-2024-40896.patch
|
||||
|
||||
BuildRequires: cmake-rpm-macros
|
||||
BuildRequires: gcc
|
||||
@ -158,6 +160,9 @@ popd
|
||||
%{python3_sitelib}/__pycache__/drv_libxml2.*
|
||||
|
||||
%changelog
|
||||
* Tue Dec 24 2024 David King <amigadave@amigadave.com> - 2.12.5-4
|
||||
- Fix CVE-2024-40896 (RHEL-72060)
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.12.5-3
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|