import libxml2-2.9.7-12.el8_5

This commit is contained in:
CentOS Sources 2022-03-15 05:13:57 -04:00 committed by Stepan Oksanichenko
parent d592c57642
commit 969dd136b5
2 changed files with 212 additions and 11 deletions

View File

@ -0,0 +1,196 @@
From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 8 Feb 2022 03:29:24 +0100
Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
If a document is parsed with XML_PARSE_DTDVALID and without
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
potentially expanding entities in xmlRemoveID. Otherwise, later calls
to xmlGetID can return a pointer to previously freed memory.
ID attributes which are empty or contain only whitespace after
entity expansion are affected in a similar way. This is fixed by
not storing such attributes in the ID table.
The test to detect streaming mode when validating against a DTD was
broken. In connection with the defects above, this could result in a
use-after-free when using the xmlReader interface with validation.
Fix detection of streaming mode to avoid similar issues. (This changes
the expected result of a test case. But as far as I can tell, using the
XML reader with XIncludes referencing the root document never worked
properly, anyway.)
All of these issues can result in denial of service. Using xmlReader
with validation could result in disclosure of memory via the error
channel, typically stderr. The security impact of xmlGetID returning
a pointer to freed memory depends on the application. The typical use
case of calling xmlGetID on an unmodified document is not affected.
---
valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
1 file changed, 55 insertions(+), 33 deletions(-)
diff --git a/valid.c b/valid.c
index a64b96be..5b81059f 100644
--- a/valid.c
+++ b/valid.c
@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
return (ret);
}
+/**
+ * xmlValidNormalizeString:
+ * @str: a string
+ *
+ * Normalize a string in-place.
+ */
+static void
+xmlValidNormalizeString(xmlChar *str) {
+ xmlChar *dst;
+ const xmlChar *src;
+
+ if (str == NULL)
+ return;
+ src = str;
+ dst = str;
+
+ while (*src == 0x20) src++;
+ while (*src != 0) {
+ if (*src == 0x20) {
+ while (*src == 0x20) src++;
+ if (*src != 0)
+ *dst++ = 0x20;
+ } else {
+ *dst++ = *src++;
+ }
+ }
+ *dst = 0;
+}
+
#ifdef DEBUG_VALID_ALGO
static void
xmlValidPrintNode(xmlNodePtr cur) {
@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
xmlFree((char *)(str));
+static int
+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+ xmlParserCtxtPtr pctxt;
+
+ if (ctxt == NULL)
+ return(0);
+ /*
+ * These magic values are also abused to detect whether we're validating
+ * while parsing a document. In this case, userData points to the parser
+ * context.
+ */
+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
+ return(0);
+ pctxt = ctxt->userData;
+ return(pctxt->parseMode == XML_PARSE_READER);
+}
+
/**
* xmlFreeID:
* @not: A id
@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
if (doc == NULL) {
return(NULL);
}
- if (value == NULL) {
+ if ((value == NULL) || (value[0] == 0)) {
return(NULL);
}
if (attr == NULL) {
@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
*/
ret->value = xmlStrdup(value);
ret->doc = doc;
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
+ if (xmlIsStreaming(ctxt)) {
/*
* Operating in streaming mode, attr is gonna disapear
*/
@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
ID = xmlNodeListGetString(doc, attr->children, 1);
if (ID == NULL)
return(-1);
+ xmlValidNormalizeString(ID);
id = xmlHashLookup(table, ID);
if (id == NULL || id->attr != attr) {
@@ -2942,7 +2990,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
* fill the structure.
*/
ret->value = xmlStrdup(value);
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
+ if (xmlIsStreaming(ctxt)) {
/*
* Operating in streaming mode, attr is gonna disapear
*/
@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
xmlChar *
xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
- xmlChar *ret, *dst;
- const xmlChar *src;
+ xmlChar *ret;
xmlAttributePtr attrDecl = NULL;
int extsubset = 0;
@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
ret = xmlStrdup(value);
if (ret == NULL)
return(NULL);
- src = value;
- dst = ret;
- while (*src == 0x20) src++;
- while (*src != 0) {
- if (*src == 0x20) {
- while (*src == 0x20) src++;
- if (*src != 0)
- *dst++ = 0x20;
- } else {
- *dst++ = *src++;
- }
- }
- *dst = 0;
+ xmlValidNormalizeString(ret);
if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
"standalone: %s on %s value had to be normalized based on external subset declaration\n",
@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
xmlChar *
xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
const xmlChar *name, const xmlChar *value) {
- xmlChar *ret, *dst;
- const xmlChar *src;
+ xmlChar *ret;
xmlAttributePtr attrDecl = NULL;
if (doc == NULL) return(NULL);
@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
ret = xmlStrdup(value);
if (ret == NULL)
return(NULL);
- src = value;
- dst = ret;
- while (*src == 0x20) src++;
- while (*src != 0) {
- if (*src == 0x20) {
- while (*src == 0x20) src++;
- if (*src != 0)
- *dst++ = 0x20;
- } else {
- *dst++ = *src++;
- }
- }
- *dst = 0;
+ xmlValidNormalizeString(ret);
return(ret);
}
--
2.35.1

View File

@ -7,7 +7,7 @@
Name: libxml2 Name: libxml2
Version: 2.9.7 Version: 2.9.7
Release: 9%{?dist}.2 Release: 12%{?dist}
Summary: Library providing XML and HTML support Summary: Library providing XML and HTML support
License: MIT License: MIT
@ -38,14 +38,16 @@ Patch9: libxml2-2.9.7-CVE-2019-20388.patch
Patch10: libxml2-2.9.7-CVE-2020-24977.patch Patch10: libxml2-2.9.7-CVE-2020-24977.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1956976 # https://bugzilla.redhat.com/show_bug.cgi?id=1956976
Patch11: libxml2-2.9.7-CVE-2021-3516.patch Patch11: libxml2-2.9.7-CVE-2021-3516.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1957000 # https://bugzilla.redhat.com/show_bug.cgi?id=1957001
Patch12: libxml2-2.9.7-CVE-2021-3517.patch Patch12: libxml2-2.9.7-CVE-2021-3517.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1957027 # https://bugzilla.redhat.com/show_bug.cgi?id=1957028
Patch13: libxml2-2.9.7-CVE-2021-3518.patch Patch13: libxml2-2.9.7-CVE-2021-3518.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1957283 # https://bugzilla.redhat.com/show_bug.cgi?id=1957284
Patch14: libxml2-2.9.7-CVE-2021-3537.patch Patch14: libxml2-2.9.7-CVE-2021-3537.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1958782 # https://bugzilla.redhat.com/show_bug.cgi?id=1958783
Patch15: libxml2-2.9.7-CVE-2021-3541.patch Patch15: libxml2-2.9.7-CVE-2021-3541.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2057663
Patch16: libxml2-2.9.7-CVE-2022-23308.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: cmake-rpm-macros BuildRequires: cmake-rpm-macros
@ -217,14 +219,17 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so %{python3_sitearch}/libxml2mod.so
%changelog %changelog
* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-9.2 * Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-12
- Fix CVE-2022-23308 (#2057663)
* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-11
- Fix CVE-2021-3541 (#1958783) - Fix CVE-2021-3541 (#1958783)
* Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-9.1 * Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-10
- Fix CVE-2021-3516 (#1956975) - Fix CVE-2021-3516 (#1956976)
- Fix CVE-2021-3517 (#1957000) - Fix CVE-2021-3517 (#1957001)
- Fix CVE-2021-3518 (#1957027) - Fix CVE-2021-3518 (#1957028)
- Fix CVE-2021-3537 (#1957283) - Fix CVE-2021-3537 (#1957284)
* Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9 * Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9
- Fix CVE-2020-24977 (#1878252) - Fix CVE-2020-24977 (#1878252)