import libxml2-2.9.7-12.el8_5
This commit is contained in:
parent
d592c57642
commit
969dd136b5
196
SOURCES/libxml2-2.9.7-CVE-2022-23308.patch
Normal file
196
SOURCES/libxml2-2.9.7-CVE-2022-23308.patch
Normal file
@ -0,0 +1,196 @@
|
||||
From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 8 Feb 2022 03:29:24 +0100
|
||||
Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
|
||||
|
||||
If a document is parsed with XML_PARSE_DTDVALID and without
|
||||
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
|
||||
potentially expanding entities in xmlRemoveID. Otherwise, later calls
|
||||
to xmlGetID can return a pointer to previously freed memory.
|
||||
|
||||
ID attributes which are empty or contain only whitespace after
|
||||
entity expansion are affected in a similar way. This is fixed by
|
||||
not storing such attributes in the ID table.
|
||||
|
||||
The test to detect streaming mode when validating against a DTD was
|
||||
broken. In connection with the defects above, this could result in a
|
||||
use-after-free when using the xmlReader interface with validation.
|
||||
Fix detection of streaming mode to avoid similar issues. (This changes
|
||||
the expected result of a test case. But as far as I can tell, using the
|
||||
XML reader with XIncludes referencing the root document never worked
|
||||
properly, anyway.)
|
||||
|
||||
All of these issues can result in denial of service. Using xmlReader
|
||||
with validation could result in disclosure of memory via the error
|
||||
channel, typically stderr. The security impact of xmlGetID returning
|
||||
a pointer to freed memory depends on the application. The typical use
|
||||
case of calling xmlGetID on an unmodified document is not affected.
|
||||
---
|
||||
valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
|
||||
1 file changed, 55 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/valid.c b/valid.c
|
||||
index a64b96be..5b81059f 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
|
||||
return (ret);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * xmlValidNormalizeString:
|
||||
+ * @str: a string
|
||||
+ *
|
||||
+ * Normalize a string in-place.
|
||||
+ */
|
||||
+static void
|
||||
+xmlValidNormalizeString(xmlChar *str) {
|
||||
+ xmlChar *dst;
|
||||
+ const xmlChar *src;
|
||||
+
|
||||
+ if (str == NULL)
|
||||
+ return;
|
||||
+ src = str;
|
||||
+ dst = str;
|
||||
+
|
||||
+ while (*src == 0x20) src++;
|
||||
+ while (*src != 0) {
|
||||
+ if (*src == 0x20) {
|
||||
+ while (*src == 0x20) src++;
|
||||
+ if (*src != 0)
|
||||
+ *dst++ = 0x20;
|
||||
+ } else {
|
||||
+ *dst++ = *src++;
|
||||
+ }
|
||||
+ }
|
||||
+ *dst = 0;
|
||||
+}
|
||||
+
|
||||
#ifdef DEBUG_VALID_ALGO
|
||||
static void
|
||||
xmlValidPrintNode(xmlNodePtr cur) {
|
||||
@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
|
||||
(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
|
||||
xmlFree((char *)(str));
|
||||
|
||||
+static int
|
||||
+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
|
||||
+ xmlParserCtxtPtr pctxt;
|
||||
+
|
||||
+ if (ctxt == NULL)
|
||||
+ return(0);
|
||||
+ /*
|
||||
+ * These magic values are also abused to detect whether we're validating
|
||||
+ * while parsing a document. In this case, userData points to the parser
|
||||
+ * context.
|
||||
+ */
|
||||
+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
|
||||
+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
|
||||
+ return(0);
|
||||
+ pctxt = ctxt->userData;
|
||||
+ return(pctxt->parseMode == XML_PARSE_READER);
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* xmlFreeID:
|
||||
* @not: A id
|
||||
@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
if (doc == NULL) {
|
||||
return(NULL);
|
||||
}
|
||||
- if (value == NULL) {
|
||||
+ if ((value == NULL) || (value[0] == 0)) {
|
||||
return(NULL);
|
||||
}
|
||||
if (attr == NULL) {
|
||||
@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
*/
|
||||
ret->value = xmlStrdup(value);
|
||||
ret->doc = doc;
|
||||
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
|
||||
+ if (xmlIsStreaming(ctxt)) {
|
||||
/*
|
||||
* Operating in streaming mode, attr is gonna disapear
|
||||
*/
|
||||
@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
|
||||
ID = xmlNodeListGetString(doc, attr->children, 1);
|
||||
if (ID == NULL)
|
||||
return(-1);
|
||||
+ xmlValidNormalizeString(ID);
|
||||
|
||||
id = xmlHashLookup(table, ID);
|
||||
if (id == NULL || id->attr != attr) {
|
||||
@@ -2942,7 +2990,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
* fill the structure.
|
||||
*/
|
||||
ret->value = xmlStrdup(value);
|
||||
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
|
||||
+ if (xmlIsStreaming(ctxt)) {
|
||||
/*
|
||||
* Operating in streaming mode, attr is gonna disapear
|
||||
*/
|
||||
@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
xmlChar *
|
||||
xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
|
||||
- xmlChar *ret, *dst;
|
||||
- const xmlChar *src;
|
||||
+ xmlChar *ret;
|
||||
xmlAttributePtr attrDecl = NULL;
|
||||
int extsubset = 0;
|
||||
|
||||
@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
ret = xmlStrdup(value);
|
||||
if (ret == NULL)
|
||||
return(NULL);
|
||||
- src = value;
|
||||
- dst = ret;
|
||||
- while (*src == 0x20) src++;
|
||||
- while (*src != 0) {
|
||||
- if (*src == 0x20) {
|
||||
- while (*src == 0x20) src++;
|
||||
- if (*src != 0)
|
||||
- *dst++ = 0x20;
|
||||
- } else {
|
||||
- *dst++ = *src++;
|
||||
- }
|
||||
- }
|
||||
- *dst = 0;
|
||||
+ xmlValidNormalizeString(ret);
|
||||
if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
|
||||
xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
|
||||
"standalone: %s on %s value had to be normalized based on external subset declaration\n",
|
||||
@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||||
xmlChar *
|
||||
xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
|
||||
const xmlChar *name, const xmlChar *value) {
|
||||
- xmlChar *ret, *dst;
|
||||
- const xmlChar *src;
|
||||
+ xmlChar *ret;
|
||||
xmlAttributePtr attrDecl = NULL;
|
||||
|
||||
if (doc == NULL) return(NULL);
|
||||
@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
|
||||
ret = xmlStrdup(value);
|
||||
if (ret == NULL)
|
||||
return(NULL);
|
||||
- src = value;
|
||||
- dst = ret;
|
||||
- while (*src == 0x20) src++;
|
||||
- while (*src != 0) {
|
||||
- if (*src == 0x20) {
|
||||
- while (*src == 0x20) src++;
|
||||
- if (*src != 0)
|
||||
- *dst++ = 0x20;
|
||||
- } else {
|
||||
- *dst++ = *src++;
|
||||
- }
|
||||
- }
|
||||
- *dst = 0;
|
||||
+ xmlValidNormalizeString(ret);
|
||||
return(ret);
|
||||
}
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
Name: libxml2
|
||||
Version: 2.9.7
|
||||
Release: 9%{?dist}.2
|
||||
Release: 12%{?dist}
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
License: MIT
|
||||
@ -38,14 +38,16 @@ Patch9: libxml2-2.9.7-CVE-2019-20388.patch
|
||||
Patch10: libxml2-2.9.7-CVE-2020-24977.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1956976
|
||||
Patch11: libxml2-2.9.7-CVE-2021-3516.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957000
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957001
|
||||
Patch12: libxml2-2.9.7-CVE-2021-3517.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957027
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957028
|
||||
Patch13: libxml2-2.9.7-CVE-2021-3518.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957283
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1957284
|
||||
Patch14: libxml2-2.9.7-CVE-2021-3537.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1958782
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1958783
|
||||
Patch15: libxml2-2.9.7-CVE-2021-3541.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2057663
|
||||
Patch16: libxml2-2.9.7-CVE-2022-23308.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake-rpm-macros
|
||||
@ -217,14 +219,17 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
|
||||
%changelog
|
||||
* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-9.2
|
||||
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-12
|
||||
- Fix CVE-2022-23308 (#2057663)
|
||||
|
||||
* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-11
|
||||
- Fix CVE-2021-3541 (#1958783)
|
||||
|
||||
* Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-9.1
|
||||
- Fix CVE-2021-3516 (#1956975)
|
||||
- Fix CVE-2021-3517 (#1957000)
|
||||
- Fix CVE-2021-3518 (#1957027)
|
||||
- Fix CVE-2021-3537 (#1957283)
|
||||
* Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-10
|
||||
- Fix CVE-2021-3516 (#1956976)
|
||||
- Fix CVE-2021-3517 (#1957001)
|
||||
- Fix CVE-2021-3518 (#1957028)
|
||||
- Fix CVE-2021-3537 (#1957284)
|
||||
|
||||
* Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9
|
||||
- Fix CVE-2020-24977 (#1878252)
|
||||
|
Loading…
Reference in New Issue
Block a user