From 99eafa20824ce17f700cd3c8818739f235bbf4f4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 3 Nov 2020 06:45:16 -0500 Subject: [PATCH] import libxml2-2.9.7-8.el8 --- SOURCES/libxml2-2.9.7-CVE-2019-20388.patch | 33 ++++++++++++++++++++++ SOURCES/libxml2-2.9.7-CVE-2020-7595.patch | 32 +++++++++++++++++++++ SOURCES/libxml2-CVE-2019-19956.patch | 33 ++++++++++++++++++++++ SPECS/libxml2.spec | 13 ++++++++- 4 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 SOURCES/libxml2-2.9.7-CVE-2019-20388.patch create mode 100644 SOURCES/libxml2-2.9.7-CVE-2020-7595.patch create mode 100644 SOURCES/libxml2-CVE-2019-19956.patch diff --git a/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch b/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch new file mode 100644 index 0000000..49ff6fb --- /dev/null +++ b/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch @@ -0,0 +1,33 @@ +From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c8449..39d92182 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.24.1 + diff --git a/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch b/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch new file mode 100644 index 0000000..3dd6774 --- /dev/null +++ b/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch @@ -0,0 +1,32 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.24.1 + diff --git a/SOURCES/libxml2-CVE-2019-19956.patch b/SOURCES/libxml2-CVE-2019-19956.patch new file mode 100644 index 0000000..5bfb5d5 --- /dev/null +++ b/SOURCES/libxml2-CVE-2019-19956.patch @@ -0,0 +1,33 @@ +From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Wed, 7 Aug 2019 17:39:17 +0800 +Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover + +When doc is NULL, namespace created in xmlTreeEnsureXMLDecl +is bind to newDoc->oldNs, in this case, set newDoc->oldNs to +NULL and free newDoc will cause a memory leak. + +Found with libFuzzer. + +Closes #82. +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 1ce1ccf1..26d9f4e3 100644 +--- a/parser.c ++++ b/parser.c +@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax, + xmlFreeParserCtxt(ctxt); + newDoc->intSubset = NULL; + newDoc->extSubset = NULL; +- newDoc->oldNs = NULL; ++ if(doc != NULL) ++ newDoc->oldNs = NULL; + xmlFreeDoc(newDoc); + + return(ret); +-- +2.24.1 + diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec index ab17729..e393c24 100644 --- a/SPECS/libxml2.spec +++ b/SPECS/libxml2.spec @@ -7,7 +7,7 @@ Name: libxml2 Version: 2.9.7 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Library providing XML and HTML support License: MIT @@ -28,6 +28,12 @@ Patch4: libxml2-python3-unicode-errors.patch Patch5: libxml2-CVE-2018-9251.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1595989 Patch6: libxml2-CVE-2018-14404.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1793001 +Patch7: libxml2-CVE-2019-19956.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1799786 +Patch8: libxml2-2.9.7-CVE-2020-7595.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1810058 +Patch9: libxml2-2.9.7-CVE-2019-20388.patch BuildRequires: gcc BuildRequires: cmake-rpm-macros @@ -199,6 +205,11 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Mon Jan 20 2020 David King - 2.9.7-8 +- Fix CVE-2019-19956 (#1793001) +- Fix CVE-2020-7595 (#1799786) +- Fix CVE-2019-20388 (#1810058) + * Thu Oct 24 2019 David King - 2.9.7-7 - Fix CVE-2018-14404 (#1595989)