import libxml2-2.9.7-8.el8

2020-11-03 06:45:16 -05:00 · 2020-11-03 06:45:16 -05:00 · 99eafa2082
commit 99eafa2082
parent 7280c109a3
4 changed files with 110 additions and 1 deletions
--- a/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch
+++ b/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch
@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
+++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+     vctxt->nberrors = 0;
+     vctxt->depth = -1;
+     vctxt->skipDepth = -1;
+-    vctxt->xsiAssemble = 0;
+     vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+     vctxt->createIDCNodeTables = 1;
+-- 
+2.24.1
+
--- a/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch
+++ b/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch
@ -0,0 +1,32 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index d1c31963..a34bb6cd 100644
+--- a/parser.c
+++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
+           (c != end2) && (c != end3) &&
+           (ctxt->instate != XML_PARSER_EOF)) {
+ 
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
+-- 
+2.24.1
+
--- a/SOURCES/libxml2-CVE-2019-19956.patch
+++ b/SOURCES/libxml2-CVE-2019-19956.patch
@ -0,0 +1,33 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
+++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
+    if(doc != NULL)
+	newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
+-- 
+2.24.1
+
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@ -7,7 +7,7 @@

 Name:           libxml2
 Version:        2.9.7
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Library providing XML and HTML support

 License:        MIT
@ -28,6 +28,12 @@ Patch4:         libxml2-python3-unicode-errors.patch
 Patch5:         libxml2-CVE-2018-9251.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1595989
 Patch6:         libxml2-CVE-2018-14404.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1793001
+Patch7:         libxml2-CVE-2019-19956.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1799786
+Patch8:         libxml2-2.9.7-CVE-2020-7595.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1810058
+Patch9:         libxml2-2.9.7-CVE-2019-20388.patch

 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
@ -199,6 +205,11 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so

 %changelog
+* Mon Jan 20 2020 David King <dking@redhat.com> - 2.9.7-8
+- Fix CVE-2019-19956 (#1793001)
+- Fix CVE-2020-7595 (#1799786)
+- Fix CVE-2019-20388 (#1810058)
+
 * Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-7
 - Fix CVE-2018-14404 (#1595989)