From 9c27cf30f2eb6362a6c7c36e5cbc6365d13133e6 Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Wed, 14 May 2025 17:43:02 +0000 Subject: [PATCH] import UBI libxml2-2.12.5-5.el10_0 --- .gitignore | 5 +- .libxml2.metadata | 1 - .../libxml2-2.11.0-fix-CVE-2023-39615.patch | 32 - SOURCES/libxml2-2.9.0-do-not-check-crc.patch | 35 - SOURCES/libxml2-2.9.13-CVE-2022-49043.patch | 34 - SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch | 71 --- SOURCES/libxml2-2.9.13-CVE-2023-28484.patch | 74 --- .../libxml2-2.9.4-remove-pyverify_fd.patch | 12 - SOURCES/libxml2-2.9.7-CVE-2016-3709.patch | 88 --- SOURCES/libxml2-2.9.7-CVE-2019-20388.patch | 33 - SOURCES/libxml2-2.9.7-CVE-2020-24977.patch | 36 -- SOURCES/libxml2-2.9.7-CVE-2020-7595.patch | 32 - SOURCES/libxml2-2.9.7-CVE-2021-3516.patch | 31 - SOURCES/libxml2-2.9.7-CVE-2021-3517.patch | 49 -- SOURCES/libxml2-2.9.7-CVE-2021-3518.patch | 247 ------- SOURCES/libxml2-2.9.7-CVE-2021-3537.patch | 44 -- SOURCES/libxml2-2.9.7-CVE-2021-3541.patch | 67 -- SOURCES/libxml2-2.9.7-CVE-2022-23308.patch | 196 ------ SOURCES/libxml2-2.9.7-CVE-2022-29824.patch | 341 ---------- SOURCES/libxml2-2.9.7-CVE-2022-40303.patch | 600 ------------------ SOURCES/libxml2-2.9.7-CVE-2022-40304.patch | 100 --- SOURCES/libxml2-2.9.7-CVE-2023-29469.patch | 42 -- SOURCES/libxml2-2.9.7-CVE-2024-25062.patch | 29 - SOURCES/libxml2-CVE-2016-9597.patch | 191 ------ SOURCES/libxml2-CVE-2018-14404.patch | 54 -- SOURCES/libxml2-CVE-2018-9251.patch | 50 -- SOURCES/libxml2-CVE-2019-19956.patch | 33 - ...ibxml2-2.12.0-python3-unicode-errors.patch | 18 +- libxml2-2.12.5-CVE-2024-40896.patch | 37 ++ ...tch => libxml2-2.12.5-CVE-2024-56171.patch | 0 ...tch => libxml2-2.12.5-CVE-2025-24928.patch | 0 ...2-multilib.patch => libxml2-multilib.patch | 8 +- SPECS/libxml2.spec => libxml2.spec | 403 ++++++------ sources | 4 + 34 files changed, 281 insertions(+), 2716 deletions(-) delete mode 100644 .libxml2.metadata delete mode 100644 SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch delete mode 100644 SOURCES/libxml2-2.9.0-do-not-check-crc.patch delete mode 
100644 SOURCES/libxml2-2.9.13-CVE-2022-49043.patch delete mode 100644 SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch delete mode 100644 SOURCES/libxml2-2.9.13-CVE-2023-28484.patch delete mode 100644 SOURCES/libxml2-2.9.4-remove-pyverify_fd.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2016-3709.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2019-20388.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2020-24977.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2020-7595.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2021-3516.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2021-3517.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2021-3518.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2021-3537.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2021-3541.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2022-23308.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2022-29824.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2022-40303.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2022-40304.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2023-29469.patch delete mode 100644 SOURCES/libxml2-2.9.7-CVE-2024-25062.patch delete mode 100644 SOURCES/libxml2-CVE-2016-9597.patch delete mode 100644 SOURCES/libxml2-CVE-2018-14404.patch delete mode 100644 SOURCES/libxml2-CVE-2018-9251.patch delete mode 100644 SOURCES/libxml2-CVE-2019-19956.patch rename SOURCES/libxml2-python3-unicode-errors.patch => libxml2-2.12.0-python3-unicode-errors.patch (62%) create mode 100644 libxml2-2.12.5-CVE-2024-40896.patch rename SOURCES/libxml2-2.9.13-CVE-2024-56171.patch => libxml2-2.12.5-CVE-2024-56171.patch (100%) rename SOURCES/libxml2-2.9.13-CVE-2025-24928.patch => libxml2-2.12.5-CVE-2025-24928.patch (100%) rename SOURCES/libxml2-multilib.patch => libxml2-multilib.patch (92%) rename SPECS/libxml2.spec => libxml2.spec (64%) create mode 100644 sources diff --git a/.gitignore b/.gitignore index 511619f..1d0297a 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1 +1,4 @@
-SOURCES/libxml2-2.9.7.tar.gz
+libxml2-2.12.5.tar.xz
+xmlts20080827.tar.gz
+xsts-2002-01-16.tar.gz
+xsts-2004-01-14.tar.gz
diff --git a/.libxml2.metadata b/.libxml2.metadata
deleted file mode 100644
index 30c379d..0000000
--- a/.libxml2.metadata
+++ /dev/null
@@ -1 +0,0 @@
-ab3325e6cdda50ab2382fdfe0bdb6f7d1b9224a6 SOURCES/libxml2-2.9.7.tar.gz
diff --git a/SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch b/SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
deleted file mode 100644
index 50fba55..0000000
--- a/SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Sat, 6 May 2023 17:47:37 +0200
-Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
-
-For some reason, xmlCtxtUseOptionsInternal set the start and end element
-SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
-was specified. This means that custom SAX handlers could never work with
-that flag because these functions would receive the wrong user data
-argument and crash immediately.
-
-Fixes #535.
----
- parser.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/parser.c b/parser.c
-index bb05791d3..0c8bed129 100644
---- a/parser.c
-+++ b/parser.c
-@@ -14479,8 +14479,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
- }
- #ifdef LIBXML_SAX1_ENABLED
- if (options & XML_PARSE_SAX1) {
-- ctxt->sax->startElement = xmlSAX2StartElement;
-- ctxt->sax->endElement = xmlSAX2EndElement;
- ctxt->sax->startElementNs = NULL;
- ctxt->sax->endElementNs = NULL;
- ctxt->sax->initialized = 1;
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.0-do-not-check-crc.patch b/SOURCES/libxml2-2.9.0-do-not-check-crc.patch
deleted file mode 100644
index 3e65077..0000000
--- a/SOURCES/libxml2-2.9.0-do-not-check-crc.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c
---- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200
-+++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100
-@@ -552,17 +552,20 @@ xz_decomp(xz_statep state)
- #ifdef HAVE_ZLIB_H
- if (state->how == GZIP) {
- if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
-- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
-- return -1;
-- }
-- if (crc != state->zstrm.adler) {
-- xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
-- return -1;
-- }
-- if (len != (state->zstrm.total_out & 0xffffffffL)) {
-- xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
-- return -1;
-- }
-+ /*
-+ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
-+ return -1;
-+ */
-+ } else {
-+ if (crc != state->zstrm.adler) {
-+ xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
-+ return -1;
-+ }
-+ if (len != (state->zstrm.total_out & 0xffffffffL)) {
-+ xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
-+ return -1;
-+ }
-+ }
- state->strm.avail_in = 0;
- state->strm.next_in = NULL;
- state->strm.avail_out = 0;
diff --git a/SOURCES/libxml2-2.9.13-CVE-2022-49043.patch b/SOURCES/libxml2-2.9.13-CVE-2022-49043.patch
deleted file mode 100644
index e39b0eb..0000000
--- a/SOURCES/libxml2-2.9.13-CVE-2022-49043.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6bb146a3ea24a9bacfad6fe67268f0404af37d9c Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Wed, 2 Nov 2022 16:13:27 +0100
-Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
-
-Found with libFuzzer, see #344.
----
- xinclude.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xinclude.c b/xinclude.c
-index 2a0614d7..e32b3419 100644
---- a/xinclude.c
-+++ b/xinclude.c
-@@ -614,14 +614,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
- }
- URL = xmlSaveUri(uri);
- xmlFreeURI(uri);
-- xmlFree(URI);
- if (URL == NULL) {
- xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
- "invalid value URI %s\n", URI);
- if (fragment != NULL)
- xmlFree(fragment);
-+ xmlFree(URI);
- return(-1);
- }
-+ xmlFree(URI);
-
- /*
- * If local and xml then we need a fragment
---
-2.48.1
-
diff --git a/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch b/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
deleted file mode 100644
index 7e0b61d..0000000
--- a/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 13 Sep 2022 16:40:31 +0200
-Subject: [PATCH] schemas: Fix null-pointer-deref in
- xmlSchemaCheckCOSSTDerivedOK
-
-Found by OSS-Fuzz.
----
- result/schemas/oss-fuzz-51295_0_0.err | 2 ++
- test/schemas/oss-fuzz-51295_0.xml | 1 +
- test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
- xmlschemas.c | 15 +++++++++++++--
- 4 files changed, 20 insertions(+), 2 deletions(-)
- create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
- create mode 100644 test/schemas/oss-fuzz-51295_0.xml
- create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
-
-diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
-new file mode 100644
-index 00000000..1e89524f
---- /dev/null
-+++ b/result/schemas/oss-fuzz-51295_0_0.err
-@@ -0,0 +1,2 @@
-+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
-+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
-diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
-new file mode 100644
-index 00000000..10a7e703
---- /dev/null
-+++ b/test/schemas/oss-fuzz-51295_0.xml
-@@ -0,0 +1 @@
-+
-diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
-new file mode 100644
-index 00000000..fde96af5
---- /dev/null
-+++ b/test/schemas/oss-fuzz-51295_0.xsd
-@@ -0,0 +1,4 @@
-+
-+
-+
-+
-diff --git a/xmlschemas.c b/xmlschemas.c
-index f31d3d1f..152b7c3f 100644
---- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
- * declaration `resolved` to by the `actual value`
- * of the substitutionGroup [attribute], if present"
- */
-- if (elemDecl->subtypes == NULL)
-- elemDecl->subtypes = substHead->subtypes;
-+ if (elemDecl->subtypes == NULL) {
-+ if (substHead->subtypes == NULL) {
-+ /*
-+ * This can happen with self-referencing substitution
-+ * groups. The cycle will be detected later, but we have
-+ * to set subtypes to avoid null-pointer dereferences.
-+ */
-+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
-+ XML_SCHEMAS_ANYTYPE);
-+ } else {
-+ elemDecl->subtypes = substHead->subtypes;
-+ }
-+ }
- }
- }
- /*
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch b/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
deleted file mode 100644
index 052ab15..0000000
--- a/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 7 Apr 2023 11:46:35 +0200 -Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType - -Fix a null pointer dereference when parsing (invalid) XML schemas. - -Thanks to Robby Simpson for the report! - -Fixes #491. ---- - result/schemas/issue491_0_0.err | 1 + - test/schemas/issue491_0.xml | 1 + - test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ - xmlschemas.c | 2 +- - 4 files changed, 21 insertions(+), 1 deletion(-) - create mode 100644 result/schemas/issue491_0_0.err - create mode 100644 test/schemas/issue491_0.xml - create mode 100644 test/schemas/issue491_0.xsd - -diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err -new file mode 100644 -index 00000000..9b2bb969 ---- /dev/null -+++ b/result/schemas/issue491_0_0.err -@@ -0,0 +1 @@ -+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. -diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml -new file mode 100644 -index 00000000..e2b2fc2e ---- /dev/null -+++ b/test/schemas/issue491_0.xml -@@ -0,0 +1 @@ -+5 -diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd -new file mode 100644 -index 00000000..81702649 ---- /dev/null -+++ b/test/schemas/issue491_0.xsd -@@ -0,0 +1,18 @@ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/xmlschemas.c b/xmlschemas.c -index 152b7c3f..eec24a95 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, - "allowed to appear inside other model groups", - NULL, NULL); - -- } else if (! 
dummySequence) { -+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) { - xmlSchemaTreeItemPtr effectiveContent = - (xmlSchemaTreeItemPtr) type->subtypes; - /* --- -GitLab - diff --git a/SOURCES/libxml2-2.9.4-remove-pyverify_fd.patch b/SOURCES/libxml2-2.9.4-remove-pyverify_fd.patch deleted file mode 100644 index d05d4cb..0000000 --- a/SOURCES/libxml2-2.9.4-remove-pyverify_fd.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nur libxml2-2.9.4.orig/python/types.c libxml2-2.9.4/python/types.c ---- libxml2-2.9.4.orig/python/types.c 2016-02-09 03:17:33.000000000 -0700 -+++ libxml2-2.9.4/python/types.c 2016-12-21 12:34:06.755650986 -0700 -@@ -31,8 +31,6 @@ - const char *mode; - - fd = PyObject_AsFileDescriptor(f); -- if (!_PyVerify_fd(fd)) -- return(NULL); - /* - * Get the flags on the fd to understand how it was opened - */ diff --git a/SOURCES/libxml2-2.9.7-CVE-2016-3709.patch b/SOURCES/libxml2-2.9.7-CVE-2016-3709.patch deleted file mode 100644 index 1306320..0000000 --- a/SOURCES/libxml2-2.9.7-CVE-2016-3709.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 15 Aug 2020 18:32:29 +0200 -Subject: [PATCH] Revert "Do not URI escape in server side includes" - -This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588. - -This commit introduced - -- an infinite loop, found by OSS-Fuzz, which could be easily fixed. -- an algorithm with quadratic runtime -- a security issue, see - https://bugzilla.gnome.org/show_bug.cgi?id=769760 - -A better approach is to add an option not to escape URLs at all -which libxml2 should have possibly done in the first place. ---- - HTMLtree.c | 49 +++++++++++-------------------------------------- - 1 file changed, 11 insertions(+), 38 deletions(-) - -diff --git a/HTMLtree.c b/HTMLtree.c -index 8d236bb3..cdb7f86a 100644 ---- a/HTMLtree.c -+++ b/HTMLtree.c -@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur, - (!xmlStrcasecmp(cur->name, BAD_CAST "src")) || - ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) && - (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) { -+ xmlChar *escaped; - xmlChar *tmp = value; -- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */ -- xmlBufCCat(buf->buffer, "\""); - - while (IS_BLANK_CH(*tmp)) tmp++; - -- /* URI Escape everything, except server side includes. */ -- for ( ; ; ) { -- xmlChar *escaped; -- xmlChar endChar; -- xmlChar *end = NULL; -- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST ""); -- if (end != NULL) { -- *start = '\0'; -- } -- } -- -- /* Escape the whole string, or until start (set to '\0'). */ -- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+"); -- if (escaped != NULL) { -- xmlBufCat(buf->buffer, escaped); -- xmlFree(escaped); -- } else { -- xmlBufCat(buf->buffer, tmp); -- } -- -- if (end == NULL) { /* Everything has been written. */ -- break; -- } -- -- /* Do not escape anything within server side includes. 
*/ -- *start = '<'; /* Restore the first character of "") */ -- endChar = *end; -- *end = '\0'; -- xmlBufCat(buf->buffer, start); -- *end = endChar; -- tmp = end; -+ /* -+ * the < and > have already been escaped at the entity level -+ * And doing so here breaks server side includes -+ */ -+ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>"); -+ if (escaped != NULL) { -+ xmlBufWriteQuotedString(buf->buffer, escaped); -+ xmlFree(escaped); -+ } else { -+ xmlBufWriteQuotedString(buf->buffer, value); - } -- -- xmlBufCCat(buf->buffer, "\""); - } else { - xmlBufWriteQuotedString(buf->buffer, value); - } --- -GitLab - diff --git a/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch b/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch deleted file mode 100644 index 49ff6fb..0000000 --- a/SOURCES/libxml2-2.9.7-CVE-2019-20388.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 -From: Zhipeng Xie -Date: Tue, 20 Aug 2019 16:33:06 +0800 -Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream - -When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun -alloc a new schema for ctxt->schema and set vctxt->xsiAssemble -to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize -vctxt->xsiAssemble to 0 again which cause the alloced schema -can not be freed anymore. - -Found with libFuzzer. - -Signed-off-by: Zhipeng Xie ---- - xmlschemas.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 301c8449..39d92182 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { - vctxt->nberrors = 0; - vctxt->depth = -1; - vctxt->skipDepth = -1; -- vctxt->xsiAssemble = 0; - vctxt->hasKeyrefs = 0; - #ifdef ENABLE_IDC_NODE_TABLES_TEST - vctxt->createIDCNodeTables = 1; --- -2.24.1 - diff --git a/SOURCES/libxml2-2.9.7-CVE-2020-24977.patch b/SOURCES/libxml2-2.9.7-CVE-2020-24977.patch deleted file mode 100644 index fe4b398..0000000 
--- a/SOURCES/libxml2-2.9.7-CVE-2020-24977.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Fri, 7 Aug 2020 21:54:27 +0200
-Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
-
-Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
-array access.
-
-Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
-the report.
-
-Fixes #178.
----
- xmllint.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/xmllint.c b/xmllint.c
-index f6a8e4636..c647486f3 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -528,6 +528,12 @@ static void
- xmlHTMLEncodeSend(void) {
- char *result;
-
-+ /*
-+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
-+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
-+ * an out-of-bounds read.
-+ */
-+ memset(&buffer[sizeof(buffer)-4], 0, 4);
- result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
- if (result) {
- xmlGenericError(xmlGenericErrorContext, "%s", result);
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch b/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch
deleted file mode 100644
index 3dd6774..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2020-7595.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie
-Date: Thu, 12 Dec 2019 17:30:55 +0800
-Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
-
-When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
-return NULL which cause a infinite loop in xmlStringLenDecodeEntities
-
-Found with libFuzzer.
-
-Signed-off-by: Zhipeng Xie
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index d1c31963..a34bb6cd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
- else
- c = 0;
- while ((c != 0) && (c != end) && /* non input consuming loop */
-- (c != end2) && (c != end3)) {
-+ (c != end2) && (c != end3) &&
-+ (ctxt->instate != XML_PARSER_EOF)) {
-
- if (c == 0) break;
- if ((c == '&') && (str[1] == '#')) {
---
-2.24.1
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3516.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3516.patch
deleted file mode 100644
index 10093b6..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2021-3516.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Wed, 21 Apr 2021 13:23:27 +0200
-Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
-
-Call htmlCtxtUseOptions to make sure that names aren't stored in
-dictionaries.
-
-Note that this issue only affects xmllint using the HTML push parser.
-
-Fixes #230.
----
- xmllint.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xmllint.c b/xmllint.c
-index 6ca1bf54..dbef273a 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
- if (res > 0) {
- ctxt = htmlCreatePushParserCtxt(NULL, NULL,
- chars, res, filename, XML_CHAR_ENCODING_NONE);
-- xmlCtxtUseOptions(ctxt, options);
-+ htmlCtxtUseOptions(ctxt, options);
- while ((res = fread(chars, 1, pushsize, f)) > 0) {
- htmlParseChunk(ctxt, chars, res, 0);
- }
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3517.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3517.patch
deleted file mode 100644
index e3ef736..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2021-3517.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
-From: Joel Hockey
-Date: Sun, 16 Aug 2020 17:19:35 -0700
-Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
-
-Code is currently assuming UTF-8 without validating. Truncated UTF-8
-input can cause out-of-bounds array access.
-
-Adds further checks to partial fix in 50f06b3e.
-
-Fixes #178
----
- entities.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/entities.c b/entities.c
-index 37b99a56..1a8f86f0 100644
---- a/entities.c
-+++ b/entities.c
-@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
- } else {
- /*
- * We assume we have UTF-8 input.
-+ * It must match either:
-+ * 110xxxxx 10xxxxxx
-+ * 1110xxxx 10xxxxxx 10xxxxxx
-+ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
-+ * That is:
-+ * cur[0] is 11xxxxxx
-+ * cur[1] is 10xxxxxx
-+ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
-+ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
-+ * cur[0] is not 11111xxx
- */
- char buf[11], *ptr;
- int val = 0, l = 1;
-
-- if (*cur < 0xC0) {
-+ if (((cur[0] & 0xC0) != 0xC0) ||
-+ ((cur[1] & 0xC0) != 0x80) ||
-+ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
-+ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
-+ (((cur[0] & 0xF8) == 0xF8))) {
- xmlEntitiesErr(XML_CHECK_NOT_UTF8,
- "xmlEncodeEntities: input not UTF-8");
- if (doc != NULL)
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3518.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3518.patch
deleted file mode 100644
index e5861c2..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2021-3518.patch
+++ /dev/null
@@ -1,247 +0,0 @@ -From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 10 Jun 2020 16:34:52 +0200 -Subject: [PATCH 1/2] Don't recurse into xi:include children in - xmlXIncludeDoProcess - -Otherwise, nested xi:include nodes might result in a use-after-free -if XML_PARSE_NOXINCNODE is specified. - -Found with libFuzzer and ASan. ---- - result/XInclude/fallback3.xml | 8 ++++++++ - result/XInclude/fallback3.xml.err | 0 - result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++ - result/XInclude/fallback4.xml | 10 ++++++++++ - result/XInclude/fallback4.xml.err | 0 - result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++ - test/XInclude/docs/fallback3.xml | 9 +++++++++ - test/XInclude/docs/fallback4.xml | 7 +++++++ - xinclude.c | 24 ++++++++++-------------- - 9 files changed, 98 insertions(+), 14 deletions(-) - create mode 100644 result/XInclude/fallback3.xml - create mode 100644 result/XInclude/fallback3.xml.err - create mode 100644 result/XInclude/fallback3.xml.rdr - create mode 100644 result/XInclude/fallback4.xml - create mode 100644 result/XInclude/fallback4.xml.err - create mode 100644 result/XInclude/fallback4.xml.rdr - create mode 100644 test/XInclude/docs/fallback3.xml - create mode 100644 test/XInclude/docs/fallback4.xml - -diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml -new file mode 100644 -index 00000000..b4235514 ---- /dev/null -+++ b/result/XInclude/fallback3.xml -@@ -0,0 +1,8 @@ -+ -+ -+ -+

something

-+

really

-+

simple

-+
-+
-diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err -new file mode 100644 -index 00000000..e69de29b -diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr -new file mode 100644 -index 00000000..aa2f1374 ---- /dev/null -+++ b/result/XInclude/fallback3.xml.rdr -@@ -0,0 +1,25 @@ -+0 1 a 0 0 -+1 14 #text 0 1 -+ -+1 1 doc 0 0 -+2 14 #text 0 1 -+ -+2 1 p 0 0 -+3 3 #text 0 1 something -+2 15 p 0 0 -+2 14 #text 0 1 -+ -+2 1 p 0 0 -+3 3 #text 0 1 really -+2 15 p 0 0 -+2 14 #text 0 1 -+ -+2 1 p 0 0 -+3 3 #text 0 1 simple -+2 15 p 0 0 -+2 14 #text 0 1 -+ -+1 15 doc 0 0 -+1 14 #text 0 1 -+ -+0 15 a 0 0 -diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml -new file mode 100644 -index 00000000..9883fd54 ---- /dev/null -+++ b/result/XInclude/fallback4.xml -@@ -0,0 +1,10 @@ -+ -+ -+ -+ -+

something

-+

really

-+

simple

-+
-+ -+
-diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err -new file mode 100644 -index 00000000..e69de29b -diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr -new file mode 100644 -index 00000000..628b9513 ---- /dev/null -+++ b/result/XInclude/fallback4.xml.rdr -@@ -0,0 +1,29 @@ -+0 1 a 0 0 -+1 14 #text 0 1 -+ -+1 14 #text 0 1 -+ -+1 1 doc 0 0 -+2 14 #text 0 1 -+ -+2 1 p 0 0 -+3 3 #text 0 1 something -+2 15 p 0 0 -+2 14 #text 0 1 -+ -+2 1 p 0 0 -+3 3 #text 0 1 really -+2 15 p 0 0 -+2 14 #text 0 1 -+ -+2 1 p 0 0 -+3 3 #text 0 1 simple -+2 15 p 0 0 -+2 14 #text 0 1 -+ -+1 15 doc 0 0 -+1 14 #text 0 1 -+ -+1 14 #text 0 1 -+ -+0 15 a 0 0 -diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml -new file mode 100644 -index 00000000..0c8b6c9e ---- /dev/null -+++ b/test/XInclude/docs/fallback3.xml -@@ -0,0 +1,9 @@ -+ -+ -+ -+ -+ There is no c.xml ... -+ -+ -+ -+ -diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml -new file mode 100644 -index 00000000..b500a635 ---- /dev/null -+++ b/test/XInclude/docs/fallback4.xml -@@ -0,0 +1,7 @@ -+ -+ -+ -+ -+ -+ -+ -diff --git a/xinclude.c b/xinclude.c -index ba850fa5..f260c1a7 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { - * First phase: lookup the elements in the document - */ - cur = tree; -- if (xmlXIncludeTestNode(ctxt, cur) == 1) -- xmlXIncludePreProcessNode(ctxt, cur); - while ((cur != NULL) && (cur != tree->parent)) { - /* TODO: need to work on entities -> stack */ -- if ((cur->children != NULL) && -- (cur->children->type != XML_ENTITY_DECL) && -- (cur->children->type != XML_XINCLUDE_START) && -- (cur->children->type != XML_XINCLUDE_END)) { -- cur = cur->children; -- if (xmlXIncludeTestNode(ctxt, cur)) -- xmlXIncludePreProcessNode(ctxt, cur); -- } else if (cur->next != NULL) { -+ if (xmlXIncludeTestNode(ctxt, cur) == 
1) { -+ xmlXIncludePreProcessNode(ctxt, cur); -+ } else if ((cur->children != NULL) && -+ (cur->children->type != XML_ENTITY_DECL) && -+ (cur->children->type != XML_XINCLUDE_START) && -+ (cur->children->type != XML_XINCLUDE_END)) { -+ cur = cur->children; -+ continue; -+ } -+ if (cur->next != NULL) { - cur = cur->next; -- if (xmlXIncludeTestNode(ctxt, cur)) -- xmlXIncludePreProcessNode(ctxt, cur); - } else { - if (cur == tree) - break; -@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { - break; /* do */ - if (cur->next != NULL) { - cur = cur->next; -- if (xmlXIncludeTestNode(ctxt, cur)) -- xmlXIncludePreProcessNode(ctxt, cur); - break; /* do */ - } - } while (cur != NULL); --- -2.31.1 - - -From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 22 Apr 2021 19:26:28 +0200 -Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd` - -The --dropdtd option can leave dangling pointers in entity reference -nodes. Make sure to skip these nodes when processing XIncludes. - -This also avoids scanning entity declarations and even modifying -them inadvertently during XInclude processing. - -Move from a block list to an allow list approach to avoid descending -into other node types that can't contain elements. - -Fixes #237. 
----
- xinclude.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/xinclude.c b/xinclude.c
-index f260c1a7..d7648529 100644
---- a/xinclude.c
-+++ b/xinclude.c
-@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
- if (xmlXIncludeTestNode(ctxt, cur) == 1) {
- xmlXIncludePreProcessNode(ctxt, cur);
- } else if ((cur->children != NULL) &&
-- (cur->children->type != XML_ENTITY_DECL) &&
-- (cur->children->type != XML_XINCLUDE_START) &&
-- (cur->children->type != XML_XINCLUDE_END)) {
-+ ((cur->type == XML_DOCUMENT_NODE) ||
-+ (cur->type == XML_ELEMENT_NODE))) {
- cur = cur->children;
- continue;
- }
---
-2.31.1
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3537.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3537.patch
deleted file mode 100644
index 3df1539..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2021-3537.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Sat, 1 May 2021 16:53:33 +0200
-Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
-
-Check return value of recursive calls to
-xmlParseElementChildrenContentDeclPriv and return immediately in case
-of errors. Otherwise, struct xmlElementContent could contain unexpected
-null pointers, leading to a null deref when post-validating documents
-which aren't well-formed and parsed in recovery mode.
-
-Fixes #243.
----
- parser.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index b42e6043..73c27edd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
- SKIP_BLANKS;
- cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
- depth + 1);
-+ if (cur == NULL)
-+ return(NULL);
- SKIP_BLANKS;
- GROW;
- } else {
-@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
- SKIP_BLANKS;
- last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
- depth + 1);
-+ if (last == NULL) {
-+ if (ret != NULL)
-+ xmlFreeDocElementContent(ctxt->myDoc, ret);
-+ return(NULL);
-+ }
- SKIP_BLANKS;
- } else {
- elem = xmlParseName(ctxt);
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3541.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3541.patch
deleted file mode 100644
index 2dbdafe..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2021-3541.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
-From: Daniel Veillard
-Date: Thu, 13 May 2021 14:55:12 +0200
-Subject: [PATCH] Patch for security issue CVE-2021-3541
-
-This is relapted to parameter entities expansion and following
-the line of the billion laugh attack. Somehow in that path the
-counting of parameters was missed and the normal algorithm based
-on entities "density" was useless.
----
- parser.c | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index f5e5e169..c9312fa4 100644
---- a/parser.c
-+++ b/parser.c
-@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- xmlEntityPtr ent, size_t replacement)
- {
- size_t consumed = 0;
-+ int i;
-
- if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
- return (0);
-@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- rep = NULL;
- }
- }
-+
-+ /*
-+ * Prevent entity exponential check, not just replacement while
-+ * parsing the DTD
-+ * The check is potentially costly so do that only once in a thousand
-+ */
-+ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
-+ (ctxt->nbentities % 1024 == 0)) {
-+ for (i = 0;i < ctxt->inputNr;i++) {
-+ consumed += ctxt->inputTab[i]->consumed +
-+ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
-+ }
-+ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
-+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
-+ ctxt->instate = XML_PARSER_EOF;
-+ return (1);
-+ }
-+ consumed = 0;
-+ }
-+
-+
-+
- if (replacement != 0) {
- if (replacement < XML_MAX_TEXT_LENGTH)
- return(0);
-@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- xmlChar start[4];
- xmlCharEncoding enc;
-
-+ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
-+ return;
-+
- if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
- ((ctxt->options & XML_PARSE_NOENT) == 0) &&
- ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
---
-GitLab
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2022-23308.patch b/SOURCES/libxml2-2.9.7-CVE-2022-23308.patch
deleted file mode 100644
index 984f15f..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2022-23308.patch
+++ /dev/null
@@ -1,196 +0,0 @@
-From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 8 Feb 2022 03:29:24 +0100
-Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
-
-If a document is parsed with XML_PARSE_DTDVALID and without
-XML_PARSE_NOENT, the value of ID attributes has to be normalized after
-potentially expanding entities in xmlRemoveID. Otherwise, later calls
-to xmlGetID can return a pointer to previously freed memory.
-
-ID attributes which are empty or contain only whitespace after
-entity expansion are affected in a similar way. This is fixed by
-not storing such attributes in the ID table.
-
-The test to detect streaming mode when validating against a DTD was
-broken. In connection with the defects above, this could result in a
-use-after-free when using the xmlReader interface with validation.
-Fix detection of streaming mode to avoid similar issues. (This changes
-the expected result of a test case. But as far as I can tell, using the
-XML reader with XIncludes referencing the root document never worked
-properly, anyway.)
-
-All of these issues can result in denial of service. Using xmlReader
-with validation could result in disclosure of memory via the error
-channel, typically stderr. The security impact of xmlGetID returning
-a pointer to freed memory depends on the application. The typical use
-case of calling xmlGetID on an unmodified document is not affected.
----
- valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
- 1 file changed, 55 insertions(+), 33 deletions(-)
-
-diff --git a/valid.c b/valid.c
-index a64b96be..5b81059f 100644
---- a/valid.c
-+++ b/valid.c
-@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
- return (ret);
- }
-
-+/**
-+ * xmlValidNormalizeString:
-+ * @str: a string
-+ *
-+ * Normalize a string in-place.
-+ */
-+static void
-+xmlValidNormalizeString(xmlChar *str) {
-+ xmlChar *dst;
-+ const xmlChar *src;
-+
-+ if (str == NULL)
-+ return;
-+ src = str;
-+ dst = str;
-+
-+ while (*src == 0x20) src++;
-+ while (*src != 0) {
-+ if (*src == 0x20) {
-+ while (*src == 0x20) src++;
-+ if (*src != 0)
-+ *dst++ = 0x20;
-+ } else {
-+ *dst++ = *src++;
-+ }
-+ }
-+ *dst = 0;
-+}
-+
- #ifdef DEBUG_VALID_ALGO
- static void
- xmlValidPrintNode(xmlNodePtr cur) {
-@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
- (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
- xmlFree((char *)(str));
-
-+static int
-+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
-+ xmlParserCtxtPtr pctxt;
-+
-+ if (ctxt == NULL)
-+ return(0);
-+ /*
-+ * These magic values are also abused to detect whether we're validating
-+ * while parsing a document. In this case, userData points to the parser
-+ * context.
-+ */
-+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
-+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
-+ return(0);
-+ pctxt = ctxt->userData;
-+ return(pctxt->parseMode == XML_PARSE_READER);
-+}
-+
- /**
- * xmlFreeID:
- * @not: A id
-@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
- if (doc == NULL) {
- return(NULL);
- }
-- if (value == NULL) {
-+ if ((value == NULL) || (value[0] == 0)) {
- return(NULL);
- }
- if (attr == NULL) {
-@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
- */
- ret->value = xmlStrdup(value);
- ret->doc = doc;
-- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
-+ if (xmlIsStreaming(ctxt)) {
- /*
- * Operating in streaming mode, attr is gonna disapear
- */
-@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
- ID = xmlNodeListGetString(doc, attr->children, 1);
- if (ID == NULL)
- return(-1);
-+ xmlValidNormalizeString(ID);
-
- id = xmlHashLookup(table, ID);
- if (id == NULL || id->attr != attr) {
-@@ -2942,7 +2990,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
- * fill the structure.
- */
- ret->value = xmlStrdup(value);
-- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
-+ if (xmlIsStreaming(ctxt)) {
- /*
- * Operating in streaming mode, attr is gonna disapear
- */
-@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- xmlChar *
- xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
-- xmlChar *ret, *dst;
-- const xmlChar *src;
-+ xmlChar *ret;
- xmlAttributePtr attrDecl = NULL;
- int extsubset = 0;
-
-@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- ret = xmlStrdup(value);
- if (ret == NULL)
- return(NULL);
-- src = value;
-- dst = ret;
-- while (*src == 0x20) src++;
-- while (*src != 0) {
-- if (*src == 0x20) {
-- while (*src == 0x20) src++;
-- if (*src != 0)
-- *dst++ = 0x20;
-- } else {
-- *dst++ = *src++;
-- }
-- }
-- *dst = 0;
-+ xmlValidNormalizeString(ret);
- if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
- xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
- "standalone: %s on %s value had to be normalized based on external subset declaration\n",
-@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- xmlChar *
- xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
- const xmlChar *name, const xmlChar *value) {
-- xmlChar *ret, *dst;
-- const xmlChar *src;
-+ xmlChar *ret;
- xmlAttributePtr attrDecl = NULL;
-
- if (doc == NULL) return(NULL);
-@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
- ret = xmlStrdup(value);
- if (ret == NULL)
- return(NULL);
-- src = value;
-- dst = ret;
-- while (*src == 0x20) src++;
-- while (*src != 0) {
-- if (*src == 0x20) {
-- while (*src == 0x20) src++;
-- if (*src != 0)
-- *dst++ = 0x20;
-- } else {
-- *dst++ = *src++;
-- }
-- }
-- *dst = 0;
-+ xmlValidNormalizeString(ret);
- return(ret);
- }
-
---
-2.35.1
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2022-29824.patch b/SOURCES/libxml2-2.9.7-CVE-2022-29824.patch
deleted file mode 100644
index 516d391..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2022-29824.patch
+++ /dev/null
@@ -1,341 +0,0 @@ -From d410ac5b7ef6ecf1254606408d55f98547c22bda Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 8 Mar 2022 20:10:02 +0100 -Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and - xmlBuffer - -In several places, the code handling string buffers didn't check for -integer overflow or used wrong types for buffer sizes. This could -result in out-of-bounds writes or other memory errors when working on -large, multi-gigabyte buffers. - -Thanks to Felix Wilhelm for the report. ---- - buf.c | 86 +++++++++++++++++++++++----------------------------------- - tree.c | 72 ++++++++++++++++++------------------------------ - 2 files changed, 61 insertions(+), 97 deletions(-) - -diff --git a/buf.c b/buf.c -index 21cb9d80..f861d79b 100644 ---- a/buf.c -+++ b/buf.c -@@ -30,6 +30,10 @@ - #include /* for XML_MAX_TEXT_LENGTH */ - #include "buf.h" - -+#ifndef SIZE_MAX -+#define SIZE_MAX ((size_t) -1) -+#endif -+ - #define WITH_BUFFER_COMPAT - - /** -@@ -156,6 +160,8 @@ xmlBufPtr - xmlBufCreateSize(size_t size) { - xmlBufPtr ret; - -+ if (size == SIZE_MAX) -+ return(NULL); - ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf)); - if (ret == NULL) { - xmlBufMemoryError(NULL, "creating buffer"); -@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) { - ret->error = 0; - ret->buffer = NULL; - ret->alloc = xmlBufferAllocScheme; -- ret->size = (size ? size+2 : 0); /* +1 for ending null */ -- ret->compat_size = (int) ret->size; -+ ret->size = (size ? size + 1 : 0); /* +1 for ending null */ -+ ret->compat_size = (ret->size > INT_MAX ? 
INT_MAX : ret->size); - if (ret->size){ - ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); - if (ret->content == NULL) { -@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - CHECK_COMPAT(buf) - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); -- if (buf->use + len < buf->size) -+ if (len < buf->size - buf->use) - return(buf->size - buf->use); -+ if (len > SIZE_MAX - buf->use) -+ return(0); - -- /* -- * Windows has a BIG problem on realloc timing, so we try to double -- * the buffer size (if that's enough) (bug 146697) -- * Apparently BSD too, and it's probably best for linux too -- * On an embedded system this may be something to change -- */ --#if 1 -- if (buf->size > (size_t) len) -- size = buf->size * 2; -- else -- size = buf->use + len + 100; --#else -- size = buf->use + len + 100; --#endif -+ if (buf->size > (size_t) len) { -+ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2; -+ } else { -+ size = buf->use + len; -+ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100; -+ } - - if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { - /* -@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf) - int - xmlBufResize(xmlBufPtr buf, size_t size) - { -- unsigned int newSize; -+ size_t newSize; - xmlChar* rebuf = NULL; - size_t start_buf; - -@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size) - case XML_BUFFER_ALLOC_IO: - case XML_BUFFER_ALLOC_DOUBLEIT: - /*take care of empty case*/ -- newSize = (buf->size ? buf->size*2 : size + 10); -+ if (buf->size == 0) { -+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); -+ } else { -+ newSize = buf->size; -+ } - while (size > newSize) { -- if (newSize > UINT_MAX / 2) { -+ if (newSize > SIZE_MAX / 2) { - xmlBufMemoryError(buf, "growing buffer"); - return 0; - } -@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) - } - break; - case XML_BUFFER_ALLOC_EXACT: -- newSize = size+10; -+ newSize = (size > SIZE_MAX - 10 ? 
SIZE_MAX : size + 10); - break; - case XML_BUFFER_ALLOC_HYBRID: - if (buf->use < BASE_BUFFER_SIZE) - newSize = size; - else { -- newSize = buf->size * 2; -+ newSize = buf->size; - while (size > newSize) { -- if (newSize > UINT_MAX / 2) { -+ if (newSize > SIZE_MAX / 2) { - xmlBufMemoryError(buf, "growing buffer"); - return 0; - } -@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size) - break; - - default: -- newSize = size+10; -+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); - break; - } - -@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size) - */ - int - xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { -- unsigned int needSize; -+ size_t needSize; - - if ((str == NULL) || (buf == NULL) || (buf->error)) - return -1; -@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { - if (len < 0) return -1; - if (len == 0) return 0; - -- needSize = buf->use + len + 2; -- if (needSize > buf->size){ -+ if ((size_t) len >= buf->size - buf->use) { -+ if ((size_t) len >= SIZE_MAX - buf->use) -+ return(-1); -+ needSize = buf->use + len + 1; - if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { - /* - * Used to provide parsing limits -@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) { - */ - int - xmlBufCCat(xmlBufPtr buf, const char *str) { -- const char *cur; -- -- if ((buf == NULL) || (buf->error)) -- return(-1); -- CHECK_COMPAT(buf) -- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1; -- if (str == NULL) { --#ifdef DEBUG_BUFFER -- xmlGenericError(xmlGenericErrorContext, -- "xmlBufCCat: str == NULL\n"); --#endif -- return -1; -- } -- for (cur = str;*cur != 0;cur++) { -- if (buf->use + 10 >= buf->size) { -- if (!xmlBufResize(buf, buf->use+10)){ -- xmlBufMemoryError(buf, "growing buffer"); -- return XML_ERR_NO_MEMORY; -- } -- } -- buf->content[buf->use++] = *cur; -- } -- buf->content[buf->use] = 0; -- UPDATE_COMPAT(buf) -- return 0; -+ return xmlBufCat(buf, (const xmlChar *) str); - } - - /** -diff --git 
a/tree.c b/tree.c -index 86a8da79..fc75f962 100644 ---- a/tree.c -+++ b/tree.c -@@ -7049,6 +7049,8 @@ xmlBufferPtr - xmlBufferCreateSize(size_t size) { - xmlBufferPtr ret; - -+ if (size >= UINT_MAX) -+ return(NULL); - ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer)); - if (ret == NULL) { - xmlTreeErrMemory("creating buffer"); -@@ -7056,7 +7058,7 @@ xmlBufferCreateSize(size_t size) { - } - ret->use = 0; - ret->alloc = xmlBufferAllocScheme; -- ret->size = (size ? size+2 : 0); /* +1 for ending null */ -+ ret->size = (size ? size + 1 : 0); /* +1 for ending null */ - if (ret->size){ - ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); - if (ret->content == NULL) { -@@ -7116,6 +7118,8 @@ xmlBufferCreateStatic(void *mem, size_t size) { - - if ((mem == NULL) || (size == 0)) - return(NULL); -+ if (size > UINT_MAX) -+ return(NULL); - - ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer)); - if (ret == NULL) { -@@ -7263,28 +7267,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) { - */ - int - xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { -- int size; -+ unsigned int size; - xmlChar *newbuf; - - if (buf == NULL) return(-1); - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); -- if (len + buf->use < buf->size) return(0); -+ if (len < buf->size - buf->use) -+ return(0); -+ if (len > UINT_MAX - buf->use) -+ return(-1); - -- /* -- * Windows has a BIG problem on realloc timing, so we try to double -- * the buffer size (if that's enough) (bug 146697) -- * Apparently BSD too, and it's probably best for linux too -- * On an embedded system this may be something to change -- */ --#if 1 -- if (buf->size > len) -- size = buf->size * 2; -- else -- size = buf->use + len + 100; --#else -- size = buf->use + len + 100; --#endif -+ if (buf->size > (size_t) len) { -+ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2; -+ } else { -+ size = buf->use + len; -+ size = size > UINT_MAX - 100 ? 
UINT_MAX : size + 100; -+ } - - if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { - size_t start_buf = buf->content - buf->contentIO; -@@ -7406,7 +7405,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) - case XML_BUFFER_ALLOC_IO: - case XML_BUFFER_ALLOC_DOUBLEIT: - /*take care of empty case*/ -- newSize = (buf->size ? buf->size*2 : size + 10); -+ if (buf->size == 0) -+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10); -+ else -+ newSize = buf->size; - while (size > newSize) { - if (newSize > UINT_MAX / 2) { - xmlTreeErrMemory("growing buffer"); -@@ -7416,7 +7418,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) - } - break; - case XML_BUFFER_ALLOC_EXACT: -- newSize = size+10; -+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);; - break; - case XML_BUFFER_ALLOC_HYBRID: - if (buf->use < BASE_BUFFER_SIZE) -@@ -7434,7 +7436,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) - break; - - default: -- newSize = size+10; -+ newSize = (size > UINT_MAX - 10 ? 
UINT_MAX : size + 10);; - break; - } - -@@ -7520,8 +7522,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) { - if (len < 0) return -1; - if (len == 0) return 0; - -- needSize = buf->use + len + 2; -- if (needSize > buf->size){ -+ if ((unsigned) len >= buf->size - buf->use) { -+ if ((unsigned) len >= UINT_MAX - buf->use) -+ return XML_ERR_NO_MEMORY; -+ needSize = buf->use + len + 1; - if (!xmlBufferResize(buf, needSize)){ - xmlTreeErrMemory("growing buffer"); - return XML_ERR_NO_MEMORY; -@@ -7634,29 +7638,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) { - */ - int - xmlBufferCCat(xmlBufferPtr buf, const char *str) { -- const char *cur; -- -- if (buf == NULL) -- return(-1); -- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1; -- if (str == NULL) { --#ifdef DEBUG_BUFFER -- xmlGenericError(xmlGenericErrorContext, -- "xmlBufferCCat: str == NULL\n"); --#endif -- return -1; -- } -- for (cur = str;*cur != 0;cur++) { -- if (buf->use + 10 >= buf->size) { -- if (!xmlBufferResize(buf, buf->use+10)){ -- xmlTreeErrMemory("growing buffer"); -- return XML_ERR_NO_MEMORY; -- } -- } -- buf->content[buf->use++] = *cur; -- } -- buf->content[buf->use] = 0; -- return 0; -+ return xmlBufferCat(buf, (const xmlChar *) str); - } - - /** --- -2.36.1 - diff --git a/SOURCES/libxml2-2.9.7-CVE-2022-40303.patch b/SOURCES/libxml2-2.9.7-CVE-2022-40303.patch deleted file mode 100644 index ab394e9..0000000 --- a/SOURCES/libxml2-2.9.7-CVE-2022-40303.patch +++ /dev/null 
@@ -1,600 +0,0 @@ -From 7afb666b26cfb17689e5da98bed610a417083f9d Mon Sep 17 00:00:00 2001 -From: David King -Date: Tue, 3 Jan 2023 09:57:28 +0000 -Subject: [PATCH 1/2] Fix CVE-2022-40303 - -Adapted from https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 ---- - parser.c | 232 +++++++++++++++++++++++++++++-------------------------- - 1 file changed, 121 insertions(+), 111 deletions(-) - -diff --git a/parser.c b/parser.c -index 1c5e036e..e66e4196 100644 ---- a/parser.c -+++ b/parser.c -@@ -108,6 +108,8 @@ static void xmlHaltParser(xmlParserCtxtPtr ctxt); - * * - ************************************************************************/ - -+#define XML_MAX_HUGE_LENGTH 1000000000 -+ - #define XML_PARSER_BIG_ENTITY 1000 - #define XML_PARSER_LOT_ENTITY 5000 - -@@ -532,7 +534,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) - errmsg = "Malformed declaration expecting version"; - break; - case XML_ERR_NAME_TOO_LONG: -- errmsg = "Name too long use XML_PARSE_HUGE option"; -+ errmsg = "Name too long"; - break; - #if 0 - case: -@@ -3150,6 +3152,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - int len = 0, l; - int c; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseNameComplex++; -@@ -3241,13 +3246,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - } -- len += l; -+ if (len <= INT_MAX - l) -+ len += l; - NEXTL(l); - c = CUR_CHAR(l); - } - } -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); - return(NULL); - } -@@ -3286,7 +3291,10 @@ const xmlChar * - xmlParseName(xmlParserCtxtPtr ctxt) { - const xmlChar *in; - const xmlChar *ret; -- int count = 0; -+ size_t count = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - GROW; - -@@ -3310,8 +3318,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { - in++; - if ((*in > 0) && (*in < 0x80)) { - count = in - ctxt->input->cur; -- if ((count > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (count > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); - return(NULL); - } -@@ -3333,6 +3340,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - int len = 0, l; - int c; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - size_t startPosition = 0; - - #ifdef DEBUG -@@ -3353,17 +3363,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ - (xmlIsNameChar(ctxt, c) && (c != ':'))) { - if (count++ > XML_PARSER_CHUNK_SIZE) { -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); -- return(NULL); -- } - count = 0; - GROW; - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - } -- len += l; -+ if (len <= INT_MAX - l) -+ len += l; - NEXTL(l); - c = CUR_CHAR(l); - if (c == 0) { -@@ -3381,8 +3387,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - c = CUR_CHAR(l); - } - } -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } -@@ -3408,7 +3413,10 @@ static const xmlChar * - xmlParseNCName(xmlParserCtxtPtr ctxt) { - const xmlChar *in, *e; - const xmlChar *ret; -- int count = 0; -+ size_t count = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseNCName++; -@@ -3433,8 +3441,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { - goto complex; - if ((*in > 0) && (*in < 0x80)) { - count = in - ctxt->input->cur; -- if ((count > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (count > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } -@@ -3517,6 +3524,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { - const xmlChar *cur = *str; - int len = 0, l; - int c; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseStringName++; -@@ -3552,12 +3562,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { - if (len + 10 > max) { - xmlChar *tmp; - -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); -- xmlFree(buffer); -- return(NULL); -- } - max *= 2; - tmp = (xmlChar *) xmlRealloc(buffer, - max * sizeof(xmlChar)); -@@ -3571,14 +3575,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { - COPY_BUF(l,buffer,len,c); - cur += l; - c = CUR_SCHAR(cur, l); -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); -+ xmlFree(buffer); -+ return(NULL); -+ } - } - buffer[len] = 0; - *str = cur; - return(buffer); - } - } -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } -@@ -3605,6 +3613,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - int len = 0, l; - int c; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseNmToken++; -@@ -3656,12 +3667,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - if (len + 10 > max) { - xmlChar *tmp; - -- if ((max > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); -- xmlFree(buffer); -- return(NULL); -- } - max *= 2; - tmp = (xmlChar *) xmlRealloc(buffer, - max * sizeof(xmlChar)); -@@ -3675,6 +3680,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - COPY_BUF(l,buffer,len,c); - NEXTL(l); - c = CUR_CHAR(l); -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); -+ xmlFree(buffer); -+ return(NULL); -+ } - } - buffer[len] = 0; - return(buffer); -@@ -3682,8 +3692,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - } - if (len == 0) - return(NULL); -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); - return(NULL); - } -@@ -3709,6 +3718,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { - int len = 0; - int size = XML_PARSER_BUFFER_SIZE; - int c, l; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - xmlChar stop; - xmlChar *ret = NULL; - const xmlChar *cur = NULL; -@@ -3768,6 +3780,14 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { - GROW; - c = CUR_CHAR(l); - } -+ -+ if (len > maxLength) { -+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, -+ "entity value too long\n"); -+ if (buf != NULL) -+ xmlFree(buf); -+ return(ret); -+ } - } - buf[len] = 0; - if (ctxt->instate == XML_PARSER_EOF) -@@ -3855,6 +3875,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - xmlChar *rep = NULL; - size_t len = 0; - size_t buf_size = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - int c, l, in_space = 0; - xmlChar *current = NULL; - xmlEntityPtr ent; -@@ -3886,16 +3909,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - while (((NXT(0) != limit) && /* checked */ - (IS_CHAR(c)) && (c != '<')) && - (ctxt->instate != XML_PARSER_EOF)) { -- /* -- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE -- * special option is given -- */ -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, -- "AttValue length too long\n"); -- goto mem_error; -- } - if (c == 0) break; - if (c == '&') { - in_space = 0; -@@ -4041,6 +4054,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - } - GROW; - c = CUR_CHAR(l); -+ if (len > maxLength) { -+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, -+ "AttValue length too long\n"); -+ goto mem_error; -+ } - } - if (ctxt->instate == XML_PARSER_EOF) - goto error; -@@ -4062,16 +4080,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - } else - NEXT; - -- /* -- * There we potentially risk an overflow, don't allow attribute value of -- * length more than INT_MAX it is a very reasonnable assumption ! -- */ -- if (len >= INT_MAX) { -- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, -- "AttValue length too long\n"); -- goto mem_error; -- } -- - if (attlen != NULL) *attlen = (int) len; - return(buf); - -@@ -4142,6 +4150,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { - int len = 0; - int size = XML_PARSER_BUFFER_SIZE; - int cur, l; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - xmlChar stop; - int state = ctxt->instate; - int count = 0; -@@ -4169,13 +4180,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { - if (len + 5 >= size) { - xmlChar *tmp; - -- if ((size > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); -- xmlFree(buf); -- ctxt->instate = (xmlParserInputState) state; -- return(NULL); -- } - size *= 2; - tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); - if (tmp == NULL) { -@@ -4203,6 +4207,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { - SHRINK; - cur = CUR_CHAR(l); - } -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); -+ xmlFree(buf); -+ ctxt->instate = (xmlParserInputState) state; -+ return(NULL); -+ } - } - buf[len] = 0; - ctxt->instate = (xmlParserInputState) state; -@@ -4230,6 +4240,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - int len = 0; - int size = XML_PARSER_BUFFER_SIZE; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - xmlChar cur; - xmlChar stop; - int count = 0; -@@ -4257,12 +4270,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { - if (len + 1 >= size) { - xmlChar *tmp; - -- if ((size > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); -- xmlFree(buf); -- return(NULL); -- } - size *= 2; - tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); - if (tmp == NULL) { -@@ -4289,6 +4296,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { - SHRINK; - cur = CUR; - } -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); -+ xmlFree(buf); -+ return(NULL); -+ } - } - buf[len] = 0; - if (cur != stop) { -@@ -4686,6 +4698,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - int r, rl; - int cur, l; - size_t count = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - int inputid; - - inputid = ctxt->input->id; -@@ -4731,13 +4746,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - if ((r == '-') && (q == '-')) { - xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); - } -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -- "Comment too big found", NULL); -- xmlFree (buf); -- return; -- } - if (len + 5 >= size) { - xmlChar *new_buf; - size_t new_size; -@@ -4774,6 +4782,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - GROW; - cur = CUR_CHAR(l); - } -+ -+ if (len > maxLength) { -+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -+ "Comment too big found", NULL); -+ xmlFree (buf); -+ return; -+ } - } - buf[len] = 0; - if (cur == 0) { -@@ -4818,6 +4833,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - size_t size = XML_PARSER_BUFFER_SIZE; - size_t len = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - xmlParserInputState state; - const xmlChar *in; - size_t nbchar = 0; -@@ -4901,8 +4919,7 @@ get_more: - buf[len] = 0; - } - } -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, - "Comment too big found", NULL); - xmlFree (buf); -@@ -5098,6 +5115,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - size_t len = 0; - size_t size = XML_PARSER_BUFFER_SIZE; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - int cur, l; - const xmlChar *target; - xmlParserInputState state; -@@ -5172,14 +5192,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - return; - } - count = 0; -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -- "PI %s too big found", target); -- xmlFree(buf); -- ctxt->instate = state; -- return; -- } - } - COPY_BUF(l,buf,len,cur); - NEXTL(l); -@@ -5189,15 +5201,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - GROW; - cur = CUR_CHAR(l); - } -+ if (len > maxLength) { -+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -+ "PI %s too big found", target); -+ xmlFree(buf); -+ ctxt->instate = state; -+ return; -+ } - } -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -- "PI %s too big found", target); -- xmlFree(buf); -- ctxt->instate = state; -- return; -- } - buf[len] = 0; - if (cur != '?') { - xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -@@ -8851,6 +8862,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - const xmlChar *in = NULL, *start, *end, *last; - xmlChar *ret = NULL; - int line, col; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 
-+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - - GROW; - in = (xmlChar *) CUR_PTR; -@@ -8906,8 +8920,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - in = in + delta; - } - end = ctxt->input->end; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -8929,8 +8942,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - in = in + delta; - } - end = ctxt->input->end; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -8963,16 +8975,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - last = last + delta; - } - end = ctxt->input->end; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); - } - } - } -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -8994,8 +9004,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - in = in + delta; - } - end = ctxt->input->end; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9003,8 +9012,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - } - } - last = in; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- 
((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9711,6 +9719,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - int s, sl; - int cur, l; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - - /* Check 2.6.0 was NXT(0) not RAW */ - if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { -@@ -9744,13 +9755,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - if (len + 5 >= size) { - xmlChar *tmp; - -- if ((size > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, -- "CData section too big found", NULL); -- xmlFree (buf); -- return; -- } - tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); - if (tmp == NULL) { - xmlFree(buf); -@@ -9776,6 +9780,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - } - NEXTL(l); - cur = CUR_CHAR(l); -+ if (len > maxLength) { -+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, -+ "CData section too big found\n"); -+ xmlFree(buf); -+ return; -+ } - } - buf[len] = 0; - ctxt->instate = XML_PARSER_CONTENT; --- -2.39.0 - diff --git a/SOURCES/libxml2-2.9.7-CVE-2022-40304.patch b/SOURCES/libxml2-2.9.7-CVE-2022-40304.patch deleted file mode 100644 index 29a28d2..0000000 --- a/SOURCES/libxml2-2.9.7-CVE-2022-40304.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From a8fa5f7b5c3c745397b3178405d6be9fdb3cfcbc Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 31 Aug 2022 22:11:25 +0200 -Subject: [PATCH 2/2] Fix dict corruption caused by entity reference cycles - -When an entity reference cycle is detected, the entity content is -cleared by setting its first byte to zero. But the entity content might -be allocated from a dict. In this case, the dict entry becomes corrupted -leading to all kinds of logic errors, including memory errors like -double-frees. - -Stop storing entity content, orig, ExternalID and SystemID in a dict. -These values are unlikely to occur multiple times in a document, so they -shouldn't have been stored in a dict in the first place. - -Thanks to Ned Williamson and Nathan Wachholz working with Google Project -Zero for the report! ---- - entities.c | 55 ++++++++++++++++-------------------------------------- - 1 file changed, 16 insertions(+), 39 deletions(-) - -diff --git a/entities.c b/entities.c -index c8193376..3bf1c3ce 100644 ---- a/entities.c -+++ b/entities.c -@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity) - if ((entity->children) && (entity->owner == 1) && - (entity == (xmlEntityPtr) entity->children->parent)) - xmlFreeNodeList(entity->children); -- if (dict != NULL) { -- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) -- xmlFree((char *) entity->name); -- if ((entity->ExternalID != NULL) && -- (!xmlDictOwns(dict, entity->ExternalID))) -- xmlFree((char *) entity->ExternalID); -- if ((entity->SystemID != NULL) && -- (!xmlDictOwns(dict, entity->SystemID))) -- xmlFree((char *) entity->SystemID); -- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) -- xmlFree((char *) entity->URI); -- if ((entity->content != NULL) -- && (!xmlDictOwns(dict, entity->content))) -- xmlFree((char *) entity->content); -- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) -- xmlFree((char *) entity->orig); -- } else { -- if (entity->name != 
NULL) -- xmlFree((char *) entity->name); -- if (entity->ExternalID != NULL) -- xmlFree((char *) entity->ExternalID); -- if (entity->SystemID != NULL) -- xmlFree((char *) entity->SystemID); -- if (entity->URI != NULL) -- xmlFree((char *) entity->URI); -- if (entity->content != NULL) -- xmlFree((char *) entity->content); -- if (entity->orig != NULL) -- xmlFree((char *) entity->orig); -- } -+ if ((entity->name != NULL) && -+ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) -+ xmlFree((char *) entity->name); -+ if (entity->ExternalID != NULL) -+ xmlFree((char *) entity->ExternalID); -+ if (entity->SystemID != NULL) -+ xmlFree((char *) entity->SystemID); -+ if (entity->URI != NULL) -+ xmlFree((char *) entity->URI); -+ if (entity->content != NULL) -+ xmlFree((char *) entity->content); -+ if (entity->orig != NULL) -+ xmlFree((char *) entity->orig); - xmlFree(entity); - } - -@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, - ret->SystemID = xmlStrdup(SystemID); - } else { - ret->name = xmlDictLookup(dict, name, -1); -- if (ExternalID != NULL) -- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); -- if (SystemID != NULL) -- ret->SystemID = xmlDictLookup(dict, SystemID, -1); -+ ret->ExternalID = xmlStrdup(ExternalID); -+ ret->SystemID = xmlStrdup(SystemID); - } - if (content != NULL) { - ret->length = xmlStrlen(content); -- if ((dict != NULL) && (ret->length < 5)) -- ret->content = (xmlChar *) -- xmlDictLookup(dict, content, ret->length); -- else -- ret->content = xmlStrndup(content, ret->length); -+ ret->content = xmlStrndup(content, ret->length); - } else { - ret->length = 0; - ret->content = NULL; --- -2.39.0 - diff --git a/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch b/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch deleted file mode 100644 index d7a9778..0000000 --- a/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Fri, 7 Apr 2023 11:49:27 +0200
-Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
- deterministic
-
-When hashing empty strings which aren't null-terminated,
-xmlDictComputeFastKey could produce inconsistent results. This could
-lead to various logic or memory errors, including double frees.
-
-For consistency the seed is also taken into account, but this shouldn't
-have an impact on security.
-
-Found by OSS-Fuzz.
-
-Fixes #510.
-
-Incorporates change from commit
-09a2dd453007f9c7205274623acdd73747c22d64.
----
- dict.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/dict.c b/dict.c
-index 0ef3718d..5e84cfca 100644
---- a/dict.c
-+++ b/dict.c
-@@ -444,8 +444,9 @@ static unsigned long
- xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
- unsigned long value = seed;
-
-- if (name == NULL) return(0);
-- value = *name;
-+ if ((name == NULL) || (namelen <= 0))
-+ return(value);
-+ value += *name;
- value <<= 5;
- if (namelen > 10) {
- value += name[namelen - 1];
---
-2.41.0
-
diff --git a/SOURCES/libxml2-2.9.7-CVE-2024-25062.patch b/SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
deleted file mode 100644
index 936004d..0000000
--- a/SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Sat, 14 Oct 2023 22:45:54 +0200
-Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
- backtracking
-
-Fixes a use-after-free if XML Reader if used with DTD validation and
-XInclude expansion.
-
-Fixes #604.
----
- xmlreader.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/xmlreader.c b/xmlreader.c
-index 34c4c6bc..8f2f9131 100644
---- a/xmlreader.c
-+++ b/xmlreader.c
-@@ -1511,6 +1511,7 @@ node_found:
- * Handle XInclude if asked for
- */
- if ((reader->xinclude) && (reader->node != NULL) &&
-+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
- (reader->node->type == XML_ELEMENT_NODE) &&
- (reader->node->ns != NULL) &&
- ((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
---
-2.44.0
-
diff --git a/SOURCES/libxml2-CVE-2016-9597.patch b/SOURCES/libxml2-CVE-2016-9597.patch
deleted file mode 100644
index 43f0243..0000000
--- a/SOURCES/libxml2-CVE-2016-9597.patch
+++ /dev/null
@@ -1,191 +0,0 @@ -Make the XML entity recursion check more precise. - -libxml doesn't detect entity recursion specifically but has a variety -of related checks, such as entities not expanding too deeply or -producing exponential blow-ups in content. - -Because entity declarations are parsed in a separate context with -their own element recursion budget, a recursive entity can overflow -the stack using a lot of open elements (but within the per-context -limit) as it slowly consumes (but does not exhaust) the entity depth -budget. - -This adds a specific, precise check for recursive entities that -detects entity recursion specifically and fails immediately. - -The existing entity expansion depth checks are still relevant for long -chains of different entities. - -BUG=628581 - -Review-Url: https://codereview.chromium.org/2539003002 -Cr-Commit-Position: refs/heads/master@{#436899} - - -Index: libxml2-2.9.4/entities.c -=================================================================== ---- libxml2-2.9.4.orig/entities.c -+++ libxml2-2.9.4/entities.c -@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x - memset(ret, 0, sizeof(xmlEntity)); - ret->type = XML_ENTITY_DECL; - ret->checked = 0; -+ ret->guard = XML_ENTITY_NOT_BEING_CHECKED; - - /* - * fill the structure. 
-@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) { - cur->orig = xmlStrdup(ent->orig); - if (ent->URI != NULL) - cur->URI = xmlStrdup(ent->URI); -+ cur->guard = 0; - return(cur); - } - -Index: libxml2-2.9.4/include/libxml/entities.h -=================================================================== ---- libxml2-2.9.4.orig/include/libxml/entities.h -+++ libxml2-2.9.4/include/libxml/entities.h -@@ -30,6 +30,11 @@ typedef enum { - XML_INTERNAL_PREDEFINED_ENTITY = 6 - } xmlEntityType; - -+typedef enum { -+ XML_ENTITY_NOT_BEING_CHECKED, -+ XML_ENTITY_BEING_CHECKED /* entity check is in progress */ -+} xmlEntityRecursionGuard; -+ - /* - * An unit of storage for an entity, contains the string, the value - * and the linkind data needed for the linking in the hash table. -@@ -60,6 +65,7 @@ struct _xmlEntity { - /* this is also used to count entities - * references done from that entity - * and if it contains '<' */ -+ xmlEntityRecursionGuard guard; - }; - - /* -Index: libxml2-2.9.4/parser.c -=================================================================== ---- libxml2-2.9.4.orig/parser.c -+++ libxml2-2.9.4/parser.c -@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct - if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) - return (1); - -+ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) { -+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); -+ return (1); -+ } - /* - * This may look absurd but is needed to detect - * entities problems -@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct - unsigned long oldnbent = ctxt->nbentities; - xmlChar *rep; - -+ ent->guard = XML_ENTITY_BEING_CHECKED; - ent->checked = 1; - - ++ctxt->depth; - rep = xmlStringDecodeEntities(ctxt, ent->content, - XML_SUBSTITUTE_REF, 0, 0, 0); - --ctxt->depth; -+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; - if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { - ent->content[0] = 0; - } -@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt) - * if its replacement text 
matches the production labeled - * content. - */ -- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { -- ctxt->depth++; -- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, -- user_data, &list); -- ctxt->depth--; -- -- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { -- ctxt->depth++; -- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, -- user_data, ctxt->depth, ent->URI, -- ent->ExternalID, &list); -- ctxt->depth--; -- } else { -- ret = XML_ERR_ENTITY_PE_INTERNAL; -- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, -- "invalid entity type found\n", NULL); -- } -+ if (ent->guard == XML_ENTITY_BEING_CHECKED) { -+ ret = XML_ERR_ENTITY_LOOP; -+ } else { -+ ent->guard = XML_ENTITY_BEING_CHECKED; -+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { -+ ctxt->depth++; -+ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, -+ user_data, &list); -+ ctxt->depth--; -+ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { -+ ctxt->depth++; -+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, -+ user_data, ctxt->depth, ent->URI, -+ ent->ExternalID, &list); -+ ctxt->depth--; -+ } else { -+ ret = XML_ERR_ENTITY_PE_INTERNAL; -+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, -+ "invalid entity type found\n", NULL); -+ } -+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; -+ } - - /* - * Store the number of entities needing parsing for this entity -@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt) - else - user_data = ctxt->userData; - -- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { -- ctxt->depth++; -- ret = xmlParseBalancedChunkMemoryInternal(ctxt, -- ent->content, user_data, NULL); -- ctxt->depth--; -- } else if (ent->etype == -- XML_EXTERNAL_GENERAL_PARSED_ENTITY) { -- ctxt->depth++; -- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, -- ctxt->sax, user_data, ctxt->depth, -- ent->URI, ent->ExternalID, NULL); -- ctxt->depth--; -- } else { -- ret = XML_ERR_ENTITY_PE_INTERNAL; -- xmlErrMsgStr(ctxt, 
XML_ERR_INTERNAL_ERROR, -- "invalid entity type found\n", NULL); -- } -+ if (ent->guard == XML_ENTITY_BEING_CHECKED) { -+ ret = XML_ERR_ENTITY_LOOP; -+ } else { -+ ent->guard = XML_ENTITY_BEING_CHECKED; -+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { -+ ctxt->depth++; -+ ret = xmlParseBalancedChunkMemoryInternal(ctxt, -+ ent->content, user_data, NULL); -+ ctxt->depth--; -+ } else if (ent->etype == -+ XML_EXTERNAL_GENERAL_PARSED_ENTITY) { -+ ctxt->depth++; -+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, -+ ctxt->sax, user_data, ctxt->depth, -+ ent->URI, ent->ExternalID, NULL); -+ ctxt->depth--; -+ } else { -+ ret = XML_ERR_ENTITY_PE_INTERNAL; -+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, -+ "invalid entity type found\n", NULL); -+ } -+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; -+ } - if (ret == XML_ERR_ENTITY_LOOP) { - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); - return; diff --git a/SOURCES/libxml2-CVE-2018-14404.patch b/SOURCES/libxml2-CVE-2018-14404.patch deleted file mode 100644 index 0b64b4e..0000000 --- a/SOURCES/libxml2-CVE-2018-14404.patch +++ /dev/null 
@@ -1,54 +0,0 @@
-From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Mon, 30 Jul 2018 12:54:38 +0200
-Subject: [PATCH] Fix nullptr deref with XPath logic ops
-
-If the XPath stack is corrupted, for example by a misbehaving extension
-function, the "and" and "or" XPath operators could dereference NULL
-pointers. Check that the XPath stack isn't empty and optimize the
-logic operators slightly.
-
-Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
-
-Also see
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
-https://bugzilla.redhat.com/show_bug.cgi?id=1595985
-
-This is CVE-2018-14404.
-
-Thanks to Guy Inbar for the report.
----
- xpath.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 3fae0bf4..5e3bb9ff 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
- return(0);
- }
- xmlXPathBooleanFunction(ctxt, 1);
-- arg1 = valuePop(ctxt);
-- arg1->boolval &= arg2->boolval;
-- valuePush(ctxt, arg1);
-+ if (ctxt->value != NULL)
-+ ctxt->value->boolval &= arg2->boolval;
- xmlXPathReleaseObject(ctxt->context, arg2);
- return (total);
- case XPATH_OP_OR:
-@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
- return(0);
- }
- xmlXPathBooleanFunction(ctxt, 1);
-- arg1 = valuePop(ctxt);
-- arg1->boolval |= arg2->boolval;
-- valuePush(ctxt, arg1);
-+ if (ctxt->value != NULL)
-+ ctxt->value->boolval |= arg2->boolval;
- xmlXPathReleaseObject(ctxt->context, arg2);
- return (total);
- case XPATH_OP_EQUAL:
---
-2.22.0
-
diff --git a/SOURCES/libxml2-CVE-2018-9251.patch b/SOURCES/libxml2-CVE-2018-9251.patch
deleted file mode 100644
index 150637a..0000000
--- a/SOURCES/libxml2-CVE-2018-9251.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Mon, 30 Jul 2018 13:14:11 +0200
-Subject: [PATCH] Fix infinite loop in LZMA decompression
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Check the liblzma error code more thoroughly to avoid infinite loops.
-
-Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
-Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
-
-This is CVE-2018-9251 and CVE-2018-14567.
-
-Thanks to Dongliang Mu and Simon Wörner for the reports.
----
- xzlib.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/xzlib.c b/xzlib.c
-index a839169e..0ba88cfa 100644
---- a/xzlib.c
-+++ b/xzlib.c
-@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
- "internal error: inflate stream corrupt");
- return -1;
- }
-+ /*
-+ * FIXME: Remapping a couple of error codes and falling through
-+ * to the LZMA error handling looks fragile.
-+ */
- if (ret == Z_MEM_ERROR)
- ret = LZMA_MEM_ERROR;
- if (ret == Z_DATA_ERROR)
-@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
- xz_error(state, LZMA_PROG_ERROR, "compression error");
- return -1;
- }
-+ if ((state->how != GZIP) &&
-+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
-+ xz_error(state, ret, "lzma error");
-+ return -1;
-+ }
- } while (strm->avail_out && ret != LZMA_STREAM_END);
-
- /* update available output and crc check value */
---
-2.22.0
-
diff --git a/SOURCES/libxml2-CVE-2019-19956.patch b/SOURCES/libxml2-CVE-2019-19956.patch
deleted file mode 100644
index 5bfb5d5..0000000
--- a/SOURCES/libxml2-CVE-2019-19956.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie
-Date: Wed, 7 Aug 2019 17:39:17 +0800
-Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
-
-When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
-is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
-NULL and free newDoc will cause a memory leak.
-
-Found with libFuzzer.
-
-Closes #82.
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index 1ce1ccf1..26d9f4e3 100644
---- a/parser.c
-+++ b/parser.c
-@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
- xmlFreeParserCtxt(ctxt);
- newDoc->intSubset = NULL;
- newDoc->extSubset = NULL;
-- newDoc->oldNs = NULL;
-+ if(doc != NULL)
-+ newDoc->oldNs = NULL;
- xmlFreeDoc(newDoc);
-
- return(ret);
---
-2.24.1
-
diff --git a/SOURCES/libxml2-python3-unicode-errors.patch b/libxml2-2.12.0-python3-unicode-errors.patch
similarity index 62%
rename from SOURCES/libxml2-python3-unicode-errors.patch
rename to libxml2-2.12.0-python3-unicode-errors.patch
index e87dcde..b07e404 100644
--- a/SOURCES/libxml2-python3-unicode-errors.patch
+++ b/libxml2-2.12.0-python3-unicode-errors.patch
@@ -1,16 +1,16 @@ -Index: libxml2-2.9.5/python/libxml.c -=================================================================== ---- libxml2-2.9.5.orig/python/libxml.c -+++ libxml2-2.9.5/python/libxml.c -@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU +diff --git a/python/libxml.c b/python/libxml.c +index bf048006..5f42e5b7 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -1505,6 +1505,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNUSED void *ctx, const char *msg, PyObject *message; PyObject *result; char str[1000]; + unsigned char *ptr = (unsigned char *)str; - #ifdef DEBUG_ERROR - printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg); -@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU + if (libxml_xmlPythonErrorFuncHandler == NULL) { + va_start(ap, msg); +@@ -1516,12 +1517,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNUSED void *ctx, const char *msg, str[999] = 0; va_end(ap); @@ -26,7 +26,7 @@ Index: libxml2-2.9.5/python/libxml.c - message = libxml_charPtrConstWrap(str); + message = libxml_charPtrConstWrap(ptr); PyTuple_SetItem(list, 1, message); - result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list); + result = PyObject_CallObject(libxml_xmlPythonErrorFuncHandler, list); + /* Forget any errors caused in the error handler. */ + PyErr_Clear(); Py_XDECREF(list); diff --git a/libxml2-2.12.5-CVE-2024-40896.patch b/libxml2-2.12.5-CVE-2024-40896.patch new file mode 100644 index 0000000..aa28523 --- /dev/null +++ b/libxml2-2.12.5-CVE-2024-40896.patch 
@@ -0,0 +1,37 @@
+From 4c2b237174539db92f4504fbc5198d2f1561baca Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index fe0ff4e2d..58ad02dbc 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7280,6 +7280,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+
++ /*
++ * Some users try to parse entities on their own and used to set
++ * the renamed "checked" member. Fix the flags to cover this
++ * case.
++ */
++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++ ent->flags |= XML_ENT_PARSED;
++
+ /*
+ * The first reference to the entity trigger a parsing phase
+ * where the ent->children is filled with the result from
+--
+GitLab
+
diff --git a/SOURCES/libxml2-2.9.13-CVE-2024-56171.patch b/libxml2-2.12.5-CVE-2024-56171.patch
similarity index 100%
rename from SOURCES/libxml2-2.9.13-CVE-2024-56171.patch
rename to libxml2-2.12.5-CVE-2024-56171.patch
diff --git a/SOURCES/libxml2-2.9.13-CVE-2025-24928.patch b/libxml2-2.12.5-CVE-2025-24928.patch
similarity index 100%
rename from SOURCES/libxml2-2.9.13-CVE-2025-24928.patch
rename to libxml2-2.12.5-CVE-2025-24928.patch
diff --git a/SOURCES/libxml2-multilib.patch b/libxml2-multilib.patch
similarity index 92%
rename from SOURCES/libxml2-multilib.patch
rename to libxml2-multilib.patch
index 138d38f..dee1383 100644
--- a/SOURCES/libxml2-multilib.patch
+++ b/libxml2-multilib.patch
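Review bot: The comment added in the parser.c hunk of the new CVE-2024-40896 patch gives the history of the fix-up but not what it protects. An entity whose `children` were filled in by a getEntity SAX callback is marked `XML_ENT_PARSED`, presumably so that the parsing phase described in the following comment is skipped for it. I would state that directly, e.g. `/* Entities whose children were set by a getEntity callback count as already parsed, so the parsing phase below does not expand them again. */`. The test keys on `ent->children != NULL` alone, so a callback that leaves `children` NULL is not covered by it; whether that matters depends on code outside the hunk, since xmlParseReference begins before and continues after the context lines shown.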
@@ -6,9 +6,9 @@ exec_prefix=@exec_prefix@ includedir=@includedir@ ! libdir=@libdir@ + cflags= + libs= - usage() - { --- 3,14 ---- prefix=@prefix@ exec_prefix=@exec_prefix@ @@ -19,6 +19,6 @@ ! else ! libdir=${exec_prefix}/lib64 ! fi + cflags= + libs= - usage() - { diff --git a/SPECS/libxml2.spec b/libxml2.spec similarity index 64% rename from SPECS/libxml2.spec rename to libxml2.spec index 9b392dd..cb81b90 100644 --- a/SPECS/libxml2.spec +++ b/libxml2.spec 
@@ -1,78 +1,33 @@ -%if 0%{?rhel} > 7 -# Disable python2 build by default -%bcond_with python2 -%else -%bcond_without python2 -%endif - Name: libxml2 -Version: 2.9.7 -Release: 19%{?dist} +Version: 2.12.5 +Release: 5%{?dist} Summary: Library providing XML and HTML support -License: MIT -URL: http://xmlsoft.org/ -Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz +# list.c, dict.c and few others use ISC-Veillard +# the conformance and test suite data in +# Source1, Source2 and Source3 is covered by W3C +License: MIT AND ISC-Veillard AND W3C +URL: https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home +Source0: https://download.gnome.org/sources/%{name}/2.12/%{name}-%{version}.tar.xz +# https://www.w3.org/XML/Test/xmlconf-20080827.html +Source1: https://www.w3.org/XML/Test/xmlts20080827.tar.gz +# https://www.w3.org/XML/2004/xml-schema-test-suite/index.html +Source2: https://www.w3.org/XML/2004/xml-schema-test-suite/xmlschema2002-01-16/xsts-2002-01-16.tar.gz +Source3: https://www.w3.org/XML/2004/xml-schema-test-suite/xmlschema2004-01-14/xsts-2004-01-14.tar.gz Patch0: libxml2-multilib.patch -# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions -Patch1: libxml2-2.9.0-do-not-check-crc.patch -# In python3.6 _PyVerify_fd is no more -# http://bugs.python.org/issue23524 -Patch2: libxml2-2.9.4-remove-pyverify_fd.patch -# https://codereview.chromium.org/2539003002 -Patch3: libxml2-CVE-2016-9597.patch -# Fix some crashes under Python 3 -# https://bugzilla.gnome.org/show_bug.cgi?id=789714 -Patch4: libxml2-python3-unicode-errors.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1565322 -Patch5: libxml2-CVE-2018-9251.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1595989 -Patch6: libxml2-CVE-2018-14404.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1793001 -Patch7: libxml2-CVE-2019-19956.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1799786 -Patch8: libxml2-2.9.7-CVE-2020-7595.patch -# 
https://bugzilla.redhat.com/show_bug.cgi?id=1810058 -Patch9: libxml2-2.9.7-CVE-2019-20388.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1878252 -Patch10: libxml2-2.9.7-CVE-2020-24977.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1956976 -Patch11: libxml2-2.9.7-CVE-2021-3516.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1957001 -Patch12: libxml2-2.9.7-CVE-2021-3517.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1957028 -Patch13: libxml2-2.9.7-CVE-2021-3518.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1957284 -Patch14: libxml2-2.9.7-CVE-2021-3537.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1958783 -Patch15: libxml2-2.9.7-CVE-2021-3541.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2057664 -Patch16: libxml2-2.9.7-CVE-2022-23308.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2082298 -Patch17: libxml2-2.9.7-CVE-2022-29824.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2120781 -Patch18: libxml2-2.9.7-CVE-2016-3709.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2136563 -Patch19: libxml2-2.9.7-CVE-2022-40303.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2136568 -Patch20: libxml2-2.9.7-CVE-2022-40304.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2186692 -Patch21: libxml2-2.9.13-CVE-2023-28484.patch -Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch -Patch23: libxml2-2.9.7-CVE-2023-29469.patch -# https://issues.redhat.com/browse/RHEL-5179 -Patch24: libxml2-2.11.0-fix-CVE-2023-39615.patch -# https://issues.redhat.com/browse/RHEL-31056 -Patch25: libxml2-2.9.7-CVE-2024-25062.patch -# https://issues.redhat.com/browse/RHEL-76289 -Patch26: libxml2-2.9.13-CVE-2022-49043.patch -# https://issues.redhat.com/browse/RHEL-80122 -Patch27: libxml2-2.9.13-CVE-2024-56171.patch -# https://issues.redhat.com/browse/RHEL-80137 -Patch28: libxml2-2.9.13-CVE-2025-24928.patch +# Patch from openSUSE. 
+# See: https://bugzilla.gnome.org/show_bug.cgi?id=789714 +Patch1: libxml2-2.12.0-python3-unicode-errors.patch +# https://issues.redhat.com/browse/RHEL-72060 +Patch2: libxml2-2.12.5-CVE-2024-40896.patch +# https://issues.redhat.com/browse/RHEL-80119 +Patch3: libxml2-2.12.5-CVE-2024-56171.patch +# https://issues.redhat.com/browse/RHEL-80134 +Patch4: libxml2-2.12.5-CVE-2025-24928.patch -BuildRequires: gcc BuildRequires: cmake-rpm-macros +BuildRequires: gcc +BuildRequires: make BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(liblzma) @@ -112,26 +67,6 @@ Summary: Static library for libxml2 Static library for libxml2 provided for specific uses or shaving a few microseconds when parsing, do not link to them for generic purpose packages. -%if %{with python2} -%package -n python2-%{name} -%{?python_provide:%python_provide python2-%{name}} -Summary: Python bindings for the libxml2 library -BuildRequires: python2-devel -Requires: %{name}%{?_isa} = %{version}-%{release} -Obsoletes: %{name}-python < %{version}-%{release} -Provides: %{name}-python = %{version}-%{release} - -%description -n python2-%{name} -The libxml2-python package contains a Python 2 module that permits applications -written in the Python programming language, version 2, to use the interface -supplied by the libxml2 library to manipulate XML files. - -This library allows to manipulate XML files. It includes support -to read, modify and write XML and HTML files. There is DTDs support -this includes parsing and validation even with complex DTDs, either -at parse time or later once the document has been modified. -%endif # with python2 - %package -n python3-%{name} Summary: Python 3 bindings for the libxml2 library BuildRequires: python3-devel 
@@ -154,26 +89,18 @@ at parse time or later once the document has been modified. find doc -type f -executable -print -exec chmod 0644 {} ';' %build -%if %{with python2} -mkdir py2 -%endif # with python2 -mkdir py3 -%global _configure ../configure -%global _configure_disable_silent_rules 1 -%if %{with python2} -( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} ) -%endif # with python2 -( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} ) -%if %{with python2} -%make_build -C py2 -%endif # with python2 -%make_build -C py3 +# see https://bugzilla.redhat.com/show_bug.cgi?id=2139546 , several +# of these options are needed to (mostly) retain ABI compatibility +# with earlier versions +%configure \ + --enable-static \ + --with-legacy \ + --with-ftp \ + --with-python=%{__python3} +%make_build %install -%if %{with python2} -%make_install -C py2 -%endif # with python2 -%make_install -C py3 +%make_install # multiarch crazyness on timestamp differences or Makefile/binaries for examples touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config 
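Review bot: The new `%configure` call turns on `--with-ftp` and `--with-legacy`, while the comment above it only says that several of the options retain ABI compatibility, without naming which option is kept for which reason. As far as I know upstream leaves both switches off by default in this release series, so the package ships FTP client code and legacy entry points in a library that routinely parses untrusted input, and that trade-off deserves an explicit line. I would extend the comment, e.g. `# --with-ftp, --with-legacy: kept only so existing binaries still resolve the old symbols; not intended for new code`, followed by `# applications parsing untrusted XML should pass XML_PARSE_NONET so the parser attempts no network fetch`. Whether the symbols could be kept without a working FTP code path cannot be judged from this hunk.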
@@ -181,125 +108,241 @@ touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildr find %{buildroot} -type f -name '*.la' -print -delete rm -vf %{buildroot}{%{python2_sitearch},%{python3_sitearch}}/*.a rm -vrf %{buildroot}%{_datadir}/doc/ -#(cd doc/examples ; make clean ; rm -rf .deps Makefile) gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %check -%if %{with python2} -%make_build runtests -C py2 -%endif # with python2 -%make_build runtests -C py3 +# Tests require the XML conformance suite. +tar -xzvf %{SOURCE1} +%make_build check +rm -rf xmlconf +# Schema tests use the schema test suite. +cp %{SOURCE2} %{SOURCE3} xstc/ +pushd xstc +mkdir Tests +%make_build tests +popd +# As the directory is copied to the devel subpackage, remove any build +# artifacts. +(cd doc/examples ; make clean ; rm -rf .deps Makefile) %ldconfig_scriptlets %files %license Copyright -%doc AUTHORS NEWS README TODO +%doc NEWS README.md %{_libdir}/libxml2.so.2* -%{_mandir}/man3/libxml.3* -%{_bindir}/xmllint -%{_mandir}/man1/xmllint.1* %{_bindir}/xmlcatalog +%{_bindir}/xmllint %{_mandir}/man1/xmlcatalog.1* +%{_mandir}/man1/xmllint.1* %files devel -%doc doc/*.html doc/html doc/*.gif doc/*.png +%doc doc/*.html %doc doc/tutorial doc/libxml2-api.xml.gz %doc doc/examples %dir %{_datadir}/gtk-doc %dir %{_datadir}/gtk-doc/html -%{_datadir}/gtk-doc/html/libxml2/ -%{_libdir}/libxml2.so -%{_libdir}/xml2Conf.sh -%{_includedir}/libxml2/ -%{_bindir}/xml2-config -%{_mandir}/man1/xml2-config.1* %{_datadir}/aclocal/libxml.m4 +%{_datadir}/gtk-doc/html/libxml2/ +%{_includedir}/libxml2/ +%{_libdir}/libxml2.so %{_libdir}/pkgconfig/libxml-2.0.pc %{_libdir}/cmake/libxml2/ +%{_bindir}/xml2-config +%{_mandir}/man1/xml2-config.1* %files static %license Copyright %{_libdir}/libxml2.a -%if %{with python2} -%files -n python2-%{name} -%doc python/TODO python/libxml2class.txt -%doc doc/*.py doc/python.html -%{python2_sitearch}/libxml2.py* -%{python2_sitearch}/drv_libxml2.py* 
-%{python2_sitearch}/libxml2mod.so -%endif # with python2 - %files -n python3-%{name} -%doc python/TODO python/libxml2class.txt -%doc doc/*.py doc/python.html -%{python3_sitearch}/libxml2.py -%{python3_sitearch}/__pycache__/libxml2.* -%{python3_sitearch}/drv_libxml2.py -%{python3_sitearch}/__pycache__/drv_libxml2.* +%doc doc/*.py %{python3_sitearch}/libxml2mod.so +%{python3_sitelib}/libxml2.py +%{python3_sitelib}/__pycache__/libxml2.* +%{python3_sitelib}/drv_libxml2.py +%{python3_sitelib}/__pycache__/drv_libxml2.* %changelog -* Tue Mar 11 2025 Michael Catanzaro - 2.9.7-19 -- Fix CVE-2024-56171 (RHEL-80122) -- Fix CVE-2025-24928 (RHEL-80137) +* Mon Feb 24 2025 David King - 2.12.5-5 +- Fix CVE-2024-56171 (RHEL-80119) +- Fix CVE-2025-24928 (RHEL-80134) -* Tue Feb 11 2025 David King - 2.9.7.18.2 -- Fix CVE-2022-49043 (RHEL-76289) +* Tue Dec 24 2024 David King - 2.12.5-4 +- Fix CVE-2024-40896 (RHEL-72060) -* Mon Apr 29 2024 David King - 2.9.7-18.1 -- Fix CVE-2024-25062 (RHEL-31056) +* Tue Oct 29 2024 Troy Dawson - 2.12.5-3 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Thu Sep 14 2023 David King - 2.9.7-18 -- Fix CVE-2023-39615 (RHEL-5179) +* Mon Jun 24 2024 Troy Dawson - 2.12.5-2 +- Bump release for June 2024 mass rebuild -* Fri Jul 14 2023 David King - 2.9.7-17 -- Fix CVE-2023-28484 (#2186692) -- Fix CVE-2023-29469 (#2186692) +* Mon Feb 05 2024 David King - 2.12.5-1 +- Update to 2.12.5 (#2262648) -* Wed Nov 02 2022 David King - 2.9.7-16 -- Fix CVE-2022-40303 (#2136563) -- Fix CVE-2022-40304 (#2136568) +* Thu Jan 25 2024 Fedora Release Engineering - 2.12.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Wed Aug 24 2022 David King - 2.9.7-15 -- Fix CVE-2016-3709 (#2120781) +* Sun Jan 21 2024 Fedora Release Engineering - 2.12.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Thu May 12 2022 David King - 2.9.7-14 -- Fix CVE-2022-29824 (#2082298) +* Tue Jan 16 2024 David King - 2.12.4-1 +- Update 
to 2.12.4 (#2258493) -* Thu Feb 24 2022 David King - 2.9.7-13 -- Bump release (#2057664) +* Tue Dec 12 2023 David King - 2.12.3-1 +- Update to 2.12.3 (#2254194) -* Thu Feb 24 2022 David King - 2.9.7-12 -- Fix CVE-2022-23308 (#2057664) +* Sat Dec 09 2023 David King - 2.12.2-2 +- Upstream patch to add extra includes -* Wed May 19 2021 David King - 2.9.7-11 -- Fix CVE-2021-3541 (#1958783) +* Wed Dec 06 2023 David King - 2.12.2-1 +- Update to 2.12.2 (#2137281) +- Enable W3C XML Conformance and Schema test suites -* Fri May 07 2021 David King - 2.9.7-10 -- Fix CVE-2021-3516 (#1956976) -- Fix CVE-2021-3517 (#1957001) -- Fix CVE-2021-3518 (#1957028) -- Fix CVE-2021-3537 (#1957284) +* Fri Nov 24 2023 David King - 2.12.1-1 +- Update to 2.12.1 (#2250062) -* Mon Oct 19 2020 David King - 2.9.7-9 -- Fix CVE-2020-24977 (#1878252) +* Thu Nov 16 2023 David King - 2.12.0-1 +- Update to 2.12.0 (#2250062) -* Mon Jan 20 2020 David King - 2.9.7-8 -- Fix CVE-2019-19956 (#1793001) +* Thu Nov 16 2023 David King - 2.11.6-1 +- Update to 2.11.6 + +* Wed Aug 16 2023 David King - 2.11.5-1 +- Update to 2.11.5 (#2190441) + +* Thu Jul 20 2023 Fedora Release Engineering - 2.10.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jun 13 2023 Python Maint - 2.10.4-2 +- Rebuilt for Python 3.12 + +* Wed Apr 12 2023 David King - 2.10.4-1 +- Update to 2.10.4 (#2185870) + +* Thu Jan 19 2023 Fedora Release Engineering - 2.10.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Nov 03 2022 Adam Williamson - 2.10.3-2 +- Set build options to maintain (most) symbols from 2.9.14 (#2139546) + +* Thu Oct 20 2022 David King - 2.10.3-1 +- Update to 2.10.3 (#2119077) + +* Tue Aug 30 2022 David King - 2.10.2-1 +- Update to 2.10.2 (#2119077) + +* Thu Jul 21 2022 Fedora Release Engineering - 2.9.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Python Maint - 2.9.14-2 +- Rebuilt for Python 3.11 + +* Mon May 02 2022 
David King - 2.9.14-1 +- Update to 2.9.14 (#2080961) + +* Mon Feb 21 2022 David King - 2.9.13-1 +- Update to 2.9.13 + +* Thu Jan 20 2022 Fedora Release Engineering - 2.9.12-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jul 22 2021 Fedora Release Engineering - 2.9.12-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 03 2021 Python Maint - 2.9.12-5 +- Rebuilt for Python 3.10 + +* Sat May 29 2021 David King - 2.9.12-4 +- Fix xmlNodeDumpOutputInternal regression (#1965662) + +* Tue May 25 2021 David King - 2.9.12-3 +- Fix multiarch conflict in devel subpackage + +* Wed May 19 2021 David King - 2.9.12-2 +- Fix python-lxml regression with 2.9.12 + +* Thu May 13 2021 David King - 2.9.12-1 +- Update to 2.9.12 (#1960153) + +* Thu May 06 2021 David King - 2.9.10-12 +- Fix CVE-2021-3537 (#1956524) + +* Wed May 05 2021 David King - 2.9.10-11 +- Fix CVE-2021-3516 (#1954227) +- Fix CVE-2021-3517 (#1954234) +- Fix CVE-2021-3518 (#1954243) + +* Tue Jan 26 2021 Fedora Release Engineering - 2.9.10-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Nov 12 11:57:41 CET 2020 Victor Stinner - 2.9.10-9 +- Build the Python extension with the PY_SSIZE_T_CLEAN macro to make it + compatible with Python 3.10. +- Fixes: rhbz#1890878. + +* Wed Nov 11 2020 Richard W.M. Jones - 2.9.10-8 +- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot. + +* Fri Sep 11 2020 Richard W.M. Jones - 2.9.10-7 +- Add fix for CVE-2020-24977 (RHBZ#1877788). 
+ +* Tue Jul 28 2020 Fedora Release Engineering - 2.9.10-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sat May 23 2020 Miro Hrončok - 2.9.10-5 +- Rebuilt for Python 3.9 + +* Mon Feb 10 2020 David King - 2.9.10-4 +- Fix CVE-2019-20388 (#1799736) - Fix CVE-2020-7595 (#1799786) -- Fix CVE-2019-20388 (#1810058) -* Thu Oct 24 2019 David King - 2.9.7-7 -- Fix CVE-2018-14404 (#1595989) +* Wed Jan 29 2020 Fedora Release Engineering - 2.9.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild -* Thu Oct 24 2019 David King - 2.9.7-6 -- Fix CVE-2018-9251 (#1565322) +* Fri Jan 03 2020 Jan Pokorny - 2.9.10-2 +- Fix relaxed approach to nested documents on object disposal (#1780573) -* Fri Aug 03 2018 Charalampos Stratakis - 2.9.7-5 -- Fix some crashes under Python 3 -- Conditionalize the python2 subpackage +* Fri Nov 01 2019 David King - 2.9.10-1 +- Update to 2.9.10 (#1767151) + +* Thu Oct 31 2019 Miro Hrončok - 2.9.9-7 +- Subpackage python2-libxml2 has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Thu Oct 03 2019 Miro Hrončok - 2.9.9-6 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Fri Aug 23 2019 Florian Weimer - 2.9.9-5 +- Rebuild to fix corrupted libxml2-static package on aarch64 (#1745020) + +* Fri Aug 16 2019 Miro Hrončok - 2.9.9-4 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 2.9.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 David King - 2.9.9-1 +- Update to 2.9.9 + +* Sun Jan 06 2019 Björn Esser - 2.9.8-5 +- Add patch to fix crash: xmlParserPrintFileContextInternal mangles utf8 + +* Thu Aug 02 2018 Igor Gnatenko - 2.9.8-4 +- Backport patches from upstream + +* Fri Jul 13 2018 Fedora Release Engineering - 2.9.8-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro Hrončok - 2.9.8-2 +- Rebuilt for Python 3.7 + +* Tue Apr 03 2018 Igor Gnatenko - 2.9.8-1 +- Update to 2.9.8 * Sat Feb 24 2018 Florian Weimer - 2.9.7-4 - Rebuild with new LDFLAGS from redhat-rpm-config diff --git a/sources b/sources new file mode 100644 index 0000000..633d22a --- /dev/null +++ b/sources @@ -0,0 +1,4 @@ +SHA512 (libxml2-2.12.5.tar.xz) = da5c5afb95db80342d78d4371d029bf10ce5cd601b24b294272d9996f82357bd5262a15a2b44b0904a14471c8ff0c9fd9c796f164246551f02ee19a8f083f926 +SHA512 (xmlts20080827.tar.gz) = 7325d0977c4427fc4944b291ccf896a665f654cc24399e5565c12a849c2bc3aef4fa3ee42a09ac115abcb6570c51a8fbd052c38d64d164279ecdecad5a4e884d +SHA512 (xsts-2002-01-16.tar.gz) = 43300af6d39c1e2221b0ed7318fe14c7464eeb6eb030ed1e22eb29b4ab17f014e2a4c8887c3a46ae5d243e3072da27f00f4e285498ae6f1288177d38d1108288 +SHA512 (xsts-2004-01-14.tar.gz) = 32854388d7e720ad67156baf50bf2bae7bd878ca3e35fd7e44e57cad3f434f69d56bbbedd61509f8a1faf01c9eae74a078df8fe130780b182c05c05cb1c39ebe
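Review bot: In the `%check` section of libxml2.spec (the hunk that ends just before the `sources` diff), the `doc/examples` cleanup runs only when `%check` runs, yet `%files devel` ships `%doc doc/examples` unconditionally. A build with checks disabled would presumably package the generated `Makefile` and `.deps` into the devel subpackage. The line also chains with `;`, so a failed `cd` would let `make clean` and `rm -rf .deps Makefile` run in the top-level build directory. I would write it as `(cd doc/examples && make clean && rm -rf .deps Makefile)` and repeat the same cleanup at the end of `%install`, keeping the `%check` copy in case the test run regenerates the artifacts.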