From adfe0fa27d4ac3f2b9ad5fac92162902e96de87c Mon Sep 17 00:00:00 2001
From: David King <amigadave@amigadave.com>
Date: Fri, 14 Apr 2023 11:23:10 +0100
Subject: [PATCH] Fix CVE-2023-29469 (#2186694)

Resolves: #2186694
---
 libxml2-2.9.13-CVE-2023-29469.patch | 37 +++++++++++++++++++++++++++++
 libxml2.spec                        |  2 ++
 2 files changed, 39 insertions(+)
 create mode 100644 libxml2-2.9.13-CVE-2023-29469.patch

diff --git a/libxml2-2.9.13-CVE-2023-29469.patch b/libxml2-2.9.13-CVE-2023-29469.patch
new file mode 100644
index 0000000..33dc036
--- /dev/null
+++ b/libxml2-2.9.13-CVE-2023-29469.patch
@@ -0,0 +1,37 @@
+From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index c29d2af7..12ba94fd 100644
+--- a/dict.c
++++ b/dict.c
+@@ -453,7 +453,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
++    if ((name == NULL) || (namelen <= 0))
++        return(value);
+     value += *name;
+     value <<= 5;
+     if (namelen > 10) {
+-- 
+GitLab
+
diff --git a/libxml2.spec b/libxml2.spec
index 3e2622a..0a8bb43 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -19,6 +19,7 @@ Patch4:         libxml2-2.9.13-CVE-2022-40304.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2186694
 Patch5:         libxml2-2.9.13-CVE-2023-28484.patch
 Patch6:         libxml2-2.9.13-CVE-2023-28484.2.patch
+Patch7:         libxml2-2.9.13-CVE-2023-29469.patch
 
 BuildRequires:  cmake-rpm-macros
 BuildRequires:  gcc
@@ -149,6 +150,7 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %changelog
 * Fri Apr 14 2023 David King <amigadave@amigadave.com> - 2.9.13-4
 - Fix CVE-2023-28484 (#2186694)
+- Fix CVE-2023-29469 (#2186694)
 
 * Tue Nov 01 2022 David King <amigadave@amigadave.com> - 2.9.13-3
 - Fix CVE-2022-40303 (#2136564)