From c192f58c891abfbeea660b27edd3ba8c46a80d36 Mon Sep 17 00:00:00 2001 
From: James Antill Date: Thu, 26 May 2022 11:02:50 -0400 Subject: [PATCH] Auto sync2gitlab import of libxml2-2.9.7-13.el8.src.rpm --- .gitignore | 1 + EMPTY | 1 - libxml2-2.9.0-do-not-check-crc.patch | 35 ++ libxml2-2.9.4-remove-pyverify_fd.patch | 12 + libxml2-2.9.7-CVE-2019-20388.patch | 33 ++ libxml2-2.9.7-CVE-2020-24977.patch | 36 ++ libxml2-2.9.7-CVE-2020-7595.patch | 32 ++ libxml2-2.9.7-CVE-2021-3516.patch | 31 ++ libxml2-2.9.7-CVE-2021-3517.patch | 49 +++ libxml2-2.9.7-CVE-2021-3518.patch | 247 +++++++++++ libxml2-2.9.7-CVE-2021-3537.patch | 44 ++ libxml2-2.9.7-CVE-2021-3541.patch | 67 +++ libxml2-2.9.7-CVE-2022-23308.patch | 196 +++++++++ libxml2-CVE-2016-9597.patch | 191 +++++++++ libxml2-CVE-2018-14404.patch | 54 +++ libxml2-CVE-2018-9251.patch | 50 +++ libxml2-CVE-2019-19956.patch | 33 ++ libxml2-multilib.patch | 24 ++ libxml2-python3-unicode-errors.patch | 34 ++ libxml2.spec | 555 +++++++++++++++++++++++++ sources | 1 + 21 files changed, 1725 insertions(+), 1 deletion(-) create mode 100644 .gitignore delete mode 100644 EMPTY create mode 100644 libxml2-2.9.0-do-not-check-crc.patch create mode 100644 libxml2-2.9.4-remove-pyverify_fd.patch create mode 100644 libxml2-2.9.7-CVE-2019-20388.patch create mode 100644 libxml2-2.9.7-CVE-2020-24977.patch create mode 100644 libxml2-2.9.7-CVE-2020-7595.patch create mode 100644 libxml2-2.9.7-CVE-2021-3516.patch create mode 100644 libxml2-2.9.7-CVE-2021-3517.patch create mode 100644 libxml2-2.9.7-CVE-2021-3518.patch create mode 100644 libxml2-2.9.7-CVE-2021-3537.patch create mode 100644 libxml2-2.9.7-CVE-2021-3541.patch create mode 100644 libxml2-2.9.7-CVE-2022-23308.patch create mode 100644 libxml2-CVE-2016-9597.patch create mode 100644 libxml2-CVE-2018-14404.patch create mode 100644 libxml2-CVE-2018-9251.patch create mode 100644 libxml2-CVE-2019-19956.patch create mode 100644 libxml2-multilib.patch create mode 100644 libxml2-python3-unicode-errors.patch create mode 100644 libxml2.spec create mode 100644 sources 
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0c886a5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/libxml2-2.9.7.tar.gz
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/libxml2-2.9.0-do-not-check-crc.patch b/libxml2-2.9.0-do-not-check-crc.patch
new file mode 100644
index 0000000..3e65077
--- /dev/null
+++ b/libxml2-2.9.0-do-not-check-crc.patch
@@ -0,0 +1,35 @@
+diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c
+--- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200
++++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100
+@@ -552,17 +552,20 @@ xz_decomp(xz_statep state)
+ #ifdef HAVE_ZLIB_H
+ if (state->how == GZIP) {
+ if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
+- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
+- return -1;
+- }
+- if (crc != state->zstrm.adler) {
+- xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
+- return -1;
+- }
+- if (len != (state->zstrm.total_out & 0xffffffffL)) {
+- xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
+- return -1;
+- }
++ /*
++ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
++ return -1;
++ */
++ } else {
++ if (crc != state->zstrm.adler) {
++ xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
++ return -1;
++ }
++ if (len != (state->zstrm.total_out & 0xffffffffL)) {
++ xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
++ return -1;
++ }
++ }
+ state->strm.avail_in = 0;
+ state->strm.next_in = NULL;
+ state->strm.avail_out = 0;
diff --git a/libxml2-2.9.4-remove-pyverify_fd.patch b/libxml2-2.9.4-remove-pyverify_fd.patch
new file mode 100644
index 0000000..d05d4cb
--- /dev/null
+++ b/libxml2-2.9.4-remove-pyverify_fd.patch
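Review bot: In xz_decomp the branch taken when `gz_next4()` fails now falls through with the error commented out, so a gzip stream whose trailer (CRC and length) is missing or cut short is accepted without any integrity verification, and callers can no longer tell truncated input from a complete stream. The patch carries no description, so the reason for relaxing the check is not recorded anywhere visible. I would replace the commented-out code with a comment such as `/* Trailer missing: accept the data decoded so far without CRC/length verification (reason: <bug reference>) */` so the integrity trade-off is visible to the next maintainer. The enclosing function starts and ends outside the hunk.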
@@ -0,0 +1,12 @@
+diff -Nur libxml2-2.9.4.orig/python/types.c libxml2-2.9.4/python/types.c
+--- libxml2-2.9.4.orig/python/types.c 2016-02-09 03:17:33.000000000 -0700
++++ libxml2-2.9.4/python/types.c 2016-12-21 12:34:06.755650986 -0700
+@@ -31,8 +31,6 @@
+ const char *mode;
+
+ fd = PyObject_AsFileDescriptor(f);
+- if (!_PyVerify_fd(fd))
+- return(NULL);
+ /*
+ * Get the flags on the fd to understand how it was opened
+ */
diff --git a/libxml2-2.9.7-CVE-2019-20388.patch b/libxml2-2.9.7-CVE-2019-20388.patch
new file mode 100644
index 0000000..49ff6fb
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2019-20388.patch
@@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+ vctxt->nberrors = 0;
+ vctxt->depth = -1;
+ vctxt->skipDepth = -1;
+- vctxt->xsiAssemble = 0;
+ vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+ vctxt->createIDCNodeTables = 1;
+--
+2.24.1
+
diff --git a/libxml2-2.9.7-CVE-2020-24977.patch b/libxml2-2.9.7-CVE-2020-24977.patch
new file mode 100644
index 0000000..fe4b398
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2020-24977.patch
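Review bot: With the `_PyVerify_fd(fd)` test removed, nothing in the visible lines checks the result of `PyObject_AsFileDescriptor(f)`, which returns -1 when `f` has no usable descriptor; that value then flows into the flag lookup announced by the comment that follows. Since the removed call was the only validation here, I would keep a guard in its place: `if (fd == -1) return(NULL);`. The rest of the function lies outside the hunk, so a later check may exist, but rejecting the descriptor before its first use is the safer default.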
@@ -0,0 +1,36 @@
+From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e4636..c647486f3 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+ char *result;
+
++ /*
++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++ * an out-of-bounds read.
++ */
++ memset(&buffer[sizeof(buffer)-4], 0, 4);
+ result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+ if (result) {
+ xmlGenericError(xmlGenericErrorContext, "%s", result);
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2020-7595.patch b/libxml2-2.9.7-CVE-2020-7595.patch
new file mode 100644
index 0000000..3dd6774
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2020-7595.patch
@@ -0,0 +1,32 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index d1c31963..a34bb6cd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ else
+ c = 0;
+ while ((c != 0) && (c != end) && /* non input consuming loop */
+- (c != end2) && (c != end3)) {
++ (c != end2) && (c != end3) &&
++ (ctxt->instate != XML_PARSER_EOF)) {
+
+ if (c == 0) break;
+ if ((c == '&') && (str[1] == '#')) {
+--
+2.24.1
+
diff --git a/libxml2-2.9.7-CVE-2021-3516.patch b/libxml2-2.9.7-CVE-2021-3516.patch
new file mode 100644
index 0000000..10093b6
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2021-3516.patch
@@ -0,0 +1,31 @@
+From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54..dbef273a 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2021-3517.patch b/libxml2-2.9.7-CVE-2021-3517.patch
new file mode 100644
index 0000000..e3ef736
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2021-3517.patch
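Review bot: The context returned by `htmlCreatePushParserCtxt()` is handed to `htmlCtxtUseOptions()` and `htmlParseChunk()` without being tested for NULL anywhere in the visible lines of parseAndPrintFile. While this call is being changed it would be worth making the allocation failure explicit with an `if (ctxt == NULL)` branch that leaves through the function's existing error path (the file handle `f` is opened outside the hunk, so the cleanup is not visible here). The return value of `htmlCtxtUseOptions()` is also discarded, so option bits the HTML parser does not accept go unnoticed.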
@@ -0,0 +1,49 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2021-3518.patch b/libxml2-2.9.7-CVE-2021-3518.patch
new file mode 100644
index 0000000..e5861c2
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2021-3518.patch
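Review bot: The new validity test in xmlEncodeEntitiesInternal stays inside the string only because of its operand order: `cur[1]` is read after `cur[0]` is known to be a lead byte, and `cur[2]` and `cur[3]` are read only after the preceding byte was seen to be a continuation byte, so a NUL terminator always stops the chain. The added comment lists the byte patterns but not this dependency, and a later reordering of the `||` operands would bring back the out-of-bounds read. I would add a line to the comment such as `* The tests are ordered so that cur[n] is read only after cur[n-1] was a continuation byte; do not reorder.` The check is structural only, so overlong forms still pass it; whether the decoded value is range-checked afterwards is outside the hunk.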
@@ -0,0 +1,247 @@ +From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 16:34:52 +0200 +Subject: [PATCH 1/2] Don't recurse into xi:include children in + xmlXIncludeDoProcess + +Otherwise, nested xi:include nodes might result in a use-after-free +if XML_PARSE_NOXINCNODE is specified. + +Found with libFuzzer and ASan. +--- + result/XInclude/fallback3.xml | 8 ++++++++ + result/XInclude/fallback3.xml.err | 0 + result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++ + result/XInclude/fallback4.xml | 10 ++++++++++ + result/XInclude/fallback4.xml.err | 0 + result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++ + test/XInclude/docs/fallback3.xml | 9 +++++++++ + test/XInclude/docs/fallback4.xml | 7 +++++++ + xinclude.c | 24 ++++++++++-------------- + 9 files changed, 98 insertions(+), 14 deletions(-) + create mode 100644 result/XInclude/fallback3.xml + create mode 100644 result/XInclude/fallback3.xml.err + create mode 100644 result/XInclude/fallback3.xml.rdr + create mode 100644 result/XInclude/fallback4.xml + create mode 100644 result/XInclude/fallback4.xml.err + create mode 100644 result/XInclude/fallback4.xml.rdr + create mode 100644 test/XInclude/docs/fallback3.xml + create mode 100644 test/XInclude/docs/fallback4.xml + +diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml +new file mode 100644 +index 00000000..b4235514 +--- /dev/null ++++ b/result/XInclude/fallback3.xml +@@ -0,0 +1,8 @@ ++ ++ ++ ++

something

++

really

++

simple

++
++
+diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr +new file mode 100644 +index 00000000..aa2f1374 +--- /dev/null ++++ b/result/XInclude/fallback3.xml.rdr +@@ -0,0 +1,25 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml +new file mode 100644 +index 00000000..9883fd54 +--- /dev/null ++++ b/result/XInclude/fallback4.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++

something

++

really

++

simple

++
++ ++
+diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr +new file mode 100644 +index 00000000..628b9513 +--- /dev/null ++++ b/result/XInclude/fallback4.xml.rdr +@@ -0,0 +1,29 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml +new file mode 100644 +index 00000000..0c8b6c9e +--- /dev/null ++++ b/test/XInclude/docs/fallback3.xml +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ There is no c.xml ... ++ ++ ++ ++ +diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml +new file mode 100644 +index 00000000..b500a635 +--- /dev/null ++++ b/test/XInclude/docs/fallback4.xml +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xinclude.c b/xinclude.c +index ba850fa5..f260c1a7 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + * First phase: lookup the elements in the document + */ + cur = tree; +- if (xmlXIncludeTestNode(ctxt, cur) == 1) +- xmlXIncludePreProcessNode(ctxt, cur); + while ((cur != NULL) && (cur != tree->parent)) { + /* TODO: need to work on entities -> stack */ +- if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { +- cur = cur->children; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); +- } else if (cur->next != NULL) { ++ if (xmlXIncludeTestNode(ctxt, cur) == 
1) { ++ xmlXIncludePreProcessNode(ctxt, cur); ++ } else if ((cur->children != NULL) && ++ (cur->children->type != XML_ENTITY_DECL) && ++ (cur->children->type != XML_XINCLUDE_START) && ++ (cur->children->type != XML_XINCLUDE_END)) { ++ cur = cur->children; ++ continue; ++ } ++ if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + } else { + if (cur == tree) + break; +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + break; /* do */ + if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + break; /* do */ + } + } while (cur != NULL); +-- +2.31.1 + + +From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 22 Apr 2021 19:26:28 +0200 +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd` + +The --dropdtd option can leave dangling pointers in entity reference +nodes. Make sure to skip these nodes when processing XIncludes. + +This also avoids scanning entity declarations and even modifying +them inadvertently during XInclude processing. + +Move from a block list to an allow list approach to avoid descending +into other node types that can't contain elements. + +Fixes #237. 
+--- + xinclude.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index f260c1a7..d7648529 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + if (xmlXIncludeTestNode(ctxt, cur) == 1) { + xmlXIncludePreProcessNode(ctxt, cur); + } else if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { ++ ((cur->type == XML_DOCUMENT_NODE) || ++ (cur->type == XML_ELEMENT_NODE))) { + cur = cur->children; + continue; + } +-- +2.31.1 + diff --git a/libxml2-2.9.7-CVE-2021-3537.patch b/libxml2-2.9.7-CVE-2021-3537.patch new file mode 100644 index 0000000..3df1539 --- /dev/null +++ b/libxml2-2.9.7-CVE-2021-3537.patch 
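Review bot: The allow list introduced by the second patch (`cur->type == XML_DOCUMENT_NODE` or `XML_ELEMENT_NODE`) carries no comment in xmlXIncludeDoProcess, so the reason the walk must not descend into entity references and declarations lives only in the commit message. I would put it next to the condition, e.g. `/* Descend only into documents and elements: entity reference nodes may hold dangling children */`. The `TODO: need to work on entities -> stack` line kept above it may now be stale and should be updated or dropped in the same change. The loop's start and end are outside the hunks shown.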
@@ -0,0 +1,44 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2021-3541.patch b/libxml2-2.9.7-CVE-2021-3541.patch
new file mode 100644
index 0000000..2dbdafe
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2021-3541.patch
@@ -0,0 +1,67 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2022-23308.patch b/libxml2-2.9.7-CVE-2022-23308.patch
new file mode 100644
index 0000000..984f15f
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2022-23308.patch
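Review bot: The amplification check added to xmlParserEntityCheck runs only when `ctxt->nbentities % 1024 == 0`, so it fires only if the counter lands exactly on a multiple of 1024; if nbentities is ever advanced by more than one at a time (its updates are outside this hunk), the check can be stepped over for long stretches of a DTD. A gate that cannot be skipped would be more robust, for example remembering the count at the last check and testing `ctxt->nbentities - last_checked >= 1024` (`last_checked` would be a new field, named here only for illustration). Separately, `consumed * XML_PARSER_NON_LINEAR` is an unchecked size_t product, and the comment says "once in a thousand" while the code samples every 1024.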
@@ -0,0 +1,196 @@ +From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 8 Feb 2022 03:29:24 +0100 +Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes + +If a document is parsed with XML_PARSE_DTDVALID and without +XML_PARSE_NOENT, the value of ID attributes has to be normalized after +potentially expanding entities in xmlRemoveID. Otherwise, later calls +to xmlGetID can return a pointer to previously freed memory. + +ID attributes which are empty or contain only whitespace after +entity expansion are affected in a similar way. This is fixed by +not storing such attributes in the ID table. + +The test to detect streaming mode when validating against a DTD was +broken. In connection with the defects above, this could result in a +use-after-free when using the xmlReader interface with validation. +Fix detection of streaming mode to avoid similar issues. (This changes +the expected result of a test case. But as far as I can tell, using the +XML reader with XIncludes referencing the root document never worked +properly, anyway.) + +All of these issues can result in denial of service. Using xmlReader +with validation could result in disclosure of memory via the error +channel, typically stderr. The security impact of xmlGetID returning +a pointer to freed memory depends on the application. The typical use +case of calling xmlGetID on an unmodified document is not affected. +--- + valid.c | 88 +++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 55 insertions(+), 33 deletions(-) + +diff --git a/valid.c b/valid.c +index a64b96be..5b81059f 100644 +--- a/valid.c ++++ b/valid.c +@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt) + return (ret); + } + ++/** ++ * xmlValidNormalizeString: ++ * @str: a string ++ * ++ * Normalize a string in-place. 
++ */ ++static void ++xmlValidNormalizeString(xmlChar *str) { ++ xmlChar *dst; ++ const xmlChar *src; ++ ++ if (str == NULL) ++ return; ++ src = str; ++ dst = str; ++ ++ while (*src == 0x20) src++; ++ while (*src != 0) { ++ if (*src == 0x20) { ++ while (*src == 0x20) src++; ++ if (*src != 0) ++ *dst++ = 0x20; ++ } else { ++ *dst++ = *src++; ++ } ++ } ++ *dst = 0; ++} ++ + #ifdef DEBUG_VALID_ALGO + static void + xmlValidPrintNode(xmlNodePtr cur) { +@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) { + (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \ + xmlFree((char *)(str)); + ++static int ++xmlIsStreaming(xmlValidCtxtPtr ctxt) { ++ xmlParserCtxtPtr pctxt; ++ ++ if (ctxt == NULL) ++ return(0); ++ /* ++ * These magic values are also abused to detect whether we're validating ++ * while parsing a document. In this case, userData points to the parser ++ * context. ++ */ ++ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) && ++ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1)) ++ return(0); ++ pctxt = ctxt->userData; ++ return(pctxt->parseMode == XML_PARSE_READER); ++} ++ + /** + * xmlFreeID: + * @not: A id +@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, + if (doc == NULL) { + return(NULL); + } +- if (value == NULL) { ++ if ((value == NULL) || (value[0] == 0)) { + return(NULL); + } + if (attr == NULL) { +@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, + */ + ret->value = xmlStrdup(value); + ret->doc = doc; +- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) { ++ if (xmlIsStreaming(ctxt)) { + /* + * Operating in streaming mode, attr is gonna disapear + */ +@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) { + ID = xmlNodeListGetString(doc, attr->children, 1); + if (ID == NULL) + return(-1); ++ xmlValidNormalizeString(ID); + + id = xmlHashLookup(table, ID); + if (id == NULL || id->attr != attr) { +@@ -2942,7 +2990,7 @@ 
xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, + * fill the structure. + */ + ret->value = xmlStrdup(value); +- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) { ++ if (xmlIsStreaming(ctxt)) { + /* + * Operating in streaming mode, attr is gonna disapear + */ +@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc, + xmlChar * + xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, + xmlNodePtr elem, const xmlChar *name, const xmlChar *value) { +- xmlChar *ret, *dst; +- const xmlChar *src; ++ xmlChar *ret; + xmlAttributePtr attrDecl = NULL; + int extsubset = 0; + +@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, + ret = xmlStrdup(value); + if (ret == NULL) + return(NULL); +- src = value; +- dst = ret; +- while (*src == 0x20) src++; +- while (*src != 0) { +- if (*src == 0x20) { +- while (*src == 0x20) src++; +- if (*src != 0) +- *dst++ = 0x20; +- } else { +- *dst++ = *src++; +- } +- } +- *dst = 0; ++ xmlValidNormalizeString(ret); + if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) { + xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE, + "standalone: %s on %s value had to be normalized based on external subset declaration\n", +@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, + xmlChar * + xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem, + const xmlChar *name, const xmlChar *value) { +- xmlChar *ret, *dst; +- const xmlChar *src; ++ xmlChar *ret; + xmlAttributePtr attrDecl = NULL; + + if (doc == NULL) return(NULL); +@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem, + ret = xmlStrdup(value); + if (ret == NULL) + return(NULL); +- src = value; +- dst = ret; +- while (*src == 0x20) src++; +- while (*src != 0) { +- if (*src == 0x20) { +- while (*src == 0x20) src++; +- if (*src != 0) +- *dst++ = 0x20; +- } else { +- *dst++ = *src++; +- } +- } 
+- *dst = 0; ++ xmlValidNormalizeString(ret); + return(ret); + } + +-- +2.35.1 + diff --git a/libxml2-CVE-2016-9597.patch b/libxml2-CVE-2016-9597.patch new file mode 100644 index 0000000..43f0243 --- /dev/null +++ b/libxml2-CVE-2016-9597.patch 
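Review bot: xmlIsStreaming treats `ctxt->userData` as a parser context purely on the strength of the two `finishDtd` magic values and then reads `pctxt->parseMode` without a NULL test. A validation context whose `finishDtd` happens to hold one of those values while `userData` is unset or points at something else would be misread as a parser context, a coupling the added comment itself describes as abuse. At minimum I would add `if (pctxt == NULL) return(0);` before the final return, and state in the function comment that the result is only meaningful for contexts set up by the parser.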
@@ -0,0 +1,191 @@ +Make the XML entity recursion check more precise. + +libxml doesn't detect entity recursion specifically but has a variety +of related checks, such as entities not expanding too deeply or +producing exponential blow-ups in content. + +Because entity declarations are parsed in a separate context with +their own element recursion budget, a recursive entity can overflow +the stack using a lot of open elements (but within the per-context +limit) as it slowly consumes (but does not exhaust) the entity depth +budget. + +This adds a specific, precise check for recursive entities that +detects entity recursion specifically and fails immediately. + +The existing entity expansion depth checks are still relevant for long +chains of different entities. + +BUG=628581 + +Review-Url: https://codereview.chromium.org/2539003002 +Cr-Commit-Position: refs/heads/master@{#436899} + + +Index: libxml2-2.9.4/entities.c +=================================================================== +--- libxml2-2.9.4.orig/entities.c ++++ libxml2-2.9.4/entities.c +@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x + memset(ret, 0, sizeof(xmlEntity)); + ret->type = XML_ENTITY_DECL; + ret->checked = 0; ++ ret->guard = XML_ENTITY_NOT_BEING_CHECKED; + + /* + * fill the structure. 
+@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) { + cur->orig = xmlStrdup(ent->orig); + if (ent->URI != NULL) + cur->URI = xmlStrdup(ent->URI); ++ cur->guard = 0; + return(cur); + } + +Index: libxml2-2.9.4/include/libxml/entities.h +=================================================================== +--- libxml2-2.9.4.orig/include/libxml/entities.h ++++ libxml2-2.9.4/include/libxml/entities.h +@@ -30,6 +30,11 @@ typedef enum { + XML_INTERNAL_PREDEFINED_ENTITY = 6 + } xmlEntityType; + ++typedef enum { ++ XML_ENTITY_NOT_BEING_CHECKED, ++ XML_ENTITY_BEING_CHECKED /* entity check is in progress */ ++} xmlEntityRecursionGuard; ++ + /* + * An unit of storage for an entity, contains the string, the value + * and the linkind data needed for the linking in the hash table. +@@ -60,6 +65,7 @@ struct _xmlEntity { + /* this is also used to count entities + * references done from that entity + * and if it contains '<' */ ++ xmlEntityRecursionGuard guard; + }; + + /* +Index: libxml2-2.9.4/parser.c +=================================================================== +--- libxml2-2.9.4.orig/parser.c ++++ libxml2-2.9.4/parser.c +@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); + ++ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ return (1); ++ } + /* + * This may look absurd but is needed to detect + * entities problems +@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + ++ ent->guard = XML_ENTITY_BEING_CHECKED; + ent->checked = 1; + + ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ++ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; + if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { + ent->content[0] = 0; + } +@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt) + * if its replacement text 
matches the production labeled + * content. + */ +- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { +- ctxt->depth++; +- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, +- user_data, &list); +- ctxt->depth--; +- +- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { +- ctxt->depth++; +- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, +- user_data, ctxt->depth, ent->URI, +- ent->ExternalID, &list); +- ctxt->depth--; +- } else { +- ret = XML_ERR_ENTITY_PE_INTERNAL; +- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, +- "invalid entity type found\n", NULL); +- } ++ if (ent->guard == XML_ENTITY_BEING_CHECKED) { ++ ret = XML_ERR_ENTITY_LOOP; ++ } else { ++ ent->guard = XML_ENTITY_BEING_CHECKED; ++ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, ++ user_data, &list); ++ ctxt->depth--; ++ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, ++ user_data, ctxt->depth, ent->URI, ++ ent->ExternalID, &list); ++ ctxt->depth--; ++ } else { ++ ret = XML_ERR_ENTITY_PE_INTERNAL; ++ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "invalid entity type found\n", NULL); ++ } ++ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; ++ } + + /* + * Store the number of entities needing parsing for this entity +@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt) + else + user_data = ctxt->userData; + +- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { +- ctxt->depth++; +- ret = xmlParseBalancedChunkMemoryInternal(ctxt, +- ent->content, user_data, NULL); +- ctxt->depth--; +- } else if (ent->etype == +- XML_EXTERNAL_GENERAL_PARSED_ENTITY) { +- ctxt->depth++; +- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, +- ctxt->sax, user_data, ctxt->depth, +- ent->URI, ent->ExternalID, NULL); +- ctxt->depth--; +- } else { +- ret = XML_ERR_ENTITY_PE_INTERNAL; +- xmlErrMsgStr(ctxt, 
XML_ERR_INTERNAL_ERROR, +- "invalid entity type found\n", NULL); +- } ++ if (ent->guard == XML_ENTITY_BEING_CHECKED) { ++ ret = XML_ERR_ENTITY_LOOP; ++ } else { ++ ent->guard = XML_ENTITY_BEING_CHECKED; ++ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ++ ent->content, user_data, NULL); ++ ctxt->depth--; ++ } else if (ent->etype == ++ XML_EXTERNAL_GENERAL_PARSED_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ++ ctxt->sax, user_data, ctxt->depth, ++ ent->URI, ent->ExternalID, NULL); ++ ctxt->depth--; ++ } else { ++ ret = XML_ERR_ENTITY_PE_INTERNAL; ++ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "invalid entity type found\n", NULL); ++ } ++ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; ++ } + if (ret == XML_ERR_ENTITY_LOOP) { + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return; diff --git a/libxml2-CVE-2018-14404.patch b/libxml2-CVE-2018-14404.patch new file mode 100644 index 0000000..0b64b4e --- /dev/null +++ b/libxml2-CVE-2018-14404.patch 
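Review bot: xmlCopyEntity resets the new field with a bare `cur->guard = 0;` while xmlCreateEntity and the parser.c sites use the enum constant; `cur->guard = XML_ENTITY_NOT_BEING_CHECKED;` keeps the copy correct if the enum is ever reordered. The field is also appended to `struct _xmlEntity` in the public header include/libxml/entities.h, which changes the size of an exported structure, so any consumer that allocates or embeds an xmlEntity itself would disagree with the library about its layout. A comment on the field marking it as internal to the recursion check, and a note in the package changelog about the layout change, would make that visible.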
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+--
+2.22.0
+
diff --git a/libxml2-CVE-2018-9251.patch b/libxml2-CVE-2018-9251.patch
new file mode 100644
index 0000000..150637a
--- /dev/null
+++ b/libxml2-CVE-2018-9251.patch
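Review bot: In both the `XPATH_OP_AND` and `XPATH_OP_OR` branches of xpath.c, the new `if (ctxt->value != NULL)` guard skips the combine silently, so an empty stack after `xmlXPathBooleanFunction(ctxt, 1)` raises no error and the caller still gets `total` back. The commit message attributes that state to a corrupted stack, so I would record it on the guard, e.g. `/* ctxt->value == NULL means the stack is corrupted; skip the update rather than dereference */`, and consider whether the evaluation should also be marked as failed. `arg2->boolval` is still dereferenced unguarded on the same line; `arg2` is assigned above the hunk, so confirm it cannot be NULL there. The enclosing `xmlXPathCompOpEval` starts and ends outside both inner hunks.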
@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169e..0ba88cfa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.22.0
+
diff --git a/libxml2-CVE-2019-19956.patch b/libxml2-CVE-2019-19956.patch
new file mode 100644
index 0000000..5bfb5d5
--- /dev/null
+++ b/libxml2-CVE-2019-19956.patch
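Review bot: The new catch-all in xzlib.c, `if ((state->how != GZIP) && (ret != LZMA_OK) && (ret != LZMA_STREAM_END))`, exempts the GZIP path, where only `Z_MEM_ERROR` and `Z_DATA_ERROR` are visibly remapped, so any other zlib status still reaches `while (strm->avail_out && ret != LZMA_STREAM_END)` unchecked. The added FIXME already calls the remapping fragile; I would make the gap explicit beside the new check, e.g. `/* GZIP: zlib codes not remapped above are not caught here */`, and verify that such a status cannot repeat without progress on truncated or malformed input. The code between the two inner hunks is not shown, so the rest of the zlib handling needs confirming there. `xz_decomp` starts and ends outside the hunks.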
@@ -0,0 +1,33 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ xmlFreeParserCtxt(ctxt);
+ newDoc->intSubset = NULL;
+ newDoc->extSubset = NULL;
+- newDoc->oldNs = NULL;
++ if(doc != NULL)
++ newDoc->oldNs = NULL;
+ xmlFreeDoc(newDoc);
+
+ return(ret);
+--
+2.24.1
+
diff --git a/libxml2-multilib.patch b/libxml2-multilib.patch
new file mode 100644
index 0000000..138d38f
--- /dev/null
+++ b/libxml2-multilib.patch
@@ -0,0 +1,24 @@
+*** XML/xml2-config.in.orig 2006-06-06 16:35:56.000000000 +0200
+--- XML/xml2-config.in 2006-06-06 16:36:24.000000000 +0200
+***************
+*** 3,9 ****
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+ includedir=@includedir@
+! libdir=@libdir@
+
+ usage()
+ {
+--- 3,14 ----
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+ includedir=@includedir@
+! if [ "`ldd /bin/sh | grep lib64`" = "" ]
+! then
+! libdir=${exec_prefix}/lib
+! else
+! libdir=${exec_prefix}/lib64
+! fi
+
+ usage()
+ {
diff --git a/libxml2-python3-unicode-errors.patch b/libxml2-python3-unicode-errors.patch
new file mode 100644
index 0000000..e87dcde
--- /dev/null
+++ b/libxml2-python3-unicode-errors.patch
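Review bot: The conditional added to parser.c in libxml2-CVE-2019-19956.patch, `if(doc != NULL)` followed by `newDoc->oldNs = NULL;`, encodes an ownership rule that is explained only in the commit message. Going by that message, `oldNs` has to stay in place when `doc` is NULL so that `xmlFreeDoc(newDoc)` releases the namespace; a comment such as `/* oldNs belongs to newDoc when doc == NULL; leave it for xmlFreeDoc() */` would keep a later cleanup from reintroducing the leak. The neighbouring `intSubset`/`extSubset` resets stay unconditional, which looks intentional but is worth confirming, because the part of `xmlParseBalancedChunkMemoryRecover` that sets them is outside the hunk. As a style nit, `if (doc != NULL)` with a space would match the other conditionals in these patches.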
@@ -0,0 +1,34 @@
+Index: libxml2-2.9.5/python/libxml.c
+===================================================================
+--- libxml2-2.9.5.orig/python/libxml.c
++++ libxml2-2.9.5/python/libxml.c
+@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
+ PyObject *message;
+ PyObject *result;
+ char str[1000];
++ unsigned char *ptr = (unsigned char *)str;
+
+ #ifdef DEBUG_ERROR
+ printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
+@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
+ str[999] = 0;
+ va_end(ap);
+
++#if PY_MAJOR_VERSION >= 3
++ /* Ensure the error string doesn't start at UTF8 continuation. */
++ while (*ptr && (*ptr & 0xc0) == 0x80)
++ ptr++;
++#endif
++
+ list = PyTuple_New(2);
+ PyTuple_SetItem(list, 0, libxml_xmlPythonErrorFuncCtxt);
+ Py_XINCREF(libxml_xmlPythonErrorFuncCtxt);
+- message = libxml_charPtrConstWrap(str);
++ message = libxml_charPtrConstWrap(ptr);
+ PyTuple_SetItem(list, 1, message);
+ result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list);
++ /* Forget any errors caused in the error handler. */
++ PyErr_Clear();
+ Py_XDECREF(list);
+ Py_XDECREF(result);
+ }
diff --git a/libxml2.spec b/libxml2.spec
new file mode 100644
index 0000000..7998fe6
--- /dev/null
+++ b/libxml2.spec
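Review bot: The added loop in `libxml_xmlErrorFuncHandler` only skips continuation bytes at the start of `str`, while the `str[999] = 0` cut just above it can still end the message in the middle of a multi-byte sequence, so the text handed to `libxml_charPtrConstWrap` may remain invalid UTF-8. If the wrapper fails to decode and returns NULL (its body is not in this hunk, so this needs confirming), `PyTuple_SetItem(list, 1, message)` stores NULL and the new `PyErr_Clear()` hides the reason. I would trim an incomplete trailing sequence inside the same `#if PY_MAJOR_VERSION >= 3` block and check `message` before the call. Separately, `ptr` is `unsigned char *`; if the wrapper takes `const char *`, pass `(const char *) ptr` to avoid a pointer-sign warning. The function starts outside the hunk.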
@@ -0,0 +1,555 @@
+%if 0%{?rhel} > 7
+# Disable python2 build by default
+%bcond_with python2
+%else
+%bcond_without python2
+%endif
+
+Name: libxml2
+Version: 2.9.7
+Release: 13%{?dist}
+Summary: Library providing XML and HTML support
+
+License: MIT
+URL: http://xmlsoft.org/
+Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
+Patch0: libxml2-multilib.patch
+# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
+Patch1: libxml2-2.9.0-do-not-check-crc.patch
+# In python3.6 _PyVerify_fd is no more
+# http://bugs.python.org/issue23524
+Patch2: libxml2-2.9.4-remove-pyverify_fd.patch
+# https://codereview.chromium.org/2539003002
+Patch3: libxml2-CVE-2016-9597.patch
+# Fix some crashes under Python 3
+# https://bugzilla.gnome.org/show_bug.cgi?id=789714
+Patch4: libxml2-python3-unicode-errors.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1565322
+Patch5: libxml2-CVE-2018-9251.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1595989
+Patch6: libxml2-CVE-2018-14404.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1793001
+Patch7: libxml2-CVE-2019-19956.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1799786
+Patch8: libxml2-2.9.7-CVE-2020-7595.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1810058
+Patch9: libxml2-2.9.7-CVE-2019-20388.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1878252
+Patch10: libxml2-2.9.7-CVE-2020-24977.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1956976
+Patch11: libxml2-2.9.7-CVE-2021-3516.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957001
+Patch12: libxml2-2.9.7-CVE-2021-3517.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957028
+Patch13: libxml2-2.9.7-CVE-2021-3518.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957284
+Patch14: libxml2-2.9.7-CVE-2021-3537.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1958783
+Patch15: libxml2-2.9.7-CVE-2021-3541.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2057664
+Patch16: libxml2-2.9.7-CVE-2022-23308.patch
+
+BuildRequires: gcc
+BuildRequires: cmake-rpm-macros
+BuildRequires: pkgconfig(zlib)
+BuildRequires: pkgconfig(liblzma)
+
+%description
+This library allows to manipulate XML files. It includes support
+to read, modify and write XML and HTML files. There is DTDs support
+this includes parsing and validation even with complex DtDs, either
+at parse time or later once the document has been modified. The output
+can be a simple SAX stream or and in-memory DOM like representations.
+In this case one can use the built-in XPath and XPointer implementation
+to select sub nodes or ranges. A flexible Input/Output mechanism is
+available, with existing HTTP and FTP modules and combined to an
+URI library.
+
+%package devel
+Summary: Libraries, includes, etc. to develop XML and HTML applications
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: zlib-devel%{?_isa}
+Requires: xz-devel%{?_isa}
+
+%description devel
+Libraries, include files, etc you can use to develop XML applications.
+This library allows to manipulate XML files. It includes support
+to read, modify and write XML and HTML files. There is DTDs support
+this includes parsing and validation even with complex DtDs, either
+at parse time or later once the document has been modified. The output
+can be a simple SAX stream or and in-memory DOM like representations.
+In this case one can use the built-in XPath and XPointer implementation
+to select sub nodes or ranges. A flexible Input/Output mechanism is
+available, with existing HTTP and FTP modules and combined to an
+URI library.
+
+%package static
+Summary: Static library for libxml2
+
+%description static
+Static library for libxml2 provided for specific uses or shaving a few
+microseconds when parsing, do not link to them for generic purpose packages.
+
+%if %{with python2}
+%package -n python2-%{name}
+%{?python_provide:%python_provide python2-%{name}}
+Summary: Python bindings for the libxml2 library
+BuildRequires: python2-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
+Provides: %{name}-python = %{version}-%{release}
+
+%description -n python2-%{name}
+The libxml2-python package contains a Python 2 module that permits applications
+written in the Python programming language, version 2, to use the interface
+supplied by the libxml2 library to manipulate XML files.
+
+This library allows to manipulate XML files. It includes support
+to read, modify and write XML and HTML files. There is DTDs support
+this includes parsing and validation even with complex DTDs, either
+at parse time or later once the document has been modified.
+%endif # with python2
+
+%package -n python3-%{name}
+Summary: Python 3 bindings for the libxml2 library
+BuildRequires: python3-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python3 < %{version}-%{release}
+Provides: %{name}-python3 = %{version}-%{release}
+
+%description -n python3-%{name}
+The libxml2-python3 package contains a Python 3 module that permits
+applications written in the Python programming language, version 3, to use the
+interface supplied by the libxml2 library to manipulate XML files.
+
+This library allows to manipulate XML files. It includes support
+to read, modify and write XML and HTML files. There is DTDs support
+this includes parsing and validation even with complex DTDs, either
+at parse time or later once the document has been modified.
+
+%prep
+%autosetup -p1
+find doc -type f -executable -print -exec chmod 0644 {} ';'
+
+%build
+%if %{with python2}
+mkdir py2
+%endif # with python2
+mkdir py3
+%global _configure ../configure
+%global _configure_disable_silent_rules 1
+%if %{with python2}
+( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} )
+%endif # with python2
+( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} )
+%if %{with python2}
+%make_build -C py2
+%endif # with python2
+%make_build -C py3
+
+%install
+%if %{with python2}
+%make_install -C py2
+%endif # with python2
+%make_install -C py3
+
+# multiarch crazyness on timestamp differences or Makefile/binaries for examples
+touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config
+
+find %{buildroot} -type f -name '*.la' -print -delete
+rm -vf %{buildroot}{%{python2_sitearch},%{python3_sitearch}}/*.a
+rm -vrf %{buildroot}%{_datadir}/doc/
+#(cd doc/examples ; make clean ; rm -rf .deps Makefile)
+gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
+
+%check
+%if %{with python2}
+%make_build runtests -C py2
+%endif # with python2
+%make_build runtests -C py3
+
+%ldconfig_scriptlets
+
+%files
+%license Copyright
+%doc AUTHORS NEWS README TODO
+%{_libdir}/libxml2.so.2*
+%{_mandir}/man3/libxml.3*
+%{_bindir}/xmllint
+%{_mandir}/man1/xmllint.1*
+%{_bindir}/xmlcatalog
+%{_mandir}/man1/xmlcatalog.1*
+
+%files devel
+%doc doc/*.html doc/html doc/*.gif doc/*.png
+%doc doc/tutorial doc/libxml2-api.xml.gz
+%doc doc/examples
+%dir %{_datadir}/gtk-doc
+%dir %{_datadir}/gtk-doc/html
+%{_datadir}/gtk-doc/html/libxml2/
+%{_libdir}/libxml2.so
+%{_libdir}/xml2Conf.sh
+%{_includedir}/libxml2/
+%{_bindir}/xml2-config
+%{_mandir}/man1/xml2-config.1*
+%{_datadir}/aclocal/libxml.m4
+%{_libdir}/pkgconfig/libxml-2.0.pc
+%{_libdir}/cmake/libxml2/
+
+%files static
+%license Copyright
+%{_libdir}/libxml2.a
+
+%if %{with python2}
+%files -n python2-%{name}
+%doc python/TODO python/libxml2class.txt
+%doc doc/*.py doc/python.html
+%{python2_sitearch}/libxml2.py*
+%{python2_sitearch}/drv_libxml2.py*
+%{python2_sitearch}/libxml2mod.so
+%endif # with python2
+
+%files -n python3-%{name}
+%doc python/TODO python/libxml2class.txt
+%doc doc/*.py doc/python.html
+%{python3_sitearch}/libxml2.py
+%{python3_sitearch}/__pycache__/libxml2.*
+%{python3_sitearch}/drv_libxml2.py
+%{python3_sitearch}/__pycache__/drv_libxml2.*
+%{python3_sitearch}/libxml2mod.so
+
+%changelog
+* Thu Feb 24 2022 David King - 2.9.7-13
+- Bump release (#2057664)
+
+* Thu Feb 24 2022 David King - 2.9.7-12
+- Fix CVE-2022-23308 (#2057664)
+
+* Wed May 19 2021 David King - 2.9.7-11
+- Fix CVE-2021-3541 (#1958783)
+
+* Fri May 07 2021 David King - 2.9.7-10
+- Fix CVE-2021-3516 (#1956976)
+- Fix CVE-2021-3517 (#1957001)
+- Fix CVE-2021-3518 (#1957028)
+- Fix CVE-2021-3537 (#1957284)
+
+* Mon Oct 19 2020 David King - 2.9.7-9
+- Fix CVE-2020-24977 (#1878252)
+
+* Mon Jan 20 2020 David King - 2.9.7-8
+- Fix CVE-2019-19956 (#1793001)
+- Fix CVE-2020-7595 (#1799786)
+- Fix CVE-2019-20388 (#1810058)
+
+* Thu Oct 24 2019 David King - 2.9.7-7
+- Fix CVE-2018-14404 (#1595989)
+
+* Thu Oct 24 2019 David King - 2.9.7-6
+- Fix CVE-2018-9251 (#1565322)
+
+* Fri Aug 03 2018 Charalampos Stratakis - 2.9.7-5
+- Fix some crashes under Python 3
+- Conditionalize the python2 subpackage
+
+* Sat Feb 24 2018 Florian Weimer - 2.9.7-4
+- Rebuild with new LDFLAGS from redhat-rpm-config
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.9.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 30 2018 Igor Gnatenko - 2.9.7-2
+- Switch to %%ldconfig_scriptlets
+
+* Wed Jan 24 2018 Igor Gnatenko - 2.9.7-1
+- Update to 2.9.7
+- Cleanups in packaging
+
+* Tue Jan 09 2018 Iryna Shcherbina - 2.9.5-3
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Sep 22 2017 Petr Pisar - 2.9.5-2
+- Fix reporting error about undefined XPath variables (bug #1493613)
+
+* Mon Sep 4 2017 Daniel Veillard - 2.9.5-1
+- update to 2.9.5
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 2.9.4-5
+- Python 2 binary package renamed to python2-libxml2
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.9.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Dec 21 2016 Kevin Fenzi - 2.9.4-1
+- Update to 2.9.4.
+- Apply very hacky patch that removes the no longer in python-3.6 PyVerify_fd symbol.
+
+* Mon Dec 12 2016 Charalampos Stratakis - 2.9.3-5
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.9.3-4
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 02 2015 Kalev Lember - 2.9.3-2
+- Fix obsoletes versions now that F22 has libxml2 2.9.3 (#1287262)
+
+* Fri Nov 20 2015 Daniel Veillard - 2.9.2-1
+- upstream release of 2.9.3
+- Fixes for CVE-2015-8035, CVE-2015-7942, CVE-2015-7941, CVE-2015-1819
+ CVE-2015-7497, CVE-2015-7498, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500
+ and CVE-2015-8242
+- many other bug fixes
+
+* Fri Nov 06 2015 Robert Kuska - 2.9.2-9
+- Rebuilt for Python3.5 rebuild
+- Python3.5 has new naming convention for byte compiled files
+
+* Tue Nov 3 2015 Toshio Kuratomi - 2.9.2-8
+- Remove executable permissions from documentation. Complies with packaging
+ guidelines and solves issue of libxml2-python3 package depending on python2
+
+* Thu Aug 27 2015 Miro Hrončok - 2.9.2-7
+- Remove dependency on python2 from python3 subpackage, rhbz#1250940
+
+* Sat Aug 22 2015 Kalev Lember - 2.9.2-6
+- Rename the Python 3 subpackage to python3-libxml2 as per guidelines
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.9.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas - 2.9.2-4
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Wed Jan 21 2015 Tomas Radej - 2.9.2-3
+- Added Python 3 subpackage
+
+* Thu Oct 16 2014 Lubomir Rintel - 2.9.2-2
+- Avoid corrupting the xml catalogs
+
+* Thu Oct 16 2014 Daniel Veillard - 2.9.2-1
+- upstream release of 2.9.2
+- Fix for CVE-214-3660 billion laugh DOS
+- many other bug fixes
+
+* Sun Aug 17 2014 Fedora Release Engineering - 2.9.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway - 2.9.1-4
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.9.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering - 2.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Apr 19 2013 Daniel Veillard - 2.9.1-1
+- upstream release of 2.9.1
+- a couple more API entry point
+- compatibility with python3
+- a lot of bug fixes
+
+* Mon Feb 11 2013 Daniel Veillard - 2.9.0-4
+- fix --nocheck build which I broke in october rhbz#909767
+
+* Mon Nov 19 2012 Jaroslav Reznik - 2.9.0-3
+- workaround for crc/len check failure, rhbz#877567
+
+* Thu Oct 11 2012 Daniel Veillard - 2.9.0-2
+- remaining cleanups from merge bug rhbz#226079
+- do not put the docs in the main package, only in -devel rhbz#864731
+
+* Tue Sep 11 2012 Daniel Veillard - 2.9.0-1
+- upstream release of 2.9.0
+- A few new API entry points
+- More resilient push parser mode
+- A lot of portability improvement
+- Faster XPath evaluation
+- a lot of bug fixes and smaller improvement
+
+* Fri Aug 10 2012 Daniel Veillard - 2.9.0-0rc1
+- upstream release candidate 1 of 2.9.0
+- introduce a small API change, but ABI compatible, see
+ https://mail.gnome.org/archives/xml/2012-August/msg00005.html
+ patches for php, gcc/libjava and evolution-data-connector are upstream
+ Grab me in cases of problems veillard@redhat.com
+- many bug fixes including security aspects and small improvements
+
+* Thu Jul 19 2012 Fedora Release Engineering - 2.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed May 23 2012 Daniel Veillard - 2.8.0-1
+- upstream release of 2.8.0
+- add lzma compression support
+- many bug fixes and small improvements
+
+* Fri Jan 13 2012 Fedora Release Engineering - 2.7.8-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Mar 4 2011 Daniel Veillard - 2.7.8-6
+- fix a double free in XPath CVE-2010-4494 bug 665965
+
+* Tue Feb 08 2011 Fedora Release Engineering - 2.7.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Nov 5 2010 Daniel Veillard - 2.7.8-4
+- reactivate shared libs versionning script
+
+* Thu Nov 4 2010 Daniel Veillard - 2.7.8-1
+- Upstream release of 2.7.8
+- various bug fixes, including potential crashes
+- new non-destructive formatting option
+- date parsing updated to RFC 5646
+
+* Wed Jul 21 2010 David Malcolm - 2.7.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Mon Mar 15 2010 Daniel Veillard - 2.7.7-1
+- Upstream release of 2.7.7
+- fix serious trouble with zlib >= 1.2.4
+- xmllint new option --xpath
+- various HTML parser improvements
+- includes a number of nug fixes
+
+* Tue Oct 6 2009 Daniel Veillard - 2.7.6-1
+- Upstream release of 2.7.6
+- restore thread support off by default in 2.7.5
+
+* Thu Sep 24 2009 Daniel Veillard - 2.7.5-1
+- Upstream release of 2.7.5
+- fix a couple of Relax-NG validation problems
+- couple more fixes
+
+* Tue Sep 15 2009 Daniel Veillard - 2.7.4-2
+- fix a problem with little data at startup affecting inkscape #523002
+
+* Thu Sep 10 2009 Daniel Veillard - 2.7.4-1
+- upstream release 2.7.4
+- symbol versioning of libxml2 shared libs
+- very large number of bug fixes
+
+* Mon Aug 10 2009 Daniel Veillard - 2.7.3-4
+- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416
+
+* Sat Jul 25 2009 Fedora Release Engineering - 2.7.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 2.7.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Daniel Veillard - 2.7.3-1
+- new release 2.7.3
+- limit default max size of text nodes
+- special parser mode for PHP
+- bug fixes and more compiler checks
+
+* Wed Dec 3 2008 Ignacio Vazquez-Abrams - 2.7.2-7
+- Pull back into Python 2.6
+
+* Wed Dec 3 2008 Caolán McNamara - 2.7.2-6
+- AutoProvides requires BuildRequires pkgconfig
+
+* Wed Dec 3 2008 Caolán McNamara - 2.7.2-5
+- rebuild to get provides(libxml-2.0) into HEAD rawhide
+
+* Mon Dec 1 2008 Ignacio Vazquez-Abrams - 2.7.2-4
+- Rebuild for pkgconfig logic
+
+* Fri Nov 28 2008 Ignacio Vazquez-Abrams - 2.7.2-3
+- Rebuild for Python 2.6
+
+* Wed Nov 12 2008 Daniel Veillard - 2.7.2-2.fc11
+- two patches for size overflows problems CVE-2008-4225 and CVE-2008-4226
+
+* Fri Oct 3 2008 Daniel Veillard 2.7.2-1.fc10
+- new release 2.7.2
+- Fixes the known problems in 2.7.1
+- increase the set of options when saving documents
+
+* Thu Oct 2 2008 Daniel Veillard 2.7.1-2.fc10
+- fix a nasty bug in 2.7.x, http://bugzilla.gnome.org/show_bug.cgi?id=554660
+
+* Mon Sep 1 2008 Daniel Veillard 2.7.1-1.fc10
+- fix python serialization which was broken in 2.7.0
+- Resolve: rhbz#460774
+
+* Sat Aug 30 2008 Daniel Veillard 2.7.0-1.fc10
+- upstream release of 2.7.0
+- switch to XML 1.0 5th edition
+- switch to RFC 3986 for URI parsing
+- better entity handling
+- option to remove hardcoded limitations in the parser
+- more testing
+- a new API to allocate entity nodes
+- and lot of fixes and clanups
+
+* Mon Aug 25 2008 Daniel Veillard 2.6.32-4.fc10
+- fix for entities recursion problem
+- Resolve: rhbz#459714
+
+* Fri May 30 2008 Daniel Veillard 2.6.32-3.fc10
+- cleanup based on Fedora packaging guidelines, should fix #226079
+- separate a -static package
+
+* Thu May 15 2008 Daniel Veillard 2.6.32-2.fc10
+- try to fix multiarch problems like #440206
+
+* Tue Apr 8 2008 Daniel Veillard 2.6.32-1.fc9
+- upstream release 2.6.32 see http://xmlsoft.org/news.html
+- many bug fixed upstream
+
+* Wed Feb 20 2008 Fedora Release Engineering - 2.6.31-2
+- Autorebuild for GCC 4.3
+
+* Fri Jan 11 2008 Daniel Veillard 2.6.31-1.fc9
+- upstream release 2.6.31 see http://xmlsoft.org/news.html
+- many bug fixed upstream
+
+* Thu Aug 23 2007 Daniel Veillard 2.6.30-1
+- upstream release 2.6.30 see http://xmlsoft.org/news.html
+- many bug fixed upstream
+
+* Tue Jun 12 2007 Daniel Veillard 2.6.29-1
+- upstream release 2.6.29 see http://xmlsoft.org/news.html
+- many bug fixed upstream
+
+* Wed May 16 2007 Matthias Clasen 2.6.28-2
+- Bump revision to fix N-V-R problem
+
+* Tue Apr 17 2007 Daniel Veillard 2.6.28-1
+- upstream release 2.6.28 see http://xmlsoft.org/news.html
+- many bug fixed upstream
+
+* Thu Dec 7 2006 Jeremy Katz - 2.6.27-2
+- rebuild against python 2.5
+
+* Wed Oct 25 2006 Daniel Veillard 2.6.27-1
+- upstream release 2.6.27 see http://xmlsoft.org/news.html
+- very large amount of bug fixes reported upstream
+
+* Wed Jul 12 2006 Jesse Keating - 2.6.26-2.1.1
+- rebuild
+
+* Wed Jul 12 2006 Jesse Keating - 2.6.26-2.1
+- rebuild
+
+* Wed Jun 7 2006 Daniel Veillard 2.6.26-2
+- fix bug #192873
+* Tue Jun 6 2006 Daniel Veillard 2.6.26-1
+- upstream release 2.6.26 see http://xmlsoft.org/news.html
+
+* Tue Jun 6 2006 Daniel Veillard
+- upstream release 2.6.25 broken, do not ship !
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..b2fb4ec
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (libxml2-2.9.7.tar.gz) = da06cb7c5032ef4b7c8e902fabb9d2c74634c42c161be07a7c66a00d53a68029f89b0d4de32a6b9d4ff338c2d1d9c4e53aefb9cf50cb1c2d6c6b06b442ef42d5
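Review bot: In libxml2.spec, `Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz` and `URL: http://xmlsoft.org/` name unauthenticated transports, so anyone re-fetching the tarball from the spec depends entirely on the SHA512 recorded in `sources`. I would say so next to the tag, e.g. `# integrity is pinned by the SHA512 in 'sources'; verify after any manual download`, or point Source at an HTTPS location for the same tarball if upstream offers one. `Patch1: libxml2-2.9.0-do-not-check-crc.patch` is described only as a workaround for #877567; since its name indicates that gzip CRC verification is skipped, the comment should state what input that exposes and whether the workaround is still needed at 2.9.7.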