rpms/libxml2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS libxml2-2.12.5-5.el10

Browse Source
This commit is contained in:
eabdullin 2025-03-27 13:10:27 +00:00
parent c0b384b0f9
commit d32ba58f0d
34 changed files with 281 additions and 2716 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1 +1,4 @@
SOURCES/libxml2-2.9.7.tar.gz
libxml2-2.12.5.tar.xz
xmlts20080827.tar.gz
xsts-2002-01-16.tar.gz
xsts-2004-01-14.tar.gz

1
.libxml2.metadata
View File

@ -1 +0,0 @@
ab3325e6cdda50ab2382fdfe0bdb6f7d1b9224a6 SOURCES/libxml2-2.9.7.tar.gz

32
SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
View File

@ -1,32 +0,0 @@
From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 6 May 2023 17:47:37 +0200
Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
For some reason, xmlCtxtUseOptionsInternal set the start and end element
SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
was specified. This means that custom SAX handlers could never work with
that flag because these functions would receive the wrong user data
argument and crash immediately.
Fixes #535.
---
parser.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/parser.c b/parser.c
index bb05791d3..0c8bed129 100644
--- a/parser.c
+++ b/parser.c
@@ -14479,8 +14479,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
}
#ifdef LIBXML_SAX1_ENABLED
if (options & XML_PARSE_SAX1) {
- ctxt->sax->startElement = xmlSAX2StartElement;
- ctxt->sax->endElement = xmlSAX2EndElement;
ctxt->sax->startElementNs = NULL;
ctxt->sax->endElementNs = NULL;
ctxt->sax->initialized = 1;
--
GitLab

35
SOURCES/libxml2-2.9.0-do-not-check-crc.patch
View File

@ -1,35 +0,0 @@
diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c
--- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200
+++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100
@@ -552,17 +552,20 @@ xz_decomp(xz_statep state)
#ifdef HAVE_ZLIB_H
if (state->how == GZIP) {
if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
- return -1;
- }
- if (crc != state->zstrm.adler) {
- xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
- return -1;
- }
- if (len != (state->zstrm.total_out & 0xffffffffL)) {
- xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
- return -1;
- }
+ /*
+ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
+ return -1;
+ */
+ } else {
+ if (crc != state->zstrm.adler) {
+ xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
+ return -1;
+ }
+ if (len != (state->zstrm.total_out & 0xffffffffL)) {
+ xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
+ return -1;
+ }
+ }
state->strm.avail_in = 0;
state->strm.next_in = NULL;
state->strm.avail_out = 0;

34
SOURCES/libxml2-2.9.13-CVE-2022-49043.patch
View File

@ -1,34 +0,0 @@
From 6bb146a3ea24a9bacfad6fe67268f0404af37d9c Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 2 Nov 2022 16:13:27 +0100
Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
Found with libFuzzer, see #344.
---
xinclude.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xinclude.c b/xinclude.c
index 2a0614d7..e32b3419 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -614,14 +614,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
}
URL = xmlSaveUri(uri);
xmlFreeURI(uri);
- xmlFree(URI);
if (URL == NULL) {
xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
"invalid value URI %s\n", URI);
if (fragment != NULL)
xmlFree(fragment);
+ xmlFree(URI);
return(-1);
}
+ xmlFree(URI);
/*
* If local and xml then we need a fragment
--
2.48.1

71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
View File

@ -1,71 +0,0 @@
From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 13 Sep 2022 16:40:31 +0200
Subject: [PATCH] schemas: Fix null-pointer-deref in
xmlSchemaCheckCOSSTDerivedOK
Found by OSS-Fuzz.
---
result/schemas/oss-fuzz-51295_0_0.err | 2 ++
test/schemas/oss-fuzz-51295_0.xml | 1 +
test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
xmlschemas.c | 15 +++++++++++++--
4 files changed, 20 insertions(+), 2 deletions(-)
create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
create mode 100644 test/schemas/oss-fuzz-51295_0.xml
create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
new file mode 100644
index 00000000..1e89524f
--- /dev/null
+++ b/result/schemas/oss-fuzz-51295_0_0.err
@@ -0,0 +1,2 @@
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
new file mode 100644
index 00000000..10a7e703
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xml
@@ -0,0 +1 @@
+<e/>
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
new file mode 100644
index 00000000..fde96af5
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xsd
@@ -0,0 +1,4 @@
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <xs:element name="e" substitutionGroup="e"/>
+ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
+</xs:schema>
diff --git a/xmlschemas.c b/xmlschemas.c
index f31d3d1f..152b7c3f 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
* declaration `resolved` to by the `actual value`
* of the substitutionGroup [attribute], if present"
*/
- if (elemDecl->subtypes == NULL)
- elemDecl->subtypes = substHead->subtypes;
+ if (elemDecl->subtypes == NULL) {
+ if (substHead->subtypes == NULL) {
+ /*
+ * This can happen with self-referencing substitution
+ * groups. The cycle will be detected later, but we have
+ * to set subtypes to avoid null-pointer dereferences.
+ */
+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
+ XML_SCHEMAS_ANYTYPE);
+ } else {
+ elemDecl->subtypes = substHead->subtypes;
+ }
+ }
}
}
/*
--
GitLab

74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
View File

@ -1,74 +0,0 @@
From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Apr 2023 11:46:35 +0200
Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
Fix a null pointer dereference when parsing (invalid) XML schemas.
Thanks to Robby Simpson for the report!
Fixes #491.
---
result/schemas/issue491_0_0.err | 1 +
test/schemas/issue491_0.xml | 1 +
test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
xmlschemas.c | 2 +-
4 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 result/schemas/issue491_0_0.err
create mode 100644 test/schemas/issue491_0.xml
create mode 100644 test/schemas/issue491_0.xsd
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
new file mode 100644
index 00000000..9b2bb969
--- /dev/null
+++ b/result/schemas/issue491_0_0.err
@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
new file mode 100644
index 00000000..e2b2fc2e
--- /dev/null
+++ b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
new file mode 100644
index 00000000..81702649
--- /dev/null
+++ b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+ <xs:complexType name="BaseType">
+ <xs:simpleContent>
+ <xs:extension base="xs:int" />
+ </xs:simpleContent>
+ </xs:complexType>
+ <xs:complexType name="ChildType">
+ <xs:complexContent>
+ <xs:extension base="BaseType">
+ <xs:sequence>
+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+ </xs:sequence>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+ <xs:element name="Child" type="ChildType" />
+</xs:schema>
diff --git a/xmlschemas.c b/xmlschemas.c
index 152b7c3f..eec24a95 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
"allowed to appear inside other model groups",
NULL, NULL);
- } else if (! dummySequence) {
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
xmlSchemaTreeItemPtr effectiveContent =
(xmlSchemaTreeItemPtr) type->subtypes;
/*
--
GitLab

12
SOURCES/libxml2-2.9.4-remove-pyverify_fd.patch
View File

@ -1,12 +0,0 @@
diff -Nur libxml2-2.9.4.orig/python/types.c libxml2-2.9.4/python/types.c
--- libxml2-2.9.4.orig/python/types.c 2016-02-09 03:17:33.000000000 -0700
+++ libxml2-2.9.4/python/types.c 2016-12-21 12:34:06.755650986 -0700
@@ -31,8 +31,6 @@
const char *mode;
fd = PyObject_AsFileDescriptor(f);
- if (!_PyVerify_fd(fd))
- return(NULL);
/*
* Get the flags on the fd to understand how it was opened
*/

88
SOURCES/libxml2-2.9.7-CVE-2016-3709.patch
View File

@ -1,88 +0,0 @@
From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 15 Aug 2020 18:32:29 +0200
Subject: [PATCH] Revert "Do not URI escape in server side includes"
This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
This commit introduced
- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
- an algorithm with quadratic runtime
- a security issue, see
https://bugzilla.gnome.org/show_bug.cgi?id=769760
A better approach is to add an option not to escape URLs at all
which libxml2 should have possibly done in the first place.
---
HTMLtree.c | 49 +++++++++++--------------------------------------
1 file changed, 11 insertions(+), 38 deletions(-)
diff --git a/HTMLtree.c b/HTMLtree.c
index 8d236bb3..cdb7f86a 100644
--- a/HTMLtree.c
+++ b/HTMLtree.c
@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
(!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
(!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
+ xmlChar *escaped;
xmlChar *tmp = value;
- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
- xmlBufCCat(buf->buffer, "\"");
while (IS_BLANK_CH(*tmp)) tmp++;
- /* URI Escape everything, except server side includes. */
- for ( ; ; ) {
- xmlChar *escaped;
- xmlChar endChar;
- xmlChar *end = NULL;
- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
- if (start != NULL) {
- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
- if (end != NULL) {
- *start = '\0';
- }
- }
-
- /* Escape the whole string, or until start (set to '\0'). */
- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
- if (escaped != NULL) {
- xmlBufCat(buf->buffer, escaped);
- xmlFree(escaped);
- } else {
- xmlBufCat(buf->buffer, tmp);
- }
-
- if (end == NULL) { /* Everything has been written. */
- break;
- }
-
- /* Do not escape anything within server side includes. */
- *start = '<'; /* Restore the first character of "<!--". */
- end += 3; /* strlen("-->") */
- endChar = *end;
- *end = '\0';
- xmlBufCat(buf->buffer, start);
- *end = endChar;
- tmp = end;
+ /*
+ * the < and > have already been escaped at the entity level
+ * And doing so here breaks server side includes
+ */
+ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
+ if (escaped != NULL) {
+ xmlBufWriteQuotedString(buf->buffer, escaped);
+ xmlFree(escaped);
+ } else {
+ xmlBufWriteQuotedString(buf->buffer, value);
}
-
- xmlBufCCat(buf->buffer, "\"");
} else {
xmlBufWriteQuotedString(buf->buffer, value);
}
--
GitLab

33
SOURCES/libxml2-2.9.7-CVE-2019-20388.patch
View File

@ -1,33 +0,0 @@
From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
From: Zhipeng Xie <xiezhipeng1@huawei.com>
Date: Tue, 20 Aug 2019 16:33:06 +0800
Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
vctxt->xsiAssemble to 0 again which cause the alloced schema
can not be freed anymore.
Found with libFuzzer.
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
---
xmlschemas.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/xmlschemas.c b/xmlschemas.c
index 301c8449..39d92182 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
vctxt->nberrors = 0;
vctxt->depth = -1;
vctxt->skipDepth = -1;
- vctxt->xsiAssemble = 0;
vctxt->hasKeyrefs = 0;
#ifdef ENABLE_IDC_NODE_TABLES_TEST
vctxt->createIDCNodeTables = 1;
--
2.24.1

36
SOURCES/libxml2-2.9.7-CVE-2020-24977.patch
View File

@ -1,36 +0,0 @@
From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Aug 2020 21:54:27 +0200
Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
array access.
Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
the report.
Fixes #178.
---
xmllint.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xmllint.c b/xmllint.c
index f6a8e4636..c647486f3 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -528,6 +528,12 @@ static void
xmlHTMLEncodeSend(void) {
char *result;
+ /*
+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
+ * an out-of-bounds read.
+ */
+ memset(&buffer[sizeof(buffer)-4], 0, 4);
result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
if (result) {
xmlGenericError(xmlGenericErrorContext, "%s", result);
--
GitLab

32
SOURCES/libxml2-2.9.7-CVE-2020-7595.patch
View File

@ -1,32 +0,0 @@
From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
From: Zhipeng Xie <xiezhipeng1@huawei.com>
Date: Thu, 12 Dec 2019 17:30:55 +0800
Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
return NULL which cause a infinite loop in xmlStringLenDecodeEntities
Found with libFuzzer.
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
---
parser.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index d1c31963..a34bb6cd 100644
--- a/parser.c
+++ b/parser.c
@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
else
c = 0;
while ((c != 0) && (c != end) && /* non input consuming loop */
- (c != end2) && (c != end3)) {
+ (c != end2) && (c != end3) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
if (c == 0) break;
if ((c == '&') && (str[1] == '#')) {
--
2.24.1

31
SOURCES/libxml2-2.9.7-CVE-2021-3516.patch
View File

@ -1,31 +0,0 @@
From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 21 Apr 2021 13:23:27 +0200
Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
Call htmlCtxtUseOptions to make sure that names aren't stored in
dictionaries.
Note that this issue only affects xmllint using the HTML push parser.
Fixes #230.
---
xmllint.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xmllint.c b/xmllint.c
index 6ca1bf54..dbef273a 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
if (res > 0) {
ctxt = htmlCreatePushParserCtxt(NULL, NULL,
chars, res, filename, XML_CHAR_ENCODING_NONE);
- xmlCtxtUseOptions(ctxt, options);
+ htmlCtxtUseOptions(ctxt, options);
while ((res = fread(chars, 1, pushsize, f)) > 0) {
htmlParseChunk(ctxt, chars, res, 0);
}
--
GitLab

49
SOURCES/libxml2-2.9.7-CVE-2021-3517.patch
View File

@ -1,49 +0,0 @@
From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
From: Joel Hockey <joel.hockey@gmail.com>
Date: Sun, 16 Aug 2020 17:19:35 -0700
Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
Code is currently assuming UTF-8 without validating. Truncated UTF-8
input can cause out-of-bounds array access.
Adds further checks to partial fix in 50f06b3e.
Fixes #178
---
entities.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/entities.c b/entities.c
index 37b99a56..1a8f86f0 100644
--- a/entities.c
+++ b/entities.c
@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
} else {
/*
* We assume we have UTF-8 input.
+ * It must match either:
+ * 110xxxxx 10xxxxxx
+ * 1110xxxx 10xxxxxx 10xxxxxx
+ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+ * That is:
+ * cur[0] is 11xxxxxx
+ * cur[1] is 10xxxxxx
+ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
+ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
+ * cur[0] is not 11111xxx
*/
char buf[11], *ptr;
int val = 0, l = 1;
- if (*cur < 0xC0) {
+ if (((cur[0] & 0xC0) != 0xC0) ||
+ ((cur[1] & 0xC0) != 0x80) ||
+ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
+ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
+ (((cur[0] & 0xF8) == 0xF8))) {
xmlEntitiesErr(XML_CHECK_NOT_UTF8,
"xmlEncodeEntities: input not UTF-8");
if (doc != NULL)
--
GitLab

247
SOURCES/libxml2-2.9.7-CVE-2021-3518.patch
View File

@ -1,247 +0,0 @@
From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 10 Jun 2020 16:34:52 +0200
Subject: [PATCH 1/2] Don't recurse into xi:include children in
xmlXIncludeDoProcess
Otherwise, nested xi:include nodes might result in a use-after-free
if XML_PARSE_NOXINCNODE is specified.
Found with libFuzzer and ASan.
---
result/XInclude/fallback3.xml | 8 ++++++++
result/XInclude/fallback3.xml.err | 0
result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
result/XInclude/fallback4.xml | 10 ++++++++++
result/XInclude/fallback4.xml.err | 0
result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
test/XInclude/docs/fallback3.xml | 9 +++++++++
test/XInclude/docs/fallback4.xml | 7 +++++++
xinclude.c | 24 ++++++++++--------------
9 files changed, 98 insertions(+), 14 deletions(-)
create mode 100644 result/XInclude/fallback3.xml
create mode 100644 result/XInclude/fallback3.xml.err
create mode 100644 result/XInclude/fallback3.xml.rdr
create mode 100644 result/XInclude/fallback4.xml
create mode 100644 result/XInclude/fallback4.xml.err
create mode 100644 result/XInclude/fallback4.xml.rdr
create mode 100644 test/XInclude/docs/fallback3.xml
create mode 100644 test/XInclude/docs/fallback4.xml
diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
new file mode 100644
index 00000000..b4235514
--- /dev/null
+++ b/result/XInclude/fallback3.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<a>
+ <doc xml:base="../ents/something.xml">
+<p>something</p>
+<p>really</p>
+<p>simple</p>
+</doc>
+</a>
diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
new file mode 100644
index 00000000..e69de29b
diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
new file mode 100644
index 00000000..aa2f1374
--- /dev/null
+++ b/result/XInclude/fallback3.xml.rdr
@@ -0,0 +1,25 @@
+0 1 a 0 0
+1 14 #text 0 1
+
+1 1 doc 0 0
+2 14 #text 0 1
+
+2 1 p 0 0
+3 3 #text 0 1 something
+2 15 p 0 0
+2 14 #text 0 1
+
+2 1 p 0 0
+3 3 #text 0 1 really
+2 15 p 0 0
+2 14 #text 0 1
+
+2 1 p 0 0
+3 3 #text 0 1 simple
+2 15 p 0 0
+2 14 #text 0 1
+
+1 15 doc 0 0
+1 14 #text 0 1
+
+0 15 a 0 0
diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
new file mode 100644
index 00000000..9883fd54
--- /dev/null
+++ b/result/XInclude/fallback4.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<a>
+
+ <doc xml:base="../ents/something.xml">
+<p>something</p>
+<p>really</p>
+<p>simple</p>
+</doc>
+
+</a>
diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
new file mode 100644
index 00000000..e69de29b
diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
new file mode 100644
index 00000000..628b9513
--- /dev/null
+++ b/result/XInclude/fallback4.xml.rdr
@@ -0,0 +1,29 @@
+0 1 a 0 0
+1 14 #text 0 1
+
+1 14 #text 0 1
+
+1 1 doc 0 0
+2 14 #text 0 1
+
+2 1 p 0 0
+3 3 #text 0 1 something
+2 15 p 0 0
+2 14 #text 0 1
+
+2 1 p 0 0
+3 3 #text 0 1 really
+2 15 p 0 0
+2 14 #text 0 1
+
+2 1 p 0 0
+3 3 #text 0 1 simple
+2 15 p 0 0
+2 14 #text 0 1
+
+1 15 doc 0 0
+1 14 #text 0 1
+
+1 14 #text 0 1
+
+0 15 a 0 0
diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
new file mode 100644
index 00000000..0c8b6c9e
--- /dev/null
+++ b/test/XInclude/docs/fallback3.xml
@@ -0,0 +1,9 @@
+<a>
+ <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+ <xi:fallback>
+ <xi:include href="c.xml">
+ <xi:fallback>There is no c.xml ... </xi:fallback>
+ </xi:include>
+ </xi:fallback>
+ </xi:include>
+</a>
diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
new file mode 100644
index 00000000..b500a635
--- /dev/null
+++ b/test/XInclude/docs/fallback4.xml
@@ -0,0 +1,7 @@
+<a>
+ <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+ <xi:fallback>
+ <xi:include href="../ents/something.xml"/>
+ </xi:fallback>
+ </xi:include>
+</a>
diff --git a/xinclude.c b/xinclude.c
index ba850fa5..f260c1a7 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
* First phase: lookup the elements in the document
*/
cur = tree;
- if (xmlXIncludeTestNode(ctxt, cur) == 1)
- xmlXIncludePreProcessNode(ctxt, cur);
while ((cur != NULL) && (cur != tree->parent)) {
/* TODO: need to work on entities -> stack */
- if ((cur->children != NULL) &&
- (cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_XINCLUDE_START) &&
- (cur->children->type != XML_XINCLUDE_END)) {
- cur = cur->children;
- if (xmlXIncludeTestNode(ctxt, cur))
- xmlXIncludePreProcessNode(ctxt, cur);
- } else if (cur->next != NULL) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+ (cur->children->type != XML_ENTITY_DECL) &&
+ (cur->children->type != XML_XINCLUDE_START) &&
+ (cur->children->type != XML_XINCLUDE_END)) {
+ cur = cur->children;
+ continue;
+ }
+ if (cur->next != NULL) {
cur = cur->next;
- if (xmlXIncludeTestNode(ctxt, cur))
- xmlXIncludePreProcessNode(ctxt, cur);
} else {
if (cur == tree)
break;
@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
break; /* do */
if (cur->next != NULL) {
cur = cur->next;
- if (xmlXIncludeTestNode(ctxt, cur))
- xmlXIncludePreProcessNode(ctxt, cur);
break; /* do */
}
} while (cur != NULL);
--
2.31.1
From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 22 Apr 2021 19:26:28 +0200
Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
The --dropdtd option can leave dangling pointers in entity reference
nodes. Make sure to skip these nodes when processing XIncludes.
This also avoids scanning entity declarations and even modifying
them inadvertently during XInclude processing.
Move from a block list to an allow list approach to avoid descending
into other node types that can't contain elements.
Fixes #237.
---
xinclude.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/xinclude.c b/xinclude.c
index f260c1a7..d7648529 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
if (xmlXIncludeTestNode(ctxt, cur) == 1) {
xmlXIncludePreProcessNode(ctxt, cur);
} else if ((cur->children != NULL) &&
- (cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_XINCLUDE_START) &&
- (cur->children->type != XML_XINCLUDE_END)) {
+ ((cur->type == XML_DOCUMENT_NODE) ||
+ (cur->type == XML_ELEMENT_NODE))) {
cur = cur->children;
continue;
}
--
2.31.1

44
SOURCES/libxml2-2.9.7-CVE-2021-3537.patch
View File

@ -1,44 +0,0 @@
From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 1 May 2021 16:53:33 +0200
Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
Check return value of recursive calls to
xmlParseElementChildrenContentDeclPriv and return immediately in case
of errors. Otherwise, struct xmlElementContent could contain unexpected
null pointers, leading to a null deref when post-validating documents
which aren't well-formed and parsed in recovery mode.
Fixes #243.
---
parser.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/parser.c b/parser.c
index b42e6043..73c27edd 100644
--- a/parser.c
+++ b/parser.c
@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
SKIP_BLANKS;
cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
depth + 1);
+ if (cur == NULL)
+ return(NULL);
SKIP_BLANKS;
GROW;
} else {
@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
SKIP_BLANKS;
last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
depth + 1);
+ if (last == NULL) {
+ if (ret != NULL)
+ xmlFreeDocElementContent(ctxt->myDoc, ret);
+ return(NULL);
+ }
SKIP_BLANKS;
} else {
elem = xmlParseName(ctxt);
--
GitLab

67
SOURCES/libxml2-2.9.7-CVE-2021-3541.patch
View File

@ -1,67 +0,0 @@
From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 13 May 2021 14:55:12 +0200
Subject: [PATCH] Patch for security issue CVE-2021-3541
This is relapted to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.
---
parser.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/parser.c b/parser.c
index f5e5e169..c9312fa4 100644
--- a/parser.c
+++ b/parser.c
@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
xmlEntityPtr ent, size_t replacement)
{
size_t consumed = 0;
+ int i;
if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
return (0);
@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
rep = NULL;
}
}
+
+ /*
+ * Prevent entity exponential check, not just replacement while
+ * parsing the DTD
+ * The check is potentially costly so do that only once in a thousand
+ */
+ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+ (ctxt->nbentities % 1024 == 0)) {
+ for (i = 0;i < ctxt->inputNr;i++) {
+ consumed += ctxt->inputTab[i]->consumed +
+ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+ }
+ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ ctxt->instate = XML_PARSER_EOF;
+ return (1);
+ }
+ consumed = 0;
+ }
+
+
+
if (replacement != 0) {
if (replacement < XML_MAX_TEXT_LENGTH)
return(0);
@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
xmlChar start[4];
xmlCharEncoding enc;
+ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+ return;
+
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
((ctxt->options & XML_PARSE_NOENT) == 0) &&
((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
--
GitLab

196
SOURCES/libxml2-2.9.7-CVE-2022-23308.patch
View File

@ -1,196 +0,0 @@
From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 8 Feb 2022 03:29:24 +0100
Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
If a document is parsed with XML_PARSE_DTDVALID and without
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
potentially expanding entities in xmlRemoveID. Otherwise, later calls
to xmlGetID can return a pointer to previously freed memory.
ID attributes which are empty or contain only whitespace after
entity expansion are affected in a similar way. This is fixed by
not storing such attributes in the ID table.
The test to detect streaming mode when validating against a DTD was
broken. In connection with the defects above, this could result in a
use-after-free when using the xmlReader interface with validation.
Fix detection of streaming mode to avoid similar issues. (This changes
the expected result of a test case. But as far as I can tell, using the
XML reader with XIncludes referencing the root document never worked
properly, anyway.)
All of these issues can result in denial of service. Using xmlReader
with validation could result in disclosure of memory via the error
channel, typically stderr. The security impact of xmlGetID returning
a pointer to freed memory depends on the application. The typical use
case of calling xmlGetID on an unmodified document is not affected.
---
valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
1 file changed, 55 insertions(+), 33 deletions(-)
diff --git a/valid.c b/valid.c
index a64b96be..5b81059f 100644
--- a/valid.c
+++ b/valid.c
@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
return (ret);
}
+/**
+ * xmlValidNormalizeString:
+ * @str: a string
+ *
+ * Normalize a string in-place.
+ */
+static void
+xmlValidNormalizeString(xmlChar *str) {
+ xmlChar *dst;
+ const xmlChar *src;
+
+ if (str == NULL)
+ return;
+ src = str;
+ dst = str;
+
+ while (*src == 0x20) src++;
+ while (*src != 0) {
+ if (*src == 0x20) {
+ while (*src == 0x20) src++;
+ if (*src != 0)
+ *dst++ = 0x20;
+ } else {
+ *dst++ = *src++;
+ }
+ }
+ *dst = 0;
+}
+
#ifdef DEBUG_VALID_ALGO
static void
xmlValidPrintNode(xmlNodePtr cur) {
@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
xmlFree((char *)(str));
+static int
+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+ xmlParserCtxtPtr pctxt;
+
+ if (ctxt == NULL)
+ return(0);
+ /*
+ * These magic values are also abused to detect whether we're validating
+ * while parsing a document. In this case, userData points to the parser
+ * context.
+ */
+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
+ return(0);
+ pctxt = ctxt->userData;
+ return(pctxt->parseMode == XML_PARSE_READER);
+}
+
/**
* xmlFreeID:
* @not: A id
@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
if (doc == NULL) {
return(NULL);
}
- if (value == NULL) {
+ if ((value == NULL) || (value[0] == 0)) {
return(NULL);
}
if (attr == NULL) {
@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
*/
ret->value = xmlStrdup(value);
ret->doc = doc;
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
+ if (xmlIsStreaming(ctxt)) {
/*
* Operating in streaming mode, attr is gonna disapear
*/
@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
ID = xmlNodeListGetString(doc, attr->children, 1);
if (ID == NULL)
return(-1);
+ xmlValidNormalizeString(ID);
id = xmlHashLookup(table, ID);
if (id == NULL || id->attr != attr) {
@@ -2942,7 +2990,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
* fill the structure.
*/
ret->value = xmlStrdup(value);
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
+ if (xmlIsStreaming(ctxt)) {
/*
* Operating in streaming mode, attr is gonna disapear
*/
@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
xmlChar *
xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
- xmlChar *ret, *dst;
- const xmlChar *src;
+ xmlChar *ret;
xmlAttributePtr attrDecl = NULL;
int extsubset = 0;
@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
ret = xmlStrdup(value);
if (ret == NULL)
return(NULL);
- src = value;
- dst = ret;
- while (*src == 0x20) src++;
- while (*src != 0) {
- if (*src == 0x20) {
- while (*src == 0x20) src++;
- if (*src != 0)
- *dst++ = 0x20;
- } else {
- *dst++ = *src++;
- }
- }
- *dst = 0;
+ xmlValidNormalizeString(ret);
if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
"standalone: %s on %s value had to be normalized based on external subset declaration\n",
@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
xmlChar *
xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
const xmlChar *name, const xmlChar *value) {
- xmlChar *ret, *dst;
- const xmlChar *src;
+ xmlChar *ret;
xmlAttributePtr attrDecl = NULL;
if (doc == NULL) return(NULL);
@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
ret = xmlStrdup(value);
if (ret == NULL)
return(NULL);
- src = value;
- dst = ret;
- while (*src == 0x20) src++;
- while (*src != 0) {
- if (*src == 0x20) {
- while (*src == 0x20) src++;
- if (*src != 0)
- *dst++ = 0x20;
- } else {
- *dst++ = *src++;
- }
- }
- *dst = 0;
+ xmlValidNormalizeString(ret);
return(ret);
}
--
2.35.1

341
SOURCES/libxml2-2.9.7-CVE-2022-29824.patch
View File

@ -1,341 +0,0 @@
From d410ac5b7ef6ecf1254606408d55f98547c22bda Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 8 Mar 2022 20:10:02 +0100
Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and
xmlBuffer
In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.
Thanks to Felix Wilhelm for the report.
---
buf.c | 86 +++++++++++++++++++++++-----------------------------------
tree.c | 72 ++++++++++++++++++------------------------------
2 files changed, 61 insertions(+), 97 deletions(-)
diff --git a/buf.c b/buf.c
index 21cb9d80..f861d79b 100644
--- a/buf.c
+++ b/buf.c
@@ -30,6 +30,10 @@
#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
#include "buf.h"
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t) -1)
+#endif
+
#define WITH_BUFFER_COMPAT
/**
@@ -156,6 +160,8 @@ xmlBufPtr
xmlBufCreateSize(size_t size) {
xmlBufPtr ret;
+ if (size == SIZE_MAX)
+ return(NULL);
ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
if (ret == NULL) {
xmlBufMemoryError(NULL, "creating buffer");
@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
ret->error = 0;
ret->buffer = NULL;
ret->alloc = xmlBufferAllocScheme;
- ret->size = (size ? size+2 : 0); /* +1 for ending null */
- ret->compat_size = (int) ret->size;
+ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
+ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
if (ret->size){
ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
if (ret->content == NULL) {
@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
CHECK_COMPAT(buf)
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
- if (buf->use + len < buf->size)
+ if (len < buf->size - buf->use)
return(buf->size - buf->use);
+ if (len > SIZE_MAX - buf->use)
+ return(0);
- /*
- * Windows has a BIG problem on realloc timing, so we try to double
- * the buffer size (if that's enough) (bug 146697)
- * Apparently BSD too, and it's probably best for linux too
- * On an embedded system this may be something to change
- */
-#if 1
- if (buf->size > (size_t) len)
- size = buf->size * 2;
- else
- size = buf->use + len + 100;
-#else
- size = buf->use + len + 100;
-#endif
+ if (buf->size > (size_t) len) {
+ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
+ } else {
+ size = buf->use + len;
+ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
+ }
if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
/*
@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
int
xmlBufResize(xmlBufPtr buf, size_t size)
{
- unsigned int newSize;
+ size_t newSize;
xmlChar* rebuf = NULL;
size_t start_buf;
@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
case XML_BUFFER_ALLOC_IO:
case XML_BUFFER_ALLOC_DOUBLEIT:
/*take care of empty case*/
- newSize = (buf->size ? buf->size*2 : size + 10);
+ if (buf->size == 0) {
+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ } else {
+ newSize = buf->size;
+ }
while (size > newSize) {
- if (newSize > UINT_MAX / 2) {
+ if (newSize > SIZE_MAX / 2) {
xmlBufMemoryError(buf, "growing buffer");
return 0;
}
@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
}
break;
case XML_BUFFER_ALLOC_EXACT:
- newSize = size+10;
+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
break;
case XML_BUFFER_ALLOC_HYBRID:
if (buf->use < BASE_BUFFER_SIZE)
newSize = size;
else {
- newSize = buf->size * 2;
+ newSize = buf->size;
while (size > newSize) {
- if (newSize > UINT_MAX / 2) {
+ if (newSize > SIZE_MAX / 2) {
xmlBufMemoryError(buf, "growing buffer");
return 0;
}
@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
break;
default:
- newSize = size+10;
+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
break;
}
@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
*/
int
xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
- unsigned int needSize;
+ size_t needSize;
if ((str == NULL) || (buf == NULL) || (buf->error))
return -1;
@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
if (len < 0) return -1;
if (len == 0) return 0;
- needSize = buf->use + len + 2;
- if (needSize > buf->size){
+ if ((size_t) len >= buf->size - buf->use) {
+ if ((size_t) len >= SIZE_MAX - buf->use)
+ return(-1);
+ needSize = buf->use + len + 1;
if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
/*
* Used to provide parsing limits
@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
*/
int
xmlBufCCat(xmlBufPtr buf, const char *str) {
- const char *cur;
-
- if ((buf == NULL) || (buf->error))
- return(-1);
- CHECK_COMPAT(buf)
- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
- if (str == NULL) {
-#ifdef DEBUG_BUFFER
- xmlGenericError(xmlGenericErrorContext,
- "xmlBufCCat: str == NULL\n");
-#endif
- return -1;
- }
- for (cur = str;*cur != 0;cur++) {
- if (buf->use + 10 >= buf->size) {
- if (!xmlBufResize(buf, buf->use+10)){
- xmlBufMemoryError(buf, "growing buffer");
- return XML_ERR_NO_MEMORY;
- }
- }
- buf->content[buf->use++] = *cur;
- }
- buf->content[buf->use] = 0;
- UPDATE_COMPAT(buf)
- return 0;
+ return xmlBufCat(buf, (const xmlChar *) str);
}
/**
diff --git a/tree.c b/tree.c
index 86a8da79..fc75f962 100644
--- a/tree.c
+++ b/tree.c
@@ -7049,6 +7049,8 @@ xmlBufferPtr
xmlBufferCreateSize(size_t size) {
xmlBufferPtr ret;
+ if (size >= UINT_MAX)
+ return(NULL);
ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
if (ret == NULL) {
xmlTreeErrMemory("creating buffer");
@@ -7056,7 +7058,7 @@ xmlBufferCreateSize(size_t size) {
}
ret->use = 0;
ret->alloc = xmlBufferAllocScheme;
- ret->size = (size ? size+2 : 0); /* +1 for ending null */
+ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
if (ret->size){
ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
if (ret->content == NULL) {
@@ -7116,6 +7118,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
if ((mem == NULL) || (size == 0))
return(NULL);
+ if (size > UINT_MAX)
+ return(NULL);
ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
if (ret == NULL) {
@@ -7263,28 +7267,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
*/
int
xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
- int size;
+ unsigned int size;
xmlChar *newbuf;
if (buf == NULL) return(-1);
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
- if (len + buf->use < buf->size) return(0);
+ if (len < buf->size - buf->use)
+ return(0);
+ if (len > UINT_MAX - buf->use)
+ return(-1);
- /*
- * Windows has a BIG problem on realloc timing, so we try to double
- * the buffer size (if that's enough) (bug 146697)
- * Apparently BSD too, and it's probably best for linux too
- * On an embedded system this may be something to change
- */
-#if 1
- if (buf->size > len)
- size = buf->size * 2;
- else
- size = buf->use + len + 100;
-#else
- size = buf->use + len + 100;
-#endif
+ if (buf->size > (size_t) len) {
+ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
+ } else {
+ size = buf->use + len;
+ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
+ }
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
size_t start_buf = buf->content - buf->contentIO;
@@ -7406,7 +7405,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
case XML_BUFFER_ALLOC_IO:
case XML_BUFFER_ALLOC_DOUBLEIT:
/*take care of empty case*/
- newSize = (buf->size ? buf->size*2 : size + 10);
+ if (buf->size == 0)
+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
+ else
+ newSize = buf->size;
while (size > newSize) {
if (newSize > UINT_MAX / 2) {
xmlTreeErrMemory("growing buffer");
@@ -7416,7 +7418,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
}
break;
case XML_BUFFER_ALLOC_EXACT:
- newSize = size+10;
+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
break;
case XML_BUFFER_ALLOC_HYBRID:
if (buf->use < BASE_BUFFER_SIZE)
@@ -7434,7 +7436,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
break;
default:
- newSize = size+10;
+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
break;
}
@@ -7520,8 +7522,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
if (len < 0) return -1;
if (len == 0) return 0;
- needSize = buf->use + len + 2;
- if (needSize > buf->size){
+ if ((unsigned) len >= buf->size - buf->use) {
+ if ((unsigned) len >= UINT_MAX - buf->use)
+ return XML_ERR_NO_MEMORY;
+ needSize = buf->use + len + 1;
if (!xmlBufferResize(buf, needSize)){
xmlTreeErrMemory("growing buffer");
return XML_ERR_NO_MEMORY;
@@ -7634,29 +7638,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
*/
int
xmlBufferCCat(xmlBufferPtr buf, const char *str) {
- const char *cur;
-
- if (buf == NULL)
- return(-1);
- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
- if (str == NULL) {
-#ifdef DEBUG_BUFFER
- xmlGenericError(xmlGenericErrorContext,
- "xmlBufferCCat: str == NULL\n");
-#endif
- return -1;
- }
- for (cur = str;*cur != 0;cur++) {
- if (buf->use + 10 >= buf->size) {
- if (!xmlBufferResize(buf, buf->use+10)){
- xmlTreeErrMemory("growing buffer");
- return XML_ERR_NO_MEMORY;
- }
- }
- buf->content[buf->use++] = *cur;
- }
- buf->content[buf->use] = 0;
- return 0;
+ return xmlBufferCat(buf, (const xmlChar *) str);
}
/**
--
2.36.1

600
SOURCES/libxml2-2.9.7-CVE-2022-40303.patch
View File

@ -1,600 +0,0 @@
From 7afb666b26cfb17689e5da98bed610a417083f9d Mon Sep 17 00:00:00 2001
From: David King <amigadave@amigadave.com>
Date: Tue, 3 Jan 2023 09:57:28 +0000
Subject: [PATCH 1/2] Fix CVE-2022-40303
Adapted from https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
---
parser.c | 232 +++++++++++++++++++++++++++++--------------------------
1 file changed, 121 insertions(+), 111 deletions(-)
diff --git a/parser.c b/parser.c
index 1c5e036e..e66e4196 100644
--- a/parser.c
+++ b/parser.c
@@ -108,6 +108,8 @@ static void xmlHaltParser(xmlParserCtxtPtr ctxt);
* *
************************************************************************/
+#define XML_MAX_HUGE_LENGTH 1000000000
+
#define XML_PARSER_BIG_ENTITY 1000
#define XML_PARSER_LOT_ENTITY 5000
@@ -532,7 +534,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
errmsg = "Malformed declaration expecting version";
break;
case XML_ERR_NAME_TOO_LONG:
- errmsg = "Name too long use XML_PARSE_HUGE option";
+ errmsg = "Name too long";
break;
#if 0
case:
@@ -3150,6 +3152,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
#ifdef DEBUG
nbParseNameComplex++;
@@ -3241,13 +3246,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
}
- len += l;
+ if (len <= INT_MAX - l)
+ len += l;
NEXTL(l);
c = CUR_CHAR(l);
}
}
- if ((len > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
@@ -3286,7 +3291,10 @@ const xmlChar *
xmlParseName(xmlParserCtxtPtr ctxt) {
const xmlChar *in;
const xmlChar *ret;
- int count = 0;
+ size_t count = 0;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
GROW;
@@ -3310,8 +3318,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
in++;
if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur;
- if ((count > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (count > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
@@ -3333,6 +3340,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
size_t startPosition = 0;
#ifdef DEBUG
@@ -3353,17 +3363,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
(xmlIsNameChar(ctxt, c) && (c != ':'))) {
if (count++ > XML_PARSER_CHUNK_SIZE) {
- if ((len > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
- return(NULL);
- }
count = 0;
GROW;
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
}
- len += l;
+ if (len <= INT_MAX - l)
+ len += l;
NEXTL(l);
c = CUR_CHAR(l);
if (c == 0) {
@@ -3381,8 +3387,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
c = CUR_CHAR(l);
}
}
- if ((len > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL);
}
@@ -3408,7 +3413,10 @@ static const xmlChar *
xmlParseNCName(xmlParserCtxtPtr ctxt) {
const xmlChar *in, *e;
const xmlChar *ret;
- int count = 0;
+ size_t count = 0;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
#ifdef DEBUG
nbParseNCName++;
@@ -3433,8 +3441,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
goto complex;
if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur;
- if ((count > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (count > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL);
}
@@ -3517,6 +3524,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
const xmlChar *cur = *str;
int len = 0, l;
int c;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
#ifdef DEBUG
nbParseStringName++;
@@ -3552,12 +3562,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
if (len + 10 > max) {
xmlChar *tmp;
- if ((len > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
- xmlFree(buffer);
- return(NULL);
- }
max *= 2;
tmp = (xmlChar *) xmlRealloc(buffer,
max * sizeof(xmlChar));
@@ -3571,14 +3575,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
COPY_BUF(l,buffer,len,c);
cur += l;
c = CUR_SCHAR(cur, l);
+ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ xmlFree(buffer);
+ return(NULL);
+ }
}
buffer[len] = 0;
*str = cur;
return(buffer);
}
}
- if ((len > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL);
}
@@ -3605,6 +3613,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
#ifdef DEBUG
nbParseNmToken++;
@@ -3656,12 +3667,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
if (len + 10 > max) {
xmlChar *tmp;
- if ((max > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
- xmlFree(buffer);
- return(NULL);
- }
max *= 2;
tmp = (xmlChar *) xmlRealloc(buffer,
max * sizeof(xmlChar));
@@ -3675,6 +3680,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
COPY_BUF(l,buffer,len,c);
NEXTL(l);
c = CUR_CHAR(l);
+ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+ xmlFree(buffer);
+ return(NULL);
+ }
}
buffer[len] = 0;
return(buffer);
@@ -3682,8 +3692,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
}
if (len == 0)
return(NULL);
- if ((len > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
return(NULL);
}
@@ -3709,6 +3718,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
int len = 0;
int size = XML_PARSER_BUFFER_SIZE;
int c, l;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
xmlChar stop;
xmlChar *ret = NULL;
const xmlChar *cur = NULL;
@@ -3768,6 +3780,14 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
GROW;
c = CUR_CHAR(l);
}
+
+ if (len > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ "entity value too long\n");
+ if (buf != NULL)
+ xmlFree(buf);
+ return(ret);
+ }
}
buf[len] = 0;
if (ctxt->instate == XML_PARSER_EOF)
@@ -3855,6 +3875,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
xmlChar *rep = NULL;
size_t len = 0;
size_t buf_size = 0;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
int c, l, in_space = 0;
xmlChar *current = NULL;
xmlEntityPtr ent;
@@ -3886,16 +3909,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
while (((NXT(0) != limit) && /* checked */
(IS_CHAR(c)) && (c != '<')) &&
(ctxt->instate != XML_PARSER_EOF)) {
- /*
- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
- * special option is given
- */
- if ((len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
- "AttValue length too long\n");
- goto mem_error;
- }
if (c == 0) break;
if (c == '&') {
in_space = 0;
@@ -4041,6 +4054,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
}
GROW;
c = CUR_CHAR(l);
+ if (len > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ goto mem_error;
+ }
}
if (ctxt->instate == XML_PARSER_EOF)
goto error;
@@ -4062,16 +4080,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
} else
NEXT;
- /*
- * There we potentially risk an overflow, don't allow attribute value of
- * length more than INT_MAX it is a very reasonnable assumption !
- */
- if (len >= INT_MAX) {
- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
- "AttValue length too long\n");
- goto mem_error;
- }
-
if (attlen != NULL) *attlen = (int) len;
return(buf);
@@ -4142,6 +4150,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
int len = 0;
int size = XML_PARSER_BUFFER_SIZE;
int cur, l;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
xmlChar stop;
int state = ctxt->instate;
int count = 0;
@@ -4169,13 +4180,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
if (len + 5 >= size) {
xmlChar *tmp;
- if ((size > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
- xmlFree(buf);
- ctxt->instate = (xmlParserInputState) state;
- return(NULL);
- }
size *= 2;
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
if (tmp == NULL) {
@@ -4203,6 +4207,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
SHRINK;
cur = CUR_CHAR(l);
}
+ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+ xmlFree(buf);
+ ctxt->instate = (xmlParserInputState) state;
+ return(NULL);
+ }
}
buf[len] = 0;
ctxt->instate = (xmlParserInputState) state;
@@ -4230,6 +4240,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL;
int len = 0;
int size = XML_PARSER_BUFFER_SIZE;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
xmlChar cur;
xmlChar stop;
int count = 0;
@@ -4257,12 +4270,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
if (len + 1 >= size) {
xmlChar *tmp;
- if ((size > XML_MAX_NAME_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
- xmlFree(buf);
- return(NULL);
- }
size *= 2;
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
if (tmp == NULL) {
@@ -4289,6 +4296,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
SHRINK;
cur = CUR;
}
+ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+ xmlFree(buf);
+ return(NULL);
+ }
}
buf[len] = 0;
if (cur != stop) {
@@ -4686,6 +4698,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
int r, rl;
int cur, l;
size_t count = 0;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
int inputid;
inputid = ctxt->input->id;
@@ -4731,13 +4746,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
if ((r == '-') && (q == '-')) {
xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
}
- if ((len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
- "Comment too big found", NULL);
- xmlFree (buf);
- return;
- }
if (len + 5 >= size) {
xmlChar *new_buf;
size_t new_size;
@@ -4774,6 +4782,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
GROW;
cur = CUR_CHAR(l);
}
+
+ if (len > maxLength) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment too big found", NULL);
+ xmlFree (buf);
+ return;
+ }
}
buf[len] = 0;
if (cur == 0) {
@@ -4818,6 +4833,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL;
size_t size = XML_PARSER_BUFFER_SIZE;
size_t len = 0;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
xmlParserInputState state;
const xmlChar *in;
size_t nbchar = 0;
@@ -4901,8 +4919,7 @@ get_more:
buf[len] = 0;
}
}
- if ((len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if (len > maxLength) {
xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
"Comment too big found", NULL);
xmlFree (buf);
@@ -5098,6 +5115,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL;
size_t len = 0;
size_t size = XML_PARSER_BUFFER_SIZE;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
int cur, l;
const xmlChar *target;
xmlParserInputState state;
@@ -5172,14 +5192,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
return;
}
count = 0;
- if ((len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
- "PI %s too big found", target);
- xmlFree(buf);
- ctxt->instate = state;
- return;
- }
}
COPY_BUF(l,buf,len,cur);
NEXTL(l);
@@ -5189,15 +5201,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
GROW;
cur = CUR_CHAR(l);
}
+ if (len > maxLength) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+ "PI %s too big found", target);
+ xmlFree(buf);
+ ctxt->instate = state;
+ return;
+ }
}
- if ((len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
- "PI %s too big found", target);
- xmlFree(buf);
- ctxt->instate = state;
- return;
- }
buf[len] = 0;
if (cur != '?') {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
@@ -8851,6 +8862,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
const xmlChar *in = NULL, *start, *end, *last;
xmlChar *ret = NULL;
int line, col;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
GROW;
in = (xmlChar *) CUR_PTR;
@@ -8906,8 +8920,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
in = in + delta;
}
end = ctxt->input->end;
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if ((in - start) > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
return(NULL);
@@ -8929,8 +8942,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
in = in + delta;
}
end = ctxt->input->end;
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if ((in - start) > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
return(NULL);
@@ -8963,16 +8975,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
last = last + delta;
}
end = ctxt->input->end;
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if ((in - start) > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
return(NULL);
}
}
}
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if ((in - start) > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
return(NULL);
@@ -8994,8 +9004,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
in = in + delta;
}
end = ctxt->input->end;
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if ((in - start) > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
return(NULL);
@@ -9003,8 +9012,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
}
}
last = in;
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ if ((in - start) > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
return(NULL);
@@ -9711,6 +9719,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
int s, sl;
int cur, l;
int count = 0;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
/* Check 2.6.0 was NXT(0) not RAW */
if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
@@ -9744,13 +9755,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
if (len + 5 >= size) {
xmlChar *tmp;
- if ((size > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
- "CData section too big found", NULL);
- xmlFree (buf);
- return;
- }
tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
if (tmp == NULL) {
xmlFree(buf);
@@ -9776,6 +9780,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
}
NEXTL(l);
cur = CUR_CHAR(l);
+ if (len > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+ "CData section too big found\n");
+ xmlFree(buf);
+ return;
+ }
}
buf[len] = 0;
ctxt->instate = XML_PARSER_CONTENT;
--
2.39.0

100
SOURCES/libxml2-2.9.7-CVE-2022-40304.patch
View File

@ -1,100 +0,0 @@
From a8fa5f7b5c3c745397b3178405d6be9fdb3cfcbc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 31 Aug 2022 22:11:25 +0200
Subject: [PATCH 2/2] Fix dict corruption caused by entity reference cycles
When an entity reference cycle is detected, the entity content is
cleared by setting its first byte to zero. But the entity content might
be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.
Stop storing entity content, orig, ExternalID and SystemID in a dict.
These values are unlikely to occur multiple times in a document, so they
shouldn't have been stored in a dict in the first place.
Thanks to Ned Williamson and Nathan Wachholz working with Google Project
Zero for the report!
---
entities.c | 55 ++++++++++++++++--------------------------------------
1 file changed, 16 insertions(+), 39 deletions(-)
diff --git a/entities.c b/entities.c
index c8193376..3bf1c3ce 100644
--- a/entities.c
+++ b/entities.c
@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity)
if ((entity->children) && (entity->owner == 1) &&
(entity == (xmlEntityPtr) entity->children->parent))
xmlFreeNodeList(entity->children);
- if (dict != NULL) {
- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
- xmlFree((char *) entity->name);
- if ((entity->ExternalID != NULL) &&
- (!xmlDictOwns(dict, entity->ExternalID)))
- xmlFree((char *) entity->ExternalID);
- if ((entity->SystemID != NULL) &&
- (!xmlDictOwns(dict, entity->SystemID)))
- xmlFree((char *) entity->SystemID);
- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
- xmlFree((char *) entity->URI);
- if ((entity->content != NULL)
- && (!xmlDictOwns(dict, entity->content)))
- xmlFree((char *) entity->content);
- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
- xmlFree((char *) entity->orig);
- } else {
- if (entity->name != NULL)
- xmlFree((char *) entity->name);
- if (entity->ExternalID != NULL)
- xmlFree((char *) entity->ExternalID);
- if (entity->SystemID != NULL)
- xmlFree((char *) entity->SystemID);
- if (entity->URI != NULL)
- xmlFree((char *) entity->URI);
- if (entity->content != NULL)
- xmlFree((char *) entity->content);
- if (entity->orig != NULL)
- xmlFree((char *) entity->orig);
- }
+ if ((entity->name != NULL) &&
+ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
+ xmlFree((char *) entity->name);
+ if (entity->ExternalID != NULL)
+ xmlFree((char *) entity->ExternalID);
+ if (entity->SystemID != NULL)
+ xmlFree((char *) entity->SystemID);
+ if (entity->URI != NULL)
+ xmlFree((char *) entity->URI);
+ if (entity->content != NULL)
+ xmlFree((char *) entity->content);
+ if (entity->orig != NULL)
+ xmlFree((char *) entity->orig);
xmlFree(entity);
}
@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
ret->SystemID = xmlStrdup(SystemID);
} else {
ret->name = xmlDictLookup(dict, name, -1);
- if (ExternalID != NULL)
- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
- if (SystemID != NULL)
- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
+ ret->ExternalID = xmlStrdup(ExternalID);
+ ret->SystemID = xmlStrdup(SystemID);
}
if (content != NULL) {
ret->length = xmlStrlen(content);
- if ((dict != NULL) && (ret->length < 5))
- ret->content = (xmlChar *)
- xmlDictLookup(dict, content, ret->length);
- else
- ret->content = xmlStrndup(content, ret->length);
+ ret->content = xmlStrndup(content, ret->length);
} else {
ret->length = 0;
ret->content = NULL;
--
2.39.0

42
SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
View File

@ -1,42 +0,0 @@
From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Apr 2023 11:49:27 +0200
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
deterministic
When hashing empty strings which aren't null-terminated,
xmlDictComputeFastKey could produce inconsistent results. This could
lead to various logic or memory errors, including double frees.
For consistency the seed is also taken into account, but this shouldn't
have an impact on security.
Found by OSS-Fuzz.
Fixes #510.
Incorporates change from commit
09a2dd453007f9c7205274623acdd73747c22d64.
---
dict.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dict.c b/dict.c
index 0ef3718d..5e84cfca 100644
--- a/dict.c
+++ b/dict.c
@@ -444,8 +444,9 @@ static unsigned long
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
- value = *name;
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
+ value += *name;
value <<= 5;
if (namelen > 10) {
value += name[namelen - 1];
--
2.41.0

29
SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
View File

@ -1,29 +0,0 @@
From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 14 Oct 2023 22:45:54 +0200
Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
backtracking
Fixes a use-after-free if XML Reader if used with DTD validation and
XInclude expansion.
Fixes #604.
---
xmlreader.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/xmlreader.c b/xmlreader.c
index 34c4c6bc..8f2f9131 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -1511,6 +1511,7 @@ node_found:
* Handle XInclude if asked for
*/
if ((reader->xinclude) && (reader->node != NULL) &&
+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
(reader->node->type == XML_ELEMENT_NODE) &&
(reader->node->ns != NULL) &&
((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
--
2.44.0

191
SOURCES/libxml2-CVE-2016-9597.patch
View File

@ -1,191 +0,0 @@
Make the XML entity recursion check more precise.
libxml doesn't detect entity recursion specifically but has a variety
of related checks, such as entities not expanding too deeply or
producing exponential blow-ups in content.
Because entity declarations are parsed in a separate context with
their own element recursion budget, a recursive entity can overflow
the stack using a lot of open elements (but within the per-context
limit) as it slowly consumes (but does not exhaust) the entity depth
budget.
This adds a specific, precise check for recursive entities that
detects entity recursion specifically and fails immediately.
The existing entity expansion depth checks are still relevant for long
chains of different entities.
BUG=628581
Review-Url: https://codereview.chromium.org/2539003002
Cr-Commit-Position: refs/heads/master@{#436899}
Index: libxml2-2.9.4/entities.c
===================================================================
--- libxml2-2.9.4.orig/entities.c
+++ libxml2-2.9.4/entities.c
@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x
memset(ret, 0, sizeof(xmlEntity));
ret->type = XML_ENTITY_DECL;
ret->checked = 0;
+ ret->guard = XML_ENTITY_NOT_BEING_CHECKED;
/*
* fill the structure.
@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) {
cur->orig = xmlStrdup(ent->orig);
if (ent->URI != NULL)
cur->URI = xmlStrdup(ent->URI);
+ cur->guard = 0;
return(cur);
}
Index: libxml2-2.9.4/include/libxml/entities.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/entities.h
+++ libxml2-2.9.4/include/libxml/entities.h
@@ -30,6 +30,11 @@ typedef enum {
XML_INTERNAL_PREDEFINED_ENTITY = 6
} xmlEntityType;
+typedef enum {
+ XML_ENTITY_NOT_BEING_CHECKED,
+ XML_ENTITY_BEING_CHECKED /* entity check is in progress */
+} xmlEntityRecursionGuard;
+
/*
* An unit of storage for an entity, contains the string, the value
* and the linkind data needed for the linking in the hash table.
@@ -60,6 +65,7 @@ struct _xmlEntity {
/* this is also used to count entities
* references done from that entity
* and if it contains '<' */
+ xmlEntityRecursionGuard guard;
};
/*
Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
+ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return (1);
+ }
/*
* This may look absurd but is needed to detect
* entities problems
@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
unsigned long oldnbent = ctxt->nbentities;
xmlChar *rep;
+ ent->guard = XML_ENTITY_BEING_CHECKED;
ent->checked = 1;
++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
ent->content[0] = 0;
}
@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
* if its replacement text matches the production labeled
* content.
*/
- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
- ctxt->depth++;
- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
- user_data, &list);
- ctxt->depth--;
-
- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
- ctxt->depth++;
- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
- user_data, ctxt->depth, ent->URI,
- ent->ExternalID, &list);
- ctxt->depth--;
- } else {
- ret = XML_ERR_ENTITY_PE_INTERNAL;
- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
- "invalid entity type found\n", NULL);
- }
+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
+ ret = XML_ERR_ENTITY_LOOP;
+ } else {
+ ent->guard = XML_ENTITY_BEING_CHECKED;
+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
+ user_data, &list);
+ ctxt->depth--;
+ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
+ user_data, ctxt->depth, ent->URI,
+ ent->ExternalID, &list);
+ ctxt->depth--;
+ } else {
+ ret = XML_ERR_ENTITY_PE_INTERNAL;
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "invalid entity type found\n", NULL);
+ }
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
+ }
/*
* Store the number of entities needing parsing for this entity
@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
else
user_data = ctxt->userData;
- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
- ctxt->depth++;
- ret = xmlParseBalancedChunkMemoryInternal(ctxt,
- ent->content, user_data, NULL);
- ctxt->depth--;
- } else if (ent->etype ==
- XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
- ctxt->depth++;
- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
- ctxt->sax, user_data, ctxt->depth,
- ent->URI, ent->ExternalID, NULL);
- ctxt->depth--;
- } else {
- ret = XML_ERR_ENTITY_PE_INTERNAL;
- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
- "invalid entity type found\n", NULL);
- }
+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
+ ret = XML_ERR_ENTITY_LOOP;
+ } else {
+ ent->guard = XML_ENTITY_BEING_CHECKED;
+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt,
+ ent->content, user_data, NULL);
+ ctxt->depth--;
+ } else if (ent->etype ==
+ XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
+ ctxt->sax, user_data, ctxt->depth,
+ ent->URI, ent->ExternalID, NULL);
+ ctxt->depth--;
+ } else {
+ ret = XML_ERR_ENTITY_PE_INTERNAL;
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "invalid entity type found\n", NULL);
+ }
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
+ }
if (ret == XML_ERR_ENTITY_LOOP) {
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
return;

54
SOURCES/libxml2-CVE-2018-14404.patch
View File

@ -1,54 +0,0 @@
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH] Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
This is CVE-2018-14404.
Thanks to Guy Inbar for the report.
---
xpath.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/xpath.c b/xpath.c
index 3fae0bf4..5e3bb9ff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval &= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval &= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_OR:
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval |= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval |= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_EQUAL:
--
2.22.0

50
SOURCES/libxml2-CVE-2018-9251.patch
View File

@ -1,50 +0,0 @@
From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 13:14:11 +0200
Subject: [PATCH] Fix infinite loop in LZMA decompression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Check the liblzma error code more thoroughly to avoid infinite loops.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
This is CVE-2018-9251 and CVE-2018-14567.
Thanks to Dongliang Mu and Simon Wörner for the reports.
---
xzlib.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/xzlib.c b/xzlib.c
index a839169e..0ba88cfa 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
"internal error: inflate stream corrupt");
return -1;
}
+ /*
+ * FIXME: Remapping a couple of error codes and falling through
+ * to the LZMA error handling looks fragile.
+ */
if (ret == Z_MEM_ERROR)
ret = LZMA_MEM_ERROR;
if (ret == Z_DATA_ERROR)
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
xz_error(state, LZMA_PROG_ERROR, "compression error");
return -1;
}
+ if ((state->how != GZIP) &&
+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
+ xz_error(state, ret, "lzma error");
+ return -1;
+ }
} while (strm->avail_out && ret != LZMA_STREAM_END);
/* update available output and crc check value */
--
2.22.0

33
SOURCES/libxml2-CVE-2019-19956.patch
View File

@ -1,33 +0,0 @@
From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
From: Zhipeng Xie <xiezhipeng1@huawei.com>
Date: Wed, 7 Aug 2019 17:39:17 +0800
Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
NULL and free newDoc will cause a memory leak.
Found with libFuzzer.
Closes #82.
---
parser.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index 1ce1ccf1..26d9f4e3 100644
--- a/parser.c
+++ b/parser.c
@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
xmlFreeParserCtxt(ctxt);
newDoc->intSubset = NULL;
newDoc->extSubset = NULL;
- newDoc->oldNs = NULL;
+ if(doc != NULL)
+ newDoc->oldNs = NULL;
xmlFreeDoc(newDoc);
return(ret);
--
2.24.1

18
SOURCES/libxml2-python3-unicode-errors.patch → libxml2-2.12.0-python3-unicode-errors.patch
View File

@ -1,16 +1,16 @@
Index: libxml2-2.9.5/python/libxml.c
===================================================================
--- libxml2-2.9.5.orig/python/libxml.c
+++ libxml2-2.9.5/python/libxml.c
@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
diff --git a/python/libxml.c b/python/libxml.c
index bf048006..5f42e5b7 100644
--- a/python/libxml.c
+++ b/python/libxml.c
@@ -1505,6 +1505,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNUSED void *ctx, const char *msg,
PyObject *message;
PyObject *result;
char str[1000];
+ unsigned char *ptr = (unsigned char *)str;
#ifdef DEBUG_ERROR
printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
if (libxml_xmlPythonErrorFuncHandler == NULL) {
va_start(ap, msg);
@@ -1516,12 +1517,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNUSED void *ctx, const char *msg,
str[999] = 0;
va_end(ap);
@ -26,7 +26,7 @@ Index: libxml2-2.9.5/python/libxml.c
- message = libxml_charPtrConstWrap(str);
+ message = libxml_charPtrConstWrap(ptr);
PyTuple_SetItem(list, 1, message);
result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list);
result = PyObject_CallObject(libxml_xmlPythonErrorFuncHandler, list);
+ /* Forget any errors caused in the error handler. */
+ PyErr_Clear();
Py_XDECREF(list);

37
libxml2-2.12.5-CVE-2024-40896.patch Normal file
View File

@ -0,0 +1,37 @@
From 4c2b237174539db92f4504fbc5198d2f1561baca Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 6 Jul 2024 01:03:46 +0200
Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
Some users set an entity's children manually in the getEntity SAX
callback to restrict entity expansion. This stopped working after
renaming the "checked" member of xmlEntity, making at least one
downstream project and its dependants susceptible to XXE attacks.
See #761.
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
index fe0ff4e2d..58ad02dbc 100644
--- a/parser.c
+++ b/parser.c
@@ -7280,6 +7280,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
return;
}
+ /*
+ * Some users try to parse entities on their own and used to set
+ * the renamed "checked" member. Fix the flags to cover this
+ * case.
+ */
+ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+ ent->flags |= XML_ENT_PARSED;
+
/*
* The first reference to the entity trigger a parsing phase
* where the ent->children is filled with the result from
--
GitLab

0
SOURCES/libxml2-2.9.13-CVE-2024-56171.patch → libxml2-2.12.5-CVE-2024-56171.patch
View File

0
SOURCES/libxml2-2.9.13-CVE-2025-24928.patch → libxml2-2.12.5-CVE-2025-24928.patch
View File

8
SOURCES/libxml2-multilib.patch → libxml2-multilib.patch
View File

@ -6,9 +6,9 @@
exec_prefix=@exec_prefix@
includedir=@includedir@
! libdir=@libdir@
cflags=
libs=
usage()
{
--- 3,14 ----
prefix=@prefix@
exec_prefix=@exec_prefix@
@ -19,6 +19,6 @@
! else
! libdir=${exec_prefix}/lib64
! fi
cflags=
libs=
usage()
{

403
SPECS/libxml2.spec → libxml2.spec
View File

@ -1,78 +1,33 @@
%if 0%{?rhel} > 7
# Disable python2 build by default
%bcond_with python2
%else
%bcond_without python2
%endif
Name: libxml2
Version: 2.9.7
Release: 19%{?dist}
Version: 2.12.5
Release: 5%{?dist}
Summary: Library providing XML and HTML support
License: MIT
URL: http://xmlsoft.org/
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
# list.c, dict.c and few others use ISC-Veillard
# the conformance and test suite data in
# Source1, Source2 and Source3 is covered by W3C
License: MIT AND ISC-Veillard AND W3C
URL: https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
Source0: https://download.gnome.org/sources/%{name}/2.12/%{name}-%{version}.tar.xz
# https://www.w3.org/XML/Test/xmlconf-20080827.html
Source1: https://www.w3.org/XML/Test/xmlts20080827.tar.gz
# https://www.w3.org/XML/2004/xml-schema-test-suite/index.html
Source2: https://www.w3.org/XML/2004/xml-schema-test-suite/xmlschema2002-01-16/xsts-2002-01-16.tar.gz
Source3: https://www.w3.org/XML/2004/xml-schema-test-suite/xmlschema2004-01-14/xsts-2004-01-14.tar.gz
Patch0: libxml2-multilib.patch
# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
Patch1: libxml2-2.9.0-do-not-check-crc.patch
# In python3.6 _PyVerify_fd is no more
# http://bugs.python.org/issue23524
Patch2: libxml2-2.9.4-remove-pyverify_fd.patch
# https://codereview.chromium.org/2539003002
Patch3: libxml2-CVE-2016-9597.patch
# Fix some crashes under Python 3
# https://bugzilla.gnome.org/show_bug.cgi?id=789714
Patch4: libxml2-python3-unicode-errors.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1565322
Patch5: libxml2-CVE-2018-9251.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1595989
Patch6: libxml2-CVE-2018-14404.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1793001
Patch7: libxml2-CVE-2019-19956.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1799786
Patch8: libxml2-2.9.7-CVE-2020-7595.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1810058
Patch9: libxml2-2.9.7-CVE-2019-20388.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1878252
Patch10: libxml2-2.9.7-CVE-2020-24977.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1956976
Patch11: libxml2-2.9.7-CVE-2021-3516.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1957001
Patch12: libxml2-2.9.7-CVE-2021-3517.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1957028
Patch13: libxml2-2.9.7-CVE-2021-3518.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1957284
Patch14: libxml2-2.9.7-CVE-2021-3537.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1958783
Patch15: libxml2-2.9.7-CVE-2021-3541.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2057664
Patch16: libxml2-2.9.7-CVE-2022-23308.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2082298
Patch17: libxml2-2.9.7-CVE-2022-29824.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2120781
Patch18: libxml2-2.9.7-CVE-2016-3709.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136563
Patch19: libxml2-2.9.7-CVE-2022-40303.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136568
Patch20: libxml2-2.9.7-CVE-2022-40304.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2186692
Patch21: libxml2-2.9.13-CVE-2023-28484.patch
Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch
Patch23: libxml2-2.9.7-CVE-2023-29469.patch
# https://issues.redhat.com/browse/RHEL-5179
Patch24: libxml2-2.11.0-fix-CVE-2023-39615.patch
# https://issues.redhat.com/browse/RHEL-31056
Patch25: libxml2-2.9.7-CVE-2024-25062.patch
# https://issues.redhat.com/browse/RHEL-76289
Patch26: libxml2-2.9.13-CVE-2022-49043.patch
# https://issues.redhat.com/browse/RHEL-80122
Patch27: libxml2-2.9.13-CVE-2024-56171.patch
# https://issues.redhat.com/browse/RHEL-80137
Patch28: libxml2-2.9.13-CVE-2025-24928.patch
# Patch from openSUSE.
# See: https://bugzilla.gnome.org/show_bug.cgi?id=789714
Patch1: libxml2-2.12.0-python3-unicode-errors.patch
# https://issues.redhat.com/browse/RHEL-72060
Patch2: libxml2-2.12.5-CVE-2024-40896.patch
# https://issues.redhat.com/browse/RHEL-80119
Patch3: libxml2-2.12.5-CVE-2024-56171.patch
# https://issues.redhat.com/browse/RHEL-80134
Patch4: libxml2-2.12.5-CVE-2025-24928.patch
BuildRequires: gcc
BuildRequires: cmake-rpm-macros
BuildRequires: gcc
BuildRequires: make
BuildRequires: pkgconfig(zlib)
BuildRequires: pkgconfig(liblzma)
@ -112,26 +67,6 @@ Summary: Static library for libxml2
Static library for libxml2 provided for specific uses or shaving a few
microseconds when parsing, do not link to them for generic purpose packages.
%if %{with python2}
%package -n python2-%{name}
%{?python_provide:%python_provide python2-%{name}}
Summary: Python bindings for the libxml2 library
BuildRequires: python2-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Provides: %{name}-python = %{version}-%{release}
%description -n python2-%{name}
The libxml2-python package contains a Python 2 module that permits applications
written in the Python programming language, version 2, to use the interface
supplied by the libxml2 library to manipulate XML files.
This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DTDs, either
at parse time or later once the document has been modified.
%endif # with python2
%package -n python3-%{name}
Summary: Python 3 bindings for the libxml2 library
BuildRequires: python3-devel
@ -154,26 +89,18 @@ at parse time or later once the document has been modified.
find doc -type f -executable -print -exec chmod 0644 {} ';'
%build
%if %{with python2}
mkdir py2
%endif # with python2
mkdir py3
%global _configure ../configure
%global _configure_disable_silent_rules 1
%if %{with python2}
( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} )
%endif # with python2
( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} )
%if %{with python2}
%make_build -C py2
%endif # with python2
%make_build -C py3
# see https://bugzilla.redhat.com/show_bug.cgi?id=2139546 , several
# of these options are needed to (mostly) retain ABI compatibility
# with earlier versions
%configure \
--enable-static \
--with-legacy \
--with-ftp \
--with-python=%{__python3}
%make_build
%install
%if %{with python2}
%make_install -C py2
%endif # with python2
%make_install -C py3
%make_install
# multiarch crazyness on timestamp differences or Makefile/binaries for examples
touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config
@ -181,125 +108,241 @@ touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildr
find %{buildroot} -type f -name '*.la' -print -delete
rm -vf %{buildroot}{%{python2_sitearch},%{python3_sitearch}}/*.a
rm -vrf %{buildroot}%{_datadir}/doc/
#(cd doc/examples ; make clean ; rm -rf .deps Makefile)
gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%check
%if %{with python2}
%make_build runtests -C py2
%endif # with python2
%make_build runtests -C py3
# Tests require the XML conformance suite.
tar -xzvf %{SOURCE1}
%make_build check
rm -rf xmlconf
# Schema tests use the schema test suite.
cp %{SOURCE2} %{SOURCE3} xstc/
pushd xstc
mkdir Tests
%make_build tests
popd
# As the directory is copied to the devel subpackage, remove any build
# artifacts.
(cd doc/examples ; make clean ; rm -rf .deps Makefile)
%ldconfig_scriptlets
%files
%license Copyright
%doc AUTHORS NEWS README TODO
%doc NEWS README.md
%{_libdir}/libxml2.so.2*
%{_mandir}/man3/libxml.3*
%{_bindir}/xmllint
%{_mandir}/man1/xmllint.1*
%{_bindir}/xmlcatalog
%{_bindir}/xmllint
%{_mandir}/man1/xmlcatalog.1*
%{_mandir}/man1/xmllint.1*
%files devel
%doc doc/*.html doc/html doc/*.gif doc/*.png
%doc doc/*.html
%doc doc/tutorial doc/libxml2-api.xml.gz
%doc doc/examples
%dir %{_datadir}/gtk-doc
%dir %{_datadir}/gtk-doc/html
%{_datadir}/gtk-doc/html/libxml2/
%{_libdir}/libxml2.so
%{_libdir}/xml2Conf.sh
%{_includedir}/libxml2/
%{_bindir}/xml2-config
%{_mandir}/man1/xml2-config.1*
%{_datadir}/aclocal/libxml.m4
%{_datadir}/gtk-doc/html/libxml2/
%{_includedir}/libxml2/
%{_libdir}/libxml2.so
%{_libdir}/pkgconfig/libxml-2.0.pc
%{_libdir}/cmake/libxml2/
%{_bindir}/xml2-config
%{_mandir}/man1/xml2-config.1*
%files static
%license Copyright
%{_libdir}/libxml2.a
%if %{with python2}
%files -n python2-%{name}
%doc python/TODO python/libxml2class.txt
%doc doc/*.py doc/python.html
%{python2_sitearch}/libxml2.py*
%{python2_sitearch}/drv_libxml2.py*
%{python2_sitearch}/libxml2mod.so
%endif # with python2
%files -n python3-%{name}
%doc python/TODO python/libxml2class.txt
%doc doc/*.py doc/python.html
%{python3_sitearch}/libxml2.py
%{python3_sitearch}/__pycache__/libxml2.*
%{python3_sitearch}/drv_libxml2.py
%{python3_sitearch}/__pycache__/drv_libxml2.*
%doc doc/*.py
%{python3_sitearch}/libxml2mod.so
%{python3_sitelib}/libxml2.py
%{python3_sitelib}/__pycache__/libxml2.*
%{python3_sitelib}/drv_libxml2.py
%{python3_sitelib}/__pycache__/drv_libxml2.*
%changelog
* Tue Mar 11 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.9.7-19
- Fix CVE-2024-56171 (RHEL-80122)
- Fix CVE-2025-24928 (RHEL-80137)
* Mon Feb 24 2025 David King <dking@redhat.com> - 2.12.5-5
- Fix CVE-2024-56171 (RHEL-80119)
- Fix CVE-2025-24928 (RHEL-80134)
* Tue Feb 11 2025 David King <dking@redhat.com> - 2.9.7.18.2
- Fix CVE-2022-49043 (RHEL-76289)
* Tue Dec 24 2024 David King <amigadave@amigadave.com> - 2.12.5-4
- Fix CVE-2024-40896 (RHEL-72060)
* Mon Apr 29 2024 David King <amigadave@amigadave.com> - 2.9.7-18.1
- Fix CVE-2024-25062 (RHEL-31056)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.12.5-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Thu Sep 14 2023 David King <amigadave@amigadave.com> - 2.9.7-18
- Fix CVE-2023-39615 (RHEL-5179)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.12.5-2
- Bump release for June 2024 mass rebuild
* Fri Jul 14 2023 David King <amigadave@amigadave.com> - 2.9.7-17
- Fix CVE-2023-28484 (#2186692)
- Fix CVE-2023-29469 (#2186692)
* Mon Feb 05 2024 David King <amigadave@amigadave.com> - 2.12.5-1
- Update to 2.12.5 (#2262648)
* Wed Nov 02 2022 David King <dking@redhat.com> - 2.9.7-16
- Fix CVE-2022-40303 (#2136563)
- Fix CVE-2022-40304 (#2136568)
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.12.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Aug 24 2022 David King <dking@redhat.com> - 2.9.7-15
- Fix CVE-2016-3709 (#2120781)
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.12.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu May 12 2022 David King <dking@redhat.com> - 2.9.7-14
- Fix CVE-2022-29824 (#2082298)
* Tue Jan 16 2024 David King <amigadave@amigadave.com> - 2.12.4-1
- Update to 2.12.4 (#2258493)
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-13
- Bump release (#2057664)
* Tue Dec 12 2023 David King <amigadave@amigadave.com> - 2.12.3-1
- Update to 2.12.3 (#2254194)
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-12
- Fix CVE-2022-23308 (#2057664)
* Sat Dec 09 2023 David King <amigadave@amigadave.com> - 2.12.2-2
- Upstream patch to add extra includes
* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-11
- Fix CVE-2021-3541 (#1958783)
* Wed Dec 06 2023 David King <amigadave@amigadave.com> - 2.12.2-1
- Update to 2.12.2 (#2137281)
- Enable W3C XML Conformance and Schema test suites
* Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-10
- Fix CVE-2021-3516 (#1956976)
- Fix CVE-2021-3517 (#1957001)
- Fix CVE-2021-3518 (#1957028)
- Fix CVE-2021-3537 (#1957284)
* Fri Nov 24 2023 David King <amigadave@amigadave.com> - 2.12.1-1
- Update to 2.12.1 (#2250062)
* Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9
- Fix CVE-2020-24977 (#1878252)
* Thu Nov 16 2023 David King <amigadave@amigadave.com> - 2.12.0-1
- Update to 2.12.0 (#2250062)
* Mon Jan 20 2020 David King <dking@redhat.com> - 2.9.7-8
- Fix CVE-2019-19956 (#1793001)
* Thu Nov 16 2023 David King <amigadave@amigadave.com> - 2.11.6-1
- Update to 2.11.6
* Wed Aug 16 2023 David King <amigadave@amigadave.com> - 2.11.5-1
- Update to 2.11.5 (#2190441)
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.10.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 2.10.4-2
- Rebuilt for Python 3.12
* Wed Apr 12 2023 David King <amigadave@amigadave.com> - 2.10.4-1
- Update to 2.10.4 (#2185870)
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.10.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Nov 03 2022 Adam Williamson <awilliam@redhat.com> - 2.10.3-2
- Set build options to maintain (most) symbols from 2.9.14 (#2139546)
* Thu Oct 20 2022 David King <amigadave@amigadave.com> - 2.10.3-1
- Update to 2.10.3 (#2119077)
* Tue Aug 30 2022 David King <amigadave@amigadave.com> - 2.10.2-1
- Update to 2.10.2 (#2119077)
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 2.9.14-2
- Rebuilt for Python 3.11
* Mon May 02 2022 David King <amigadave@amigadave.com> - 2.9.14-1
- Update to 2.9.14 (#2080961)
* Mon Feb 21 2022 David King <amigadave@amigadave.com> - 2.9.13-1
- Update to 2.9.13
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.12-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.12-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 2.9.12-5
- Rebuilt for Python 3.10
* Sat May 29 2021 David King <amigadave@amigadave.com> - 2.9.12-4
- Fix xmlNodeDumpOutputInternal regression (#1965662)
* Tue May 25 2021 David King <amigadave@amigadave.com> - 2.9.12-3
- Fix multiarch conflict in devel subpackage
* Wed May 19 2021 David King <amigadave@amigadave.com> - 2.9.12-2
- Fix python-lxml regression with 2.9.12
* Thu May 13 2021 David King <amigadave@amigadave.com> - 2.9.12-1
- Update to 2.9.12 (#1960153)
* Thu May 06 2021 David King <amigadave@amigadave.com> - 2.9.10-12
- Fix CVE-2021-3537 (#1956524)
* Wed May 05 2021 David King <amigadave@amigadave.com> - 2.9.10-11
- Fix CVE-2021-3516 (#1954227)
- Fix CVE-2021-3517 (#1954234)
- Fix CVE-2021-3518 (#1954243)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 12 11:57:41 CET 2020 Victor Stinner <vstinner@python.org> - 2.9.10-9
- Build the Python extension with the PY_SSIZE_T_CLEAN macro to make it
compatible with Python 3.10.
- Fixes: rhbz#1890878.
* Wed Nov 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-8
- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.
* Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7
- Add fix for CVE-2020-24977 (RHBZ#1877788).
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9.10-5
- Rebuilt for Python 3.9
* Mon Feb 10 2020 David King <amigadave@amigadave.com> - 2.9.10-4
- Fix CVE-2019-20388 (#1799736)
- Fix CVE-2020-7595 (#1799786)
- Fix CVE-2019-20388 (#1810058)
* Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-7
- Fix CVE-2018-14404 (#1595989)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-6
- Fix CVE-2018-9251 (#1565322)
* Fri Jan 03 2020 Jan Pokorny <jpokorny@fedoraproject.org> - 2.9.10-2
- Fix relaxed approach to nested documents on object disposal (#1780573)
* Fri Aug 03 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.9.7-5
- Fix some crashes under Python 3
- Conditionalize the python2 subpackage
* Fri Nov 01 2019 David King <amigadave@amigadave.com> - 2.9.10-1
- Update to 2.9.10 (#1767151)
* Thu Oct 31 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9.9-7
- Subpackage python2-libxml2 has been removed
See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9.9-6
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Fri Aug 23 2019 Florian Weimer <fweimer@redhat.com> - 2.9.9-5
- Rebuild to fix corrupted libxml2-static package on aarch64 (#1745020)
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9.9-4
- Rebuilt for Python 3.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 David King <amigadave@amigadave.com> - 2.9.9-1
- Update to 2.9.9
* Sun Jan 06 2019 Björn Esser <besser82@fedoraproject.org> - 2.9.8-5
- Add patch to fix crash: xmlParserPrintFileContextInternal mangles utf8
* Thu Aug 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-4
- Backport patches from upstream
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.9.8-2
- Rebuilt for Python 3.7
* Tue Apr 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-1
- Update to 2.9.8
* Sat Feb 24 2018 Florian Weimer <fweimer@redhat.com> - 2.9.7-4
- Rebuild with new LDFLAGS from redhat-rpm-config

4
sources Normal file
View File

@ -0,0 +1,4 @@
SHA512 (libxml2-2.12.5.tar.xz) = da5c5afb95db80342d78d4371d029bf10ce5cd601b24b294272d9996f82357bd5262a15a2b44b0904a14471c8ff0c9fd9c796f164246551f02ee19a8f083f926
SHA512 (xmlts20080827.tar.gz) = 7325d0977c4427fc4944b291ccf896a665f654cc24399e5565c12a849c2bc3aef4fa3ee42a09ac115abcb6570c51a8fbd052c38d64d164279ecdecad5a4e884d
SHA512 (xsts-2002-01-16.tar.gz) = 43300af6d39c1e2221b0ed7318fe14c7464eeb6eb030ed1e22eb29b4ab17f014e2a4c8887c3a46ae5d243e3072da27f00f4e285498ae6f1288177d38d1108288
SHA512 (xsts-2004-01-14.tar.gz) = 32854388d7e720ad67156baf50bf2bae7bd878ca3e35fd7e44e57cad3f434f69d56bbbedd61509f8a1faf01c9eae74a078df8fe130780b182c05c05cb1c39ebe