import libxml2-2.9.7-15.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
cce4829298
commit
d9f10a179a
88
SOURCES/libxml2-2.9.7-CVE-2016-3709.patch
Normal file
88
SOURCES/libxml2-2.9.7-CVE-2016-3709.patch
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Sat, 15 Aug 2020 18:32:29 +0200
|
||||||
|
Subject: [PATCH] Revert "Do not URI escape in server side includes"
|
||||||
|
|
||||||
|
This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
|
||||||
|
|
||||||
|
This commit introduced
|
||||||
|
|
||||||
|
- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
|
||||||
|
- an algorithm with quadratic runtime
|
||||||
|
- a security issue, see
|
||||||
|
https://bugzilla.gnome.org/show_bug.cgi?id=769760
|
||||||
|
|
||||||
|
A better approach is to add an option not to escape URLs at all
|
||||||
|
which libxml2 should have possibly done in the first place.
|
||||||
|
---
|
||||||
|
HTMLtree.c | 49 +++++++++++--------------------------------------
|
||||||
|
1 file changed, 11 insertions(+), 38 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/HTMLtree.c b/HTMLtree.c
|
||||||
|
index 8d236bb3..cdb7f86a 100644
|
||||||
|
--- a/HTMLtree.c
|
||||||
|
+++ b/HTMLtree.c
|
||||||
|
@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
|
||||||
|
(!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
|
||||||
|
((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
|
||||||
|
(!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
|
||||||
|
+ xmlChar *escaped;
|
||||||
|
xmlChar *tmp = value;
|
||||||
|
- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
|
||||||
|
- xmlBufCCat(buf->buffer, "\"");
|
||||||
|
|
||||||
|
while (IS_BLANK_CH(*tmp)) tmp++;
|
||||||
|
|
||||||
|
- /* URI Escape everything, except server side includes. */
|
||||||
|
- for ( ; ; ) {
|
||||||
|
- xmlChar *escaped;
|
||||||
|
- xmlChar endChar;
|
||||||
|
- xmlChar *end = NULL;
|
||||||
|
- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
|
||||||
|
- if (start != NULL) {
|
||||||
|
- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
|
||||||
|
- if (end != NULL) {
|
||||||
|
- *start = '\0';
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Escape the whole string, or until start (set to '\0'). */
|
||||||
|
- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
|
||||||
|
- if (escaped != NULL) {
|
||||||
|
- xmlBufCat(buf->buffer, escaped);
|
||||||
|
- xmlFree(escaped);
|
||||||
|
- } else {
|
||||||
|
- xmlBufCat(buf->buffer, tmp);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (end == NULL) { /* Everything has been written. */
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Do not escape anything within server side includes. */
|
||||||
|
- *start = '<'; /* Restore the first character of "<!--". */
|
||||||
|
- end += 3; /* strlen("-->") */
|
||||||
|
- endChar = *end;
|
||||||
|
- *end = '\0';
|
||||||
|
- xmlBufCat(buf->buffer, start);
|
||||||
|
- *end = endChar;
|
||||||
|
- tmp = end;
|
||||||
|
+ /*
|
||||||
|
+ * the < and > have already been escaped at the entity level
|
||||||
|
+ * And doing so here breaks server side includes
|
||||||
|
+ */
|
||||||
|
+ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
|
||||||
|
+ if (escaped != NULL) {
|
||||||
|
+ xmlBufWriteQuotedString(buf->buffer, escaped);
|
||||||
|
+ xmlFree(escaped);
|
||||||
|
+ } else {
|
||||||
|
+ xmlBufWriteQuotedString(buf->buffer, value);
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- xmlBufCCat(buf->buffer, "\"");
|
||||||
|
} else {
|
||||||
|
xmlBufWriteQuotedString(buf->buffer, value);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
||||||
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
Name: libxml2
|
Name: libxml2
|
||||||
Version: 2.9.7
|
Version: 2.9.7
|
||||||
Release: 13%{?dist}.1
|
Release: 15%{?dist}
|
||||||
Summary: Library providing XML and HTML support
|
Summary: Library providing XML and HTML support
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -48,8 +48,10 @@ Patch14: libxml2-2.9.7-CVE-2021-3537.patch
|
|||||||
Patch15: libxml2-2.9.7-CVE-2021-3541.patch
|
Patch15: libxml2-2.9.7-CVE-2021-3541.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2057664
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2057664
|
||||||
Patch16: libxml2-2.9.7-CVE-2022-23308.patch
|
Patch16: libxml2-2.9.7-CVE-2022-23308.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2082297
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2082298
|
||||||
Patch17: libxml2-2.9.7-CVE-2022-29824.patch
|
Patch17: libxml2-2.9.7-CVE-2022-29824.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2120781
|
||||||
|
Patch18: libxml2-2.9.7-CVE-2016-3709.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: cmake-rpm-macros
|
BuildRequires: cmake-rpm-macros
|
||||||
@ -221,8 +223,11 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
|||||||
%{python3_sitearch}/libxml2mod.so
|
%{python3_sitearch}/libxml2mod.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu May 12 2022 David King <dking@redhat.com> - 2.9.7-13.1
|
* Wed Aug 24 2022 David King <dking@redhat.com> - 2.9.7-15
|
||||||
- Fix CVE-2022-29824 (#2082297)
|
- Fix CVE-2016-3709 (#2120781)
|
||||||
|
|
||||||
|
* Thu May 12 2022 David King <dking@redhat.com> - 2.9.7-14
|
||||||
|
- Fix CVE-2022-29824 (#2082298)
|
||||||
|
|
||||||
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-13
|
* Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-13
|
||||||
- Bump release (#2057664)
|
- Bump release (#2057664)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user