import CS libxml2-2.9.13-4.el9
This commit is contained in:
parent
96143e4ad4
commit
dbda0c16ab
71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
Normal file
71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 13 Sep 2022 16:40:31 +0200
|
||||
Subject: [PATCH] schemas: Fix null-pointer-deref in
|
||||
xmlSchemaCheckCOSSTDerivedOK
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
---
|
||||
result/schemas/oss-fuzz-51295_0_0.err | 2 ++
|
||||
test/schemas/oss-fuzz-51295_0.xml | 1 +
|
||||
test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
|
||||
xmlschemas.c | 15 +++++++++++++--
|
||||
4 files changed, 20 insertions(+), 2 deletions(-)
|
||||
create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
|
||||
create mode 100644 test/schemas/oss-fuzz-51295_0.xml
|
||||
create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
|
||||
|
||||
diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
|
||||
new file mode 100644
|
||||
index 00000000..1e89524f
|
||||
--- /dev/null
|
||||
+++ b/result/schemas/oss-fuzz-51295_0_0.err
|
||||
@@ -0,0 +1,2 @@
|
||||
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
|
||||
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
|
||||
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
|
||||
new file mode 100644
|
||||
index 00000000..10a7e703
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/oss-fuzz-51295_0.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<e/>
|
||||
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
|
||||
new file mode 100644
|
||||
index 00000000..fde96af5
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/oss-fuzz-51295_0.xsd
|
||||
@@ -0,0 +1,4 @@
|
||||
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
|
||||
+ <xs:element name="e" substitutionGroup="e"/>
|
||||
+ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
|
||||
+</xs:schema>
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index f31d3d1f..152b7c3f 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
|
||||
* declaration `resolved` to by the `actual value`
|
||||
* of the substitutionGroup [attribute], if present"
|
||||
*/
|
||||
- if (elemDecl->subtypes == NULL)
|
||||
- elemDecl->subtypes = substHead->subtypes;
|
||||
+ if (elemDecl->subtypes == NULL) {
|
||||
+ if (substHead->subtypes == NULL) {
|
||||
+ /*
|
||||
+ * This can happen with self-referencing substitution
|
||||
+ * groups. The cycle will be detected later, but we have
|
||||
+ * to set subtypes to avoid null-pointer dereferences.
|
||||
+ */
|
||||
+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
|
||||
+ XML_SCHEMAS_ANYTYPE);
|
||||
+ } else {
|
||||
+ elemDecl->subtypes = substHead->subtypes;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
/*
|
||||
--
|
||||
GitLab
|
||||
|
74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
Normal file
74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 7 Apr 2023 11:46:35 +0200
|
||||
Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
|
||||
|
||||
Fix a null pointer dereference when parsing (invalid) XML schemas.
|
||||
|
||||
Thanks to Robby Simpson for the report!
|
||||
|
||||
Fixes #491.
|
||||
---
|
||||
result/schemas/issue491_0_0.err | 1 +
|
||||
test/schemas/issue491_0.xml | 1 +
|
||||
test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
|
||||
xmlschemas.c | 2 +-
|
||||
4 files changed, 21 insertions(+), 1 deletion(-)
|
||||
create mode 100644 result/schemas/issue491_0_0.err
|
||||
create mode 100644 test/schemas/issue491_0.xml
|
||||
create mode 100644 test/schemas/issue491_0.xsd
|
||||
|
||||
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
|
||||
new file mode 100644
|
||||
index 00000000..9b2bb969
|
||||
--- /dev/null
|
||||
+++ b/result/schemas/issue491_0_0.err
|
||||
@@ -0,0 +1 @@
|
||||
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
|
||||
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
|
||||
new file mode 100644
|
||||
index 00000000..e2b2fc2e
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/issue491_0.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<Child xmlns="http://www.test.com">5</Child>
|
||||
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
|
||||
new file mode 100644
|
||||
index 00000000..81702649
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/issue491_0.xsd
|
||||
@@ -0,0 +1,18 @@
|
||||
+<?xml version='1.0' encoding='UTF-8'?>
|
||||
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
|
||||
+ <xs:complexType name="BaseType">
|
||||
+ <xs:simpleContent>
|
||||
+ <xs:extension base="xs:int" />
|
||||
+ </xs:simpleContent>
|
||||
+ </xs:complexType>
|
||||
+ <xs:complexType name="ChildType">
|
||||
+ <xs:complexContent>
|
||||
+ <xs:extension base="BaseType">
|
||||
+ <xs:sequence>
|
||||
+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
|
||||
+ </xs:sequence>
|
||||
+ </xs:extension>
|
||||
+ </xs:complexContent>
|
||||
+ </xs:complexType>
|
||||
+ <xs:element name="Child" type="ChildType" />
|
||||
+</xs:schema>
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index 152b7c3f..eec24a95 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
|
||||
"allowed to appear inside other model groups",
|
||||
NULL, NULL);
|
||||
|
||||
- } else if (! dummySequence) {
|
||||
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
|
||||
xmlSchemaTreeItemPtr effectiveContent =
|
||||
(xmlSchemaTreeItemPtr) type->subtypes;
|
||||
/*
|
||||
--
|
||||
GitLab
|
||||
|
37
SOURCES/libxml2-2.9.13-CVE-2023-29469.patch
Normal file
37
SOURCES/libxml2-2.9.13-CVE-2023-29469.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
||||
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
||||
deterministic
|
||||
|
||||
When hashing empty strings which aren't null-terminated,
|
||||
xmlDictComputeFastKey could produce inconsistent results. This could
|
||||
lead to various logic or memory errors, including double frees.
|
||||
|
||||
For consistency the seed is also taken into account, but this shouldn't
|
||||
have an impact on security.
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
|
||||
Fixes #510.
|
||||
---
|
||||
dict.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/dict.c b/dict.c
|
||||
index c29d2af7..12ba94fd 100644
|
||||
--- a/dict.c
|
||||
+++ b/dict.c
|
||||
@@ -453,7 +453,8 @@ static unsigned long
|
||||
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
||||
unsigned long value = seed;
|
||||
|
||||
- if (name == NULL) return(0);
|
||||
+ if ((name == NULL) || (namelen <= 0))
|
||||
+ return(value);
|
||||
value += *name;
|
||||
value <<= 5;
|
||||
if (namelen > 10) {
|
||||
--
|
||||
GitLab
|
||||
|
@ -1,6 +1,6 @@
|
||||
Name: libxml2
|
||||
Version: 2.9.13
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
License: MIT
|
||||
@ -16,6 +16,10 @@ Patch2: libxml2-2.9.13-CVE-2022-29824.patch
|
||||
Patch3: libxml2-2.9.13-CVE-2022-40303.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136569
|
||||
Patch4: libxml2-2.9.13-CVE-2022-40304.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2186694
|
||||
Patch5: libxml2-2.9.13-CVE-2023-28484.patch
|
||||
Patch6: libxml2-2.9.13-CVE-2023-28484.2.patch
|
||||
Patch7: libxml2-2.9.13-CVE-2023-29469.patch
|
||||
|
||||
BuildRequires: cmake-rpm-macros
|
||||
BuildRequires: gcc
|
||||
@ -144,6 +148,10 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
|
||||
%changelog
|
||||
* Fri Apr 14 2023 David King <amigadave@amigadave.com> - 2.9.13-4
|
||||
- Fix CVE-2023-28484 (#2186694)
|
||||
- Fix CVE-2023-29469 (#2186694)
|
||||
|
||||
* Tue Nov 01 2022 David King <amigadave@amigadave.com> - 2.9.13-3
|
||||
- Fix CVE-2022-40303 (#2136564)
|
||||
- Fix CVE-2022-40304 (#2136569)
|
||||
|
Loading…
Reference in New Issue
Block a user