Compare commits
No commits in common. "c8-beta" and "c8" have entirely different histories.
32
SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
Normal file
32
SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 6 May 2023 17:47:37 +0200
|
||||
Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
|
||||
|
||||
For some reason, xmlCtxtUseOptionsInternal set the start and end element
|
||||
SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
|
||||
was specified. This means that custom SAX handlers could never work with
|
||||
that flag because these functions would receive the wrong user data
|
||||
argument and crash immediately.
|
||||
|
||||
Fixes #535.
|
||||
---
|
||||
parser.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index bb05791d3..0c8bed129 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -14479,8 +14479,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
|
||||
}
|
||||
#ifdef LIBXML_SAX1_ENABLED
|
||||
if (options & XML_PARSE_SAX1) {
|
||||
- ctxt->sax->startElement = xmlSAX2StartElement;
|
||||
- ctxt->sax->endElement = xmlSAX2EndElement;
|
||||
ctxt->sax->startElementNs = NULL;
|
||||
ctxt->sax->endElementNs = NULL;
|
||||
ctxt->sax->initialized = 1;
|
||||
--
|
||||
GitLab
|
||||
|
71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
Normal file
71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 13 Sep 2022 16:40:31 +0200
|
||||
Subject: [PATCH] schemas: Fix null-pointer-deref in
|
||||
xmlSchemaCheckCOSSTDerivedOK
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
---
|
||||
result/schemas/oss-fuzz-51295_0_0.err | 2 ++
|
||||
test/schemas/oss-fuzz-51295_0.xml | 1 +
|
||||
test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
|
||||
xmlschemas.c | 15 +++++++++++++--
|
||||
4 files changed, 20 insertions(+), 2 deletions(-)
|
||||
create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
|
||||
create mode 100644 test/schemas/oss-fuzz-51295_0.xml
|
||||
create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
|
||||
|
||||
diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
|
||||
new file mode 100644
|
||||
index 00000000..1e89524f
|
||||
--- /dev/null
|
||||
+++ b/result/schemas/oss-fuzz-51295_0_0.err
|
||||
@@ -0,0 +1,2 @@
|
||||
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
|
||||
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
|
||||
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
|
||||
new file mode 100644
|
||||
index 00000000..10a7e703
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/oss-fuzz-51295_0.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<e/>
|
||||
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
|
||||
new file mode 100644
|
||||
index 00000000..fde96af5
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/oss-fuzz-51295_0.xsd
|
||||
@@ -0,0 +1,4 @@
|
||||
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
|
||||
+ <xs:element name="e" substitutionGroup="e"/>
|
||||
+ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
|
||||
+</xs:schema>
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index f31d3d1f..152b7c3f 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
|
||||
* declaration `resolved` to by the `actual value`
|
||||
* of the substitutionGroup [attribute], if present"
|
||||
*/
|
||||
- if (elemDecl->subtypes == NULL)
|
||||
- elemDecl->subtypes = substHead->subtypes;
|
||||
+ if (elemDecl->subtypes == NULL) {
|
||||
+ if (substHead->subtypes == NULL) {
|
||||
+ /*
|
||||
+ * This can happen with self-referencing substitution
|
||||
+ * groups. The cycle will be detected later, but we have
|
||||
+ * to set subtypes to avoid null-pointer dereferences.
|
||||
+ */
|
||||
+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
|
||||
+ XML_SCHEMAS_ANYTYPE);
|
||||
+ } else {
|
||||
+ elemDecl->subtypes = substHead->subtypes;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
/*
|
||||
--
|
||||
GitLab
|
||||
|
74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
Normal file
74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 7 Apr 2023 11:46:35 +0200
|
||||
Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
|
||||
|
||||
Fix a null pointer dereference when parsing (invalid) XML schemas.
|
||||
|
||||
Thanks to Robby Simpson for the report!
|
||||
|
||||
Fixes #491.
|
||||
---
|
||||
result/schemas/issue491_0_0.err | 1 +
|
||||
test/schemas/issue491_0.xml | 1 +
|
||||
test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
|
||||
xmlschemas.c | 2 +-
|
||||
4 files changed, 21 insertions(+), 1 deletion(-)
|
||||
create mode 100644 result/schemas/issue491_0_0.err
|
||||
create mode 100644 test/schemas/issue491_0.xml
|
||||
create mode 100644 test/schemas/issue491_0.xsd
|
||||
|
||||
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
|
||||
new file mode 100644
|
||||
index 00000000..9b2bb969
|
||||
--- /dev/null
|
||||
+++ b/result/schemas/issue491_0_0.err
|
||||
@@ -0,0 +1 @@
|
||||
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
|
||||
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
|
||||
new file mode 100644
|
||||
index 00000000..e2b2fc2e
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/issue491_0.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<Child xmlns="http://www.test.com">5</Child>
|
||||
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
|
||||
new file mode 100644
|
||||
index 00000000..81702649
|
||||
--- /dev/null
|
||||
+++ b/test/schemas/issue491_0.xsd
|
||||
@@ -0,0 +1,18 @@
|
||||
+<?xml version='1.0' encoding='UTF-8'?>
|
||||
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
|
||||
+ <xs:complexType name="BaseType">
|
||||
+ <xs:simpleContent>
|
||||
+ <xs:extension base="xs:int" />
|
||||
+ </xs:simpleContent>
|
||||
+ </xs:complexType>
|
||||
+ <xs:complexType name="ChildType">
|
||||
+ <xs:complexContent>
|
||||
+ <xs:extension base="BaseType">
|
||||
+ <xs:sequence>
|
||||
+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
|
||||
+ </xs:sequence>
|
||||
+ </xs:extension>
|
||||
+ </xs:complexContent>
|
||||
+ </xs:complexType>
|
||||
+ <xs:element name="Child" type="ChildType" />
|
||||
+</xs:schema>
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index 152b7c3f..eec24a95 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
|
||||
"allowed to appear inside other model groups",
|
||||
NULL, NULL);
|
||||
|
||||
- } else if (! dummySequence) {
|
||||
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
|
||||
xmlSchemaTreeItemPtr effectiveContent =
|
||||
(xmlSchemaTreeItemPtr) type->subtypes;
|
||||
/*
|
||||
--
|
||||
GitLab
|
||||
|
42
SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
Normal file
42
SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
||||
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
||||
deterministic
|
||||
|
||||
When hashing empty strings which aren't null-terminated,
|
||||
xmlDictComputeFastKey could produce inconsistent results. This could
|
||||
lead to various logic or memory errors, including double frees.
|
||||
|
||||
For consistency the seed is also taken into account, but this shouldn't
|
||||
have an impact on security.
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
|
||||
Fixes #510.
|
||||
|
||||
Incorporates change from commit
|
||||
09a2dd453007f9c7205274623acdd73747c22d64.
|
||||
---
|
||||
dict.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/dict.c b/dict.c
|
||||
index 0ef3718d..5e84cfca 100644
|
||||
--- a/dict.c
|
||||
+++ b/dict.c
|
||||
@@ -444,8 +444,9 @@ static unsigned long
|
||||
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
||||
unsigned long value = seed;
|
||||
|
||||
- if (name == NULL) return(0);
|
||||
- value = *name;
|
||||
+ if ((name == NULL) || (namelen <= 0))
|
||||
+ return(value);
|
||||
+ value += *name;
|
||||
value <<= 5;
|
||||
if (namelen > 10) {
|
||||
value += name[namelen - 1];
|
||||
--
|
||||
2.41.0
|
||||
|
29
SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
Normal file
29
SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 14 Oct 2023 22:45:54 +0200
|
||||
Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
|
||||
backtracking
|
||||
|
||||
Fixes a use-after-free if XML Reader if used with DTD validation and
|
||||
XInclude expansion.
|
||||
|
||||
Fixes #604.
|
||||
---
|
||||
xmlreader.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/xmlreader.c b/xmlreader.c
|
||||
index 34c4c6bc..8f2f9131 100644
|
||||
--- a/xmlreader.c
|
||||
+++ b/xmlreader.c
|
||||
@@ -1511,6 +1511,7 @@ node_found:
|
||||
* Handle XInclude if asked for
|
||||
*/
|
||||
if ((reader->xinclude) && (reader->node != NULL) &&
|
||||
+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
|
||||
(reader->node->type == XML_ELEMENT_NODE) &&
|
||||
(reader->node->ns != NULL) &&
|
||||
((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
Name: libxml2
|
||||
Version: 2.9.7
|
||||
Release: 16%{?dist}
|
||||
Release: 18%{?dist}.1
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
License: MIT
|
||||
@ -56,6 +56,14 @@ Patch18: libxml2-2.9.7-CVE-2016-3709.patch
|
||||
Patch19: libxml2-2.9.7-CVE-2022-40303.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136568
|
||||
Patch20: libxml2-2.9.7-CVE-2022-40304.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2186692
|
||||
Patch21: libxml2-2.9.13-CVE-2023-28484.patch
|
||||
Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch
|
||||
Patch23: libxml2-2.9.7-CVE-2023-29469.patch
|
||||
# https://issues.redhat.com/browse/RHEL-5179
|
||||
Patch24: libxml2-2.11.0-fix-CVE-2023-39615.patch
|
||||
# https://issues.redhat.com/browse/RHEL-31056
|
||||
Patch25: libxml2-2.9.7-CVE-2024-25062.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake-rpm-macros
|
||||
@ -227,6 +235,16 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
|
||||
%changelog
|
||||
* Mon Apr 29 2024 David King <amigadave@amigadave.com> - 2.9.7-18.1
|
||||
- Fix CVE-2024-25062 (RHEL-31056)
|
||||
|
||||
* Thu Sep 14 2023 David King <amigadave@amigadave.com> - 2.9.7-18
|
||||
- Fix CVE-2023-39615 (RHEL-5179)
|
||||
|
||||
* Fri Jul 14 2023 David King <amigadave@amigadave.com> - 2.9.7-17
|
||||
- Fix CVE-2023-28484 (#2186692)
|
||||
- Fix CVE-2023-29469 (#2186692)
|
||||
|
||||
* Wed Nov 02 2022 David King <dking@redhat.com> - 2.9.7-16
|
||||
- Fix CVE-2022-40303 (#2136563)
|
||||
- Fix CVE-2022-40304 (#2136568)
|
||||
|
Loading…
Reference in New Issue
Block a user