Compare commits
No commits in common. "c8-beta" and "c8" have entirely different histories.
32
SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
Normal file
32
SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Sat, 6 May 2023 17:47:37 +0200
|
||||||
|
Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
|
||||||
|
|
||||||
|
For some reason, xmlCtxtUseOptionsInternal set the start and end element
|
||||||
|
SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
|
||||||
|
was specified. This means that custom SAX handlers could never work with
|
||||||
|
that flag because these functions would receive the wrong user data
|
||||||
|
argument and crash immediately.
|
||||||
|
|
||||||
|
Fixes #535.
|
||||||
|
---
|
||||||
|
parser.c | 2 --
|
||||||
|
1 file changed, 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/parser.c b/parser.c
|
||||||
|
index bb05791d3..0c8bed129 100644
|
||||||
|
--- a/parser.c
|
||||||
|
+++ b/parser.c
|
||||||
|
@@ -14479,8 +14479,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
|
||||||
|
}
|
||||||
|
#ifdef LIBXML_SAX1_ENABLED
|
||||||
|
if (options & XML_PARSE_SAX1) {
|
||||||
|
- ctxt->sax->startElement = xmlSAX2StartElement;
|
||||||
|
- ctxt->sax->endElement = xmlSAX2EndElement;
|
||||||
|
ctxt->sax->startElementNs = NULL;
|
||||||
|
ctxt->sax->endElementNs = NULL;
|
||||||
|
ctxt->sax->initialized = 1;
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
Normal file
71
SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Tue, 13 Sep 2022 16:40:31 +0200
|
||||||
|
Subject: [PATCH] schemas: Fix null-pointer-deref in
|
||||||
|
xmlSchemaCheckCOSSTDerivedOK
|
||||||
|
|
||||||
|
Found by OSS-Fuzz.
|
||||||
|
---
|
||||||
|
result/schemas/oss-fuzz-51295_0_0.err | 2 ++
|
||||||
|
test/schemas/oss-fuzz-51295_0.xml | 1 +
|
||||||
|
test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
|
||||||
|
xmlschemas.c | 15 +++++++++++++--
|
||||||
|
4 files changed, 20 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
|
||||||
|
create mode 100644 test/schemas/oss-fuzz-51295_0.xml
|
||||||
|
create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
|
||||||
|
|
||||||
|
diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..1e89524f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/result/schemas/oss-fuzz-51295_0_0.err
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
|
||||||
|
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
|
||||||
|
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..10a7e703
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/schemas/oss-fuzz-51295_0.xml
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+<e/>
|
||||||
|
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..fde96af5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/schemas/oss-fuzz-51295_0.xsd
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
|
||||||
|
+ <xs:element name="e" substitutionGroup="e"/>
|
||||||
|
+ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
|
||||||
|
+</xs:schema>
|
||||||
|
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||||
|
index f31d3d1f..152b7c3f 100644
|
||||||
|
--- a/xmlschemas.c
|
||||||
|
+++ b/xmlschemas.c
|
||||||
|
@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
|
||||||
|
* declaration `resolved` to by the `actual value`
|
||||||
|
* of the substitutionGroup [attribute], if present"
|
||||||
|
*/
|
||||||
|
- if (elemDecl->subtypes == NULL)
|
||||||
|
- elemDecl->subtypes = substHead->subtypes;
|
||||||
|
+ if (elemDecl->subtypes == NULL) {
|
||||||
|
+ if (substHead->subtypes == NULL) {
|
||||||
|
+ /*
|
||||||
|
+ * This can happen with self-referencing substitution
|
||||||
|
+ * groups. The cycle will be detected later, but we have
|
||||||
|
+ * to set subtypes to avoid null-pointer dereferences.
|
||||||
|
+ */
|
||||||
|
+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
|
||||||
|
+ XML_SCHEMAS_ANYTYPE);
|
||||||
|
+ } else {
|
||||||
|
+ elemDecl->subtypes = substHead->subtypes;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
Normal file
74
SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Fri, 7 Apr 2023 11:46:35 +0200
|
||||||
|
Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
|
||||||
|
|
||||||
|
Fix a null pointer dereference when parsing (invalid) XML schemas.
|
||||||
|
|
||||||
|
Thanks to Robby Simpson for the report!
|
||||||
|
|
||||||
|
Fixes #491.
|
||||||
|
---
|
||||||
|
result/schemas/issue491_0_0.err | 1 +
|
||||||
|
test/schemas/issue491_0.xml | 1 +
|
||||||
|
test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
|
||||||
|
xmlschemas.c | 2 +-
|
||||||
|
4 files changed, 21 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 result/schemas/issue491_0_0.err
|
||||||
|
create mode 100644 test/schemas/issue491_0.xml
|
||||||
|
create mode 100644 test/schemas/issue491_0.xsd
|
||||||
|
|
||||||
|
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..9b2bb969
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/result/schemas/issue491_0_0.err
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
|
||||||
|
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..e2b2fc2e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/schemas/issue491_0.xml
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+<Child xmlns="http://www.test.com">5</Child>
|
||||||
|
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..81702649
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/schemas/issue491_0.xsd
|
||||||
|
@@ -0,0 +1,18 @@
|
||||||
|
+<?xml version='1.0' encoding='UTF-8'?>
|
||||||
|
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
|
||||||
|
+ <xs:complexType name="BaseType">
|
||||||
|
+ <xs:simpleContent>
|
||||||
|
+ <xs:extension base="xs:int" />
|
||||||
|
+ </xs:simpleContent>
|
||||||
|
+ </xs:complexType>
|
||||||
|
+ <xs:complexType name="ChildType">
|
||||||
|
+ <xs:complexContent>
|
||||||
|
+ <xs:extension base="BaseType">
|
||||||
|
+ <xs:sequence>
|
||||||
|
+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
|
||||||
|
+ </xs:sequence>
|
||||||
|
+ </xs:extension>
|
||||||
|
+ </xs:complexContent>
|
||||||
|
+ </xs:complexType>
|
||||||
|
+ <xs:element name="Child" type="ChildType" />
|
||||||
|
+</xs:schema>
|
||||||
|
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||||
|
index 152b7c3f..eec24a95 100644
|
||||||
|
--- a/xmlschemas.c
|
||||||
|
+++ b/xmlschemas.c
|
||||||
|
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
|
||||||
|
"allowed to appear inside other model groups",
|
||||||
|
NULL, NULL);
|
||||||
|
|
||||||
|
- } else if (! dummySequence) {
|
||||||
|
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
|
||||||
|
xmlSchemaTreeItemPtr effectiveContent =
|
||||||
|
(xmlSchemaTreeItemPtr) type->subtypes;
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
42
SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
Normal file
42
SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
||||||
|
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
||||||
|
deterministic
|
||||||
|
|
||||||
|
When hashing empty strings which aren't null-terminated,
|
||||||
|
xmlDictComputeFastKey could produce inconsistent results. This could
|
||||||
|
lead to various logic or memory errors, including double frees.
|
||||||
|
|
||||||
|
For consistency the seed is also taken into account, but this shouldn't
|
||||||
|
have an impact on security.
|
||||||
|
|
||||||
|
Found by OSS-Fuzz.
|
||||||
|
|
||||||
|
Fixes #510.
|
||||||
|
|
||||||
|
Incorporates change from commit
|
||||||
|
09a2dd453007f9c7205274623acdd73747c22d64.
|
||||||
|
---
|
||||||
|
dict.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dict.c b/dict.c
|
||||||
|
index 0ef3718d..5e84cfca 100644
|
||||||
|
--- a/dict.c
|
||||||
|
+++ b/dict.c
|
||||||
|
@@ -444,8 +444,9 @@ static unsigned long
|
||||||
|
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
||||||
|
unsigned long value = seed;
|
||||||
|
|
||||||
|
- if (name == NULL) return(0);
|
||||||
|
- value = *name;
|
||||||
|
+ if ((name == NULL) || (namelen <= 0))
|
||||||
|
+ return(value);
|
||||||
|
+ value += *name;
|
||||||
|
value <<= 5;
|
||||||
|
if (namelen > 10) {
|
||||||
|
value += name[namelen - 1];
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
29
SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
Normal file
29
SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Sat, 14 Oct 2023 22:45:54 +0200
|
||||||
|
Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
|
||||||
|
backtracking
|
||||||
|
|
||||||
|
Fixes a use-after-free if XML Reader if used with DTD validation and
|
||||||
|
XInclude expansion.
|
||||||
|
|
||||||
|
Fixes #604.
|
||||||
|
---
|
||||||
|
xmlreader.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/xmlreader.c b/xmlreader.c
|
||||||
|
index 34c4c6bc..8f2f9131 100644
|
||||||
|
--- a/xmlreader.c
|
||||||
|
+++ b/xmlreader.c
|
||||||
|
@@ -1511,6 +1511,7 @@ node_found:
|
||||||
|
* Handle XInclude if asked for
|
||||||
|
*/
|
||||||
|
if ((reader->xinclude) && (reader->node != NULL) &&
|
||||||
|
+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
|
||||||
|
(reader->node->type == XML_ELEMENT_NODE) &&
|
||||||
|
(reader->node->ns != NULL) &&
|
||||||
|
((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
Name: libxml2
|
Name: libxml2
|
||||||
Version: 2.9.7
|
Version: 2.9.7
|
||||||
Release: 16%{?dist}
|
Release: 18%{?dist}.1
|
||||||
Summary: Library providing XML and HTML support
|
Summary: Library providing XML and HTML support
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -56,6 +56,14 @@ Patch18: libxml2-2.9.7-CVE-2016-3709.patch
|
|||||||
Patch19: libxml2-2.9.7-CVE-2022-40303.patch
|
Patch19: libxml2-2.9.7-CVE-2022-40303.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2136568
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2136568
|
||||||
Patch20: libxml2-2.9.7-CVE-2022-40304.patch
|
Patch20: libxml2-2.9.7-CVE-2022-40304.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2186692
|
||||||
|
Patch21: libxml2-2.9.13-CVE-2023-28484.patch
|
||||||
|
Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch
|
||||||
|
Patch23: libxml2-2.9.7-CVE-2023-29469.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-5179
|
||||||
|
Patch24: libxml2-2.11.0-fix-CVE-2023-39615.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-31056
|
||||||
|
Patch25: libxml2-2.9.7-CVE-2024-25062.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: cmake-rpm-macros
|
BuildRequires: cmake-rpm-macros
|
||||||
@ -227,6 +235,16 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
|||||||
%{python3_sitearch}/libxml2mod.so
|
%{python3_sitearch}/libxml2mod.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 29 2024 David King <amigadave@amigadave.com> - 2.9.7-18.1
|
||||||
|
- Fix CVE-2024-25062 (RHEL-31056)
|
||||||
|
|
||||||
|
* Thu Sep 14 2023 David King <amigadave@amigadave.com> - 2.9.7-18
|
||||||
|
- Fix CVE-2023-39615 (RHEL-5179)
|
||||||
|
|
||||||
|
* Fri Jul 14 2023 David King <amigadave@amigadave.com> - 2.9.7-17
|
||||||
|
- Fix CVE-2023-28484 (#2186692)
|
||||||
|
- Fix CVE-2023-29469 (#2186692)
|
||||||
|
|
||||||
* Wed Nov 02 2022 David King <dking@redhat.com> - 2.9.7-16
|
* Wed Nov 02 2022 David King <dking@redhat.com> - 2.9.7-16
|
||||||
- Fix CVE-2022-40303 (#2136563)
|
- Fix CVE-2022-40303 (#2136563)
|
||||||
- Fix CVE-2022-40304 (#2136568)
|
- Fix CVE-2022-40304 (#2136568)
|
||||||
|
Loading…
Reference in New Issue
Block a user