6 changed files with 1 additions and 267 deletions
--- a/SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
+++ b/SOURCES/libxml2-2.11.0-fix-CVE-2023-39615.patch
@ -1,32 +0,0 @@
 From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Sat, 6 May 2023 17:47:37 +0200
 Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
 For some reason, xmlCtxtUseOptionsInternal set the start and end element
 SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
 was specified. This means that custom SAX handlers could never work with
 that flag because these functions would receive the wrong user data
 argument and crash immediately.
 Fixes #535.
 ---
 parser.c | 2 --
 1 file changed, 2 deletions(-)
 diff --git a/parser.c b/parser.c
 index bb05791d3..0c8bed129 100644
 --- a/parser.c
 +++ b/parser.c
@@ -14479,8 +14479,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
     }
 #ifdef LIBXML_SAX1_ENABLED
     if (options & XML_PARSE_SAX1) {
 -        ctxt->sax->startElement = xmlSAX2StartElement;
 -        ctxt->sax->endElement = xmlSAX2EndElement;
         ctxt->sax->startElementNs = NULL;
         ctxt->sax->endElementNs = NULL;
         ctxt->sax->initialized = 1;
 -- 
 GitLab
--- a/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
+++ b/SOURCES/libxml2-2.9.13-CVE-2023-28484.2.patch
@ -1,71 +0,0 @@
 From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Tue, 13 Sep 2022 16:40:31 +0200
 Subject: [PATCH] schemas: Fix null-pointer-deref in
 xmlSchemaCheckCOSSTDerivedOK
 Found by OSS-Fuzz.
 ---
 result/schemas/oss-fuzz-51295_0_0.err |  2 ++
 test/schemas/oss-fuzz-51295_0.xml     |  1 +
 test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
 xmlschemas.c                          | 15 +++++++++++++--
 4 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
 create mode 100644 test/schemas/oss-fuzz-51295_0.xml
 create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
 diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
 new file mode 100644
 index 00000000..1e89524f
 --- /dev/null
 +++ b/result/schemas/oss-fuzz-51295_0_0.err
@@ -0,0 +1,2 @@
 +./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
 +./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
 diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
 new file mode 100644
 index 00000000..10a7e703
 --- /dev/null
 +++ b/test/schemas/oss-fuzz-51295_0.xml
@@ -0,0 +1 @@
 +<e/>
 diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
 new file mode 100644
 index 00000000..fde96af5
 --- /dev/null
 +++ b/test/schemas/oss-fuzz-51295_0.xsd
@@ -0,0 +1,4 @@
 +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
 +    <xs:element name="e" substitutionGroup="e"/>
 +    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
 +</xs:schema>
 diff --git a/xmlschemas.c b/xmlschemas.c
 index f31d3d1f..152b7c3f 100644
 --- a/xmlschemas.c
 +++ b/xmlschemas.c
@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
 	    * declaration `resolved` to by the `actual value`
 	    * of the substitutionGroup [attribute], if present"
 	    */
 -	    if (elemDecl->subtypes == NULL)
 -		elemDecl->subtypes = substHead->subtypes;
 +	    if (elemDecl->subtypes == NULL) {
 +                if (substHead->subtypes == NULL) {
 +                    /*
 +                     * This can happen with self-referencing substitution
 +                     * groups. The cycle will be detected later, but we have
 +                     * to set subtypes to avoid null-pointer dereferences.
 +                     */
 +	            elemDecl->subtypes = xmlSchemaGetBuiltInType(
 +                            XML_SCHEMAS_ANYTYPE);
 +                } else {
 +		    elemDecl->subtypes = substHead->subtypes;
 +                }
 +            }
 	}
     }
     /*
 -- 
 GitLab
--- a/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
+++ b/SOURCES/libxml2-2.9.13-CVE-2023-28484.patch
@ -1,74 +0,0 @@
 From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Fri, 7 Apr 2023 11:46:35 +0200
 Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
 Fix a null pointer dereference when parsing (invalid) XML schemas.
 Thanks to Robby Simpson for the report!
 Fixes #491.
 ---
 result/schemas/issue491_0_0.err |  1 +
 test/schemas/issue491_0.xml     |  1 +
 test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
 xmlschemas.c                    |  2 +-
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 result/schemas/issue491_0_0.err
 create mode 100644 test/schemas/issue491_0.xml
 create mode 100644 test/schemas/issue491_0.xsd
 diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
 new file mode 100644
 index 00000000..9b2bb969
 --- /dev/null
 +++ b/result/schemas/issue491_0_0.err
@@ -0,0 +1 @@
 +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
 diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
 new file mode 100644
 index 00000000..e2b2fc2e
 --- /dev/null
 +++ b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
 +<Child xmlns="http://www.test.com">5</Child>
 diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
 new file mode 100644
 index 00000000..81702649
 --- /dev/null
 +++ b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
 +<?xml version='1.0' encoding='UTF-8'?>
 +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
 +  <xs:complexType name="BaseType">
 +    <xs:simpleContent>
 +      <xs:extension base="xs:int" />
 +    </xs:simpleContent>
 +  </xs:complexType>
 +  <xs:complexType name="ChildType">
 +    <xs:complexContent>
 +      <xs:extension base="BaseType">
 +        <xs:sequence>
 +          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
 +        </xs:sequence>
 +      </xs:extension>
 +    </xs:complexContent>
 +  </xs:complexType>
 +  <xs:element name="Child" type="ChildType" />
 +</xs:schema>
 diff --git a/xmlschemas.c b/xmlschemas.c
 index 152b7c3f..eec24a95 100644
 --- a/xmlschemas.c
 +++ b/xmlschemas.c
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
 			"allowed to appear inside other model groups",
 			NULL, NULL);
 -		} else if (! dummySequence) {
 +		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
 		    xmlSchemaTreeItemPtr effectiveContent =
 			(xmlSchemaTreeItemPtr) type->subtypes;
 		    /*
 -- 
 GitLab
--- a/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
+++ b/SOURCES/libxml2-2.9.7-CVE-2023-29469.patch
@ -1,42 +0,0 @@
 From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Fri, 7 Apr 2023 11:49:27 +0200
 Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
 deterministic
 When hashing empty strings which aren't null-terminated,
 xmlDictComputeFastKey could produce inconsistent results. This could
 lead to various logic or memory errors, including double frees.
 For consistency the seed is also taken into account, but this shouldn't
 have an impact on security.
 Found by OSS-Fuzz.
 Fixes #510.
 Incorporates change from commit
 09a2dd453007f9c7205274623acdd73747c22d64.
 ---
 dict.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/dict.c b/dict.c
 index 0ef3718d..5e84cfca 100644
 --- a/dict.c
 +++ b/dict.c
@@ -444,8 +444,9 @@ static unsigned long
 xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
     unsigned long value = seed;
 -    if (name == NULL) return(0);
 -    value = *name;
 +    if ((name == NULL) || (namelen <= 0))
 +        return(value);
 +    value += *name;
     value <<= 5;
     if (namelen > 10) {
         value += name[namelen - 1];
 -- 
 2.41.0
--- a/SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
+++ b/SOURCES/libxml2-2.9.7-CVE-2024-25062.patch
@ -1,29 +0,0 @@
 From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Sat, 14 Oct 2023 22:45:54 +0200
 Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
 backtracking
 Fixes a use-after-free if XML Reader if used with DTD validation and
 XInclude expansion.
 Fixes #604.
 ---
 xmlreader.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/xmlreader.c b/xmlreader.c
 index 34c4c6bc..8f2f9131 100644
 --- a/xmlreader.c
 +++ b/xmlreader.c
@@ -1511,6 +1511,7 @@ node_found:
      * Handle XInclude if asked for
      */
     if ((reader->xinclude) && (reader->node != NULL) &&
 +        (reader->state != XML_TEXTREADER_BACKTRACK) &&
 	(reader->node->type == XML_ELEMENT_NODE) &&
 	(reader->node->ns != NULL) &&
 	((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
 -- 
 2.44.0
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@ -7,7 +7,7 @@
 Name:           libxml2
 Version:        2.9.7
-Release:        18%{?dist}.1
+Release:        16%{?dist}
 Summary:        Library providing XML and HTML support
 License:        MIT
@ -56,14 +56,6 @@ Patch18:        libxml2-2.9.7-CVE-2016-3709.patch
 Patch19:        libxml2-2.9.7-CVE-2022-40303.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2136568
 Patch20:        libxml2-2.9.7-CVE-2022-40304.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2186692
 Patch21:         libxml2-2.9.13-CVE-2023-28484.patch
 Patch22:         libxml2-2.9.13-CVE-2023-28484.2.patch
 Patch23:         libxml2-2.9.7-CVE-2023-29469.patch
 # https://issues.redhat.com/browse/RHEL-5179
 Patch24:         libxml2-2.11.0-fix-CVE-2023-39615.patch
 # https://issues.redhat.com/browse/RHEL-31056
 Patch25:         libxml2-2.9.7-CVE-2024-25062.patch
 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
@ -235,16 +227,6 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 %changelog
 * Mon Apr 29 2024 David King <amigadave@amigadave.com> - 2.9.7-18.1
 - Fix CVE-2024-25062 (RHEL-31056)
 * Thu Sep 14 2023 David King <amigadave@amigadave.com> - 2.9.7-18
 - Fix CVE-2023-39615 (RHEL-5179)
 * Fri Jul 14 2023 David King <amigadave@amigadave.com> - 2.9.7-17
 - Fix CVE-2023-28484 (#2186692)
 - Fix CVE-2023-29469 (#2186692)
 * Wed Nov 02 2022 David King <dking@redhat.com> - 2.9.7-16
 - Fix CVE-2022-40303 (#2136563)
 - Fix CVE-2022-40304 (#2136568)