diff --git a/SOURCES/0001-resource-leaks.patch b/SOURCES/0001-resource-leaks.patch new file mode 100644 index 0000000..06bcf63 --- /dev/null +++ b/SOURCES/0001-resource-leaks.patch @@ -0,0 +1,88 @@ +diff -up xmlsec1-1.2.25/src/c14n.c.orig xmlsec1-1.2.25/src/c14n.c +--- xmlsec1-1.2.25/src/c14n.c.orig 2017-09-12 15:21:09.000000000 +0200 ++++ xmlsec1-1.2.25/src/c14n.c 2024-05-14 09:55:35.800202266 +0200 +@@ -228,7 +228,10 @@ xmlSecTransformC14NPushXml(xmlSecTransfo + /* we are using a semi-hack here: we know that xmlSecPtrList keeps + * all pointers in the big array */ + nsList = xmlSecTransformC14NGetNsList(transform); +- xmlSecAssert2(xmlSecPtrListCheckId(nsList, xmlSecStringListId), -1); ++ if (! xmlSecPtrListCheckId(nsList, xmlSecStringListId)) { ++ xmlOutputBufferClose(buf); ++ xmlSecAssert2(0, -1); ++ }; + + ret = xmlSecTransformC14NExecute(transform->id, nodes, (xmlChar**)(nsList->data), buf); + if(ret < 0) { +@@ -292,7 +295,10 @@ xmlSecTransformC14NPopBin(xmlSecTransfor + /* we are using a semi-hack here: we know that xmlSecPtrList keeps + * all pointers in the big array */ + nsList = xmlSecTransformC14NGetNsList(transform); +- xmlSecAssert2(xmlSecPtrListCheckId(nsList, xmlSecStringListId), -1); ++ if (! xmlSecPtrListCheckId(nsList, xmlSecStringListId)) { ++ xmlOutputBufferClose(buf); ++ xmlSecAssert2(0, -1); ++ } + + ret = xmlSecTransformC14NExecute(transform->id, transform->inNodes, (xmlChar**)(nsList->data), buf); + if(ret < 0) { +@@ -732,4 +738,3 @@ xmlSecTransformId + xmlSecTransformRemoveXmlTagsC14NGetKlass(void) { + return(&xmlSecTransformRemoveXmlTagsC14NKlass); + } +- +diff -up xmlsec1-1.2.25/src/gcrypt/asymkeys.c.orig xmlsec1-1.2.25/src/gcrypt/asymkeys.c +--- xmlsec1-1.2.25/src/gcrypt/asymkeys.c.orig 2017-09-12 15:21:09.000000000 +0200 ++++ xmlsec1-1.2.25/src/gcrypt/asymkeys.c 2024-05-14 09:55:35.801202265 +0200 +@@ -186,6 +186,9 @@ xmlSecGCryptAsymKeyDataAdoptKey(xmlSecKe + pub_key = NULL; /* data owns it now */ + priv_key = NULL; /* data owns it now */ + ++ /* Adopt functions assume ownership thus the caller would expect this to be released */ ++ gcry_sexp_release(key_pair); ++ + /* success */ + res = 0; + +diff -up xmlsec1-1.2.25/src/parser.c.orig xmlsec1-1.2.25/src/parser.c +--- xmlsec1-1.2.25/src/parser.c.orig 2017-09-12 15:21:09.000000000 +0200 ++++ xmlsec1-1.2.25/src/parser.c 2024-05-14 09:55:35.802202264 +0200 +@@ -354,7 +354,6 @@ xmlDocPtr + xmlSecParseFile(const char *filename) { + xmlParserCtxtPtr ctxt; + xmlDocPtr res = NULL; +- char *directory = NULL; + int ret; + + xmlSecAssert2(filename != NULL, NULL); +@@ -371,23 +370,15 @@ xmlSecParseFile(const char *filename) { + /* crashes on x64 xmlCtxtUseOptions (ctxt, XML_PARSE_HUGE); */ + + /* todo: set directories from current doc? */ +- if ((ctxt->directory == NULL) && (directory == NULL)) { +- directory = xmlParserGetDirectory(filename); +- if(directory == NULL) { ++ if (ctxt->directory == NULL) { ++ ctxt->directory = xmlParserGetDirectory(filename); ++ if(ctxt->directory == NULL) { + xmlSecXmlError2("xmlParserGetDirectory", NULL, + "filename=%s", xmlSecErrorsSafeString(filename)); + xmlFreeParserCtxt(ctxt); + return(NULL); + } + } +- if ((ctxt->directory == NULL) && (directory != NULL)) { +- ctxt->directory = (char *) xmlStrdup(BAD_CAST directory); +- if(ctxt->directory == NULL) { +- xmlSecStrdupError(BAD_CAST directory, NULL); +- xmlFreeParserCtxt(ctxt); +- return(NULL); +- } +- } + + /* required for c14n! */ + ctxt->loadsubset = XML_DETECT_IDS | XML_COMPLETE_ATTRS; +@@ -547,4 +538,3 @@ xmlSecParseMemory(const xmlSecByte *buff + xmlFreeParserCtxt(ctxt); + return(res); + } +- diff --git a/SPECS/xmlsec1.spec b/SPECS/xmlsec1.spec index 9d32888..ddacd16 100644 --- a/SPECS/xmlsec1.spec +++ b/SPECS/xmlsec1.spec @@ -1,7 +1,7 @@ Summary: Library providing support for "XML Signature" and "XML Encryption" standards Name: xmlsec1 Version: 1.2.25 -Release: 4%{?dist}%{?extra_release} +Release: 8%{?dist}%{?extra_release} License: MIT Source0: http://www.aleksey.com/xmlsec/download/xmlsec1-%{version}.tar.gz URL: http://www.aleksey.com/xmlsec/ @@ -18,7 +18,7 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: gettext-devel BuildRequires: libtool - +Patch0: 0001-resource-leaks.patch Patch1: xmlSecOpenSSLX509DataNodeRead-error.patch %description @@ -70,6 +70,7 @@ Libraries, includes, etc. for developing XML Security applications with GCrypt. %package gnutls Summary: GNUTls crypto plugin for XML Security Library Requires: xmlsec1%{?_isa} = %{version}-%{release} +Requires: xmlsec1-gcrypt%{?_isa} = %{version}-%{release} %description gnutls GNUTls plugin for XML Security Library provides GNUTls based crypto services @@ -102,8 +103,7 @@ Requires: xmlsec1-nss%{?_isa} = %{version}-%{release} Libraries, includes, etc. for developing XML Security applications with NSS. %prep -%setup -q -%patch1 -p1 +%autosetup -p1 %build autoreconf -vfi @@ -180,6 +180,22 @@ mv %{buildroot}%{_docdir}/xmlsec1/* __tmp_doc %{_libdir}/pkgconfig/xmlsec1-nss.pc %changelog +* Fri May 31 2024 Tomas Halman - 1.2.25-8 +- Add gating tests + Related: RHEL-36185 + +* Mon May 20 2024 Tomas Halman - 1.2.25-7 +- Fix adopt function the same way as in upstream + Related: RHEL-36185 + +* Fri May 17 2024 Tomas Halman - 1.2.25-6 +- Add xmlsec1-gnutls dependency on xmlsec1-gcrypt + Related: RHEL-36185 + +* Mon May 13 2024 Tomas Halman - 1.2.25-5 +- Fix memory leaks found by SAST + Resolves: RHEL-36185 + * Thu Apr 12 2018 John Dennis - 1.2.25-4 - Resolves: rhbz#1566748 xmlSecOpenSSLX509DataNodeRead fails to return error