diff --git a/backport-CVE-2024-25062.patch b/backport-CVE-2024-25062.patch
new file mode 100644
index 0000000000000000000000000000000000000000..88e3e356d2547e7769618ecb9d45243674db2c5d
--- /dev/null
+++ b/backport-CVE-2024-25062.patch
@@ -0,0 +1,29 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+-- 
+GitLab
+
diff --git a/backport-CVE-2024-34459.patch b/backport-CVE-2024-34459.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bed5dcd7e959564a5004c17e310808a48e279424
--- /dev/null
+++ b/backport-CVE-2024-34459.patch
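Review bot: The backport touches only xmlreader.c (`1 file changed, 1 insertion(+)`), so the `make runtests` run in this spec's %check does not exercise the backtracking-with-XInclude path the new `(reader->state != XML_TEXTREADER_BACKTRACK) &&` term protects, and a future rebase that drops or mis-merges the hunk would go unnoticed. Consider carrying the reproducer from upstream issue #604 (named in the patch header) as a regression test alongside the patch, or at least recording in the package how the fix was verified. The `if` condition continues past the end of the hunk and the enclosing reader function begins and ends outside it.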
@@ -0,0 +1,26 @@
+From 2876ac5392a4e891b81e40e592c3ac6cb46016ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Fri, 17 May 2024 08:50:50 +0800
+Subject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
+
+Add a missing bounds check.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 398670b..3f4bfb2 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -559,7 +559,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
+ len = strlen(buffer);
+ snprintf(&buffer[len], sizeof(buffer) - len, "\n");
+ cur = input->cur;
+- while ((*cur == '\n') || (*cur == '\r'))
++ while ((cur > base) && ((*cur == '\n') || (*cur == '\r')))
+ cur--;
+ n = 0;
+ while ((cur != base) && (n++ < 80)) {
+-- 
+2.33.0
+
diff --git a/backport-CVE-2024-40896.patch b/backport-CVE-2024-40896.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9fddd1ec7cd2aa0b6bddafecd4836a46cf45dc78
--- /dev/null
+++ b/backport-CVE-2024-40896.patch
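Review bot: This backport ends with a `2.33.0` git-format-patch trailer rather than the `GitLab` trailer the other two patches carry, which suggests it was regenerated locally instead of exported from upstream; the `From 2876ac53…` hash should be checked against the upstream commit so the provenance of a CVE fix stays verifiable. The code change itself is the expected lower-bound guard: `while ((cur > base) && ((*cur == '\n') || (*cur == '\r')))` stops the backward scan over trailing newlines at `base`, consistent with the `cur != base` test in the loop that follows. `xmlHTMLPrintFileContext` begins and ends outside the hunk, so the origin of `base` is not visible here.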
@@ -0,0 +1,37 @@
+From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 4feb21a28..8fe0a064d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+
++ /*
++ * Some users try to parse entities on their own and used to set
++ * the renamed "checked" member. Fix the flags to cover this
++ * case.
++ */
++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++ ent->flags |= XML_ENT_PARSED;
++
+ /*
+ * The first reference to the entity trigger a parsing phase
+ * where the ent->children is filled with the result from
+-- 
+GitLab
+
diff --git a/libxml2-2.11.5.tar.xz b/libxml2-2.11.5.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..578d7a09247404650198dd977d6fda2bf82a0722
Binary files /dev/null and b/libxml2-2.11.5.tar.xz differ
diff --git a/libxml2-2.11.9.tar.xz b/libxml2-2.11.9.tar.xz
deleted file mode 100644
index 669db75f6cf52320abe4e93e9cbc0115f1b28c93..0000000000000000000000000000000000000000
Binary files a/libxml2-2.11.9.tar.xz and /dev/null differ
diff --git a/libxml2.spec b/libxml2.spec
index eb337125ce82cef0e81867095f286d66f315fae8..4937c27ba08f7da544a4b5372a7efd05636d61d3 100644
--- a/libxml2.spec
+++ b/libxml2.spec
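Review bot: The added block only works if the 2.11.5 tree this spec now builds already has the `flags` member and the `XML_ENT_PARSED` bit that the patch message says replaced `checked`; if that rename landed later, the hunk either fails to apply or the identifiers are undefined, so the build with Patch6 applied should be confirmed before the changelog's CVE-2024-40896 claim is relied on. The `ent->children != NULL` test treats any children a getEntity callback pre-populated as "already parsed", which is precisely the downstream contract the message describes, so the logic matches the stated intent. `xmlParseReference` begins and ends outside the hunk.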
@@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 -Version: 2.11.9 -Release: 1 +Version: 2.11.5 +Release: 4 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz @@ -10,7 +10,11 @@ Patch0: libxml2-multilib.patch Patch1: backport-CVE-2023-45322.patch Patch2: backport-xpath-Remove-remaining-references-to-valueFrame.patch Patch3: backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch +Patch4: backport-CVE-2024-25062.patch +Patch5: backport-CVE-2024-34459.patch +Patch6: backport-CVE-2024-40896.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel BuildRequires: zlib-devel BuildRequires: pkgconfig @@ -102,12 +106,21 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/* gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %check -%make_build runtests +make runtests (cd doc/examples ; make clean ; rm -rf .deps Makefile) +%clean +rm -fr %{buildroot} + + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig %files +%defattr(-, root, root) + %doc %{_datadir}/doc/libxml2 %{_libdir}/lib*.so.* @@ -115,6 +128,8 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{_bindir}/xmlcatalog %files devel +%defattr(-, root, root) + %doc NEWS README.md Copyright %doc doc/tutorial doc/libxml2-api.xml.gz %doc doc/examples @@ -134,6 +149,8 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{_libdir}/*.a %files -n python3-%{name} +%defattr(-, root, root) + %{python3_sitearch}/libxml2mod.so %{python3_sitelib}/*.py %{python3_sitelib}/__pycache__/*.pyc @@ -147,9 +164,6 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %changelog -* Tue Jul 30 2024 Funda Wang - 2.11.9-1 -- update to 2.11.9 - * Mon Jul 29 2024 Funda Wang - 2.11.5-4 - Type:CVE - CVE:CVE-2024-40896
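Review bot: Moving `Version:` from 2.11.9 back to 2.11.5 while carrying only Patch4–Patch6 removes every other upstream change between those two releases from the package, and nothing in the diff records why the downgrade is wanted. The %changelog hunk at the end of this file compounds that by deleting the `2.11.9-1 - update to 2.11.9` entry instead of adding one, so the revert leaves no trace in the package history; if the intent is genuinely to return to the previously shipped 2.11.5-4 state, a short changelog line explaining the revert (or a `2.11.5-5` entry with a Release bump if the payload differs) would keep the record honest. The `Release: 4` line suggests this reproduces the earlier 2.11.5-4 build exactly, but that is an inference from the retained changelog entry, not something the diff proves.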
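Review bot: Patch4–Patch6 are declared here but the `%prep` section is outside this diff, so it is not visible whether they are actually applied: `%autosetup -p1` would pick them up automatically, whereas an explicit `%patch0` … `%patch3` list would silently skip them while the changelog still claims the three CVE fixes — check `rpmbuild -bp` output or the build log for the three patch names. `BuildRoot:` in this hunk, and the `%clean` section and the `%defattr(-, root, root)` lines in the three %files hunks below, are no-ops on current rpm; they return with the revert, but could be dropped the next time the spec is edited.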