From 5463c1089e6641ae98ee2392c611be3ca1029732 Mon Sep 17 00:00:00 2001
From: "@ran-zhao-yu"
Date: Mon, 18 Nov 2024 10:02:17 +0800
Subject: [PATCH] =?UTF-8?q?45322=E4=BA=8C=E6=AC=A1=E4=BF=AE=E8=A1=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: @ran-zhao-yu
---
 Fix-CVE-2023-45322-first.patch | 50 +++++++++++++
 ...atch.patch => Fix-CVE-2023-45322-pre.patch | 6 +-
 Fix-CVE-2023-45322-second.patch | 42 +++++++++++
 Fix-CVE-2023-45322.patch | 74 -------------------
 install.py | 5 +-
 5 files changed, 98 insertions(+), 79 deletions(-)
 create mode 100644 Fix-CVE-2023-45322-first.patch
 rename Fix-CVE-2023-45322-pre-patch.patch => Fix-CVE-2023-45322-pre.patch (85%)
 mode change 100755 => 100644
 create mode 100644 Fix-CVE-2023-45322-second.patch
 delete mode 100755 Fix-CVE-2023-45322.patch
diff --git a/Fix-CVE-2023-45322-first.patch b/Fix-CVE-2023-45322-first.patch
new file mode 100644
index 0000000..482840a
--- /dev/null
+++ b/Fix-CVE-2023-45322-first.patch
@@ -0,0 +1,50 @@
+From 30d7660ba87c8487b26582ccc050f4d2880ccb3c Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 28 Nov 2023 13:27:25 +0100
+Subject: [PATCH] tree: Fix #583 again
+
+Only set doc->intSubset after successful copy to avoid dangling pointers
+in error case.
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 5a9c24d1b..35dabb97c 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4378,6 +4378,7 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++ xmlDtdPtr newSubset = NULL;
+
+ while (node != NULL) {
+ #ifdef LIBXML_TREE_ENABLED
+@@ -4385,12 +4386,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ node = node->next;
+ continue;
+ }
+- if (doc->intSubset == NULL) {
++ if ((doc->intSubset == NULL) && (newSubset == NULL)) {
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+- doc->intSubset = (xmlDtdPtr) q;
++ newSubset = (xmlDtdPtr) q;
+ xmlAddChild(parent, q);
+ } else {
+ q = (xmlNodePtr) doc->intSubset;
+@@ -4411,6 +4412,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ node = node->next;
+ }
++ if ((doc != NULL) && (newSubset != NULL))
++ doc->intSubset = newSubset;
+ return(ret);
+ error:
+ xmlFreeNodeList(ret);
+--
+GitLab
+
diff --git a/Fix-CVE-2023-45322-pre-patch.patch b/Fix-CVE-2023-45322-pre.patch
old mode 100755
new mode 100644
similarity index 85%
rename from Fix-CVE-2023-45322-pre-patch.patch
rename to Fix-CVE-2023-45322-pre.patch
index e80a8ea..c5d0e6e
--- a/Fix-CVE-2023-45322-pre-patch.patch
+++ b/Fix-CVE-2023-45322-pre.patch
@@ -12,7 +12,7 @@ diff --git a/tree.c b/tree.c
 index 507869efe..647288ce3 100644
 --- a/tree.c
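Review bot: Swapping the removed Fix-CVE-2023-45322.patch for this file and the -second one silently drops one part of that fix, the `#else` / `node = node->next; continue;` branch that skipped DTD nodes when LIBXML_TREE_ENABLED is not defined, so in such a build a DTD node still falls through to xmlStaticCopyNode as before. That is presumably acceptable if this package always builds the tree module, but neither the MIME-encoded subject nor the body (only a sign-off) says why the d39f78 backport was replaced by the 30d7660/502971cc pair, which upstream branch they come from, or that the #else hardening is knowingly omitted; a few lines in the commit message would spare the next maintainer a re-diff. One behaviour corner of the nested hunk also deserves a comment: since `newSubset` is only published to `doc->intSubset` after the loop, a list holding a second DTD node takes the `else` branch with `doc->intSubset` still NULL, so `q` is NULL and the copy appears to be rejected by the q == NULL check that the -pre patch converts to `goto error` rather than linking the copy twice — likely intended, but `/* second DTD in the list: intSubset is not set until after the loop, so this copy is rejected below */` on the else branch would make it explicit. xmlStaticCopyNodeList starts at this hunk's first context lines and its tail runs past the hunk.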
 +++ b/tree.c
-@@ -4380,7 +4380,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+@@ -4388,7 +4388,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 }
 if (doc->intSubset == NULL) {
 q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
@@ -21,7 +21,7 @@ index 507869efe..647288ce3 100644
 q->doc = doc;
 q->parent = parent;
 doc->intSubset = (xmlDtdPtr) q;
-@@ -4392,7 +4392,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+@@ -4400,7 +4400,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 } else
 #endif /* LIBXML_TREE_ENABLED */
 q = xmlStaticCopyNode(node, doc, parent, 1);
@@ -30,7 +30,7 @@ index 507869efe..647288ce3 100644
 if (ret == NULL) {
 q->prev = NULL;
 ret = p = q;
-@@ -4405,6 +4405,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+@@ -4413,6 +4413,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 node = node->next;
 }
 return(ret);
diff --git a/Fix-CVE-2023-45322-second.patch b/Fix-CVE-2023-45322-second.patch
new file mode 100644
index 0000000..53adbe8
--- /dev/null
+++ b/Fix-CVE-2023-45322-second.patch
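Review bot: The only content change in this hunk and the two that follow it is shifting the nested hunk headers by +8 lines (4380→4388, 4392→4400, 4405→4413), presumably because Fix-CVE-2023-25062.patch, which the install.py hunk now applies first, adds eight lines earlier in tree.c; that hard-wires an ordering dependency without recording it anywhere. GNU patch and git apply normally accept an offset when the context lines still match, so the renumbering is likely a no-op for the tooling while the reorder in install.py is what actually matters; state the dependency in the commit message and beside the list in install.py, e.g. `# Fix-CVE-2023-45322-*.patch are rebased on top of Fix-CVE-2023-25062.patch; keep this order`. The nested tree.c hunks themselves extend beyond what this hunk shows.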
@@ -0,0 +1,42 @@
+From 502971cc23e0ebb2677124b41b70c321c6dd5c02 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Fri, 1 Dec 2023 17:49:48 +0100
+Subject: [PATCH] tree: Another fix related to #538
+
+Should fix #639.
+---
+ tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tree.c b/tree.c
+index 35dabb97c..dc3ac4f92 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4379,6 +4379,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
+ xmlDtdPtr newSubset = NULL;
++ int linkedSubset = 0;
+
+ while (node != NULL) {
+ #ifdef LIBXML_TREE_ENABLED
+@@ -4395,6 +4396,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ newSubset = (xmlDtdPtr) q;
+ xmlAddChild(parent, q);
+ } else {
++ linkedSubset = 1;
+ q = (xmlNodePtr) doc->intSubset;
+ xmlAddChild(parent, q);
+ }
+@@ -4417,6 +4419,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ doc->intSubset = newSubset;
+ return(ret);
+ error:
++ if (linkedSubset != 0)
++ xmlUnlinkNode((xmlNodePtr) doc->intSubset);
+ xmlFreeNodeList(ret);
+ return(NULL);
+ }
+--
+GitLab
+
diff --git a/Fix-CVE-2023-45322.patch b/Fix-CVE-2023-45322.patch
deleted file mode 100755
index 44cb26b..0000000
--- a/Fix-CVE-2023-45322.patch
+++ /dev/null
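Review bot: The new error-path lines `if (linkedSubset != 0) xmlUnlinkNode((xmlNodePtr) doc->intSubset);` carry no comment explaining why the document's own DTD must be detached before `xmlFreeNodeList(ret)`, which is the whole point of the fix: the `else` branch links `doc->intSubset` itself, not a copy, into the list being built (the `ret = p = q` linking visible in the -pre patch context), so freeing `ret` on error would otherwise free the live DTD — presumably the #639 use-after-free the subject refers to. A two-line comment above the new `if`, saying that an existing intSubset was linked rather than copied and has to be unlinked before the partial list is freed, would let the invariant survive the next refactor. It would also be worth noting there that `linkedSubset` is only set on a path already past the `doc == NULL` check (visible in the old code of the deleted Fix-CVE-2023-45322.patch), which is what makes the `doc->intSubset` dereference in the error path safe. The linking of q into ret and the #ifdef LIBXML_TREE_ENABLED block that encloses the else branch lie outside this hunk.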
@@ -1,74 +0,0 @@
-From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Wed, 23 Aug 2023 20:24:24 +0200
-Subject: [PATCH] tree: Fix copying of DTDs
-
-- Don't create multiple DTD nodes.
-- Fix UAF if malloc fails.
-- Skip DTD nodes if tree module is disabled.
-
-Fixes #583.
----
- tree.c | 31 ++++++++++++++++---------------
- 1 file changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/tree.c b/tree.c
-index 6c8a875b9..02c1b5791 100644
---- a/tree.c
-+++ b/tree.c
-@@ -4370,29 +4370,28 @@ xmlNodePtr
- xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
- xmlNodePtr ret = NULL;
- xmlNodePtr p = NULL,q;
-+ xmlDtdPtr newSubset = NULL;
-
- while (node != NULL) {
--#ifdef LIBXML_TREE_ENABLED
- if (node->type == XML_DTD_NODE ) {
-- if (doc == NULL) {
-+#ifdef LIBXML_TREE_ENABLED
-+ if ((doc == NULL) || (doc->intSubset != NULL)) {
- node = node->next;
- continue;
- }
-- if (doc->intSubset == NULL) {
-- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
-- if (q == NULL) goto error;
-- q->doc = doc;
-- q->parent = parent;
-- doc->intSubset = (xmlDtdPtr) q;
-- xmlAddChild(parent, q);
-- } else {
-- q = (xmlNodePtr) doc->intSubset;
-- xmlAddChild(parent, q);
-- }
-- } else
-+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
-+ if (q == NULL) goto error;
-+ q->doc = doc;
-+ q->parent = parent;
-+ newSubset = (xmlDtdPtr) q;
-+#else
-+ node = node->next;
-+ continue;
- #endif /* LIBXML_TREE_ENABLED */
-+ } else {
- q = xmlStaticCopyNode(node, doc, parent, 1);
-- if (q == NULL) goto error;
-+ if (q == NULL) goto error;
-+ }
- if (ret == NULL) {
- q->prev = NULL;
- ret = p = q;
-@@ -4404,6 +4403,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
- }
- node = node->next;
- }
-+ if (newSubset != NULL)
-+ doc->intSubset = newSubset;
- return(ret);
- error:
- xmlFreeNodeList(ret);
---
-GitLab
-
diff --git a/install.py b/install.py
index 59a7308..09d1bfa 100755
--- a/install.py
+++ b/install.py
@@ -56,9 +56,10 @@ def do_patch(args, target_dir):
 "backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch",
 "backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch",
 "libxml2-multilib.patch",
- "Fix-CVE-2023-45322-pre-patch.patch",
- "Fix-CVE-2023-45322.patch",
 "Fix-CVE-2023-25062.patch",
+ "Fix-CVE-2023-45322-pre.patch",
+ "Fix-CVE-2023-45322-first.patch",
+ "Fix-CVE-2023-45322-second.patch",
 "Fix-CVE-2024-34459.patch"
 ]
--
Gitee