From 982dd76d793cfd004829da93ef8421ddb8b294da Mon Sep 17 00:00:00 2001
From: mgb01105731
Date: Sun, 12 Jan 2025 21:15:22 -0500
Subject: [PATCH] to #IBHBVL add patch to fix CVE-2024-40896 Project: TC2024080204
Signed-off-by: mgb01105731 mgb01105731@alibaba-inc.com
---
 1001-fix-CVE-2024-40896.patch | 31 +++++++++++++++++++++++++++++++
 libxml2.spec | 16 +++++++++++++---
 2 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 1001-fix-CVE-2024-40896.patch
diff --git a/1001-fix-CVE-2024-40896.patch b/1001-fix-CVE-2024-40896.patch
new file mode 100644
index 0000000..15166d0
--- /dev/null
+++ b/1001-fix-CVE-2024-40896.patch
@@ -0,0 +1,31 @@
+From eac86b7a951c15739c400b9c6581227e30ba190a Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Sun, 12 Jan 2025 21:13:16 -0500
+Subject: [PATCH 1/1] fix CVE-2024-40896
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d3f30b2..8c76da8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7146,6 +7146,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+
++ /*
++ * Some users try to parse entities on their own and used to set
++ * the renamed "checked" member. Fix the flags to cover this
++ * case.
++ */
++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++ ent->flags |= XML_ENT_PARSED;
++
+ /*
+ * The first reference to the entity trigger a parsing phase
+ * where the ent->children is filled with the result from
+--
+2.41.0
+
diff --git a/libxml2.spec b/libxml2.spec
index 58f1104..1f81a91 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 Name: libxml2
 Version: 2.11.5
 Release: %{anolis_release}%{?dist}
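Review bot: The header of the embedded patch (`Subject: [PATCH 1/1] fix CVE-2024-40896`) has no body and no upstream reference, so the origin of the parser.c change can only be found in libxml2.spec. I would add a line such as `Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ae8f0ac0a2900219c3d762ae0b513e199dcf19a5` below the subject, with one sentence on what the flag fix-up protects against, so the backport can be compared with upstream from the patch file alone. The added check marks an entity as `XML_ENT_PARSED` only when `ent->children` is already non-NULL, and judging by the context comment that follows it this presumably keeps the parser from running its own parsing phase on that entity; no regression test for that case is added in this commit. xmlParseReference starts and ends outside the hunk, so the rest of the entity handling cannot be checked here.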
@@ -22,6 +22,10 @@ Patch3: Bugfix-for-CVE-2024-34459.patch
 # Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7
 Patch4: Bugfix-for-CVE-2024-25062.patch
+# CVE-2024-40896
+# Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ae8f0ac0a2900219c3d762ae0b513e199dcf19a5
+Patch5: 1001-fix-CVE-2024-40896.patch
+
 BuildRequires: cmake-rpm-macros
 BuildRequires: gcc
 BuildRequires: make
@@ -166,10 +170,16 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %doc NEWS README.md
 %changelog
-* Mon Aug 12 2024 lidongyue 2.11.5-4
+* Mon Jan 13 2025 mgb01105731 - 2.11.5-5
+- to #IBHBVL
+- add patch to fix CVE-2024-40896
+- Project: TC2024080204
+- Signed-off-by: mgb01105731 mgb01105731@alibaba-inc.com
+
+* Mon Aug 12 2024 lidongyue - 2.11.5-4
 - Fix CVE-2024-25062
-* Fri Jul 12 2024 lidongyue 2.11.5-3
+* Fri Jul 12 2024 lidongyue - 2.11.5-3
 - Fix CVE-2024-34459
 * Tue Mar 12 2024 Bo Ren - 2.11.5-2
--
Gitee
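Review bot: The file name in `Patch5: 1001-fix-CVE-2024-40896.patch` departs from the `Bugfix-for-CVE-…` naming that Patch3 and Patch4 use in this same hunk, and its `1001-` prefix does not correspond to the Patch5 slot. Renaming the file so the line reads `Patch5: Bugfix-for-CVE-2024-40896.patch` would keep the CVE patches easy to list and audit together. The part of the spec that applies the patches is outside the visible hunks, so it is worth confirming that Patch5 is actually applied during %prep.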