diff --git a/dist b/dist
index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8
+an8_10
diff --git a/libxml2-2.9.7-CVE-2023-39615.patch b/libxml2-2.11.0-fix-CVE-2023-39615.patch
similarity index 100%
rename from libxml2-2.9.7-CVE-2023-39615.patch
rename to libxml2-2.11.0-fix-CVE-2023-39615.patch
diff --git a/libxml2-2.9.13-CVE-2023-28484.2.patch b/libxml2-2.9.13-CVE-2023-28484.2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7e0b61dd88654cadf50a2576e38d03e4d863d602
--- /dev/null
+++ b/libxml2-2.9.13-CVE-2023-28484.2.patch
@@ -0,0 +1,71 @@
+From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: [PATCH] schemas: Fix null-pointer-deref in
+ xmlSchemaCheckCOSSTDerivedOK
+
+Found by OSS-Fuzz.
+---
+ result/schemas/oss-fuzz-51295_0_0.err | 2 ++
+ test/schemas/oss-fuzz-51295_0.xml | 1 +
+ test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
+ xmlschemas.c | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 00000000..1e89524f
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 00000000..10a7e703
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 00000000..fde96af5
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++
++
++
++
+diff --git a/xmlschemas.c b/xmlschemas.c
+index f31d3d1f..152b7c3f 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ * declaration `resolved` to by the `actual value`
+ * of the substitutionGroup [attribute], if present"
+ */
+- if (elemDecl->subtypes == NULL)
+- elemDecl->subtypes = substHead->subtypes;
++ if (elemDecl->subtypes == NULL) {
++ if (substHead->subtypes == NULL) {
++ /*
++ * This can happen with self-referencing substitution
++ * groups. The cycle will be detected later, but we have
++ * to set subtypes to avoid null-pointer dereferences.
++ */
++ elemDecl->subtypes = xmlSchemaGetBuiltInType(
++ XML_SCHEMAS_ANYTYPE);
++ } else {
++ elemDecl->subtypes = substHead->subtypes;
++ }
++ }
+ }
+ }
+ /*
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2023-28484.patch b/libxml2-2.9.13-CVE-2023-28484.patch
similarity index 95%
rename from libxml2-2.9.7-CVE-2023-28484.patch
rename to libxml2-2.9.13-CVE-2023-28484.patch
index c5c4d9cfe8c7d6e4a3c57a09d7e36bdb583cfa37..052ab155b4faebb59f02da22e82e22a97a392644 100644
--- a/libxml2-2.9.7-CVE-2023-28484.patch
+++ b/libxml2-2.9.13-CVE-2023-28484.patch
@@ -20,21 +20,21 @@ Fixes #491.
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
new file mode 100644
-index 000000000..9b2bb9691
+index 00000000..9b2bb969
--- /dev/null
+++ b/result/schemas/issue491_0_0.err
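Review bot: The vendored patch's test fixtures arrive empty here: the inner hunks `+@@ -0,0 +1 @@` for test/schemas/oss-fuzz-51295_0.xml and `+@@ -0,0 +1,4 @@` for the .xsd are followed only by bare `++` lines with no XML. That may be a rendering artifact that stripped the markup, but if the committed .patch file really lacks the element content, the expected two "circular substitution group" errors in oss-fuzz-51295_0_0.err can never be produced and the patch's own regression test is dead; confirm the on-disk file before merging. The xmlschemas.c part of the patch looks complete and self-consistent with its diffstat.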
@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
new file mode 100644
-index 000000000..e2b2fc2e3
+index 00000000..e2b2fc2e
--- /dev/null
+++ b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
+5
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
new file mode 100644
-index 000000000..817026498
+index 00000000..81702649
--- /dev/null
+++ b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
@@ -57,7 +57,7 @@ index 000000000..817026498
+
+
diff --git a/xmlschemas.c b/xmlschemas.c
-index 152b7c3f5..eec24a95f 100644
+index 152b7c3f..eec24a95 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
@@ -71,3 +71,4 @@ index 152b7c3f5..eec24a95f 100644
/*
--
GitLab
+
diff --git a/libxml2-2.9.13-CVE-2024-56171.patch b/libxml2-2.9.13-CVE-2024-56171.patch
new file mode 100644
index 0000000000000000000000000000000000000000..96a2ab19336852d019dacb27eb8d2c06a0c7264a
--- /dev/null
+++ b/libxml2-2.9.13-CVE-2024-56171.patch
@@ -0,0 +1,41 @@
+From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 10 Dec 2024 16:52:05 +0100
+Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
+ xmlSchemaItemListAdd
+
+xmlSchemaItemListAdd can reallocate the items array. Update local
+variables after adding item in
+
+- xmlSchemaIDCFillNodeTables
+- xmlSchemaBubbleIDCNodeTables
+
+Fixes #828.
+---
+ xmlschemas.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index d276faf10..28b14bd44 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23388,6 +23388,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ }
+ if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
+ goto internal_error;
++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
+ /*
+ * Remove the duplicate entry from the IDC node-table.
+ */
+@@ -23604,6 +23605,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
+ goto internal_error;
+ }
+ xmlSchemaItemListAdd(parBind->dupls, parNode);
++ dupls = (xmlSchemaPSVIIDCNodePtr *)
++ parBind->dupls->items;
+ } else {
+ /*
+ * Add the node-table entry (node and key-sequence) of
+--
+GitLab
+
diff --git a/libxml2-2.9.13-CVE-2025-24928.patch b/libxml2-2.9.13-CVE-2025-24928.patch
new file mode 100644
index 0000000000000000000000000000000000000000..22e5686d11941d236d3f651581b8ca5c6f92d52f
--- /dev/null
+++ b/libxml2-2.9.13-CVE-2025-24928.patch
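Review bot: In the second inner hunk the refreshed `dupls` follows `xmlSchemaItemListAdd(parBind->dupls, parNode);` whose return value is not checked, unlike the first hunk in xmlSchemaIDCFillNodeTables which does `== -1 goto internal_error`; an allocation failure inside the add would presumably be ignored and the duplicate silently lost, so `if (xmlSchemaItemListAdd(parBind->dupls, parNode) == -1) goto internal_error;` would make both sites consistent. The reload lines are correct, but nothing tells the next maintainer why they exist; a comment such as `/* xmlSchemaItemListAdd may realloc ->items; refresh the cached pointer */` on each new line would guard against the stale-pointer bug being reintroduced. Both enclosing functions start and end outside the hunk.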
@@ -0,0 +1,57 @@
+From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 11 Feb 2025 17:30:40 +0100
+Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
+ xmlSnprintfElements
+
+Fixes #847.
+---
+ valid.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 76d657d62..abefdc50a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5057,25 +5057,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+ return;
+ }
+ switch (cur->type) {
+- case XML_ELEMENT_NODE:
++ case XML_ELEMENT_NODE: {
++ int qnameLen = xmlStrlen(cur->name);
++
++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
++ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ if ((size - len > 4) && (buf[len - 1] != '.'))
++ strcat(buf, " ...");
++ return;
++ }
+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
+- if ((size - len > 4) && (buf[len - 1] != '.'))
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) cur->ns->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(cur->name) + 10) {
+- if ((size - len > 4) && (buf[len - 1] != '.'))
+- strcat(buf, " ...");
+- return;
+- }
+- strcat(buf, (char *) cur->name);
++ if (cur->name != NULL)
++ strcat(buf, (char *) cur->name);
+ if (cur->next != NULL)
+ strcat(buf, " ");
+ break;
++ }
+ case XML_TEXT_NODE:
+ if (xmlIsBlankNode(cur))
+ break;
+--
+GitLab
+
diff --git a/libxml2-2.9.7-CVE-2023-29469.patch b/libxml2-2.9.7-CVE-2023-29469.patch
index bcd9fe0c21e90fecb7928384e3c8fc4d1b979f6b..d7a97781a9cc9f4d2239c7ef09dedba539011bd6 100644
--- a/libxml2-2.9.7-CVE-2023-29469.patch
+++ b/libxml2-2.9.7-CVE-2023-29469.patch
@@ -1,4 +1,4 @@
-From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
+From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
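Review bot: The new truncation guard `if ((size - len > 4) && (buf[len - 1] != '.'))` still indexes `buf[len - 1]`, which reads one byte before the buffer whenever `len` is 0; `len` is computed outside this hunk, so this only bites if a caller can pass an empty `buf` with less than `qnameLen + 10` bytes free, but the extra test is cheap: `if ((size - len > 4) && (len == 0 || buf[len - 1] != '.'))`. Since the change folds the two earlier bound checks into one, a short comment on the `+ 10` slack would help, e.g. `/* room for ':' + name + ' ', the " ..." marker and the NUL */`. xmlSnprintfElements begins and ends outside the hunk.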
From: Nick Wellnhofer
Date: Fri, 7 Apr 2023 11:49:27 +0200
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
@@ -14,23 +14,29 @@ have an impact on security.
Found by OSS-Fuzz.
Fixes #510.
+
+Incorporates change from commit
+09a2dd453007f9c7205274623acdd73747c22d64.
---
- dict.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ dict.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dict.c b/dict.c
-index c29d2af77..12ba94fd5 100644
+index 0ef3718d..5e84cfca 100644
--- a/dict.c
+++ b/dict.c
-@@ -453,7 +453,8 @@ static unsigned long
+@@ -444,8 +444,9 @@ static unsigned long
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
+- value = *name;
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
- value = *name;
++ value += *name;
value <<= 5;
if (namelen > 10) {
+ value += name[namelen - 1];
--
-GitLab
+2.41.0
+
diff --git a/libxml2.spec b/libxml2.spec
index 04221e3fd125ca21ad048a9fdf341ecc1ea587f7..0df273589d9601e77be67a5d1e2e4c099606a705 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.4
+%define anolis_release .0.1
%if 0%{?rhel} > 7
# Disable python2 build by default
@@ -9,7 +9,7 @@ Name: libxml2
Version: 2.9.7
-Release: 18%{anolis_release}%{?dist}
+Release: 19%{anolis_release}%{?dist}
Summary: Library providing XML and HTML support
License: MIT
@@ -58,17 +58,20 @@ Patch18: libxml2-2.9.7-CVE-2016-3709.patch
Patch19: libxml2-2.9.7-CVE-2022-40303.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136568
Patch20: libxml2-2.9.7-CVE-2022-40304.patch
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
-Patch21: libxml2-2.9.7-CVE-2023-28484.patch
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64.patch
-Patch22: libxml2-2.9.7-CVE-2023-29469.patch
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9
-Patch23: libxml2-2.9.7-CVE-2023-39615.patch
-
-# upstream fix:https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
-Patch24: libxml2-2.9.7-CVE-2024-25062.patch
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b
-Patch25: libxml2-2.9.13-CVE-2022-49043.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2186692
+Patch21: libxml2-2.9.13-CVE-2023-28484.patch
+Patch22: libxml2-2.9.13-CVE-2023-28484.2.patch
+Patch23: libxml2-2.9.7-CVE-2023-29469.patch
+# https://issues.redhat.com/browse/RHEL-5179
+Patch24: libxml2-2.11.0-fix-CVE-2023-39615.patch
+# https://issues.redhat.com/browse/RHEL-31056
+Patch25: libxml2-2.9.7-CVE-2024-25062.patch
+# https://issues.redhat.com/browse/RHEL-76289
+Patch26: libxml2-2.9.13-CVE-2022-49043.patch
+# https://issues.redhat.com/browse/RHEL-80122
+Patch27: libxml2-2.9.13-CVE-2024-56171.patch
+# https://issues.redhat.com/browse/RHEL-80137
+Patch28: libxml2-2.9.13-CVE-2025-24928.patch
# Add by Anolis
Patch1000: 0001-modify-home-page.patch
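Review bot: Patch21–Patch25 are renumbered and Patch26–Patch28 added, yet this diff touches no `%prep` hunk; if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, the three new entries are never applied and the CVE-2022-49043 fix that used to be Patch25 silently regresses to the Patch25 slot now holding the CVE-2024-25062 patch. Confirm how `%prep` is written, or add the matching `%patch26 -p1`, `%patch27 -p1`, `%patch28 -p1` lines in the same commit. The replacement comments drop the upstream commit URLs in favour of tracker links; keeping the upstream commit id beside each CVE patch (e.g. `# upstream 858ca26c0689161a6b903a6682cc8a1cc10a0ea8` above Patch28) makes future rebases easier to verify against the source.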
@@ -244,24 +247,26 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so
%changelog
-* Tue Feb 18 2025 wangzhe - 2.9.7-18.0.4
-- Fix CVE-2022-49043
+* Fri Mar 14 2025 Mahailiang - 2.9.7-19.0.1
+- Modify home page
+- Replace logo in html doc with anolis.gif
-* Fri Jun 07 2024 Kai Song - 2.9.7-18.0.3
-- Fix CVE-2024-25062
+* Tue Mar 11 2025 Michael Catanzaro - 2.9.7-19
+- Fix CVE-2024-56171 (RHEL-80122)
+- Fix CVE-2025-24928 (RHEL-80137)
-* Tue Dec 05 2023 Bo Liu - 2.9.7-18.0.2
-- Fix CVE-2023-39615
+* Tue Feb 11 2025 David King - 2.9.7.18.2
+- Fix CVE-2022-49043 (RHEL-76289)
-* Wed Sep 06 2023 chengshengyu - 2.9.7-17.0.2
-- Fix CVE-2023-29469 (#2185984)
+* Mon Apr 29 2024 David King - 2.9.7-18.1
+- Fix CVE-2024-25062 (RHEL-31056)
-* Wed May 24 2023 Mahailiang - 2.9.7-17.0.1
-- Modify home page
-- Replace logo in html doc with anolis.gif
+* Thu Sep 14 2023 David King - 2.9.7-18
+- Fix CVE-2023-39615 (RHEL-5179)
-* Fri Apr 07 2023 Nick Wellnhofer - 2.9.7-17
-- Fix CVE-2023-28484 (#2185994)
+* Fri Jul 14 2023 David King - 2.9.7-17
+- Fix CVE-2023-28484 (#2186692)
+- Fix CVE-2023-29469 (#2186692)
* Wed Nov 02 2022 David King - 2.9.7-16
- Fix CVE-2022-40303 (#2136563)