diff --git a/libxml2-2.9.13-CVE-2025-49794.patch b/libxml2-2.9.13-CVE-2025-49794.patch new file mode 100644 index 0000000000000000000000000000000000000000..e2e70148b7090943a5fb4f8b59089f55ba8b5e7c --- /dev/null +++ b/libxml2-2.9.13-CVE-2025-49794.patch @@ -0,0 +1,194 @@ +From b2a28a861e9d43a23b877c3994daa28f8af69618 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Jul 2025 14:28:26 +0200 +Subject: [PATCH] schematron: Fix memory safety issues in + xmlSchematronReportOutput + +Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) +in xmlSchematronReportOutput. + +Fixes #931. +Fixes #933. +--- + result/schematron/cve-2025-49794_0.err | 2 + + result/schematron/cve-2025-49796_0.err | 2 + + schematron.c | 67 ++++++++++++++------------ + test/schematron/cve-2025-49794.sct | 10 ++++ + test/schematron/cve-2025-49794_0.xml | 6 +++ + test/schematron/cve-2025-49796.sct | 9 ++++ + test/schematron/cve-2025-49796_0.xml | 3 ++ + 7 files changed, 67 insertions(+), 32 deletions(-) + create mode 100644 result/schematron/cve-2025-49794_0.err + create mode 100644 result/schematron/cve-2025-49796_0.err + create mode 100644 test/schematron/cve-2025-49794.sct + create mode 100644 test/schematron/cve-2025-49794_0.xml + create mode 100644 test/schematron/cve-2025-49796.sct + create mode 100644 test/schematron/cve-2025-49796_0.xml + +diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err +new file mode 100644 +index 00000000..57752310 +--- /dev/null ++++ b/result/schematron/cve-2025-49794_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49794_0.xml fails to validate +diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err +new file mode 100644 +index 00000000..bf875ee0 +--- /dev/null ++++ b/result/schematron/cve-2025-49796_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49796_0.xml fails to validate +diff --git a/schematron.c b/schematron.c +index ddbb069b..0c7bc84a 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1239,27 +1239,15 @@ exit: + * * + ************************************************************************/ + +-static xmlNodePtr ++static xmlXPathObjectPtr + xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt, + xmlNodePtr cur, const xmlChar *xpath) { +- xmlNodePtr node = NULL; +- xmlXPathObjectPtr ret; +- + if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL)) + return(NULL); + + ctxt->xctxt->doc = cur->doc; + ctxt->xctxt->node = cur; +- ret = xmlXPathEval(xpath, ctxt->xctxt); +- if (ret == NULL) +- return(NULL); +- +- if ((ret->type == XPATH_NODESET) && +- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) +- node = ret->nodesetval->nodeTab[0]; +- +- xmlXPathFreeObject(ret); +- return(node); ++ return(xmlXPathEval(xpath, ctxt->xctxt)); + } + + /** +@@ -1301,28 +1289,43 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + child = test->children; + while (child != NULL) { + if ((child->type == XML_TEXT_NODE) || +- (child->type == XML_CDATA_SECTION_NODE)) +- ret = xmlStrcat(ret, child->content); +- else if (IS_SCHEMATRON(child, "name")) { +- xmlChar *path; ++ (child->type == XML_CDATA_SECTION_NODE)) ++ ret = xmlStrcat(ret, child->content); ++ else if (IS_SCHEMATRON(child, "name")) { ++ xmlXPathObject *obj = NULL; ++ xmlChar *path; + + path = xmlGetNoNsProp(child, BAD_CAST "path"); + + node = cur; +- if (path != NULL) { +- node = xmlSchematronGetNode(ctxt, cur, path); +- if (node == NULL) +- node = cur; +- xmlFree(path); +- } +- +- if ((node->ns == NULL) || (node->ns->prefix == NULL)) +- ret = xmlStrcat(ret, node->name); +- else { +- ret = xmlStrcat(ret, node->ns->prefix); +- ret = xmlStrcat(ret, BAD_CAST ":"); +- ret = xmlStrcat(ret, node->name); +- } ++ if (path != NULL) { ++ obj = xmlSchematronGetNode(ctxt, cur, path); ++ if ((obj != NULL) && ++ (obj->type == XPATH_NODESET) && ++ (obj->nodesetval != NULL) && ++ (obj->nodesetval->nodeNr > 0)) ++ node = obj->nodesetval->nodeTab[0]; ++ xmlFree(path); ++ } ++ ++ switch (node->type) { ++ case XML_ELEMENT_NODE: ++ case XML_ATTRIBUTE_NODE: ++ if ((node->ns == NULL) || (node->ns->prefix == NULL)) ++ ret = xmlStrcat(ret, node->name); ++ else { ++ ret = xmlStrcat(ret, node->ns->prefix); ++ ret = xmlStrcat(ret, BAD_CAST ":"); ++ ret = xmlStrcat(ret, node->name); ++ } ++ break; ++ ++ /* TODO: handle other node types */ ++ default: ++ break; ++ } ++ ++ xmlXPathFreeObject(obj); + } else { + child = child->next; + continue; +diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct +new file mode 100644 +index 00000000..7fc9ee3d +--- /dev/null ++++ b/test/schematron/cve-2025-49794.sct +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml +new file mode 100644 +index 00000000..debc64ba +--- /dev/null ++++ b/test/schematron/cve-2025-49794_0.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct +new file mode 100644 +index 00000000..e9702d75 +--- /dev/null ++++ b/test/schematron/cve-2025-49796.sct +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml +new file mode 100644 +index 00000000..be33c4ec +--- /dev/null ++++ b/test/schematron/cve-2025-49796_0.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +-- +2.49.0 + diff --git a/libxml2-2.9.13-CVE-2025-6021.patch b/libxml2-2.9.13-CVE-2025-6021.patch new file mode 100644 index 0000000000000000000000000000000000000000..faced867c2a0591ea0ee3cc1a4a559a97a02fe7a --- /dev/null +++ b/libxml2-2.9.13-CVE-2025-6021.patch @@ -0,0 +1,49 @@ +From 1256dce1c2c928e1436a7e8bd8b40113099383c8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 27 May 2025 12:53:17 +0200 +Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName + +This issue affects memory safety and might receive a CVE ID later. + +Fixes #926. +--- + tree.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index 86afb7d6..3b0d0397 100644 +--- a/tree.c ++++ b/tree.c +@@ -20,6 +20,7 @@ + + #include /* for memset() only ! */ + #include ++#include + #include + #ifdef HAVE_CTYPE_H + #include +@@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) { + xmlChar * + xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + xmlChar *memory, int len) { +- int lenn, lenp; ++ size_t lenn, lenp; + xmlChar *ret; + +- if (ncname == NULL) return(NULL); ++ if ((ncname == NULL) || (len < 0)) return(NULL); + if (prefix == NULL) return((xmlChar *) ncname); + + lenn = strlen((char *) ncname); + lenp = strlen((char *) prefix); ++ if (lenn >= SIZE_MAX - lenp - 1) ++ return(NULL); + +- if ((memory == NULL) || (len < lenn + lenp + 2)) { ++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) { + ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); + if (ret == NULL) { + xmlTreeErrMemory("building QName"); +-- +2.49.0 + diff --git a/libxml2-clamp-output-bytes-overflow.patch b/libxml2-clamp-output-bytes-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..fdfcb41d02eb82307d95c55046b0bcbe715fa7c4 --- /dev/null +++ b/libxml2-clamp-output-bytes-overflow.patch @@ -0,0 +1,56 @@ +From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 14 Oct 2019 16:56:59 +0200 +Subject: [PATCH] Fix integer overflow when counting written bytes + +Check for integer overflow when updating the `written` member of +struct xmlOutputBuffer in xmlIO.c. + +Closes #112. Resolves !54 and !55. +--- + xmlIO.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/xmlIO.c b/xmlIO.c +index 2a1e2cb08..752d5e0a0 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) { + out->error = XML_IO_WRITE; + return(ret); + } +- out->written += ret; ++ if (out->written > INT_MAX - ret) ++ out->written = INT_MAX; ++ else ++ out->written += ret; + } + written += nbchars; + } while (len > 0); +@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str, + out->error = XML_IO_WRITE; + return(ret); + } +- out->written += ret; ++ if (out->written > INT_MAX - ret) ++ out->written = INT_MAX; ++ else ++ out->written += ret; + } else if (xmlBufAvail(out->buffer) < MINLEN) { + xmlBufGrow(out->buffer, MINLEN); + } +@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) { + out->error = XML_IO_FLUSH; + return(ret); + } +- out->written += ret; ++ if (out->written > INT_MAX - ret) ++ out->written = INT_MAX; ++ else ++ out->written += ret; + + #ifdef DEBUG_INPUT + xmlGenericError(xmlGenericErrorContext, +-- +GitLab + diff --git a/libxml2.spec b/libxml2.spec index 0a99d770f710a3623551a3fecbadd696f9468913..54187d759124339807fa2f8fc5c4f2b6fda38382 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -9,7 +9,7 @@ Name: libxml2 Version: 2.9.7 -Release: 20%{anolis_release}%{?dist} +Release: 21%{anolis_release}%{?dist}.1 Summary: Library providing XML and HTML support License: MIT @@ -74,6 +74,13 @@ Patch27: libxml2-2.9.13-CVE-2024-56171.patch Patch28: libxml2-2.9.13-CVE-2025-24928.patch # https://issues.redhat.com/browse/RHEL-88198 Patch29: libxml2-2.9.13-CVE-2025-32414.patch +# https://issues.redhat.com/browse/RHEL-74345 +Patch30: libxml2-clamp-output-bytes-overflow.patch +# https://issues.redhat.com/browse/RHEL-96498 +Patch31: libxml2-2.9.13-CVE-2025-6021.patch +# https://issues.redhat.com/browse/RHEL-96398 +# https://issues.redhat.com/browse/RHEL-96424 +Patch32: libxml2-2.9.13-CVE-2025-49794.patch # Add by Anolis Patch1000: 0001-modify-home-page.patch @@ -249,10 +256,18 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog -* Mon Jun 16 2025 Mahailiang - 2.9.7-20.0.1 +* Thu Jul 10 2025 Mahailiang - 2.9.7-21.0.1.1 - Modify home page - Replace logo in html doc with anolis.gif +* Mon Jun 16 2025 David King - 2.9.7-21.1 +- Fix CVE-2025-6021 (RHEL-96498) +- Fix CVE-2025-49794 (RHEL-96398) +- Fix CVE-2025-49796 (RHEL-96424) + +* Fri Jun 13 2025 David King - 2.9.7-21 +- Fix integer overflow (RHEL-74345) + * Thu Jun 05 2025 David King - 2.9.7-20 - Fix CVE-2025-32414 (RHEL-88198)