diff --git a/backport-CVE-2016-3709.patch b/backport-CVE-2016-3709.patch new file mode 100644 index 0000000000000000000000000000000000000000..0b89fdc64c1b1d3554de16e76b520ffd39a61aaa --- /dev/null +++ b/backport-CVE-2016-3709.patch @@ -0,0 +1,85 @@ +From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 15 Aug 2020 18:32:29 +0200 +Subject: [PATCH] Revert "Do not URI escape in server side includes" + +This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588. + +This commit introduced + +- an infinite loop, found by OSS-Fuzz, which could be easily fixed. +- an algorithm with quadratic runtime +- a security issue, see + https://bugzilla.gnome.org/show_bug.cgi?id=769760 + +A better approach is to add an option not to escape URLs at all +which libxml2 should have possibly done in the first place. +--- + HTMLtree.c | 49 +++++++++++-------------------------------------- + 1 file changed, 11 insertions(+), 38 deletions(-) + +diff --git a/HTMLtree.c b/HTMLtree.c +index 8d236bb35..cdb7f86a6 100644 +--- a/HTMLtree.c ++++ b/HTMLtree.c +@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur, + (!xmlStrcasecmp(cur->name, BAD_CAST "src")) || + ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) && + (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) { ++ xmlChar *escaped; + xmlChar *tmp = value; +- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */ +- xmlBufCCat(buf->buffer, "\""); + + while (IS_BLANK_CH(*tmp)) tmp++; + +- /* URI Escape everything, except server side includes. */ +- for ( ; ; ) { +- xmlChar *escaped; +- xmlChar endChar; +- xmlChar *end = NULL; +- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST ""); +- if (end != NULL) { +- *start = '\0'; +- } +- } +- +- /* Escape the whole string, or until start (set to '\0'). */ +- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+"); +- if (escaped != NULL) { +- xmlBufCat(buf->buffer, escaped); +- xmlFree(escaped); +- } else { +- xmlBufCat(buf->buffer, tmp); +- } +- +- if (end == NULL) { /* Everything has been written. */ +- break; +- } +- +- /* Do not escape anything within server side includes. */ +- *start = '<'; /* Restore the first character of "") */ +- endChar = *end; +- *end = '\0'; +- xmlBufCat(buf->buffer, start); +- *end = endChar; +- tmp = end; ++ /* ++ * the < and > have already been escaped at the entity level ++ * And doing so here breaks server side includes ++ */ ++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>"); ++ if (escaped != NULL) { ++ xmlBufWriteQuotedString(buf->buffer, escaped); ++ xmlFree(escaped); ++ } else { ++ xmlBufWriteQuotedString(buf->buffer, value); + } +- +- xmlBufCCat(buf->buffer, "\""); + } else { + xmlBufWriteQuotedString(buf->buffer, value); + } diff --git a/libxml2.spec b/libxml2.spec index 3e3decda36adac4f44d7210c8c30a53536cb2ca0..92e06054cb9311cedd0416a947c6cba2cc3fc07c 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.10 -Release: 30 +Release: 31 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -122,6 +122,7 @@ Patch109:backport-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attrib.patch Patch110:backport-CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch Patch111:Fix-memory-leaks-for-xmlACatalogAdd.patch Patch112:Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch +Patch113:backport-CVE-2016-3709.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python2-devel @@ -314,6 +315,12 @@ rm -fr %{buildroot} %changelog +* Mon Aug 08 2022 fuanan - 2.9.10-31 +- Type:CVE +- CVE:CVE-2016-3709 +- SUG:NA +- DESC:Fix CVE-2016-3709 + * Fri Jun 24 2022 fuanan - 2.9.10-30 - Type:bugfix - ID:NA