diff --git a/backport-CVE-2023-45322.patch b/backport-CVE-2023-45322.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6b7bc5b4583841947b7850d81be051e0d868ec9b
--- /dev/null
+++ b/backport-CVE-2023-45322.patch
@@ -0,0 +1,74 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b..02c1b579 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4386,29 +4386,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++ xmlDtdPtr newSubset = NULL;
+
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ if (node->type == XML_DTD_NODE ) {
+- if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++ if ((doc == NULL) || (doc->intSubset != NULL)) {
+ node = node->next;
+ continue;
+ }
+- if (doc->intSubset == NULL) {
+- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) goto error;
+- q->doc = doc;
+- q->parent = parent;
+- doc->intSubset = (xmlDtdPtr) q;
+- xmlAddChild(parent, q);
+- } else {
+- q = (xmlNodePtr) doc->intSubset;
+- xmlAddChild(parent, q);
+- }
+- } else
++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++ if (q == NULL) goto error;
++ q->doc = doc;
++ q->parent = parent;
++ newSubset = (xmlDtdPtr) q;
++#else
++ node = node->next;
++ continue;
+ #endif /* LIBXML_TREE_ENABLED */
++ } else {
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) goto error;
++ if (q == NULL) goto error;
++ }
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4420,6 +4419,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ node = node->next;
+ }
++ if (newSubset != NULL)
++ doc->intSubset = newSubset;
+ return(ret);
+ error:
+ xmlFreeNodeList(ret);
+--
+2.27.0
+
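Review bot: In the `XML_DTD_NODE` branch of xmlStaticCopyNodeList the skip guard tests only `doc->intSubset`, which is no longer updated inside the loop, so a second DTD node in the same sibling list would also be copied and linked, and `newSubset` would end up pointing at the last copy. Whether such a list can occur is not visible here, but the commit message states the goal of not creating multiple DTD nodes. Extending the guard to `if ((doc == NULL) || (doc->intSubset != NULL) || (newSubset != NULL)) {` would cover that case; because this is a backport, any such deviation from upstream should be recorded in the patch header. Part of the function body lies outside the two inner hunks.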
diff --git a/backport-CVE-2024-25062.patch b/backport-CVE-2024-25062.patch
new file mode 100644
index 0000000000000000000000000000000000000000..49b08d8306fb93a6fb0f17bef694749a69af4e6a
--- /dev/null
+++ b/backport-CVE-2024-25062.patch
@@ -0,0 +1,28 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+--
+GitLab
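Review bot: The added `reader->state != XML_TEXTREADER_BACKTRACK` test in the XInclude condition after `node_found:` carries no explanation, and the comment above it still reads only "Handle XInclude if asked for". Since this one line is the whole fix for the use-after-free described in the commit message, the reason should sit next to it, for example `* Handle XInclude if asked for, but never while backtracking (see #604).`. The patch also adds no regression test for the DTD-validation plus XInclude combination, so a later refactor of this condition could reintroduce the bug unnoticed. The `if` statement and its enclosing function continue outside the hunk.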
diff --git a/backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch b/backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7014b9930acfc0c27849cb4abb71aa873787bf48
--- /dev/null
+++ b/backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch
@@ -0,0 +1,766 @@
+From fc119e329069fae2ac7c25bc36ccb8847bac04ad Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sun, 30 Apr 2023 15:28:12 +0200
+Subject: [PATCH] examples: Don't call xmlCleanupParser and xmlMemoryDump
+
+xmlCleanupParser is dangerous and shouldn't be called in most cases.
+Being part of the examples led many people to use it incorrectly.
+
+xmlMemoryDump is an obsolete way to test for memory leaks.
+---
+ doc/examples/Makefile.am | 18 -----
+ doc/examples/examples.xml | 136 +++++++++++++++-----------------------
+ doc/examples/index.html | 106 +++++++++++++----------------
+ doc/examples/index.py | 2 -
+ doc/examples/io1.c | 8 ---
+ doc/examples/parse1.c | 8 ---
+ doc/examples/parse2.c | 8 ---
+ doc/examples/parse3.c | 8 ---
+ doc/examples/parse4.c | 8 ---
+ doc/examples/reader1.c | 8 ---
+ doc/examples/reader2.c | 8 ---
+ doc/examples/reader3.c | 9 ---
+ doc/examples/reader4.c | 8 ---
+ doc/examples/testWriter.c | 8 ---
+ doc/examples/tree1.c | 6 --
+ doc/examples/tree2.c | 10 ---
+ doc/examples/xpath1.c | 7 --
+ doc/examples/xpath2.c | 7 --
+ 18 files changed, 101 insertions(+), 272 deletions(-)
+
+diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
+index 75e138be..e30c02b4 100644
+--- a/doc/examples/Makefile.am
++++ b/doc/examples/Makefile.am
+@@ -22,7 +22,6 @@ uninstall-local:
+
+ clean-local:
+ test -f Makefile.am || rm -f test?.xml
+- rm -f .memdump
+
+ EXTRA_DIST = \
+ examples.xml \
+@@ -86,35 +85,18 @@ valgrind:
+ check-local:
+ @test -f Makefile.am || test -f test1.xml || $(LN_S) $(srcdir)/test?.xml .
+ @(echo '## examples regression tests')
+- @(echo > .memdump)
+ @$(CHECKER) ./io1 >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./io2 >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./parse1 test1.xml
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./parse2 test2.xml
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./parse3
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./parse4 test3.xml
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./reader1 test2.xml >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./reader2 test2.xml >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./reader3 >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./reader4 test1.xml test2.xml test3.xml >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./testWriter
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./tree1 test2.xml >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./tree2 >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+- @$(CHECKER) ./xpath1 test3.xml '//child2' >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @$(CHECKER) ./xpath2 test3.xml '//discarded' discarded >/dev/null
+- @grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0
+ @rm -f *.tmp
+diff --git a/doc/examples/examples.xml b/doc/examples/examples.xml
+index 465ea824..177e8159 100644
+--- a/doc/examples/examples.xml
++++ b/doc/examples/examples.xml
+@@ -15,11 +15,9 @@
+
+
+
+-
+
+
+
+-
+
+
+
+@@ -62,10 +60,8 @@
+
+
+
+-
+
+
+-
+
+
+
+@@ -84,12 +80,10 @@
+
+
+
+-
+
+
+
+
+-
+
+
+
+@@ -108,10 +102,8 @@
+
+
+
+-
+
+
+-
+
+
+
+@@ -129,12 +121,10 @@
+
+
+
+-
+
+
+
+
+-
+
+
+
+@@ -152,9 +142,7 @@
+
+
+
+-
+
+-
+
+
+
+@@ -250,35 +238,35 @@
+ <libxml/xmlwriter.h>
+
+
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+
+
+
+@@ -338,22 +326,22 @@
+ <libxml/xpathInternals.h>
+
+
+-
+-
+-
++
++
++
+
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
++
++
++
++
++
++
++
++
++
++
++
++
+
+
+
+@@ -371,17 +359,17 @@
+ <libxml/xpathInternals.h>
+
+
+-
+-
++
++
+
+-
+-
+-
+-
+-
+-
+-
+-
++
++
++
++
++
++
++
++
+
+
+
+@@ -429,14 +417,6 @@
+
+
+
+-
+-
+-
+-
+-
+-
+-
+-
+
+
+
+@@ -506,14 +486,6 @@
+
+
+
+-
+-
+-
+-
+-
+-
+-
+-
+
+
+
+diff --git a/doc/examples/index.html b/doc/examples/index.html
+index ff7b1cd3..b4d29f31 100644
+--- a/doc/examples/index.html
++++ b/doc/examples/index.html
+@@ -87,8 +87,6 @@ install step or when installing the libxml2 development package:
+ line 134: Function xmlXIncludeProcess from xinclude.h
+ line 143: Function xmlDocDump from tree.h
+ line 149: Function xmlFreeDoc from tree.h
+- line 154: Function xmlCleanupParser from parser.h
+- line 158: Function xmlMemoryDump from xmlmemory.h
+
+ Usage:
+ io1
+@@ -133,8 +131,6 @@ install step or when installing the libxml2 development package:
+ line 26: Function xmlReadFile from parser.h
+ line 31: Function xmlFreeDoc from tree.h
+ line 45: Macro LIBXML_TEST_VERSION from xmlversion.h
+- line 50: Function xmlCleanupParser from parser.h
+- line 54: Function xmlMemoryDump from xmlmemory.h
+
+ Usage:
+ parse1 test1.xml
+@@ -159,8 +155,6 @@ install step or when installing the libxml2 development package:
+ line 44: Function xmlFreeDoc from tree.h
+ line 47: Function xmlFreeParserCtxt from parser.h
+ line 61: Macro LIBXML_TEST_VERSION from xmlversion.h
+- line 66: Function xmlCleanupParser from parser.h
+- line 70: Function xmlMemoryDump from xmlmemory.h
+
+ Usage:
+ parse2 test2.xml
+@@ -182,8 +176,6 @@ install step or when installing the libxml2 development package:
+ line 33: Function xmlReadMemory from parser.h
+ line 38: Function xmlFreeDoc from tree.h
+ line 49: Macro LIBXML_TEST_VERSION from xmlversion.h
+- line 54: Function xmlCleanupParser from parser.h
+- line 58: Function xmlMemoryDump from xmlmemory.h
+
+ Usage:
+ parse3
+@@ -208,8 +200,6 @@ install step or when installing the libxml2 development package:
+ line 94: Function xmlFreeParserCtxt from parser.h
+ line 103: Function xmlFreeDoc from tree.h
+ line 120: Macro LIBXML_TEST_VERSION from xmlversion.h
+- line 131: Function xmlCleanupParser from parser.h
+- line 135: Function xmlMemoryDump from xmlmemory.h
+
+ Usage:
+ parse4 test3.xml
+@@ -281,18 +271,18 @@ install step or when installing the libxml2 development package:
+ Uses:
+
+ Usage:
+ xpath1 <xml-file> <xpath-expr> [<known-ns-list>]
+@@ -317,15 +307,15 @@ install step or when installing the libxml2 development package:
+ Uses:
+
+ Usage:
+ xpath2 <xml-file> <xpath-expr> <new-value>
+@@ -353,8 +343,6 @@ install step or when installing the libxml2 development package:
+ line 64: Function xmlTextReaderRead from xmlreader.h
+ line 69: Function xmlFreeTextReader from xmlreader.h
+ line 89: Macro LIBXML_TEST_VERSION from xmlversion.h
+- line 94: Function xmlCleanupParser from parser.h
+- line 98: Function xmlMemoryDump from xmlmemory.h
+
+ Usage:
+ reader1 <filename>
+@@ -440,32 +428,32 @@ install step or when installing the libxml2 development package:
+
+ Uses:
+
+ Usage:
+ testWriter
+diff --git a/doc/examples/index.py b/doc/examples/index.py
+index c422904f..bceae8b9 100755
+--- a/doc/examples/index.py
++++ b/doc/examples/index.py
+@@ -262,10 +262,8 @@ clean-local:
+ Makefile = Makefile + "tests: $(check_PROGRAMS)\n"
+ Makefile = Makefile + "\t@test -f Makefile.am || test -f test1.xml || $(LN_S) $(srcdir)/test?.xml .\n"
+ Makefile = Makefile + "\t@(echo '## examples regression tests')\n"
+- Makefile = Makefile + "\t@(echo > .memdump)\n"
+ for test in tests:
+ Makefile = Makefile + "\t@$(CHECKER) %s\n" % (test)
+- Makefile = Makefile + '\t@grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" ; exit 0\n'
+ Makefile = Makefile + "\t@rm *.tmp\n"
+ try:
+ old = open("Makefile.am", "r").read()
+diff --git a/doc/examples/io1.c b/doc/examples/io1.c
+index 5c2b25d7..366c63cb 100644
+--- a/doc/examples/io1.c
++++ b/doc/examples/io1.c
+@@ -148,14 +148,6 @@ int main(void) {
+ */
+ xmlFreeDoc(doc);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+ #else
+diff --git a/doc/examples/parse1.c b/doc/examples/parse1.c
+index e3c9d3a6..01087d1a 100644
+--- a/doc/examples/parse1.c
++++ b/doc/examples/parse1.c
+@@ -44,13 +44,5 @@ int main(int argc, char **argv) {
+
+ example1Func(argv[1]);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+diff --git a/doc/examples/parse2.c b/doc/examples/parse2.c
+index 4dcbfde9..0732e1e5 100644
+--- a/doc/examples/parse2.c
++++ b/doc/examples/parse2.c
+@@ -60,13 +60,5 @@ int main(int argc, char **argv) {
+
+ exampleFunc(argv[1]);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+diff --git a/doc/examples/parse3.c b/doc/examples/parse3.c
+index 076a786a..15349dcc 100644
+--- a/doc/examples/parse3.c
++++ b/doc/examples/parse3.c
+@@ -48,13 +48,5 @@ int main(void) {
+
+ example3Func(document, 6);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+diff --git a/doc/examples/parse4.c b/doc/examples/parse4.c
+index ae8d332a..eaeab40c 100644
+--- a/doc/examples/parse4.c
++++ b/doc/examples/parse4.c
+@@ -125,14 +125,6 @@ int main(int argc, char **argv) {
+ fprintf(stderr, "Failed to parse %s\n", argv[1]);
+ }
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+ #else /* ! LIBXML_PUSH_ENABLED */
+diff --git a/doc/examples/reader1.c b/doc/examples/reader1.c
+index 10301686..eafb6e1d 100644
+--- a/doc/examples/reader1.c
++++ b/doc/examples/reader1.c
+@@ -88,14 +88,6 @@ int main(int argc, char **argv) {
+
+ streamFile(argv[1]);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+
+diff --git a/doc/examples/reader2.c b/doc/examples/reader2.c
+index 9c2d2e6b..d8d7f924 100644
+--- a/doc/examples/reader2.c
++++ b/doc/examples/reader2.c
+@@ -103,14 +103,6 @@ int main(int argc, char **argv) {
+
+ streamFile(argv[1]);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+
+diff --git a/doc/examples/reader3.c b/doc/examples/reader3.c
+index f6082979..d6a43b1b 100644
+--- a/doc/examples/reader3.c
++++ b/doc/examples/reader3.c
+@@ -100,15 +100,6 @@ int main(int argc, char **argv) {
+ xmlFreeDoc(doc);
+ }
+
+-
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+
+diff --git a/doc/examples/reader4.c b/doc/examples/reader4.c
+index f4277ec4..3c0d1b97 100644
+--- a/doc/examples/reader4.c
++++ b/doc/examples/reader4.c
+@@ -103,14 +103,6 @@ int main(int argc, char **argv) {
+ */
+ xmlFreeTextReader(readerPtr);
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+
+diff --git a/doc/examples/testWriter.c b/doc/examples/testWriter.c
+index a77eec71..948cf16f 100644
+--- a/doc/examples/testWriter.c
++++ b/doc/examples/testWriter.c
+@@ -48,14 +48,6 @@ main(void)
+ /* next, the tree version */
+ testXmlwriterTree("writer4.tmp");
+
+- /*
+- * Cleanup function for the XML library.
+- */
+- xmlCleanupParser();
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return 0;
+ }
+
+diff --git a/doc/examples/tree1.c b/doc/examples/tree1.c
+index e8fc8d1b..28fc1b70 100644
+--- a/doc/examples/tree1.c
++++ b/doc/examples/tree1.c
+@@ -78,12 +78,6 @@ main(int argc, char **argv)
+ /*free the document */
+ xmlFreeDoc(doc);
+
+- /*
+- *Free the global variables that may
+- *have been allocated by the parser.
+- */
+- xmlCleanupParser();
+-
+ return 0;
+ }
+ #else
+diff --git a/doc/examples/tree2.c b/doc/examples/tree2.c
+index 83f29a0b..78dcac14 100644
+--- a/doc/examples/tree2.c
++++ b/doc/examples/tree2.c
+@@ -97,16 +97,6 @@ main(int argc, char **argv)
+ /*free the document */
+ xmlFreeDoc(doc);
+
+- /*
+- *Free the global variables that may
+- *have been allocated by the parser.
+- */
+- xmlCleanupParser();
+-
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return(0);
+ }
+ #else
+diff --git a/doc/examples/xpath1.c b/doc/examples/xpath1.c
+index af996e69..14efcbab 100644
+--- a/doc/examples/xpath1.c
++++ b/doc/examples/xpath1.c
+@@ -45,13 +45,6 @@ main(int argc, char **argv) {
+ return(-1);
+ }
+
+- /* Shutdown libxml */
+- xmlCleanupParser();
+-
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return 0;
+ }
+
+diff --git a/doc/examples/xpath2.c b/doc/examples/xpath2.c
+index a17a0256..bf4e631d 100644
+--- a/doc/examples/xpath2.c
++++ b/doc/examples/xpath2.c
+@@ -47,13 +47,6 @@ main(int argc, char **argv) {
+ return(-1);
+ }
+
+- /* Shutdown libxml */
+- xmlCleanupParser();
+-
+- /*
+- * this is to debug memory for regression tests
+- */
+- xmlMemoryDump();
+ return 0;
+ }
+
+--
+2.27.0
+
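Review bot: The `check-local` hunk in doc/examples/Makefile.am removes the line `@$(CHECKER) ./xpath1 test3.xml '//child2' >/dev/null` together with the `.memdump` greps, so the xpath1 example is no longer run by the regression target, which the commit message does not mention. If that is unintended, the line should stay as `@$(CHECKER) ./xpath1 test3.xml '//child2' >/dev/null`. With the `.memdump` greps gone, memory-error detection for the examples depends entirely on what `$(CHECKER)` is set to. A one-line comment above `check-local` stating that (for instance pointing at the `valgrind` target named in the hunk header) would make the expectation explicit.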
diff --git a/backport-xpath-Remove-remaining-references-to-valueFrame.patch b/backport-xpath-Remove-remaining-references-to-valueFrame.patch
new file mode 100644
index 0000000000000000000000000000000000000000..02b70284ca48b985e999b8fa5f1c0a76e40020b7
--- /dev/null
+++ b/backport-xpath-Remove-remaining-references-to-valueFrame.patch
@@ -0,0 +1,53 @@
+From fa993130f91a09c5b8d1454514a4ad44dd54f116 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sun, 30 Apr 2023 12:57:09 +0200
+Subject: [PATCH] xpath: Remove remaining references to valueFrame
+
+Fixes #529.
+---
+ include/libxml/xpath.h | 2 +-
+ include/libxml/xpathInternals.h | 2 +-
+ xpointer.c | 1 -
+ 3 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h
+index b57985a2..6dae0780 100644
+--- a/include/libxml/xpath.h
++++ b/include/libxml/xpath.h
+@@ -400,7 +400,7 @@ struct _xmlXPathParserContext {
+ int xptr; /* it this an XPointer expression */
+ xmlNodePtr ancestor; /* used for walking preceding axis */
+
+- int valueFrame; /* unused */
++ int valueFrame; /* always zero for compatibility */
+ };
+
+ /************************************************************************
+diff --git a/include/libxml/xpathInternals.h b/include/libxml/xpathInternals.h
+index cb0991d7..870055f9 100644
+--- a/include/libxml/xpathInternals.h
++++ b/include/libxml/xpathInternals.h
+@@ -297,7 +297,7 @@ XMLPUBFUN void *
+ if (ctxt == NULL) return; \
+ if (nargs != (x)) \
+ XP_ERROR(XPATH_INVALID_ARITY); \
+- if (ctxt->valueNr < ctxt->valueFrame + (x)) \
++ if (ctxt->valueNr < (x)) \
+ XP_ERROR(XPATH_STACK_ERROR);
+
+ /**
+diff --git a/xpointer.c b/xpointer.c
+index d8c18d7a..73514215 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1248,7 +1248,6 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) {
+ ctxt->valueNr = 0;
+ ctxt->valueMax = 10;
+ ctxt->value = NULL;
+- ctxt->valueFrame = 0;
+ }
+ SKIP_BLANKS;
+ if (CUR == '/') {
+--
+2.27.0
+
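Review bot: The header comment now promises that `valueFrame` is `always zero for compatibility`, but the xpointer.c hunk removes the only visible `ctxt->valueFrame = 0;` assignment, so the guarantee rests on the parser context being zero-filled at allocation, which is not shown here. Code compiled against the older `CHECK_ARITY` macro presumably still evaluates `ctxt->valueNr < ctxt->valueFrame + (x)`, and a stale non-zero value would weaken or break that stack-depth check. Confirm that the allocator clears the struct and say so in the field comment, for example `int valueFrame; /* always zero (context is zero-initialized); kept for compatibility */`. xmlXPtrEvalXPointer continues outside the hunk.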
diff --git a/libxml2-2.11.5.tar.xz b/libxml2-2.11.5.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..578d7a09247404650198dd977d6fda2bf82a0722
Binary files /dev/null and b/libxml2-2.11.5.tar.xz differ
diff --git a/libxml2-2.12.5.tar.xz b/libxml2-2.12.5.tar.xz
deleted file mode 100644
index 01639ce1f2feeebba33b1fac7fb94e73ae29c516..0000000000000000000000000000000000000000
Binary files a/libxml2-2.12.5.tar.xz and /dev/null differ
diff --git a/libxml2.spec b/libxml2.spec
index d235e43ff96b782c961e1af53e01f0c4de812a83..295ab9982274d82c21a71d562a804fa992e8e480 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,12 +1,16 @@
Summary: Library providing XML and HTML support
Name: libxml2
-Version: 2.12.5
-Release: 1
+Version: 2.11.5
+Release: 2
License: MIT
Group: Development/Libraries
Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz
Patch0: libxml2-multilib.patch
+Patch1: backport-CVE-2023-45322.patch
+Patch2: backport-xpath-Remove-remaining-references-to-valueFrame.patch
+Patch3: backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch
+Patch4: backport-CVE-2024-25062.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python3-devel
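Review bot: `Version` goes from 2.12.5 to 2.11.5 with no `Epoch` added, so if 2.12.5-1 was ever published, installed systems will treat this build as older and will not pick it up, including the two CVE backports in Patch1 and Patch4. Either add an `Epoch:` tag or document the required downgrade path. The `%prep` section is outside this hunk, so it is not visible whether Patch1 through Patch4 are actually applied (for example through `%autosetup -p1` or explicit `%patch` lines); declaring them alone does not apply them. The changelog kept below already lists 2.11.5-2, so reusing `Release: 2` may collide with an earlier build of the same version and release.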
@@ -158,12 +162,6 @@ rm -fr %{buildroot}
%changelog
-* Wed Feb 28 2024 Zhipeng Xie - 2.12.5-1
-- Type:enhancement
-- CVE:NA
-- SUG:NA
-- DESC:upgrade to upstream v2.12.5
-
* Mon Feb 05 2024 Paul Thomas - 2.11.5-2
- Type:CVE
- CVE:CVE-2024-25062