From d9c8ce795f26b1416707a2a6accb4a4e275f6a59 Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Wed, 19 Feb 2025 14:02:28 +0800 Subject: [PATCH] fix CVE-2024-56171, CVE-2025-24928, CVE-2025-27113 (cherry picked from commit 9efb27c3c959b8e7fea4d94069bdc91f511942c4) --- backport-CVE-2024-56171.patch | 41 +++++++++++++++++++++++++ backport-CVE-2025-24928.patch | 57 +++++++++++++++++++++++++++++++++++ backport-CVE-2025-27113.patch | 31 +++++++++++++++++++ libxml2.spec | 8 ++++- 4 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-56171.patch create mode 100644 backport-CVE-2025-24928.patch create mode 100644 backport-CVE-2025-27113.patch diff --git a/backport-CVE-2024-56171.patch b/backport-CVE-2024-56171.patch new file mode 100644 index 0000000..96a2ab1 --- /dev/null +++ b/backport-CVE-2024-56171.patch @@ -0,0 +1,41 @@ +From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 10 Dec 2024 16:52:05 +0100 +Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after + xmlSchemaItemListAdd + +xmlSchemaItemListAdd can reallocate the items array. Update local +variables after adding item in + +- xmlSchemaIDCFillNodeTables +- xmlSchemaBubbleIDCNodeTables + +Fixes #828. +--- + xmlschemas.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index d276faf10..28b14bd44 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -23388,6 +23388,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + } + if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1) + goto internal_error; ++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items; + /* + * Remove the duplicate entry from the IDC node-table. + */ +@@ -23604,6 +23605,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt) + goto internal_error; + } + xmlSchemaItemListAdd(parBind->dupls, parNode); ++ dupls = (xmlSchemaPSVIIDCNodePtr *) ++ parBind->dupls->items; + } else { + /* + * Add the node-table entry (node and key-sequence) of +-- +GitLab + diff --git a/backport-CVE-2025-24928.patch b/backport-CVE-2025-24928.patch new file mode 100644 index 0000000..22e5686 --- /dev/null +++ b/backport-CVE-2025-24928.patch @@ -0,0 +1,57 @@ +From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 11 Feb 2025 17:30:40 +0100 +Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in + xmlSnprintfElements + +Fixes #847. +--- + valid.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/valid.c b/valid.c +index 76d657d62..abefdc50a 100644 +--- a/valid.c ++++ b/valid.c +@@ -5057,25 +5057,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) { + return; + } + switch (cur->type) { +- case XML_ELEMENT_NODE: ++ case XML_ELEMENT_NODE: { ++ int qnameLen = xmlStrlen(cur->name); ++ ++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) ++ qnameLen += xmlStrlen(cur->ns->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ if ((size - len > 4) && (buf[len - 1] != '.')) ++ strcat(buf, " ..."); ++ return; ++ } + if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { +- if (size - len < xmlStrlen(cur->ns->prefix) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) cur->ns->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(cur->name) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } +- strcat(buf, (char *) cur->name); ++ if (cur->name != NULL) ++ strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; ++ } + case XML_TEXT_NODE: + if (xmlIsBlankNode(cur)) + break; +-- +GitLab + diff --git a/backport-CVE-2025-27113.patch b/backport-CVE-2025-27113.patch new file mode 100644 index 0000000..89710c0 --- /dev/null +++ b/backport-CVE-2025-27113.patch @@ -0,0 +1,31 @@ +From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 13 Feb 2025 16:48:53 +0100 +Subject: [PATCH] pattern: Fix compilation of explicit child axis + +The child axis is the default axis and should generate XML_OP_ELEM like +the case without an axis. +--- + pattern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pattern.c b/pattern.c +index 55ae2d3e5..b0f7f1601 100644 +--- a/pattern.c ++++ b/pattern.c +@@ -1164,10 +1164,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) { + goto error; + } + } else { +- PUSH(XML_OP_CHILD, token, URL); ++ PUSH(XML_OP_ELEM, token, URL); + } + } else +- PUSH(XML_OP_CHILD, name, NULL); ++ PUSH(XML_OP_ELEM, name, NULL); + return; + } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) { + XML_PAT_FREE_STRING(ctxt, name) +-- +GitLab + diff --git a/libxml2.spec b/libxml2.spec index eb33712..9f5be1d 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.11.9 -Release: 1 +Release: 2 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz @@ -10,6 +10,9 @@ Patch0: libxml2-multilib.patch Patch1: backport-CVE-2023-45322.patch Patch2: backport-xpath-Remove-remaining-references-to-valueFrame.patch Patch3: backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch +Patch4: backport-CVE-2024-56171.patch +Patch5: backport-CVE-2025-24928.patch +Patch6: backport-CVE-2025-27113.patch BuildRequires: python3-devel BuildRequires: zlib-devel @@ -147,6 +150,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %changelog +* Wed Feb 19 2025 Funda Wang - 2.11.9-2 +- fix CVE-2024-56171, CVE-2025-24928, CVE-2025-27113 + * Tue Jul 30 2024 Funda Wang - 2.11.9-1 - update to 2.11.9 -- Gitee