From 64e9cb1a3040e12d9567203513a1be5123c9a52b Mon Sep 17 00:00:00 2001
From: baiguo
Date: Tue, 19 Jul 2022 14:13:59 +0800
Subject: [PATCH] fix CVE-2022-2309

---
 CVE-2022-2309.patch | 95 +++++++++++++++++++++++++++++++++++++++++++++
 python-lxml.spec | 7 +++-
 2 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-2309.patch

diff --git a/CVE-2022-2309.patch b/CVE-2022-2309.patch
new file mode 100644
index 0000000..105f3a3
--- /dev/null
+++ b/CVE-2022-2309.patch
@@ -0,0 +1,95 @@
+From b19713dd42d25342db70a0d61215096bdf637e7e Mon Sep 17 00:00:00 2001
+From: baiguo
+Date: Tue, 19 Jul 2022 14:03:16 +0800
+Subject: [PATCH] =?UTF-8?q?Fix=20a=20crash=20when=20incorrect=20parser=20i?=
+ =?UTF-8?q?nput=20occurs=20together=20with=20usages=20o=E2=80=A6?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ src/lxml/apihelpers.pxi | 7 ++++---
+ src/lxml/iterparse.pxi | 11 ++++++-----
+ src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
+index 5eb3416..88a031d 100644
+--- a/src/lxml/apihelpers.pxi
++++ b/src/lxml/apihelpers.pxi
+@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
+ while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- prefix = funicodeOrNone(c_ns.prefix)
+- if prefix not in nsmap:
+- nsmap[prefix] = funicodeOrNone(c_ns.href)
++ if c_ns.prefix or c_ns.href:
++ prefix = funicodeOrNone(c_ns.prefix)
++ if prefix not in nsmap:
++ nsmap[prefix] = funicodeOrNone(c_ns.href)
+ c_ns = c_ns.next
+ c_node = c_node.parent
+ return nsmap
+diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
+index 4c20506..3da7485 100644
+--- a/src/lxml/iterparse.pxi
++++ b/src/lxml/iterparse.pxi
+@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node):
+ count = 0
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- count += 1
++ count += (c_ns.href is not NULL)
+ c_ns = c_ns.next
+ return count
+
+@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
+ count = 0
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
+- funicode(c_ns.href))
+- event_list.append( (u"start-ns", ns_tuple) )
+- count += 1
++ if c_ns.href:
++ ns_tuple = (funicodeOrEmpty(c_ns.prefix),
++ funicode(c_ns.href))
++ event_list.append( (u"start-ns", ns_tuple) )
++ count += 1
+ c_ns = c_ns.next
+ return count
+diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
+index ef5c54b..7b85596 100644
+--- a/src/lxml/tests/test_etree.py
++++ b/src/lxml/tests/test_etree.py
+@@ -1459,6 +1459,26 @@ class ETreeOnlyTestCase(HelperTestCase):
+ [1,2,1,4],
+ counts)
+
++ def test_walk_after_parse_failure(self):
++ # This used to be an issue because libxml2 can leak empty namespaces
++ # between failed parser runs. iterwalk() failed to handle such a tree.
++ try:
++ etree.XML('''''')
++ except etree.XMLSyntaxError:
++ pass
++ else:
++ assert False, "invalid input did not fail to parse"
++
++ et = etree.XML(''' ''')
++ try:
++ ns = next(etree.iterwalk(et, events=('start-ns',)))
++ except StopIteration:
++ # This would be the expected result, because there was no namespace
++ pass
++ else:
++ # This is a bug in libxml2
++ assert not ns, repr(ns)
++
+ def test_itertext_comment_pi(self):
+ # https://bugs.launchpad.net/lxml/+bug/1844674
+ XML = self.etree.XML
+--
+2.33.0
+
diff --git a/python-lxml.spec b/python-lxml.spec
index 53346f4..e58c23e 100644
--- a/python-lxml.spec
+++ b/python-lxml.spec
@@ -7,12 +7,14 @@ The latest release works with all CPython versions from 2.7 to 3.7.
 Name: python-%{modname}
 Version: 4.7.1
-Release: 2
+Release: 3
 Summary: XML processing library combining libxml2/libxslt with the ElementTree API
 License: BSD
 URL: https://github.com/lxml/lxml
 Source0: https://github.com/lxml/lxml/releases/download/lxml-4.7.1/lxml-4.7.1.tar.gz
+Patch1000: CVE-2022-2309.patch
+
 BuildRequires: gcc libxml2-devel libxslt-devel
 %description
 %{_description}
@@ -50,6 +52,9 @@ make test3
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
 %changelog
+* Tue Jul 19 2022 Bai guo - 4.7.1-3
+- Fix CVE-2022-2309
+
 * Wed Jan 19 2022 shixuantong - 4.7.1-2
 - enable check
--
Gitee
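Review bot: In the embedded `_build_nsmap` hunk the new guard is `if c_ns.prefix or c_ns.href:`, which is looser than the `if c_ns.href:` and `c_ns.href is not NULL` checks the same patch adds to `_appendStartNsEvents` and `_countNsDefs`. An nsDef entry with a prefix but a NULL href would be skipped by the iterparse code yet still stored in nsmap, presumably as `prefix: None` judging by the `funicodeOrNone` name. If the difference is deliberate, a comment above the guard such as `# libxml2 can leak nsDef entries with no prefix and no href after a failed parse; skip those` would record why the two files test different things. Because this is a backported security fix, the patch header should also name its origin with a line like `Upstream: <upstream commit URL>`, so the backport can be compared against the original; the page shows only the packager as author and a truncated subject. All three functions begin outside their hunks.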
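Review bot: `Patch1000: CVE-2022-2309.patch` only declares the patch, and neither spec hunk touches `%prep`, so whether the fix is actually applied depends on lines outside this diff. If `%prep` uses `%autosetup -p1` the patch is picked up automatically; if it uses plain `%setup`, a `%patch1000 -p1` line is needed, otherwise 4.7.1-3 would ship with a changelog entry claiming the CVE is fixed while the sources are unpatched. The build log should be checked for the patch being applied before this release is treated as remediated.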