Compare commits
10 Commits
c9dc397231
...
68e024f89b
| Author | SHA1 | Date | |
|---|---|---|---|
|
68e024f89b | ||
|
|
f9e8490034 | ||
|
|
cbe7be18e3 | ||
|
|
d9c8ce795f | ||
|
|
0e164f4c01 | ||
|
|
4d4420d07a | ||
|
|
4508765510 | ||
|
|
8e6046164f | ||
|
|
e864c8e0df | ||
|
|
ff159e8f17 |
@ -1,29 +0,0 @@
|
||||
From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 14 Oct 2023 22:45:54 +0200
|
||||
Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
|
||||
backtracking
|
||||
|
||||
Fixes a use-after-free if XML Reader if used with DTD validation and
|
||||
XInclude expansion.
|
||||
|
||||
Fixes #604.
|
||||
---
|
||||
xmlreader.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/xmlreader.c b/xmlreader.c
|
||||
index 979385a13..fefd68e0b 100644
|
||||
--- a/xmlreader.c
|
||||
+++ b/xmlreader.c
|
||||
@@ -1443,6 +1443,7 @@ node_found:
|
||||
* Handle XInclude if asked for
|
||||
*/
|
||||
if ((reader->xinclude) && (reader->in_xinclude == 0) &&
|
||||
+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
|
||||
(reader->node != NULL) &&
|
||||
(reader->node->type == XML_ELEMENT_NODE) &&
|
||||
(reader->node->ns != NULL) &&
|
||||
--
|
||||
GitLab
|
||||
|
||||
41
backport-CVE-2024-56171.patch
Normal file
41
backport-CVE-2024-56171.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 10 Dec 2024 16:52:05 +0100
|
||||
Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
|
||||
xmlSchemaItemListAdd
|
||||
|
||||
xmlSchemaItemListAdd can reallocate the items array. Update local
|
||||
variables after adding item in
|
||||
|
||||
- xmlSchemaIDCFillNodeTables
|
||||
- xmlSchemaBubbleIDCNodeTables
|
||||
|
||||
Fixes #828.
|
||||
---
|
||||
xmlschemas.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index d276faf10..28b14bd44 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -23388,6 +23388,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
|
||||
}
|
||||
if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
|
||||
goto internal_error;
|
||||
+ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
|
||||
/*
|
||||
* Remove the duplicate entry from the IDC node-table.
|
||||
*/
|
||||
@@ -23604,6 +23605,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
|
||||
goto internal_error;
|
||||
}
|
||||
xmlSchemaItemListAdd(parBind->dupls, parNode);
|
||||
+ dupls = (xmlSchemaPSVIIDCNodePtr *)
|
||||
+ parBind->dupls->items;
|
||||
} else {
|
||||
/*
|
||||
* Add the node-table entry (node and key-sequence) of
|
||||
--
|
||||
GitLab
|
||||
|
||||
57
backport-CVE-2025-24928.patch
Normal file
57
backport-CVE-2025-24928.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 11 Feb 2025 17:30:40 +0100
|
||||
Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
|
||||
xmlSnprintfElements
|
||||
|
||||
Fixes #847.
|
||||
---
|
||||
valid.c | 25 +++++++++++++------------
|
||||
1 file changed, 13 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/valid.c b/valid.c
|
||||
index 76d657d62..abefdc50a 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -5057,25 +5057,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
|
||||
return;
|
||||
}
|
||||
switch (cur->type) {
|
||||
- case XML_ELEMENT_NODE:
|
||||
+ case XML_ELEMENT_NODE: {
|
||||
+ int qnameLen = xmlStrlen(cur->name);
|
||||
+
|
||||
+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
|
||||
+ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
|
||||
+ if (size - len < qnameLen + 10) {
|
||||
+ if ((size - len > 4) && (buf[len - 1] != '.'))
|
||||
+ strcat(buf, " ...");
|
||||
+ return;
|
||||
+ }
|
||||
if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
|
||||
- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
|
||||
- if ((size - len > 4) && (buf[len - 1] != '.'))
|
||||
- strcat(buf, " ...");
|
||||
- return;
|
||||
- }
|
||||
strcat(buf, (char *) cur->ns->prefix);
|
||||
strcat(buf, ":");
|
||||
}
|
||||
- if (size - len < xmlStrlen(cur->name) + 10) {
|
||||
- if ((size - len > 4) && (buf[len - 1] != '.'))
|
||||
- strcat(buf, " ...");
|
||||
- return;
|
||||
- }
|
||||
- strcat(buf, (char *) cur->name);
|
||||
+ if (cur->name != NULL)
|
||||
+ strcat(buf, (char *) cur->name);
|
||||
if (cur->next != NULL)
|
||||
strcat(buf, " ");
|
||||
break;
|
||||
+ }
|
||||
case XML_TEXT_NODE:
|
||||
if (xmlIsBlankNode(cur))
|
||||
break;
|
||||
--
|
||||
GitLab
|
||||
|
||||
31
backport-CVE-2025-27113.patch
Normal file
31
backport-CVE-2025-27113.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 13 Feb 2025 16:48:53 +0100
|
||||
Subject: [PATCH] pattern: Fix compilation of explicit child axis
|
||||
|
||||
The child axis is the default axis and should generate XML_OP_ELEM like
|
||||
the case without an axis.
|
||||
---
|
||||
pattern.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/pattern.c b/pattern.c
|
||||
index 55ae2d3e5..b0f7f1601 100644
|
||||
--- a/pattern.c
|
||||
+++ b/pattern.c
|
||||
@@ -1164,10 +1164,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) {
|
||||
goto error;
|
||||
}
|
||||
} else {
|
||||
- PUSH(XML_OP_CHILD, token, URL);
|
||||
+ PUSH(XML_OP_ELEM, token, URL);
|
||||
}
|
||||
} else
|
||||
- PUSH(XML_OP_CHILD, name, NULL);
|
||||
+ PUSH(XML_OP_ELEM, name, NULL);
|
||||
return;
|
||||
} else if (xmlStrEqual(name, (const xmlChar *) "attribute")) {
|
||||
XML_PAT_FREE_STRING(ctxt, name)
|
||||
--
|
||||
GitLab
|
||||
|
||||
73
backport-CVE-2025-32414.patch
Normal file
73
backport-CVE-2025-32414.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
|
||||
From: Maks Verver <maks@verver.ch>
|
||||
Date: Tue, 8 Apr 2025 13:13:55 +0200
|
||||
Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
|
||||
|
||||
Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
|
||||
---
|
||||
python/libxml.c | 28 ++++++++++++++++++----------
|
||||
1 file changed, 18 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/python/libxml.c b/python/libxml.c
|
||||
index 1fe8d6850..2bf140786 100644
|
||||
--- a/python/libxml.c
|
||||
+++ b/python/libxml.c
|
||||
@@ -266,7 +266,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
|
||||
#endif
|
||||
file = (PyObject *) context;
|
||||
if (file == NULL) return(-1);
|
||||
- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len);
|
||||
+ /* When read() returns a string, the length is in characters not bytes, so
|
||||
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
|
||||
+ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
|
||||
if (ret == NULL) {
|
||||
printf("xmlPythonFileReadRaw: result is NULL\n");
|
||||
return(-1);
|
||||
@@ -301,10 +303,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
|
||||
Py_DECREF(ret);
|
||||
return(-1);
|
||||
}
|
||||
- if (lenread > len)
|
||||
- memcpy(buffer, data, len);
|
||||
- else
|
||||
- memcpy(buffer, data, lenread);
|
||||
+ if (lenread < 0 || lenread > len) {
|
||||
+ printf("xmlPythonFileReadRaw: invalid lenread\n");
|
||||
+ Py_DECREF(ret);
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ memcpy(buffer, data, lenread);
|
||||
Py_DECREF(ret);
|
||||
return(lenread);
|
||||
}
|
||||
@@ -331,7 +335,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
|
||||
#endif
|
||||
file = (PyObject *) context;
|
||||
if (file == NULL) return(-1);
|
||||
- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
|
||||
+ /* When io_read() returns a string, the length is in characters not bytes, so
|
||||
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
|
||||
+ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
|
||||
if (ret == NULL) {
|
||||
printf("xmlPythonFileRead: result is NULL\n");
|
||||
return(-1);
|
||||
@@ -366,10 +372,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
|
||||
Py_DECREF(ret);
|
||||
return(-1);
|
||||
}
|
||||
- if (lenread > len)
|
||||
- memcpy(buffer, data, len);
|
||||
- else
|
||||
- memcpy(buffer, data, lenread);
|
||||
+ if (lenread < 0 || lenread > len) {
|
||||
+ printf("xmlPythonFileRead: invalid lenread\n");
|
||||
+ Py_DECREF(ret);
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ memcpy(buffer, data, lenread);
|
||||
Py_DECREF(ret);
|
||||
return(lenread);
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
||||
38
backport-CVE-2025-32415.patch
Normal file
38
backport-CVE-2025-32415.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 6 Apr 2025 12:41:11 +0200
|
||||
Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in
|
||||
xmlSchemaIDCFillNodeTables
|
||||
|
||||
Don't use local variable which could contain a stale value.
|
||||
|
||||
Fixes #890.
|
||||
---
|
||||
xmlschemas.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index e35c117ef..4bdabd129 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -23324,7 +23324,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
|
||||
j++;
|
||||
} while (j < nbDupls);
|
||||
}
|
||||
- if (nbNodeTable) {
|
||||
+ if (bind->nbNodes) {
|
||||
j = 0;
|
||||
do {
|
||||
if (nbFields == 1) {
|
||||
@@ -23375,7 +23375,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
|
||||
|
||||
next_node_table_entry:
|
||||
j++;
|
||||
- } while (j < nbNodeTable);
|
||||
+ } while (j < bind->nbNodes);
|
||||
}
|
||||
/*
|
||||
* If everything is fine, then add the IDC target-node to
|
||||
--
|
||||
GitLab
|
||||
|
||||
Binary file not shown.
BIN
libxml2-2.11.9.tar.xz
Normal file
BIN
libxml2-2.11.9.tar.xz
Normal file
Binary file not shown.
47
libxml2.spec
47
libxml2.spec
@ -1,7 +1,7 @@
|
||||
Summary: Library providing XML and HTML support
|
||||
Name: libxml2
|
||||
Version: 2.11.5
|
||||
Release: 2
|
||||
Version: 2.11.9
|
||||
Release: 3
|
||||
License: MIT
|
||||
Group: Development/Libraries
|
||||
Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz
|
||||
@ -10,9 +10,12 @@ Patch0: libxml2-multilib.patch
|
||||
Patch1: backport-CVE-2023-45322.patch
|
||||
Patch2: backport-xpath-Remove-remaining-references-to-valueFrame.patch
|
||||
Patch3: backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch
|
||||
Patch4: backport-CVE-2024-25062.patch
|
||||
Patch4: backport-CVE-2024-56171.patch
|
||||
Patch5: backport-CVE-2025-24928.patch
|
||||
Patch6: backport-CVE-2025-27113.patch
|
||||
Patch7: backport-CVE-2025-32414.patch
|
||||
Patch8: backport-CVE-2025-32415.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig
|
||||
@ -104,21 +107,12 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/*
|
||||
gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
|
||||
%check
|
||||
make runtests
|
||||
%make_build runtests
|
||||
|
||||
(cd doc/examples ; make clean ; rm -rf .deps Makefile)
|
||||
|
||||
%clean
|
||||
rm -fr %{buildroot}
|
||||
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%files
|
||||
%defattr(-, root, root)
|
||||
|
||||
%doc %{_datadir}/doc/libxml2
|
||||
|
||||
%{_libdir}/lib*.so.*
|
||||
@ -126,8 +120,6 @@ rm -fr %{buildroot}
|
||||
%{_bindir}/xmlcatalog
|
||||
|
||||
%files devel
|
||||
%defattr(-, root, root)
|
||||
|
||||
%doc NEWS README.md Copyright
|
||||
%doc doc/tutorial doc/libxml2-api.xml.gz
|
||||
%doc doc/examples
|
||||
@ -147,8 +139,6 @@ rm -fr %{buildroot}
|
||||
%{_libdir}/*.a
|
||||
|
||||
%files -n python3-%{name}
|
||||
%defattr(-, root, root)
|
||||
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
%{python3_sitelib}/*.py
|
||||
%{python3_sitelib}/__pycache__/*.pyc
|
||||
@ -162,6 +152,27 @@ rm -fr %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Apr 14 2025 Funda Wang <fundawang@yeah.net> - 2.11.9-3
|
||||
- fix CVE-2025-32414, CVE-2025-32415
|
||||
|
||||
* Wed Feb 19 2025 Funda Wang <fundawang@yeah.net> - 2.11.9-2
|
||||
- fix CVE-2024-56171, CVE-2025-24928, CVE-2025-27113
|
||||
|
||||
* Tue Jul 30 2024 Funda Wang <fundawang@yeah.net> - 2.11.9-1
|
||||
- update to 2.11.9
|
||||
|
||||
* Mon Jul 29 2024 Funda Wang <fundawang@yeah.net> - 2.11.5-4
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-40896
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2024-40896
|
||||
|
||||
* Fri May 17 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.11.5-3
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-34459
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2024-34459
|
||||
|
||||
* Mon Feb 05 2024 Paul Thomas <paulthomas100199@gmail.com> - 2.11.5-2
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-25062
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user