
f74686
From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001
f74686
From: Nick Wellnhofer <wellnhofer@aevum.de>
f74686
Date: Wed, 10 Jun 2020 16:34:52 +0200
f74686
Subject: [PATCH 1/2] Don't recurse into xi:include children in
f74686
 xmlXIncludeDoProcess
f74686
f74686
Otherwise, nested xi:include nodes might result in a use-after-free
f74686
if XML_PARSE_NOXINCNODE is specified.
f74686
f74686
Found with libFuzzer and ASan.
f74686
---
f74686
 result/XInclude/fallback3.xml     |  8 ++++++++
f74686
 result/XInclude/fallback3.xml.err |  0
f74686
 result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
f74686
 result/XInclude/fallback4.xml     | 10 ++++++++++
f74686
 result/XInclude/fallback4.xml.err |  0
f74686
 result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
f74686
 test/XInclude/docs/fallback3.xml  |  9 +++++++++
f74686
 test/XInclude/docs/fallback4.xml  |  7 +++++++
f74686
 xinclude.c                        | 24 ++++++++++--------------
f74686
 9 files changed, 98 insertions(+), 14 deletions(-)
f74686
 create mode 100644 result/XInclude/fallback3.xml
f74686
 create mode 100644 result/XInclude/fallback3.xml.err
f74686
 create mode 100644 result/XInclude/fallback3.xml.rdr
f74686
 create mode 100644 result/XInclude/fallback4.xml
f74686
 create mode 100644 result/XInclude/fallback4.xml.err
f74686
 create mode 100644 result/XInclude/fallback4.xml.rdr
f74686
 create mode 100644 test/XInclude/docs/fallback3.xml
f74686
 create mode 100644 test/XInclude/docs/fallback4.xml
f74686
f74686
diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
f74686
new file mode 100644
f74686
index 00000000..b4235514
f74686
--- /dev/null
f74686
+++ b/result/XInclude/fallback3.xml
f74686
@@ -0,0 +1,8 @@
f74686
+
f74686
+
f74686
+    <doc xml:base="../ents/something.xml">
f74686
+

something

f74686
+

really

f74686
+

simple

f74686
+</doc>
f74686
+
f74686
diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
f74686
new file mode 100644
f74686
index 00000000..e69de29b
f74686
diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
f74686
new file mode 100644
f74686
index 00000000..aa2f1374
f74686
--- /dev/null
f74686
+++ b/result/XInclude/fallback3.xml.rdr
f74686
@@ -0,0 +1,25 @@
f74686
+0 1 a 0 0
f74686
+1 14 #text 0 1 
f74686
+    
f74686
+1 1 doc 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+2 1 p 0 0
f74686
+3 3 #text 0 1 something
f74686
+2 15 p 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+2 1 p 0 0
f74686
+3 3 #text 0 1 really
f74686
+2 15 p 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+2 1 p 0 0
f74686
+3 3 #text 0 1 simple
f74686
+2 15 p 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+1 15 doc 0 0
f74686
+1 14 #text 0 1 
f74686
+
f74686
+0 15 a 0 0
f74686
diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
f74686
new file mode 100644
f74686
index 00000000..9883fd54
f74686
--- /dev/null
f74686
+++ b/result/XInclude/fallback4.xml
f74686
@@ -0,0 +1,10 @@
f74686
+
f74686
+
f74686
+    
f74686
+            <doc xml:base="../ents/something.xml">
f74686
+

something

f74686
+

really

f74686
+

simple

f74686
+</doc>
f74686
+        
f74686
+
f74686
diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
f74686
new file mode 100644
f74686
index 00000000..e69de29b
f74686
diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
f74686
new file mode 100644
f74686
index 00000000..628b9513
f74686
--- /dev/null
f74686
+++ b/result/XInclude/fallback4.xml.rdr
f74686
@@ -0,0 +1,29 @@
f74686
+0 1 a 0 0
f74686
+1 14 #text 0 1 
f74686
+    
f74686
+1 14 #text 0 1 
f74686
+            
f74686
+1 1 doc 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+2 1 p 0 0
f74686
+3 3 #text 0 1 something
f74686
+2 15 p 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+2 1 p 0 0
f74686
+3 3 #text 0 1 really
f74686
+2 15 p 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+2 1 p 0 0
f74686
+3 3 #text 0 1 simple
f74686
+2 15 p 0 0
f74686
+2 14 #text 0 1 
f74686
+
f74686
+1 15 doc 0 0
f74686
+1 14 #text 0 1 
f74686
+        
f74686
+1 14 #text 0 1 
f74686
+
f74686
+0 15 a 0 0
f74686
diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
f74686
new file mode 100644
f74686
index 00000000..0c8b6c9e
f74686
--- /dev/null
f74686
+++ b/test/XInclude/docs/fallback3.xml
f74686
@@ -0,0 +1,9 @@
f74686
+
f74686
+    <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
f74686
+        <xi:fallback>
f74686
+            <xi:include href="c.xml">
f74686
+                <xi:fallback>There is no c.xml ... </xi:fallback>
f74686
+            </xi:include>
f74686
+        </xi:fallback>
f74686
+    </xi:include>
f74686
+
f74686
diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
f74686
new file mode 100644
f74686
index 00000000..b500a635
f74686
--- /dev/null
f74686
+++ b/test/XInclude/docs/fallback4.xml
f74686
@@ -0,0 +1,7 @@
f74686
+
f74686
+    <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
f74686
+        <xi:fallback>
f74686
+            <xi:include href="../ents/something.xml"/>
f74686
+        </xi:fallback>
f74686
+    </xi:include>
f74686
+
f74686
diff --git a/xinclude.c b/xinclude.c
f74686
index ba850fa5..f260c1a7 100644
f74686
--- a/xinclude.c
f74686
+++ b/xinclude.c
f74686
@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
f74686
      * First phase: lookup the elements in the document
f74686
      */
f74686
     cur = tree;
f74686
-    if (xmlXIncludeTestNode(ctxt, cur) == 1)
f74686
-	xmlXIncludePreProcessNode(ctxt, cur);
f74686
     while ((cur != NULL) && (cur != tree->parent)) {
f74686
 	/* TODO: need to work on entities -> stack */
f74686
-	if ((cur->children != NULL) &&
f74686
-	    (cur->children->type != XML_ENTITY_DECL) &&
f74686
-	    (cur->children->type != XML_XINCLUDE_START) &&
f74686
-	    (cur->children->type != XML_XINCLUDE_END)) {
f74686
-	    cur = cur->children;
f74686
-	    if (xmlXIncludeTestNode(ctxt, cur))
f74686
-		xmlXIncludePreProcessNode(ctxt, cur);
f74686
-	} else if (cur->next != NULL) {
f74686
+        if (xmlXIncludeTestNode(ctxt, cur) == 1) {
f74686
+            xmlXIncludePreProcessNode(ctxt, cur);
f74686
+        } else if ((cur->children != NULL) &&
f74686
+                   (cur->children->type != XML_ENTITY_DECL) &&
f74686
+                   (cur->children->type != XML_XINCLUDE_START) &&
f74686
+                   (cur->children->type != XML_XINCLUDE_END)) {
f74686
+            cur = cur->children;
f74686
+            continue;
f74686
+        }
f74686
+	if (cur->next != NULL) {
f74686
 	    cur = cur->next;
f74686
-	    if (xmlXIncludeTestNode(ctxt, cur))
f74686
-		xmlXIncludePreProcessNode(ctxt, cur);
f74686
 	} else {
f74686
 	    if (cur == tree)
f74686
 	        break;
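Review bot: The new branch at the top of the loop body carries no comment explaining why an xi:include node is pre-processed but never descended into, which is the whole point of the change; a line above `if (xmlXIncludeTestNode(ctxt, cur) == 1) {` such as `/* Don't recurse into xi:include children: with XML_PARSE_NOXINCNODE, nested includes can lead to a use-after-free. */` would keep a later maintainer from reinstating the descent. The added lines are indented with eight spaces while the surrounding loop body, including the retained `if (cur->next != NULL) {` directly below them, uses tabs, so the file's tab indentation should be matched. The inner check now compares the return value with `== 1` where the removed lines tested for non-zero, which is only equivalent if xmlXIncludeTestNode never returns another non-zero value; that cannot be confirmed from this hunk. xmlXIncludeDoProcess starts before and continues after this hunk.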
f74686
@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
f74686
 		    break; /* do */
f74686
 		if (cur->next != NULL) {
f74686
 		    cur = cur->next;
f74686
-		    if (xmlXIncludeTestNode(ctxt, cur))
f74686
-			xmlXIncludePreProcessNode(ctxt, cur);
f74686
 		    break; /* do */
f74686
 		}
f74686
 	    } while (cur != NULL);
f74686
-- 
f74686
2.31.1
f74686
f74686
f74686
From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001
f74686
From: Nick Wellnhofer <wellnhofer@aevum.de>
f74686
Date: Thu, 22 Apr 2021 19:26:28 +0200
f74686
Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
f74686
f74686
The --dropdtd option can leave dangling pointers in entity reference
f74686
nodes. Make sure to skip these nodes when processing XIncludes.
f74686
f74686
This also avoids scanning entity declarations and even modifying
f74686
them inadvertently during XInclude processing.
f74686
f74686
Move from a block list to an allow list approach to avoid descending
f74686
into other node types that can't contain elements.
f74686
f74686
Fixes #237.
f74686
---
f74686
 xinclude.c | 5 ++---
f74686
 1 file changed, 2 insertions(+), 3 deletions(-)
f74686
f74686
diff --git a/xinclude.c b/xinclude.c
f74686
index f260c1a7..d7648529 100644
f74686
--- a/xinclude.c
f74686
+++ b/xinclude.c
f74686
@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
f74686
         if (xmlXIncludeTestNode(ctxt, cur) == 1) {
f74686
             xmlXIncludePreProcessNode(ctxt, cur);
f74686
         } else if ((cur->children != NULL) &&
f74686
-                   (cur->children->type != XML_ENTITY_DECL) &&
f74686
-                   (cur->children->type != XML_XINCLUDE_START) &&
f74686
-                   (cur->children->type != XML_XINCLUDE_END)) {
f74686
+                   ((cur->type == XML_DOCUMENT_NODE) ||
f74686
+                    (cur->type == XML_ELEMENT_NODE))) {
f74686
             cur = cur->children;
f74686
             continue;
f74686
         }
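Review bot: The allow list in the new `(cur->type == XML_DOCUMENT_NODE) || (cur->type == XML_ELEMENT_NODE)` test admits only two node types, and it is not visible here whether xmlXIncludeDoProcess can be entered with a tree rooted at an HTML document or a document fragment, whose children can also be elements; if it can, such trees would no longer be scanned for xi:include nodes, so this is worth confirming against the callers. The rationale for the allow list lives only in the commit message; a comment above the `else if`, e.g. `/* Only descend into documents and elements: entity reference nodes can carry dangling children (e.g. after --dropdtd) and other node types cannot contain elements. */`, would preserve it in the source. The new lines continue the eight-space indentation introduced by the previous patch while the rest of the function uses tabs. The enclosing function starts before and ends after this hunk.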
f74686
-- 
f74686
2.31.1
f74686