From 1b2bf5e786a313a8c28369d5b70a2d2a7e3aa823 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 07:03:26 +0000 Subject: import libxml2-2.9.1-6.el7.5 --- diff --git a/SOURCES/libxml2-2.9.1-CVE-2019-19956.patch b/SOURCES/libxml2-2.9.1-CVE-2019-19956.patch new file mode 100644 index 0000000..5bfb5d5 --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2019-19956.patch @@ -0,0 +1,33 @@ +From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Wed, 7 Aug 2019 17:39:17 +0800 +Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover + +When doc is NULL, namespace created in xmlTreeEnsureXMLDecl +is bind to newDoc->oldNs, in this case, set newDoc->oldNs to +NULL and free newDoc will cause a memory leak. + +Found with libFuzzer. + +Closes #82. +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 1ce1ccf1..26d9f4e3 100644 +--- a/parser.c ++++ b/parser.c +@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax, + xmlFreeParserCtxt(ctxt); + newDoc->intSubset = NULL; + newDoc->extSubset = NULL; +- newDoc->oldNs = NULL; ++ if(doc != NULL) ++ newDoc->oldNs = NULL; + xmlFreeDoc(newDoc); + + return(ret); +-- +2.24.1 + diff --git a/SOURCES/libxml2-2.9.1-CVE-2019-20388.patch b/SOURCES/libxml2-2.9.1-CVE-2019-20388.patch new file mode 100644 index 0000000..a6f4082 --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2019-20388.patch @@ -0,0 +1,33 @@ +From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c8449..39d92182 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.24.2 + diff --git a/SOURCES/libxml2-2.9.1-CVE-2020-7595.patch b/SOURCES/libxml2-2.9.1-CVE-2020-7595.patch new file mode 100644 index 0000000..c1b996f --- /dev/null +++ b/SOURCES/libxml2-2.9.1-CVE-2020-7595.patch @@ -0,0 +1,32 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.24.2 + diff --git a/SOURCES/libxml2-2.9.1-xsd-any.patch b/SOURCES/libxml2-2.9.1-xsd-any.patch new file mode 100644 index 0000000..5a14deb --- /dev/null +++ b/SOURCES/libxml2-2.9.1-xsd-any.patch @@ -0,0 +1,85 @@ +From e8c9cd5c7a0d2ea95edf08b13af3baabce62dd63 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 16 Sep 2019 15:36:02 +0200 +Subject: [PATCH] Fix Schema determinism check of ##other namespaces + +Non-compound (##local) and compound string atoms are always disjoint +regardless of whether the compound atom is negated (##other). + +Closes #40. +--- + result/schemas/issue40_0_0 | 1 + + result/schemas/issue40_0_0.err | 0 + test/schemas/issue40_0.xml | 3 +++ + test/schemas/issue40_0.xsd | 10 ++++++++++ + xmlregexp.c | 15 ++++++++++++--- + 5 files changed, 26 insertions(+), 3 deletions(-) + create mode 100644 result/schemas/issue40_0_0 + create mode 100644 result/schemas/issue40_0_0.err + create mode 100644 test/schemas/issue40_0.xml + create mode 100644 test/schemas/issue40_0.xsd + +diff --git a/result/schemas/issue40_0_0 b/result/schemas/issue40_0_0 +new file mode 100644 +index 00000000..73c9e696 +--- /dev/null ++++ b/result/schemas/issue40_0_0 +@@ -0,0 +1 @@ ++./test/schemas/issue40_0.xml validates +diff --git a/result/schemas/issue40_0_0.err b/result/schemas/issue40_0_0.err +new file mode 100644 +index 00000000..e69de29b +diff --git a/test/schemas/issue40_0.xml b/test/schemas/issue40_0.xml +new file mode 100644 +index 00000000..86cff1d0 +--- /dev/null ++++ b/test/schemas/issue40_0.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +diff --git a/test/schemas/issue40_0.xsd b/test/schemas/issue40_0.xsd +new file mode 100644 +index 00000000..a7eff55b +--- /dev/null ++++ b/test/schemas/issue40_0.xsd +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xmlregexp.c b/xmlregexp.c +index 1e8bf934..10969177 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -2528,9 +2528,18 @@ xmlFACompareAtoms(xmlRegAtomPtr atom1, xmlRegAtomPtr atom2, int deep) { + case XML_REGEXP_STRING: + if (!deep) + ret = (atom1->valuep != atom2->valuep); +- else +- ret = xmlRegStrEqualWildcard((xmlChar *)atom1->valuep, +- (xmlChar *)atom2->valuep); ++ else { ++ xmlChar *val1 = (xmlChar *)atom1->valuep; ++ xmlChar *val2 = (xmlChar *)atom2->valuep; ++ int compound1 = (xmlStrchr(val1, '|') != NULL); ++ int compound2 = (xmlStrchr(val2, '|') != NULL); ++ ++ /* Ignore negative match flag for ##other namespaces */ ++ if (compound1 != compound2) ++ return(0); ++ ++ ret = xmlRegStrEqualWildcard(val1, val2); ++ } + break; + case XML_REGEXP_EPSILON: + goto not_determinist; +-- +2.24.2 + diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec index b262772..f2cc2e4 100644 --- a/SPECS/libxml2.spec +++ b/SPECS/libxml2.spec @@ -4,7 +4,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.1 -Release: 6%{?dist}%{?extra_release}.4 +Release: 6%{?dist}%{?extra_release}.5 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -66,6 +66,14 @@ patch143: libxml2-2.9.1-CVE-2016-5131.patch patch144: libxml2-2.9.1-CVE-2017-18258.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1622715 patch145: libxml2-2.9.1-CVE-2018-14567.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1793000 +patch146: libxml2-2.9.1-CVE-2019-19956.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1810057 +patch147: libxml2-2.9.1-CVE-2019-20388.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1810073 +patch148: libxml2-2.9.1-CVE-2020-7595.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1812145 +patch149: libxml2-2.9.1-xsd-any.patch %description @@ -175,6 +183,10 @@ at parse time or later once the document has been modified. %patch143 -p1 %patch144 -p1 %patch145 -p1 +%patch146 -p1 +%patch147 -p1 +%patch148 -p1 +%patch149 -p1 %build %configure @@ -257,6 +269,12 @@ rm -fr %{buildroot} %doc doc/python.html %changelog +* Wed Apr 22 2020 David King - 2.9.1-6.5 +- Fix CVE-2019-19956 (#1793000) +- Fix CVE-2019-20388 (#1810057) +- Fix CVE-2020-7595 (#1810073) +- Fix xsd:any schema validation (#1812145) + * Fri Nov 01 2019 David King - 2.9.1-6.4 - Fix CVE-2015-8035 (#1595697) - Fix CVE-2018-14404 (#1602817)