From 83ebca79ec5212217df7709efb72a2520f82d077 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 20 2020 11:37:50 +0000
Subject: import libxml2-2.9.1-6.el7.4
---
diff --git a/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch
new file mode 100644
index 0000000..056faa4
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch
@@ -0,0 +1,31 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f48..1fab5463 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+ return -1;
+ }
++ if (ret == LZMA_PROG_ERROR) {
++ xz_error(state, LZMA_PROG_ERROR, "compression error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch
new file mode 100644
index 0000000..8e77405
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch
@@ -0,0 +1,131 @@
+commit 3189fa5b5d1cce13e70cf282936736b2e7889a46
+Author: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue Jun 28 14:22:23 2016 +0200
+
+ Fix XPointer paths beginning with range-to
+
+ The old code would invoke the totally broken xmlXPtrRangeToFunction.
+ range-to isn't really a function but a special kind of location step.
+ Remove this function and always handle range-to in the XPath code.
+
+ The old xmlXPtrRangeToFunction could also be abused to trigger a
+ use-after-free error with the potential for remote code execution.
+
+diff --git a/xpath.c b/xpath.c
+index 751665b..7c24a82 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -10691,13 +10691,16 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
+ lc = 1;
+ break;
+ } else if ((NXT(len) == '(')) {
+- /* Note Type or Function */
++ /* Node Type or Function */
+ if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext,
+ "PathExpr: Type search\n");
+ #endif
+ lc = 1;
++ } else if (ctxt->xptr &&
++ xmlStrEqual(name, BAD_CAST "range-to")) {
++ lc = 1;
+ } else {
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext,
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..d74174a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
+ ret->here = here;
+ ret->origin = origin;
+
+- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+- xmlXPtrRangeToFunction);
+ xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+ xmlXPtrRangeFunction);
+ xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ * @nargs: the number of args
+ *
+ * Implement the range-to() XPointer function
++ *
++ * Obsolete. range-to is not a real function but a special type of location
++ * step which is handled in xpath.c.
+ */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+- xmlXPathObjectPtr range;
+- const xmlChar *cur;
+- xmlXPathObjectPtr res, obj;
+- xmlXPathObjectPtr tmp;
+- xmlLocationSetPtr newset = NULL;
+- xmlNodeSetPtr oldset;
+- int i;
+-
+- if (ctxt == NULL) return;
+- CHECK_ARITY(1);
+- /*
+- * Save the expression pointer since we will have to evaluate
+- * it multiple times. Initialize the new set.
+- */
+- CHECK_TYPE(XPATH_NODESET);
+- obj = valuePop(ctxt);
+- oldset = obj->nodesetval;
+- ctxt->context->node = NULL;
+-
+- cur = ctxt->cur;
+- newset = xmlXPtrLocationSetCreate(NULL);
+-
+- for (i = 0; i < oldset->nodeNr; i++) {
+- ctxt->cur = cur;
+-
+- /*
+- * Run the evaluation with a node list made of a single item
+- * in the nodeset.
+- */
+- ctxt->context->node = oldset->nodeTab[i];
+- tmp = xmlXPathNewNodeSet(ctxt->context->node);
+- valuePush(ctxt, tmp);
+-
+- xmlXPathEvalExpr(ctxt);
+- CHECK_ERROR;
+-
+- /*
+- * The result of the evaluation need to be tested to
+- * decided whether the filter succeeded or not
+- */
+- res = valuePop(ctxt);
+- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+- if (range != NULL) {
+- xmlXPtrLocationSetAdd(newset, range);
+- }
+-
+- /*
+- * Cleanup
+- */
+- if (res != NULL)
+- xmlXPathFreeObject(res);
+- if (ctxt->value == tmp) {
+- res = valuePop(ctxt);
+- xmlXPathFreeObject(res);
+- }
+-
+- ctxt->context->node = NULL;
+- }
+-
+- /*
+- * The result is used as the new evaluation set.
+- */
+- xmlXPathFreeObject(obj);
+- ctxt->context->node = NULL;
+- ctxt->context->contextSize = -1;
+- ctxt->context->proximityPosition = -1;
+- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++ int nargs ATTRIBUTE_UNUSED) {
++ XP_ERROR(XPATH_EXPR_ERROR);
+ }
+
+ /**
diff --git a/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
new file mode 100644
index 0000000..c708fc4
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
@@ -0,0 +1,36 @@
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: [PATCH] Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 94815075..b816bd36 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ }
+ }
+
+- frame = xmlXPathSetFrame(ctxt);
+ valuePush(ctxt, contextObj);
++ frame = xmlXPathSetFrame(ctxt);
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+- tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
++ tmp = valuePop(ctxt);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ while (tmp != contextObj) {
+--
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch
new file mode 100644
index 0000000..be7c3ae
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch
@@ -0,0 +1,32 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+---
+ xzlib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xzlib.c b/xzlib.c
+index 782957f6..f43632bd 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+ state->strm = init;
+ state->strm.avail_in = 0;
+ state->strm.next_in = NULL;
+- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+ xmlFree(state->out);
+ xmlFree(state->in);
+ state->size = 0;
+--
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch
new file mode 100644
index 0000000..0b64b4e
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+--
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch
new file mode 100644
index 0000000..150637a
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch
@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169e..0ba88cfa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.22.0
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 96cb4d2..b262772 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.1
-Release: 6%{?dist}%{?extra_release}.3
+Release: 6%{?dist}%{?extra_release}.4
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -54,6 +54,18 @@ patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1595697
+patch140: libxml2-2.9.1-CVE-2015-8035.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1602817
+patch141: libxml2-2.9.1-CVE-2018-14404.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1729857
+patch142: libxml2-2.9.1-CVE-2017-15412.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1714050
+patch143: libxml2-2.9.1-CVE-2016-5131.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1579211
+patch144: libxml2-2.9.1-CVE-2017-18258.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1622715
+patch145: libxml2-2.9.1-CVE-2018-14567.patch
%description
@@ -157,6 +169,12 @@ at parse time or later once the document has been modified.
%patch137 -p1
%patch138 -p1
%patch139 -p1
+%patch140 -p1
+%patch141 -p1
+%patch142 -p1
+%patch143 -p1
+%patch144 -p1
+%patch145 -p1
%build
%configure
@@ -239,6 +257,14 @@ rm -fr %{buildroot}
%doc doc/python.html
%changelog
+* Fri Nov 01 2019 David King <dking@redhat.com> - 2.9.1-6.4
+- Fix CVE-2015-8035 (#1595697)
+- Fix CVE-2018-14404 (#1602817)
+- Fix CVE-2017-15412 (#1729857)
+- Fix CVE-2016-5131 (#1714050)
+- Fix CVE-2017-18258 (#1579211)
+- Fix CVE-2018-1456 (#1622715)
+
* Mon Jun 6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)