From 83ebca79ec5212217df7709efb72a2520f82d077 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 20 2020 11:37:50 +0000
Subject: import libxml2-2.9.1-6.el7.4


---

diff --git a/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch
new file mode 100644
index 0000000..056faa4
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch
@@ -0,0 +1,31 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f48..1fab5463 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch
new file mode 100644
index 0000000..8e77405
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch
@@ -0,0 +1,131 @@
+commit 3189fa5b5d1cce13e70cf282936736b2e7889a46
+Author: Nick Wellnhofer <wellnhofer@aevum.de>
+Date:   Tue Jun 28 14:22:23 2016 +0200
+
+    Fix XPointer paths beginning with range-to
+    
+    The old code would invoke the totally broken xmlXPtrRangeToFunction.
+    range-to isn't really a function but a special kind of location step.
+    Remove this function and always handle range-to in the XPath code.
+    
+    The old xmlXPtrRangeToFunction could also be abused to trigger a
+    use-after-free error with the potential for remote code execution.
+
+diff --git a/xpath.c b/xpath.c
+index 751665b..7c24a82 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -10691,13 +10691,16 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
+ 		    lc = 1;
+ 		    break;
+ 		} else if ((NXT(len) == '(')) {
+-		    /* Note Type or Function */
++		    /* Node Type or Function */
+ 		    if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+ 		        xmlGenericError(xmlGenericErrorContext,
+ 				"PathExpr: Type search\n");
+ #endif
+ 			lc = 1;
++                    } else if (ctxt->xptr &&
++                               xmlStrEqual(name, BAD_CAST "range-to")) {
++                        lc = 1;
+ 		    } else {
+ #ifdef DEBUG_STEP
+ 		        xmlGenericError(xmlGenericErrorContext,
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..d74174a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
+     ret->here = here;
+     ret->origin = origin;
+ 
+-    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+-	                 xmlXPtrRangeToFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+ 	                 xmlXPtrRangeFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+  * @nargs:  the number of args
+  *
+  * Implement the range-to() XPointer function
++ *
++ * Obsolete. range-to is not a real function but a special type of location
++ * step which is handled in xpath.c.
+  */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+-    xmlXPathObjectPtr range;
+-    const xmlChar *cur;
+-    xmlXPathObjectPtr res, obj;
+-    xmlXPathObjectPtr tmp;
+-    xmlLocationSetPtr newset = NULL;
+-    xmlNodeSetPtr oldset;
+-    int i;
+-
+-    if (ctxt == NULL) return;
+-    CHECK_ARITY(1);
+-    /*
+-     * Save the expression pointer since we will have to evaluate
+-     * it multiple times. Initialize the new set.
+-     */
+-    CHECK_TYPE(XPATH_NODESET);
+-    obj = valuePop(ctxt);
+-    oldset = obj->nodesetval;
+-    ctxt->context->node = NULL;
+-
+-    cur = ctxt->cur;
+-    newset = xmlXPtrLocationSetCreate(NULL);
+-
+-    for (i = 0; i < oldset->nodeNr; i++) {
+-	ctxt->cur = cur;
+-
+-	/*
+-	 * Run the evaluation with a node list made of a single item
+-	 * in the nodeset.
+-	 */
+-	ctxt->context->node = oldset->nodeTab[i];
+-	tmp = xmlXPathNewNodeSet(ctxt->context->node);
+-	valuePush(ctxt, tmp);
+-
+-	xmlXPathEvalExpr(ctxt);
+-	CHECK_ERROR;
+-
+-	/*
+-	 * The result of the evaluation need to be tested to
+-	 * decided whether the filter succeeded or not
+-	 */
+-	res = valuePop(ctxt);
+-	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+-	if (range != NULL) {
+-	    xmlXPtrLocationSetAdd(newset, range);
+-	}
+-
+-	/*
+-	 * Cleanup
+-	 */
+-	if (res != NULL)
+-	    xmlXPathFreeObject(res);
+-	if (ctxt->value == tmp) {
+-	    res = valuePop(ctxt);
+-	    xmlXPathFreeObject(res);
+-	}
+-
+-	ctxt->context->node = NULL;
+-    }
+-
+-    /*
+-     * The result is used as the new evaluation set.
+-     */
+-    xmlXPathFreeObject(obj);
+-    ctxt->context->node = NULL;
+-    ctxt->context->contextSize = -1;
+-    ctxt->context->proximityPosition = -1;
+-    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++                       int nargs ATTRIBUTE_UNUSED) {
++    XP_ERROR(XPATH_EXPR_ERROR);
+ }
+ 
+ /**
diff --git a/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
new file mode 100644
index 0000000..c708fc4
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
@@ -0,0 +1,36 @@
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: [PATCH] Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 94815075..b816bd36 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 		}
+ 	    }
+ 
+-            frame = xmlXPathSetFrame(ctxt);
+ 	    valuePush(ctxt, contextObj);
++            frame = xmlXPathSetFrame(ctxt);
+ 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+-            tmp = valuePop(ctxt);
+             xmlXPathPopFrame(ctxt, frame);
++            tmp = valuePop(ctxt);
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+                 while (tmp != contextObj) {
+-- 
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch
new file mode 100644
index 0000000..be7c3ae
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch
@@ -0,0 +1,32 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+---
+ xzlib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xzlib.c b/xzlib.c
+index 782957f6..f43632bd 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+         state->strm = init;
+         state->strm.avail_in = 0;
+         state->strm.next_in = NULL;
+-        if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++        if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+             xmlFree(state->out);
+             xmlFree(state->in);
+             state->size = 0;
+-- 
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch
new file mode 100644
index 0000000..0b64b4e
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.22.0
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch
new file mode 100644
index 0000000..150637a
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch
@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169e..0ba88cfa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.22.0
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 96cb4d2..b262772 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.1
-Release: 6%{?dist}%{?extra_release}.3
+Release: 6%{?dist}%{?extra_release}.4
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -54,6 +54,18 @@ patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
 patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
 patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
 patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1595697
+patch140: libxml2-2.9.1-CVE-2015-8035.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1602817
+patch141: libxml2-2.9.1-CVE-2018-14404.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1729857
+patch142: libxml2-2.9.1-CVE-2017-15412.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1714050
+patch143: libxml2-2.9.1-CVE-2016-5131.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1579211
+patch144: libxml2-2.9.1-CVE-2017-18258.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1622715
+patch145: libxml2-2.9.1-CVE-2018-14567.patch
 
 
 %description
@@ -157,6 +169,12 @@ at parse time or later once the document has been modified.
 %patch137 -p1
 %patch138 -p1
 %patch139 -p1
+%patch140 -p1
+%patch141 -p1
+%patch142 -p1
+%patch143 -p1
+%patch144 -p1
+%patch145 -p1
 
 %build
 %configure
@@ -239,6 +257,14 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
+* Fri Nov 01 2019 David King <dking@redhat.com> - 2.9.1-6.4
+- Fix CVE-2015-8035 (#1595697)
+- Fix CVE-2018-14404 (#1602817)
+- Fix CVE-2017-15412 (#1729857)
+- Fix CVE-2016-5131 (#1714050)
+- Fix CVE-2017-18258 (#1579211)
+- Fix CVE-2018-1456 (#1622715)
+
 * Mon Jun  6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3
 - Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
 - Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)