diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3516.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3516.patch
new file mode 100644
index 0000000..10093b6
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2021-3516.patch
@@ -0,0 +1,31 @@
+From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54..dbef273a 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+GitLab
+
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3517.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3517.patch
new file mode 100644
index 0000000..e3ef736
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2021-3517.patch
@@ -0,0 +1,49 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3518.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3518.patch
new file mode 100644
index 0000000..e5861c2
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2021-3518.patch
@@ -0,0 +1,247 @@
+From 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+---
+ result/XInclude/fallback3.xml | 8 ++++++++
+ result/XInclude/fallback3.xml.err | 0
+ result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
+ result/XInclude/fallback4.xml | 10 ++++++++++
+ result/XInclude/fallback4.xml.err | 0
+ result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
+ test/XInclude/docs/fallback3.xml | 9 +++++++++
+ test/XInclude/docs/fallback4.xml | 7 +++++++
+ xinclude.c | 24 ++++++++++--------------
+ 9 files changed, 98 insertions(+), 14 deletions(-)
+ create mode 100644 result/XInclude/fallback3.xml
+ create mode 100644 result/XInclude/fallback3.xml.err
+ create mode 100644 result/XInclude/fallback3.xml.rdr
+ create mode 100644 result/XInclude/fallback4.xml
+ create mode 100644 result/XInclude/fallback4.xml.err
+ create mode 100644 result/XInclude/fallback4.xml.rdr
+ create mode 100644 test/XInclude/docs/fallback3.xml
+ create mode 100644 test/XInclude/docs/fallback4.xml
+
+diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
+new file mode 100644
+index 00000000..b4235514
+--- /dev/null
++++ b/result/XInclude/fallback3.xml
+@@ -0,0 +1,8 @@
++<?xml version="1.0"?>
++<a>
++ <doc xml:base="../ents/something.xml">
++<p>something</p>
++<p>really</p>
++<p>simple</p>
++</doc>
++</a>
+diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
+new file mode 100644
+index 00000000..aa2f1374
+--- /dev/null
++++ b/result/XInclude/fallback3.xml.rdr
+@@ -0,0 +1,25 @@
++0 1 a 0 0
++1 14 #text 0 1
++
++1 1 doc 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 something
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 really
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 simple
++2 15 p 0 0
++2 14 #text 0 1
++
++1 15 doc 0 0
++1 14 #text 0 1
++
++0 15 a 0 0
+diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
+new file mode 100644
+index 00000000..9883fd54
+--- /dev/null
++++ b/result/XInclude/fallback4.xml
+@@ -0,0 +1,10 @@
++<?xml version="1.0"?>
++<a>
++
++ <doc xml:base="../ents/something.xml">
++<p>something</p>
++<p>really</p>
++<p>simple</p>
++</doc>
++
++</a>
+diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
+new file mode 100644
+index 00000000..628b9513
+--- /dev/null
++++ b/result/XInclude/fallback4.xml.rdr
+@@ -0,0 +1,29 @@
++0 1 a 0 0
++1 14 #text 0 1
++
++1 14 #text 0 1
++
++1 1 doc 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 something
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 really
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 simple
++2 15 p 0 0
++2 14 #text 0 1
++
++1 15 doc 0 0
++1 14 #text 0 1
++
++1 14 #text 0 1
++
++0 15 a 0 0
+diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
+new file mode 100644
+index 00000000..0c8b6c9e
+--- /dev/null
++++ b/test/XInclude/docs/fallback3.xml
+@@ -0,0 +1,9 @@
++<a>
++ <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
++ <xi:fallback>
++ <xi:include href="c.xml">
++ <xi:fallback>There is no c.xml ... </xi:fallback>
++ </xi:include>
++ </xi:fallback>
++ </xi:include>
++</a>
+diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
+new file mode 100644
+index 00000000..b500a635
+--- /dev/null
++++ b/test/XInclude/docs/fallback4.xml
+@@ -0,0 +1,7 @@
++<a>
++ <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
++ <xi:fallback>
++ <xi:include href="../ents/something.xml"/>
++ </xi:fallback>
++ </xi:include>
++</a>
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ * First phase: lookup the elements in the document
+ */
+ cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ } else {
+ if (cur == tree)
+ break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ break; /* do */
+ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ break; /* do */
+ }
+ } while (cur != NULL);
+--
+2.31.1
+
+
+From 49cc4182543dba73216add4021994a81678763bd Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.31.1
+
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3537.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3537.patch
new file mode 100644
index 0000000..3df1539
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2021-3537.patch
@@ -0,0 +1,44 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+
diff --git a/SOURCES/libxml2-2.9.7-CVE-2021-3541.patch b/SOURCES/libxml2-2.9.7-CVE-2021-3541.patch
new file mode 100644
index 0000000..2dbdafe
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2021-3541.patch
@@ -0,0 +1,67 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+GitLab
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 164a752..e72ab06 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -7,7 +7,7 @@
Name: libxml2
Version: 2.9.7
-Release: 9%{?dist}
+Release: 11%{?dist}
Summary: Library providing XML and HTML support
License: MIT
@@ -36,6 +36,16 @@ Patch8: libxml2-2.9.7-CVE-2020-7595.patch
Patch9: libxml2-2.9.7-CVE-2019-20388.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1878252
Patch10: libxml2-2.9.7-CVE-2020-24977.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1956976
+Patch11: libxml2-2.9.7-CVE-2021-3516.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957001
+Patch12: libxml2-2.9.7-CVE-2021-3517.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957028
+Patch13: libxml2-2.9.7-CVE-2021-3518.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957284
+Patch14: libxml2-2.9.7-CVE-2021-3537.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1958783
+Patch15: libxml2-2.9.7-CVE-2021-3541.patch
BuildRequires: gcc
BuildRequires: cmake-rpm-macros
@@ -207,6 +217,15 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so
%changelog
+* Wed May 19 2021 David King <dking@redhat.com> - 2.9.7-11
+- Fix CVE-2021-3541 (#1958783)
+
+* Fri May 07 2021 David King <dking@redhat.com> - 2.9.7-10
+- Fix CVE-2021-3516 (#1956976)
+- Fix CVE-2021-3517 (#1957001)
+- Fix CVE-2021-3518 (#1957028)
+- Fix CVE-2021-3537 (#1957284)
+
* Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9
- Fix CVE-2020-24977 (#1878252)