diff --git a/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch b/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
new file mode 100644
index 0000000000000000000000000000000000000000..00aaf69a9381ab54bc80d1ace35d9f9eeed5a386
--- /dev/null
+++ b/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
@@ -0,0 +1,42 @@
+From 1a2d8ddc066143d256fdb8cc554707fe141dd2f6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 11 Oct 2022 13:02:47 +0200
+Subject: [PATCH] parser: Fix potential memory leak in xmlParseAttValueInternal
+
+Fix memory leak in case xmlParseAttValueInternal is called with a NULL
+`len` a non-NULL `alloc` argument. This static function is never called
+with such arguments internally, but the misleading code should be fixed
+nevertheless.
+
+Fixes #422.
+
+Reference:https://github.com/GNOME/libxml2/commit/1a2d8ddc066143d256fdb8cc554707fe141dd2f6
+Conflict:NA
+
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 7bb47366..337e62f6 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9155,6 +9155,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ in++;
+ col++;
+ if (len != NULL) {
++ if (alloc) *alloc = 0;
+ *len = last - start;
+ ret = (xmlChar *) start;
+ } else {
+@@ -9164,7 +9165,6 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ CUR_PTR = in;
+ ctxt->input->line = line;
+ ctxt->input->col = col;
+- if (alloc) *alloc = 0;
+ return ret;
+ need_complex:
+ if (alloc) *alloc = 1;
+--
+2.27.0
+
diff --git a/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch b/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..da0b3871a4970157820857ab26c2f8163006db74
--- /dev/null
+++ b/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
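Review bot: The added `if (alloc) *alloc = 0;` in the first parser.c hunk carries the ownership contract for the returned pointer, and nothing at that line says so. In the `len != NULL` branch `ret` is `start`, which appears to point into the parser input rather than at a copy, so a non-zero `*alloc` here would presumably make the caller free memory it does not own, and a zero where a copy was made is the leak the commit message describes. I would add `/* ret aliases the input, not a copy: the caller must not free it */` above the new line. The body of the `else` branch is cut off by the hunk, so whether it sets `*alloc` itself for the copied case cannot be confirmed from here; xmlParseAttValueInternal starts and ends outside both hunks.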
@@ -0,0 +1,75 @@
+From 1d4f5d24ac3976012ab1f5b811385e7b00caaecf Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: [PATCH] schemas: Fix null-pointer-deref in
+ xmlSchemaCheckCOSSTDerivedOK
+
+Found by OSS-Fuzz.
+
+Reference:https://github.com/GNOME/libxml2/commit/1d4f5d24ac3976012ab1f5b811385e7b00caaecf
+Conflict:NA
+
+---
+ result/schemas/oss-fuzz-51295_0_0.err | 2 ++
+ test/schemas/oss-fuzz-51295_0.xml | 1 +
+ test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
+ xmlschemas.c | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 00000000..1e89524f
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 00000000..10a7e703
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 00000000..fde96af5
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++
++
++
++
+diff --git a/xmlschemas.c b/xmlschemas.c
+index ade10f78..de6ea2b0 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13348,8 +13348,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ * declaration `resolved` to by the `actual value`
+ * of the substitutionGroup [attribute], if present"
+ */
+- if (elemDecl->subtypes == NULL)
+- elemDecl->subtypes = substHead->subtypes;
++ if (elemDecl->subtypes == NULL) {
++ if (substHead->subtypes == NULL) {
++ /*
++ * This can happen with self-referencing substitution
++ * groups. The cycle will be detected later, but we have
++ * to set subtypes to avoid null-pointer dereferences.
++ */
++ elemDecl->subtypes = xmlSchemaGetBuiltInType(
++ XML_SCHEMAS_ANYTYPE);
++ } else {
++ elemDecl->subtypes = substHead->subtypes;
++ }
++ }
+ }
+ }
+ /*
+--
+2.27.0
+
diff --git a/libxml2.spec b/libxml2.spec
index 0d48b11b851359da95fc21f2c59c5705534a85b8..775f77c5683f274f12f77b84da846407962db5b7 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 3
+Release: 4
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
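Review bot: The fallback `elemDecl->subtypes = xmlSchemaGetBuiltInType(XML_SCHEMAS_ANYTYPE);` in the xmlschemas.c hunk is stored without checking the result. If that lookup can return NULL (its implementation is not visible here, so this is an assumption to confirm), `subtypes` stays NULL and the dereference this patch is meant to prevent remains reachable from a self-referencing substitution group in a schema the application did not author. Either report an internal error when the result is NULL, or record the assumption next to the call, for example `/* assumes the built-in anyType is always available; a NULL here would bring the dereference back */`. xmlSchemaResolveElementReferences starts and ends outside the hunk, so the later cycle detection the existing comment relies on cannot be checked from this page.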
@@ -12,6 +12,8 @@ Patch2: Fix-memory-leaks-for-xmlACatalogAdd.patch Patch3: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch Patch4: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch Patch5: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch +Patch6: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch +Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -167,6 +169,12 @@ rm -fr %{buildroot} %changelog +* Mon Nov 21 2022 fuanan - 2.9.14-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + * Tue Nov 08 2022 fuanan - 2.9.14-3 - fix CVE-2022-40303 CVE-2022-40304