From c080bd5cc270070218dfbd58135113796cb9a98b Mon Sep 17 00:00:00 2001 From: BruceGW Date: Thu, 20 Apr 2023 21:00:04 +0800 Subject: [PATCH] fix CVE-2023-28484 CVE-2023-29469 Signed-off-by: BruceGW --- ...ix-null-deref-in-xmlSchemaFixupCompl.patch | 74 +++++++++++++++++++ ...ashing-of-empty-dict-strings-isn-t-d.patch | 37 ++++++++++ libxml2.spec | 10 ++- 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch create mode 100644 backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch diff --git a/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch b/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch new file mode 100644 index 0000000..7201dde --- /dev/null +++ b/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch @@ -0,0 +1,74 @@ +From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Apr 2023 11:46:35 +0200 +Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType + +Fix a null pointer dereference when parsing (invalid) XML schemas. + +Thanks to Robby Simpson for the report! + +Fixes #491. +--- + result/schemas/issue491_0_0.err | 1 + + test/schemas/issue491_0.xml | 1 + + test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ + xmlschemas.c | 2 +- + 4 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 result/schemas/issue491_0_0.err + create mode 100644 test/schemas/issue491_0.xml + create mode 100644 test/schemas/issue491_0.xsd + +diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err +new file mode 100644 +index 00000000..9b2bb969 +--- /dev/null ++++ b/result/schemas/issue491_0_0.err +@@ -0,0 +1 @@ ++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. +diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml +new file mode 100644 +index 00000000..e2b2fc2e +--- /dev/null ++++ b/test/schemas/issue491_0.xml +@@ -0,0 +1 @@ ++5 +diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd +new file mode 100644 +index 00000000..81702649 +--- /dev/null ++++ b/test/schemas/issue491_0.xsd +@@ -0,0 +1,18 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xmlschemas.c b/xmlschemas.c +index 17aa6dfa..36cd6730 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -18563,7 +18563,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, + "allowed to appear inside other model groups", + NULL, NULL); + +- } else if (! dummySequence) { ++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) { + xmlSchemaTreeItemPtr effectiveContent = + (xmlSchemaTreeItemPtr) type->subtypes; + /* +-- +2.27.0 + diff --git a/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch b/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch new file mode 100644 index 0000000..8b702ce --- /dev/null +++ b/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch @@ -0,0 +1,37 @@ +From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Apr 2023 11:49:27 +0200 +Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't + deterministic + +When hashing empty strings which aren't null-terminated, +xmlDictComputeFastKey could produce inconsistent results. This could +lead to various logic or memory errors, including double frees. + +For consistency the seed is also taken into account, but this shouldn't +have an impact on security. + +Found by OSS-Fuzz. + +Fixes #510. +--- + dict.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 26ce516d..57b76fae 100644 +--- a/dict.c ++++ b/dict.c +@@ -451,7 +451,8 @@ static unsigned long + xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { + unsigned long value = seed; + +- if (name == NULL) return(0); ++ if ((name == NULL) || (namelen <= 0)) ++ return(value); + value += *name; + value <<= 5; + if (namelen > 10) { +-- +2.27.0 + diff --git a/libxml2.spec b/libxml2.spec index fad2c61..208e4f1 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.10 -Release: 33 +Release: 34 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -129,6 +129,8 @@ Patch115:backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch Patch116:backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch Patch117:backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch Patch118:backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch +Patch119:backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch +Patch120:backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python2-devel @@ -320,6 +322,12 @@ rm -fr %{buildroot} %changelog +* Thu Apr 20 2023 BruceGW - 2.9.10-34 +- Type:CVE +- CVE:CVE-2023-28484 CVE-2023-29469 +- SUG:NA +- DESC:fix CVE-2023-28484CVE-2023-29469 + * Mon Nov 21 2022 fuanan - 2.9.10-33 - Type:bugfix - CVE:NA -- Gitee