libxml2: Fix CVE-2023-45322 and CVE-2024-34459 (#12060)

Co-authored-by: kavyasree <[email protected]> Co-authored-by: jslobodzian <[email protected]>
microsoft · Jan 26, 2025 · dee5b0b · dee5b0b
1 parent b7dce41
commit dee5b0b
Show file tree

Hide file tree

Showing 7 changed files with 118 additions and 13 deletions.
diff --git a/SPECS/libxml2/CVE-2023-45322.patch b/SPECS/libxml2/CVE-2023-45322.patch
@@ -0,0 +1,74 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
++    xmlDtdPtr newSubset = NULL;
+
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ 	if (node->type == XML_DTD_NODE ) {
+-	    if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++	    if ((doc == NULL) || (doc->intSubset != NULL)) {
+ 		node = node->next;
+ 		continue;
+ 	    }
+-	    if (doc->intSubset == NULL) {
+-		q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-		if (q == NULL) goto error;
+-		q->doc = doc;
+-		q->parent = parent;
+-		doc->intSubset = (xmlDtdPtr) q;
+-		xmlAddChild(parent, q);
+-	    } else {
+-		q = (xmlNodePtr) doc->intSubset;
+-		xmlAddChild(parent, q);
+-	    }
+-	} else
++            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++            if (q == NULL) goto error;
++            q->doc = doc;
++            q->parent = parent;
++            newSubset = (xmlDtdPtr) q;
++#else
++            node = node->next;
++            continue;
+ #endif /* LIBXML_TREE_ENABLED */
++	} else {
+ 	    q = xmlStaticCopyNode(node, doc, parent, 1);
+-	if (q == NULL) goto error;
++	    if (q == NULL) goto error;
++        }
+ 	if (ret == NULL) {
+ 	    q->prev = NULL;
+ 	    ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	}
+ 	node = node->next;
+     }
++    if (newSubset != NULL)
++        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
+
diff --git a/SPECS/libxml2/CVE-2024-34459.patch b/SPECS/libxml2/CVE-2024-34459.patch
@@ -0,0 +1,26 @@
+From 8ddc7f13337c9fe7c6b6e616f404b0fffb8a5145 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Wed, 8 May 2024 11:49:31 +0200
+Subject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
+
+Add a missing bounds check.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 0e433b721..62f6b0273 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -559,7 +559,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
+     len = strlen(buffer);
+     snprintf(&buffer[len], sizeof(buffer) - len, "\n");
+     cur = input->cur;
+-    while ((*cur == '\n') || (*cur == '\r'))
++    while ((cur > base) && ((*cur == '\n') || (*cur == '\r')))
+ 	cur--;
+     n = 0;
+     while ((cur != base) && (n++ < 80)) {
+-- 
+GitLab
+
diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec
@@ -1,14 +1,16 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.11.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/General Libraries
 URL:            https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
 Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
 Patch0:         CVE-2024-40896.patch
+Patch1:		CVE-2023-45322.patch
+Patch2:		CVE-2024-34459.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@@ -79,6 +81,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Fri Jan 24 2025 Kavya Sree Kaitepalli <[email protected]> -2.11.5-3
+- Fix CVE-2023-45322 & CVE-2024-34459
+
 * Thu Dec 26 2024 Muhammad Falak <[email protected]> - 2.11.5-2
 - Patch CVE-2024-40896
 

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.aarch64.rpm
 curl-devel-8.8.0-3.azl3.aarch64.rpm
 curl-libs-8.8.0-3.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
-libxml2-2.11.5-2.azl3.aarch64.rpm
-libxml2-devel-2.11.5-2.azl3.aarch64.rpm
+libxml2-2.11.5-3.azl3.aarch64.rpm
+libxml2-devel-2.11.5-3.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.x86_64.rpm
 curl-devel-8.8.0-3.azl3.x86_64.rpm
 curl-libs-8.8.0-3.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
-libxml2-2.11.5-2.azl3.x86_64.rpm
-libxml2-devel-2.11.5-2.azl3.x86_64.rpm
+libxml2-2.11.5-3.azl3.x86_64.rpm
+libxml2-devel-2.11.5-3.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -240,9 +240,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm
 libxcrypt-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
-libxml2-2.11.5-2.azl3.aarch64.rpm
-libxml2-debuginfo-2.11.5-2.azl3.aarch64.rpm
-libxml2-devel-2.11.5-2.azl3.aarch64.rpm
+libxml2-2.11.5-3.azl3.aarch64.rpm
+libxml2-debuginfo-2.11.5-3.azl3.aarch64.rpm
+libxml2-devel-2.11.5-3.azl3.aarch64.rpm
 libxslt-1.1.39-1.azl3.aarch64.rpm
 libxslt-debuginfo-1.1.39-1.azl3.aarch64.rpm
 libxslt-devel-1.1.39-1.azl3.aarch64.rpm
@@ -541,7 +541,7 @@ python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-2.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libs-3.12.3-5.azl3.aarch64.rpm
-python3-libxml2-2.11.5-2.azl3.aarch64.rpm
+python3-libxml2-2.11.5-3.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -245,9 +245,9 @@ libtasn1-debuginfo-4.19.0-1.azl3.x86_64.rpm
 libtasn1-devel-4.19.0-1.azl3.x86_64.rpm
 libtool-2.4.7-1.azl3.x86_64.rpm
 libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm
-libxml2-2.11.5-2.azl3.x86_64.rpm
-libxml2-debuginfo-2.11.5-2.azl3.x86_64.rpm
-libxml2-devel-2.11.5-2.azl3.x86_64.rpm
+libxml2-2.11.5-3.azl3.x86_64.rpm
+libxml2-debuginfo-2.11.5-3.azl3.x86_64.rpm
+libxml2-devel-2.11.5-3.azl3.x86_64.rpm
 libxcrypt-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
@@ -549,7 +549,7 @@ python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-2.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libs-3.12.3-5.azl3.x86_64.rpm
-python3-libxml2-2.11.5-2.azl3.x86_64.rpm
+python3-libxml2-2.11.5-3.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm