diff --git a/.gitignore b/.gitignore
index f5ce246..654f66c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ libxml2-2.7.6.tar.gz
 /libxml2-2.9.2.tar.gz
 /libxml2-2.9.3.tar.gz
 /libxml2-2.9.9.tar.gz
+/libxml2-2.9.10.tar.gz
diff --git a/mingw-libxml2-2.9.10-CVE-2019-20388.patch b/mingw-libxml2-2.9.10-CVE-2019-20388.patch
new file mode 100644
index 0000000..3763354
--- /dev/null
+++ b/mingw-libxml2-2.9.10-CVE-2019-20388.patch
@@ -0,0 +1,33 @@
+From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+Found with libFuzzer.
+Signed-off-by: Zhipeng Xie
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+ vctxt->nberrors = 0;
+ vctxt->depth = -1;
+ vctxt->skipDepth = -1;
+- vctxt->xsiAssemble = 0;
+ vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+ vctxt->createIDCNodeTables = 1;
+--
+2.24.1
+
diff --git a/mingw-libxml2-2.9.10-CVE-2020-7595.patch b/mingw-libxml2-2.9.10-CVE-2020-7595.patch
new file mode 100644
index 0000000..3dd6774
--- /dev/null
+++ b/mingw-libxml2-2.9.10-CVE-2020-7595.patch
@@ -0,0 +1,32 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+Found with libFuzzer.
+Signed-off-by: Zhipeng Xie
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index d1c31963..a34bb6cd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ else
+ c = 0;
+ while ((c != 0) && (c != end) && /* non input consuming loop */
+- (c != end2) && (c != end3)) {
++ (c != end2) && (c != end3) &&
++ (ctxt->instate != XML_PARSER_EOF)) {
+
+ if (c == 0) break;
+ if ((c == '&') && (str[1] == '#')) {
+--
+2.24.1
+
diff --git a/mingw-libxml2-2.9.10-fix-relaxed-approach-to-nested-documents.patch b/mingw-libxml2-2.9.10-fix-relaxed-approach-to-nested-documents.patch
new file mode 100644
index 0000000..0a63636
--- /dev/null
+++ b/mingw-libxml2-2.9.10-fix-relaxed-approach-to-nested-documents.patch
@@ -0,0 +1,33 @@
+From 0815302dee2b78139832c2080348086a0564836b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Fri, 6 Dec 2019 12:27:29 +0100
+Subject: [PATCH] Fix freeing of nested documents
+Apparently, some libxslt RVTs can contain nested document nodes, see
+issue #132. I'm not sure how this happens exactly but it can cause a
+segfault in xmlFreeNodeList after the changes in commit 0762c9b6.
+Make sure not to touch the (nonexistent) `content` member of xmlDocs.
+---
+ tree.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tree.c b/tree.c
+index 070670f1..0d7fc98c 100644
+--- a/tree.c
++++ b/tree.c
+@@ -3708,6 +3708,11 @@ xmlFreeNodeList(xmlNodePtr cur) {
+ (cur->type != XML_XINCLUDE_START) &&
+ (cur->type != XML_XINCLUDE_END) &&
+ (cur->type != XML_ENTITY_REF_NODE) &&
++ (cur->type != XML_DOCUMENT_NODE) &&
++#ifdef LIBXML_DOCB_ENABLED
++ (cur->type != XML_DOCB_DOCUMENT_NODE) &&
++#endif
++ (cur->type != XML_HTML_DOCUMENT_NODE) &&
+ (cur->content != (xmlChar *) &(cur->properties))) {
+ DICT_FREE(cur->content)
+ }
+--
+2.22.0
+
diff --git a/mingw-libxml2.spec b/mingw-libxml2.spec
index 6d96517..b2c33ca 100644
--- a/mingw-libxml2.spec
+++ b/mingw-libxml2.spec
@@ -1,8 +1,8 @@
 %{?mingw_package_header}
 Name: mingw-libxml2
-Version: 2.9.9
-Release: 4%{?dist}
+Version: 2.9.10
+Release: 1%{?dist}
 Summary: MinGW Windows libxml2 XML processing library
 License: MIT
@@ -12,9 +12,12 @@ Patch0: libxml2-multilib.patch
 # Patch from openSUSE.
 # See: https://bugzilla.gnome.org/show_bug.cgi?id=789714
 Patch1: libxml2-2.9.8-python3-unicode-errors.patch
-
-# MinGW-specific patches.
-#Patch1001: mingw32-libxml2-static-build-compile-fix.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1780573
+Patch2: mingw-libxml2-2.9.10-fix-relaxed-approach-to-nested-documents.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1799738
+Patch3: mingw-libxml2-2.9.10-CVE-2019-20388.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1799788
+Patch4: mingw-libxml2-2.9.10-CVE-2020-7595.patch
 BuildArch: noarch
@@ -146,6 +149,12 @@ find $RPM_BUILD_ROOT -name "*.la" -delete
 %changelog
+* Thu Apr 23 2020 David King - 2.9.10-1
+- Update to 2.9.10
+- Fix CVE-2019-19956 (#1788858)
+- Fix CVE-2019-20388 (#1799738)
+- Fix CVE-2020-7595 (#1799788)
+
 * Wed Jan 29 2020 Fedora Release Engineering - 2.9.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
diff --git a/mingw32-libxml2-static-build-compile-fix.patch b/mingw32-libxml2-static-build-compile-fix.patch
deleted file mode 100644
index d153092..0000000
--- a/mingw32-libxml2-static-build-compile-fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- threads.c.orig 2009-09-10 17:03:39.000000000 +0200
-+++ threads.c 2009-09-11 19:00:59.660192916 +0200
-@@ -993,7 +993,7 @@
- #elif defined(HAVE_WIN32_THREADS) && !defined(HAVE_COMPILER_TLS) && (!defined(LIBXML_STATIC) || defined(LIBXML_STATIC_FOR_DLL))
- #if defined(LIBXML_STATIC_FOR_DLL)
- BOOL XMLCALL
--xmlDllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
-+xmlDllMain(void *hinstDLL, unsigned long fdwReason, void *lpvReserved)
- #else
- BOOL WINAPI
- DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
diff --git a/sources b/sources
index bd52436..9aa6848 100644
--- a/sources
+++ b/sources
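Review bot: The new Patch2, Patch3 and Patch4 declarations only take effect if %prep applies them, and %prep is outside this hunk; if it still uses explicit `%patch0 -p1` / `%patch1 -p1` lines rather than `%autosetup -p1`, the build will ship 2.9.10 without the two CVE fixes while the changelog below claims them. Please confirm %prep either uses `%autosetup -p1` or gains `%patch2 -p1`, `%patch3 -p1` and `%patch4 -p1`. The changelog also credits CVE-2019-19956 (#1788858) although no patch for it is added in this commit; presumably it is covered by the 2.9.10 rebase itself, which is worth stating next to the Patch list, e.g. `# CVE-2019-19956 (#1788858) is fixed upstream in 2.9.10; no patch needed`. The Patch2 comment gives only a Bugzilla URL; recording that it is upstream commit 0815302d, a follow-up for a 2.9.10 regression in xmlFreeNodeList (as the patch header itself says), would let the next rebase decide when to drop it.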
@@ -1 +1 @@
-SHA512 (libxml2-2.9.9.tar.gz) = cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810
+SHA512 (libxml2-2.9.10.tar.gz) = 0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed