Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-05-01 00:46:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new.1947 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Sat May 1 00:46:07 2021 rev:104 rq:889189 version:2.9.10 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-03-02 12:25:28.327317030 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1947/libxml2.changes 2021-05-01 00:46:09.387596940 +0200 @@ -1,0 +2,21 @@ +Wed Apr 28 16:24:13 UTC 2021 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1185408, CVE-2021-3518] + * Fix use-after-free in xinclude.c:xmlXIncludeDoProcess() + * Add libxml2-CVE-2021-3518.patch + +------------------------------------------------------------------- +Wed Apr 28 16:23:42 UTC 2021 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1185410, CVE-2021-3517] + * Fix heap-based buffer overflow in entities.c:xmlEncodeEntitiesInternal() + * Add libxml2-CVE-2021-3517.patch + +------------------------------------------------------------------- +Wed Apr 28 15:38:46 UTC 2021 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1185409, CVE-2021-3516] + * Fix use-after-free in entities.c:xmlEncodeEntitiesInternal() + * Add libxml2-CVE-2021-3516.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2021-3516.patch libxml2-CVE-2021-3517.patch libxml2-CVE-2021-3518.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.WnPs6U/_old 2021-05-01 00:46:10.303592859 +0200 +++ /var/tmp/diff_new_pack.WnPs6U/_new 2021-05-01 00:46:10.307592842 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libxml2 +# spec file for package python-libxml2 # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -66,6 +66,12 @@ Patch9: libxml2-CVE-2019-20388.patch # PATCH-FIX-UPSTREAM Fix building against Python 3.9 Patch10: libxml2-python39.patch +# PATCH-FIX-UPSTREAM bsc#1185409 CVE-2021-3516 use-after-free in entities.c:xmlEncodeEntitiesInternal() +Patch11: libxml2-CVE-2021-3516.patch +# PATCH-FIX-UPSTREAM bsc#1185410 CVE-2021-3517 heap-based buffer overflow entities.c:xmlEncodeEntitiesInternal() +Patch12: libxml2-CVE-2021-3517.patch +# PATCH-FIX-UPSTREAM bsc#1185408 CVE-2021-3518 use-after-free in xinclude.c:xmlXIncludeDoProcess() +Patch13: libxml2-CVE-2021-3518.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros @@ -172,6 +178,9 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 %build %if !%{with python} @@ -263,6 +272,7 @@ %dir %{_datadir}/gtk-doc/html %else + %files %{python_files} %doc python/TODO %doc python/libxml2class.txt ++++++ libxml2-CVE-2021-3516.patch ++++++ >From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <[email protected]> Date: Wed, 21 Apr 2021 13:23:27 +0200 Subject: [PATCH] Fix use-after-free with `xmllint --html --push` Call htmlCtxtUseOptions to make sure that names aren't stored in dictionaries. Note that this issue only affects xmllint using the HTML push parser. Fixes #230. --- xmllint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libxml2-2.9.10/xmllint.c =================================================================== --- libxml2-2.9.10.orig/xmllint.c +++ libxml2-2.9.10/xmllint.c @@ -2204,7 +2204,7 @@ static void parseAndPrintFile(char *file if (res > 0) { ctxt = htmlCreatePushParserCtxt(NULL, NULL, chars, res, filename, XML_CHAR_ENCODING_NONE); - xmlCtxtUseOptions(ctxt, options); + htmlCtxtUseOptions(ctxt, options); while ((res = fread(chars, 1, pushsize, f)) > 0) { htmlParseChunk(ctxt, chars, res, 0); } ++++++ libxml2-CVE-2021-3517.patch ++++++ 
>From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001 From: Joel Hockey <[email protected]> Date: Sun, 16 Aug 2020 17:19:35 -0700 Subject: [PATCH] Validate UTF8 in xmlEncodeEntities Code is currently assuming UTF-8 without validating. Truncated UTF-8 input can cause out-of-bounds array access. Adds further checks to partial fix in 50f06b3e. Fixes #178 --- entities.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) Index: libxml2-2.9.10/entities.c =================================================================== --- libxml2-2.9.10.orig/entities.c +++ libxml2-2.9.10/entities.c @@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, } else { /* * We assume we have UTF-8 input. + * It must match either: + * 110xxxxx 10xxxxxx + * 1110xxxx 10xxxxxx 10xxxxxx + * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx + * That is: + * cur[0] is 11xxxxxx + * cur[1] is 10xxxxxx + * cur[2] is 10xxxxxx if cur[0] is 111xxxxx + * cur[3] is 10xxxxxx if cur[0] is 1111xxxx + * cur[0] is not 11111xxx */ char buf[11], *ptr; int val = 0, l = 1; - if (*cur < 0xC0) { + if (((cur[0] & 0xC0) != 0xC0) || + ((cur[1] & 0xC0) != 0x80) || + (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || + (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || + (((cur[0] & 0xF8) == 0xF8))) { xmlEntitiesErr(XML_CHECK_NOT_UTF8, "xmlEncodeEntities: input not UTF-8"); if (doc != NULL) ++++++ libxml2-CVE-2021-3518.patch ++++++ >From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001 
From: Nick Wellnhofer <[email protected]> Date: Thu, 22 Apr 2021 19:26:28 +0200 Subject: [PATCH] Fix user-after-free with `xmllint --xinclude --dropdtd` The --dropdtd option can leave dangling pointers in entity reference nodes. Make sure to skip these nodes when processing XIncludes. This also avoids scanning entity declarations and even modifying them inadvertently during XInclude processing. Move from a block list to an allow list approach to avoid descending into other node types that can't contain elements. Fixes #237. --- xinclude.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) Index: libxml2-2.9.10/xinclude.c =================================================================== --- libxml2-2.9.10.orig/xinclude.c +++ libxml2-2.9.10/xinclude.c @@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr while ((cur != NULL) && (cur != tree->parent)) { /* TODO: need to work on entities -> stack */ if ((cur->children != NULL) && - (cur->children->type != XML_ENTITY_DECL) && - (cur->children->type != XML_XINCLUDE_START) && - (cur->children->type != XML_XINCLUDE_END)) { + ((cur->type == XML_DOCUMENT_NODE) || + (cur->type == XML_ELEMENT_NODE))) { cur = cur->children; if (xmlXIncludeTestNode(ctxt, cur)) xmlXIncludePreProcessNode(ctxt, cur);
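Review bot: the CVE-2021-3516 entry added to libxml2.changes attributes the use-after-free to entities.c:xmlEncodeEntitiesInternal(), but libxml2-CVE-2021-3516.patch touches only xmllint.c (parseAndPrintFile), and its commit message says the issue affects only xmllint using the HTML push parser. The wording looks carried over from the CVE-2021-3517 entry. Suggest describing it as a use-after-free in xmllint with --html --push, and making the same correction in the "# PATCH-FIX-UPSTREAM bsc#1185409" comment above Patch11 in libxml2.spec, so that anyone triaging by function name is not sent to entities.c.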
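Review bot: the first libxml2.spec hunk changes the header comment from "spec file for package libxml2" to "spec file for package python-libxml2", although the file is still libxml2.spec and the changelog lists only the three security patches. If the rename is a side effect of tooling rather than intended, it should be reverted; if it is intended, it deserves a line in libxml2.changes. The blank line added before %files in the last spec hunk is similarly unrelated to the fixes.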
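Review bot: in the xmllint.c hunk of libxml2-CVE-2021-3516.patch, ctxt goes straight from htmlCreatePushParserCtxt() into htmlCtxtUseOptions() and htmlParseChunk() with no NULL check in the visible lines, and the return value of htmlCtxtUseOptions() is discarded. Since options is the same variable that was previously handed to xmlCtxtUseOptions(), it would be worth checking that result, or at least commenting that option bits the HTML parser does not recognise are expected here. The diffstat also shows xmllint.c as the only file changed, so nothing in the test suite exercises the --html --push path that was fixed; a regression input for that path would keep the bug from returning.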
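Review bot: in the entities.c hunk of libxml2-CVE-2021-3517.patch, the new condition reads cur[1], cur[2] and cur[3], and it stays in bounds only because of the order of the || terms and the NUL terminator: a truncated sequence ends in a 0 byte, which fails the (x & 0xC0) != 0x80 test and short-circuits before the next index is read. That dependency is not stated anywhere, so a later reordering of the terms could reintroduce the out-of-bounds read; suggest adding a sentence to the comment saying the checks must stay in increasing index order and that cur is NUL-terminated. The retained first line of the comment, "We assume we have UTF-8 input.", is also stale now that the input is validated. Note too that the check covers structure only (lead byte and continuation bytes); overlong forms are not rejected, which is fine for the memory-safety fix but worth saying in the comment.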
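Review bot: in the xinclude.c hunk of libxml2-CVE-2021-3518.patch, the descent test moves from cur->children->type to cur->type, which drops the previous skip for a first child of type XML_XINCLUDE_START or XML_XINCLUDE_END: an element whose first child is one of those nodes is now descended into and passed to xmlXIncludeTestNode(). Please confirm that is intended and safe for trees that have already been through XInclude processing once. The allow list also names only XML_DOCUMENT_NODE and XML_ELEMENT_NODE, so a root of type XML_HTML_DOCUMENT_NODE would no longer be walked; if that is deliberate, a short comment next to the condition explaining the allow list would help, and the "TODO: need to work on entities -> stack" line directly above could be updated or removed since entity nodes are now skipped by design. No test accompanies the change (xinclude.c is the only file in the diffstat).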
