Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2024-02-12 18:49:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new.1815 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Mon Feb 12 18:49:26 2024 rev:123 rq:1145598 version:2.11.6 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-11-20 21:18:41.508904754 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1815/libxml2.changes 2024-02-12 18:49:27.744551992 +0100 @@ -1,0 +2,6 @@ +Sat Feb 10 10:56:46 UTC 2024 - David Anes <david.a...@suse.com> + +- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader + * Added libxml2-CVE-2024-25062.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2024-25062.patch BETA DEBUG BEGIN: New:- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader * Added libxml2-CVE-2024-25062.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.2Lv6rk/_old 2024-02-12 18:49:28.528580324 +0100 +++ /var/tmp/diff_new_pack.2Lv6rk/_new 2024-02-12 18:49:28.528580324 +0100 @@ -1,7 +1,7 @@ # -# spec file +# spec file for package libxml2 # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -51,6 +51,9 @@ # PATCH-FIX-UPSTREAM CVE-2023-45322 bsc#1216129 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 Patch4: libxml2-CVE-2023-45322.patch +# PATCH-FIX-UPSTREAM use-after-free in XMLReader bsc#1219576 david.a...@suse.com +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d +Patch5: libxml2-CVE-2024-25062.patch # ### -- openSUSE patches range from 1000 to 1999 -- ### # PATCH-FIX-OPENSUSE ++++++ libxml2-CVE-2024-25062.patch ++++++ >From 1a66b176055d25ee635bf328c7b35b381db0b71d Mon Sep 17 00:00:00 2001 
From: Nick Wellnhofer <wellnho...@aevum.de> Date: Sat, 14 Oct 2023 22:45:54 +0200 Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking Fixes a use-after-free if XML Reader if used with DTD validation and XInclude expansion. Fixes #604. --- xmlreader.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xmlreader.c b/xmlreader.c index 3bdb8228..6486c7da 100644 --- a/xmlreader.c +++ b/xmlreader.c @@ -1428,6 +1428,7 @@ node_found: * Handle XInclude if asked for */ if ((reader->xinclude) && (reader->in_xinclude == 0) && + (reader->state != XML_TEXTREADER_BACKTRACK) && (reader->node != NULL) && (reader->node->type == XML_ELEMENT_NODE) && (reader->node->ns != NULL) && -- GitLab
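Review bot: the Patch5 comment added in the libxml2.spec hunk at @@ -51,6 +51,9 @@ omits the CVE identifier that the neighbouring Patch4 comment carries (`# PATCH-FIX-UPSTREAM CVE-2023-45322 bsc#1216129`); for consistency and so the CVE is searchable in the spec, write it as `# PATCH-FIX-UPSTREAM CVE-2024-25062 bsc#1219576 use-after-free in XMLReader david.a...@suse.com` above the `Patch5:` line. The hunk only declares the patch and does not show %prep, so confirm it is actually applied there before merging.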
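Review bot: the xmlreader.c hunk at @@ -1428,6 +1428,7 @@ adds the guard `(reader->state != XML_TEXTREADER_BACKTRACK) &&` so an XInclude is not expanded again when the reader revisits an element while backtracking, which the commit message identifies as the trigger for the use-after-free with DTD validation and XInclude both enabled; the patch touches only xmlreader.c (`1 file changed, 1 insertion(+)`) and adds no regression test, so a reader test that enables both options over a document containing an xi:include should accompany this backport to catch a reintroduction. Minor: the commit message's "if XML Reader if used" should read "if XML Reader is used".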