Hello community,

here is the log from the commit of package libxml2 for openSUSE:Leap:15.2 checked in at 2020-05-26 18:32:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/libxml2 (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.libxml2.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Tue May 26 18:32:23 2020 rev:36 rq:808117 version:2.9.7 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libxml2/libxml2.changes 2020-01-15 15:25:48.802589694 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libxml2.new.2738/libxml2.changes 2020-05-26 18:32:27.813586696 +0200 @@ -1,0 +2,22 @@ +Fri Feb 28 18:36:53 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1161521, CVE-2019-20388] + * Memory leak in xmlSchemaPreRun in xmlschemas.c +- Add libxml2-CVE-2019-20388.patch + +------------------------------------------------------------------- +Wed Jan 22 11:16:39 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1161517, CVE-2020-7595] + * xmlStringLenDecodeEntities in parser.c has an infinite loop in + a certain end-of-file situation +- Add libxml2-CVE-2020-7595.patch + +------------------------------------------------------------------- +Thu Jan 2 12:01:22 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1159928, CVE-2019-19956] + * Memory leak related to newDoc->oldNs in xmlParseBalancedChunkMemoryRecover:parser.c +- Add libxml2-CVE-2019-19956.patch + +------------------------------------------------------------------- python-libxml2-python.changes: same change New: ---- libxml2-CVE-2019-19956.patch libxml2-CVE-2019-20388.patch libxml2-CVE-2020-7595.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.hkGiJf/_old 2020-05-26 18:32:29.545590480 +0200 +++ /var/tmp/diff_new_pack.hkGiJf/_new 2020-05-26 18:32:29.549590488 +0200 
@@ -35,6 +35,12 @@ Patch2: libxml2-CVE-2018-14567.patch # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit Patch3: libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch +# PATCH-FIX-UPSTREAM bsc#1159928 CVE-2019-19956 Fix memory leak in xmlParseBalancedChunkMemoryRecover +Patch4: libxml2-CVE-2019-19956.patch +# PATCH-FIX-UPSTREAM bsc#1161517 CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities +Patch5: libxml2-CVE-2020-7595.patch +# PATCH-FIX-UPSTREAM bsc#1161521 CVE-2019-20388 Memory leak in xmlSchemaPreRun +Patch6: libxml2-CVE-2019-20388.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: readline-devel @@ -109,6 +115,9 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 %build %configure \ ++++++ python-libxml2-python.spec ++++++ --- /var/tmp/diff_new_pack.hkGiJf/_old 2020-05-26 18:32:29.573590541 +0200 +++ /var/tmp/diff_new_pack.hkGiJf/_new 2020-05-26 18:32:29.573590541 +0200 @@ -30,6 +30,12 @@ Patch1: libxml2-python3-unicode-errors.patch # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 [email protected] -- don't return a NULL string for an invalid UTF-8 conversion. Patch2: libxml2-python3-string-null-check.patch +# PATCH-FIX-UPSTREAM bsc#1159928 CVE-2019-19956 Fix memory leak in xmlParseBalancedChunkMemoryRecover +Patch3: libxml2-CVE-2019-19956.patch +# PATCH-FIX-UPSTREAM bsc#1161517 CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities +Patch4: libxml2-CVE-2020-7595.patch +# PATCH-FIX-UPSTREAM bsc#1161521 CVE-2019-20388 Memory leak in xmlSchemaPreRun +Patch5: libxml2-CVE-2019-20388.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module xml} BuildRequires: pkgconfig @@ -59,6 +65,9 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" ++++++ libxml2-CVE-2019-19956.patch ++++++ 
>From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001 From: Zhipeng Xie <[email protected]> Date: Wed, 7 Aug 2019 17:39:17 +0800 Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover When doc is NULL, namespace created in xmlTreeEnsureXMLDecl is bind to newDoc->oldNs, in this case, set newDoc->oldNs to NULL and free newDoc will cause a memory leak. Found with libFuzzer. Closes #82. --- parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index 1ce1ccf1..26d9f4e3 100644 --- a/parser.c +++ b/parser.c @@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax, xmlFreeParserCtxt(ctxt); newDoc->intSubset = NULL; newDoc->extSubset = NULL; - newDoc->oldNs = NULL; + if(doc != NULL) + newDoc->oldNs = NULL; xmlFreeDoc(newDoc); return(ret); -- 2.24.1 ++++++ libxml2-CVE-2019-20388.patch ++++++ >From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 From: Zhipeng Xie <[email protected]> Date: Tue, 20 Aug 2019 16:33:06 +0800 Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun alloc a new schema for ctxt->schema and set vctxt->xsiAssemble to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize vctxt->xsiAssemble to 0 again which cause the alloced schema can not be freed anymore. Found with libFuzzer. Signed-off-by: Zhipeng Xie <[email protected]> --- xmlschemas.c | 1 - 1 file changed, 1 deletion(-) diff --git a/xmlschemas.c b/xmlschemas.c index 301c84499..39d92182f 100644 --- a/xmlschemas.c +++ b/xmlschemas.c @@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { vctxt->nberrors = 0; vctxt->depth = -1; vctxt->skipDepth = -1; - vctxt->xsiAssemble = 0; vctxt->hasKeyrefs = 0; #ifdef ENABLE_IDC_NODE_TABLES_TEST vctxt->createIDCNodeTables = 1; ++++++ libxml2-CVE-2020-7595.patch ++++++ >From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 
From: Zhipeng Xie <[email protected]> Date: Thu, 12 Dec 2019 17:30:55 +0800 Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef return NULL which cause a infinite loop in xmlStringLenDecodeEntities Found with libFuzzer. Signed-off-by: Zhipeng Xie <[email protected]> --- parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index d1c31963..a34bb6cd 100644 --- a/parser.c +++ b/parser.c @@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, else c = 0; while ((c != 0) && (c != end) && /* non input consuming loop */ - (c != end2) && (c != end3)) { + (c != end2) && (c != end3) && + (ctxt->instate != XML_PARSER_EOF)) { if (c == 0) break; if ((c == '&') && (str[1] == '#')) { -- 2.24.1
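Review bot: The new PATCH-FIX-UPSTREAM comment lines in libxml2.spec (Patch4-6) and python-libxml2-python.spec (Patch3-5) cite the bsc and CVE ids but not the upstream commits the patch files come from (5a02583c7e68, 7ffcd44d7e6c and 0e1a49c89076 according to the patch headers further down); adding those ids to the comments makes it easy to tell whether a later 2.9.x tarball already carries each fix when the patches are rebased. The two specs number the same three patches differently only because their existing patch lists differ, and each declared PatchN has a matching `%patchN -p1` line in its own file, so the application order is consistent.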
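Review bot: The guard in the parser.c hunk (`- newDoc->oldNs = NULL;` replaced by `+ if(doc != NULL)` / `+ newDoc->oldNs = NULL;`) lets xmlFreeDoc(newDoc) release oldNs only when doc is NULL, which is right for the case the commit message describes (xmlTreeEnsureXMLDecl created the namespace on newDoc, so newDoc owns it); it is only safe, though, if the doc != NULL branch earlier in the function, which the hunk does not show, borrows oldNs from the caller's document, because that list must stay detached to avoid freeing it twice. Confirm that against the assignment earlier in xmlParseBalancedChunkMemoryRecover before merging. Style: libxml2 writes `if (doc != NULL)` with a space after `if`. Since libFuzzer found this on the doc == NULL path, a leak-checked (valgrind or ASan) call of the function with doc == NULL is the natural regression check.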
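Review bot: Dropping `- vctxt->xsiAssemble = 0;` from xmlSchemaPreRun fixes the leak the commit message describes (the SAX plug path sets xsiAssemble to 1 after allocating a schema, and the reset here made the cleanup skip freeing it), but the hunk shows every other per-run field (nberrors, depth, skipDepth, hasKeyrefs) still being reset at this point while xsiAssemble is now not reset anywhere visible. Confirm that the flag is cleared wherever the assembled schema is freed after a run; otherwise reusing the same validation context for a second run with a caller-supplied schema could carry xsiAssemble == 1 over and free the caller's schema. A one-line comment in this field list saying why xsiAssemble is deliberately left out would stop someone from re-adding the reset later.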
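Review bot: The added `+ (ctxt->instate != XML_PARSER_EOF)` term in the while condition ends the loop only at the next iteration, which suffices for the described case (xmlParseStringEntityRef returning NULL without advancing str once the parser has been halted), but nothing in the hunk reports an error when the guard trips, so the caller receives a silently truncated decoded buffer; confirm that whatever set instate to XML_PARSER_EOF already raised an error, or raise one here. Minor: the `/* non input consuming loop */` comment now sits two lines above the condition it annotates; moving it next to the new term keeps it readable. A regression input with an entity reference cut off at end of input, the shape libFuzzer found, would pin this down.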
