Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2020-06-11 14:38:13

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Thu Jun 11 14:38:13 2020 rev:98 rq:810571 version:2.9.10 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2020-04-19 21:41:16.451094155 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.3606/libxml2.changes 2020-06-11 14:38:27.400219318 +0200 @@ -1,0 +2,15 @@ +Wed May 27 12:09:35 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Fix invalid xmlns references since the fix for CVE-2019-19956 [bsc#1172021] +- Revert upstream commit 5a02583c7e683896d84878bd90641d8d9b0d0549 + * Add patch libxml2-CVE-2019-19956.patch + +------------------------------------------------------------------- +Mon Mar 16 12:02:39 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1161517, CVE-2020-7595] + * xmlStringLenDecodeEntities in parser.c has an infinite loop in + a certain end-of-file situation +- Add libxml2-CVE-2020-7595.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2019-19956.patch libxml2-CVE-2020-7595.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.Qq3Ajj/_old 2020-06-11 14:38:28.300221892 +0200 +++ /var/tmp/diff_new_pack.Qq3Ajj/_new 2020-06-11 14:38:28.304221903 +0200 @@ -49,6 +49,10 @@ Patch3: libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch # PATCH-FIX-UPSTREAM bsc#1157450 This commit breaks perl-XML-LibXSLT Patch4: libxml2-xmlFreeNodeList-recursive.patch +# PATCH-FIX-UPSTREAM bsc#1161517 CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities +Patch5: libxml2-CVE-2020-7595.patch +# PATCH-FIX-UPSTREAM bsc#1159928 CVE-2019-19956 Revert usptream commit +Patch6: libxml2-CVE-2019-19956.patch BuildRequires: fdupes BuildRequires: pkgconfig %if !%{with python} @@ -169,6 +173,8 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 -R +%patch5 -p1 +%patch6 -p1 -R %build %if !%{with python} ++++++ libxml2-CVE-2019-19956.patch ++++++ 
>From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001 From: Zhipeng Xie <[email protected]> Date: Wed, 7 Aug 2019 17:39:17 +0800 Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover When doc is NULL, namespace created in xmlTreeEnsureXMLDecl is bind to newDoc->oldNs, in this case, set newDoc->oldNs to NULL and free newDoc will cause a memory leak. Found with libFuzzer. Closes #82. --- parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index 1ce1ccf14..26d9f4e3b 100644 --- a/parser.c +++ b/parser.c @@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax, xmlFreeParserCtxt(ctxt); newDoc->intSubset = NULL; newDoc->extSubset = NULL; - newDoc->oldNs = NULL; + if(doc != NULL) + newDoc->oldNs = NULL; xmlFreeDoc(newDoc); return(ret); ++++++ libxml2-CVE-2020-7595.patch ++++++ >From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 From: Zhipeng Xie <[email protected]> Date: Thu, 12 Dec 2019 17:30:55 +0800 Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef return NULL which cause a infinite loop in xmlStringLenDecodeEntities Found with libFuzzer. Signed-off-by: Zhipeng Xie <[email protected]> --- parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index d1c31963..a34bb6cd 100644 --- a/parser.c +++ b/parser.c @@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, else c = 0; while ((c != 0) && (c != end) && /* non input consuming loop */ - (c != end2) && (c != end3)) { + (c != end2) && (c != end3) && + (ctxt->instate != XML_PARSER_EOF)) { if (c == 0) break; if ((c == '&') && (str[1] == '#')) { -- 2.24.1
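Review bot: in the libxml2.changes hunk (@@ -1,0 +2,15 @@), the Wed May 27 entry lists "* Add patch libxml2-CVE-2019-19956.patch" directly under "Revert upstream commit 5a02583c...", which reads as if the patch fixed the CVE, when it is the upstream fix being applied in reverse; reword it to something like "* Add libxml2-CVE-2019-19956.patch (upstream fix, applied with -R)" so someone reading the changelog alone understands that the CVE fix is being backed out, not added.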
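Review bot: in the Patch6 comment of the libxml2.spec hunk at @@ -49,6 +49,10 @@, "usptream" is a typo for "upstream", and the comment cites bsc#1159928 while the changelog entry for the same change cites bsc#1172021; since the patch is applied reversed, the comment should also name the regression bug that motivates the revert and what it fixes, e.g. "# PATCH-FIX-UPSTREAM bsc#1159928 bsc#1172021 CVE-2019-19956 Revert upstream commit 5a02583c, which breaks xmlns references".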
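Review bot: "%patch6 -p1 -R" in the libxml2.spec hunk at @@ -169,6 +173,8 @@ reverses the upstream fix for CVE-2019-19956, so the memory leak in xmlParseBalancedChunkMemoryRecover described in that patch's commit message is present again in the built package; that is a deliberate trade against the xmlns regression noted in the changelog, but it should be recorded as an open item (in the spec comment or the bug) that the leak is reintroduced until a corrected upstream fix is packaged. A file named like a CVE fix but applied with -R is also easy to misread, as it already is for %patch4 two lines above; a name such as libxml2-revert-CVE-2019-19956-fix.patch would make the intent self-describing.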
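Review bot: in the parser.c hunk at @@ -13894,7 +13894,8 @@, the new "if(doc != NULL)" lacks the space after "if" used elsewhere in parser.c (compare "if ((c == '&') ..." in the other patch), and the guard carries no comment explaining why newDoc->oldNs must still be cleared when doc is non-NULL; the commit message only covers the doc == NULL case. A one-line comment above the condition stating the ownership rule it encodes (whether oldNs is shared with the caller's document in that case, for instance) would keep the next person from "simplifying" it away. Note that this package applies the hunk reversed, so the conditional is removed again and oldNs is unconditionally set to NULL before xmlFreeDoc(newDoc).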
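Review bot: in the xmlStringLenDecodeEntities hunk at @@ -2646,7 +2646,8 @@, the "if (c == 0) break;" on the first line of the loop body is unreachable, because "(c != 0)" is already the first term of the while condition, and could be dropped in the same change. The added "(ctxt->instate != XML_PARSER_EOF)" term is the actual termination guard for the case the commit message describes (xmlParseStringEntityRef returning NULL without consuming input), so extend the existing "/* non input consuming loop */" comment to say that EOF state is what stops the loop when an entity reference fails; otherwise a later reader may treat the extra term as redundant and remove it.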
