packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix 2023-28484 CVE-2023-29469

Browse Source 
Signed-off-by: BruceGW <gyl93216@163.com>
This commit is contained in:
BruceGW 2023-04-20 22:05:32 +08:00
parent 6d4d54d8e9
commit a5c2f6879e
3 changed files with 120 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch Normal file
View File

@ -0,0 +1,74 @@
From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Apr 2023 11:46:35 +0200
Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
Fix a null pointer dereference when parsing (invalid) XML schemas.
Thanks to Robby Simpson for the report!
Fixes #491.
---
result/schemas/issue491_0_0.err | 1 +
test/schemas/issue491_0.xml | 1 +
test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
xmlschemas.c | 2 +-
4 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 result/schemas/issue491_0_0.err
create mode 100644 test/schemas/issue491_0.xml
create mode 100644 test/schemas/issue491_0.xsd
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
new file mode 100644
index 00000000..9b2bb969
--- /dev/null
+++ b/result/schemas/issue491_0_0.err
@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
new file mode 100644
index 00000000..e2b2fc2e
--- /dev/null
+++ b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
new file mode 100644
index 00000000..81702649
--- /dev/null
+++ b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+ <xs:complexType name="BaseType">
+ <xs:simpleContent>
+ <xs:extension base="xs:int" />
+ </xs:simpleContent>
+ </xs:complexType>
+ <xs:complexType name="ChildType">
+ <xs:complexContent>
+ <xs:extension base="BaseType">
+ <xs:sequence>
+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+ </xs:sequence>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+ <xs:element name="Child" type="ChildType" />
+</xs:schema>
diff --git a/xmlschemas.c b/xmlschemas.c
index 17aa6dfa..36cd6730 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -18563,7 +18563,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
"allowed to appear inside other model groups",
NULL, NULL);
- } else if (! dummySequence) {
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
xmlSchemaTreeItemPtr effectiveContent =
(xmlSchemaTreeItemPtr) type->subtypes;
/*
--
2.27.0

37
backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch Normal file
View File

@ -0,0 +1,37 @@
From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Apr 2023 11:49:27 +0200
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
deterministic
When hashing empty strings which aren't null-terminated,
xmlDictComputeFastKey could produce inconsistent results. This could
lead to various logic or memory errors, including double frees.
For consistency the seed is also taken into account, but this shouldn't
have an impact on security.
Found by OSS-Fuzz.
Fixes #510.
---
dict.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dict.c b/dict.c
index 26ce516d..57b76fae 100644
--- a/dict.c
+++ b/dict.c
@@ -451,7 +451,8 @@ static unsigned long
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
value += *name;
value <<= 5;
if (namelen > 10) {
--
2.27.0

10
libxml2.spec
View File

@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support Summary: Library providing XML and HTML support
Name: libxml2 Name: libxml2
Version: 2.9.14 Version: 2.9.14
Release: 8 Release: 9
License: MIT License: MIT
Group: Development/Libraries Group: Development/Libraries
Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@ -22,6 +22,8 @@ Patch12: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
Patch13: backport-Fix-unused-variable-warnings-with-disabled-features.patch Patch13: backport-Fix-unused-variable-warnings-with-disabled-features.patch
Patch14: backport-Update-xmlStrlen-to-use-POSIX-ISO-C-strlen.patch Patch14: backport-Update-xmlStrlen-to-use-POSIX-ISO-C-strlen.patch
Patch15: backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch Patch15: backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch
Patch16: backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
Patch17: backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python3-devel BuildRequires: python3-devel
@ -177,6 +179,12 @@ rm -fr %{buildroot}
%changelog %changelog
* Thu Apr 20 2023 BruceGW <gyl93216@163.com> - 2.9.14-9
- Type:CVE
- CVE:CVE-2023-28484 CVE-2023-29469
- SUG:NA
- DESC:fix CVE-2023-28484CVE-2023-29469
* Mon Feb 27 2023 Zhipeng Xie <xiezhipeng1@huawei.com> - 2.9.14-8 * Mon Feb 27 2023 Zhipeng Xie <xiezhipeng1@huawei.com> - 2.9.14-8
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA