!176 fix CVE-2023-28484 CVE-2023-29469

From: @BruceGW Reviewed-by: @hubin95 Signed-off-by: @hubin95
2023-04-23 03:42:30 +00:00 · 2023-04-23 03:42:30 +00:00 · bf69a87436
commit bf69a87436
parent 6d4d54d8e9 a5c2f6879e
3 changed files with 120 additions and 1 deletions
--- a/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
+++ b/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
@ -0,0 +1,74 @@
+From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml     |  1 +
+ test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
+ xmlschemas.c                    |  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
+++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
+++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
+++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+  <xs:complexType name="BaseType">
+    <xs:simpleContent>
+      <xs:extension base="xs:int" />
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:complexType name="ChildType">
+    <xs:complexContent>
+      <xs:extension base="BaseType">
+        <xs:sequence>
+          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <xs:element name="Child" type="ChildType" />
+</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 17aa6dfa..36cd6730 100644
+--- a/xmlschemas.c
+++ b/xmlschemas.c
+@@ -18563,7 +18563,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ 			"allowed to appear inside other model groups",
+ 			NULL, NULL);
+ 
+-		} else if (! dummySequence) {
+		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ 		    xmlSchemaTreeItemPtr effectiveContent =
+ 			(xmlSchemaTreeItemPtr) type->subtypes;
+ 		    /*
+-- 
+2.27.0
+
--- a/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
+++ b/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
@ -0,0 +1,37 @@
+From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 26ce516d..57b76fae 100644
+--- a/dict.c
+++ b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
+    if ((name == NULL) || (namelen <= 0))
+        return(value);
+     value += *name;
+     value <<= 5;
+     if (namelen > 10) {
+-- 
+2.27.0
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 8
+Release: 9
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@ -22,6 +22,8 @@ Patch12: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
 Patch13: backport-Fix-unused-variable-warnings-with-disabled-features.patch
 Patch14: backport-Update-xmlStrlen-to-use-POSIX-ISO-C-strlen.patch
 Patch15: backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch
+Patch16: backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
+Patch17: backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@ -177,6 +179,12 @@ rm -fr %{buildroot}


 %changelog
+* Thu Apr 20 2023 BruceGW <gyl93216@163.com> - 2.9.14-9
+- Type:CVE
+- CVE:CVE-2023-28484 CVE-2023-29469
+- SUG:NA
+- DESC:fix CVE-2023-28484CVE-2023-29469
+
 * Mon Feb 27 2023 Zhipeng Xie <xiezhipeng1@huawei.com> - 2.9.14-8
 - Type:bugfix
 - CVE:NA