!258 fix CVE-2024-40896

From: @fundawang Reviewed-by: @zhuofeng6, @hubin95 Signed-off-by: @hubin95
2024-07-30 03:07:19 +00:00 · 2024-07-30 03:07:19 +00:00 · d821e01dc2
commit d821e01dc2
parent b4e91f5c86 2abb988b9c
2 changed files with 45 additions and 1 deletions
--- a/backport-CVE-2024-40896.patch
+++ b/backport-CVE-2024-40896.patch
@ -0,0 +1,37 @@
+From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 4feb21a28..8fe0a064d 100644
+--- a/parser.c
+++ b/parser.c
+@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	return;
+     }
+ 
+    /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
+     /*
+      * The first reference to the entity trigger a parsing phase
+      * where the ent->children is filled with the result from
+-- 
+GitLab
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.11.5
-Release: 3
+Release: 4
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz
@ -12,6 +12,7 @@ Patch2: backport-xpath-Remove-remaining-references-to-valueFrame.patch
 Patch3: backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch
 Patch4: backport-CVE-2024-25062.patch
 Patch5: backport-CVE-2024-34459.patch
+Patch6: backport-CVE-2024-40896.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@ -163,6 +164,12 @@ rm -fr %{buildroot}


 %changelog
+* Mon Jul 29 2024 Funda Wang <fundawang@yeah.net> - 2.11.5-4
+- Type:CVE
+- CVE:CVE-2024-40896
+- SUG:NA
+- DESC:fix CVE-2024-40896
+
 * Fri May 17 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.11.5-3
 - Type:CVE
 - CVE:CVE-2024-34459