From 2abb988b9cd34d48c78ffe2955b195a577463930 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Mon, 29 Jul 2024 00:09:42 +0800
Subject: [PATCH] fix CVE-2024-40896
---
 backport-CVE-2024-40896.patch | 37 +++++++++++++++++++++++++++++++++++
 libxml2.spec | 9 ++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-40896.patch
diff --git a/backport-CVE-2024-40896.patch b/backport-CVE-2024-40896.patch
new file mode 100644
index 0000000..9fddd1e
--- /dev/null
+++ b/backport-CVE-2024-40896.patch
@@ -0,0 +1,37 @@
+From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 4feb21a28..8fe0a064d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+
++ /*
++ * Some users try to parse entities on their own and used to set
++ * the renamed "checked" member. Fix the flags to cover this
++ * case.
++ */
++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++ ent->flags |= XML_ENT_PARSED;
++
+ /*
+ * The first reference to the entity trigger a parsing phase
+ * where the ent->children is filled with the result from
+--
+GitLab
+
diff --git a/libxml2.spec b/libxml2.spec
index bda50bc..4937c27 100644
--- a/libxml2.spec
+++ b/libxml2.spec
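Review bot: The new guard `if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))` is taken from upstream commit ae8f0ac0 but is being applied to 2.11.5, so the build should be confirmed to find `ent->flags` and `XML_ENT_PARSED` at that version and the hunk to apply near its `@@ -7148` offset — if 2.11.5's xmlEntity still exposes `checked` rather than `flags`, the patch will not compile and the CVE stays open despite the changelog. The added comment records the history but not the security contract, so I would extend it with `* Honouring caller-populated children here is what keeps downstream XXE mitigations (which pre-set ent->children from the getEntity SAX callback) effective; do not re-parse such entities.` so a later refactor does not drop the check again. Note the guard only covers mitigations that populate `children`; a downstream that merely marked the entity as checked without setting children would, as far as this hunk shows, still fall through to the parsing phase below (inferred from the commit message, not verifiable here). xmlParseReference starts and ends outside the hunk.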
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.11.5
-Release: 3
+Release: 4
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz
@@ -12,6 +12,7 @@ Patch2: backport-xpath-Remove-remaining-references-to-valueFrame.patch
 Patch3: backport-examples-Don-t-call-xmlCleanupParser-and-xmlMemoryDu.patch
 Patch4: backport-CVE-2024-25062.patch
 Patch5: backport-CVE-2024-34459.patch
+Patch6: backport-CVE-2024-40896.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@@ -163,6 +164,12 @@ rm -fr %{buildroot}
 %changelog
+* Mon Jul 29 2024 Funda Wang - 2.11.5-4
+- Type:CVE
+- CVE:CVE-2024-40896
+- SUG:NA
+- DESC:fix CVE-2024-40896
+
 * Fri May 17 2024 cenhuilin - 2.11.5-3
 - Type:CVE
 - CVE:CVE-2024-34459
--
Gitee
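Review bot: `Patch6: backport-CVE-2024-40896.patch` is declared in the second hunk, but nothing in the visible spec applies it; if `%prep` uses explicit `%patchN` lines rather than `%autosetup -p1`, a matching `%patch6 -p1` is required, otherwise the package ships the unfixed parser while the changelog asserts CVE-2024-40896 is fixed. I would verify the built tree actually carries the change (e.g. grep the patched parser.c for `XML_ENT_PARSED` after `%prep`, or add the upstream regression case to `%check` if the version has one) rather than trusting the changelog entry. The `%prep` section is outside this diff.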