Patch CVE-2023-45322 in libxml2 (#6628)

2023-11-01 09:50:43 +05:30 · 2023-11-01 09:50:43 +05:30 · 7bb826d753
parent b39325a6bd
commit 7bb826d753
6 changed files with 97 additions and 14 deletions
--- a/SPECS/libxml2/CVE-2023-45322.patch
+++ b/SPECS/libxml2/CVE-2023-45322.patch
@ -0,0 +1,79 @@
+From 5f289bb20d098da4bd695c4237910fcccf70ac6c Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+---
+ tree.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 4c9f00d..03572ff 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4457,29 +4457,28 @@ static xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+	xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ 	if (node->type == XML_DTD_NODE ) {
+-	    if (doc == NULL) {
+-		node = node->next;
+-		continue;
+#ifdef LIBXML_TREE_ENABLED
+	    if ((doc == NULL) || (doc->intSubset != NULL)) {
+			node = node->next;
+			continue;
+ 	    }
+-	    if (doc->intSubset == NULL) {
+ 		q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-		if (q == NULL) return(NULL);
+		if (q == NULL) goto error;
+ 		q->doc = doc;
+ 		q->parent = parent;
+-		doc->intSubset = (xmlDtdPtr) q;
+-		xmlAddChild(parent, q);
+-	    } else {
+-		q = (xmlNodePtr) doc->intSubset;
+-		xmlAddChild(parent, q);
+-	    }
+-	} else
+		newSubset = (xmlDtdPtr) q;
+#else
+		node = node->next;
+		continue;
+ #endif /* LIBXML_TREE_ENABLED */
+	} else {
+ 	    q = xmlStaticCopyNode(node, doc, parent, 1);
+-	if (q == NULL) return(NULL);
+		if (q == NULL) goto error;
+	}
+ 	if (ret == NULL) {
+ 	    q->prev = NULL;
+ 	    ret = p = q;
+@@ -4489,9 +4488,13 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	    q->prev = p;
+ 	    p = q;
+ 	}
+-	node = node->next;
+		node = node->next;
+     }
+	if (newSubset != NULL)
+		doc->intSubset = newSubset;
+     return(ret);
+error:
+    xmlFreeNodeList(ret);
+ }
+ 
+ /**
+-- 
+2.38.1
+
--- a/SPECS/libxml2/libxml2.spec
+++ b/SPECS/libxml2/libxml2.spec
@ -1,13 +1,14 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.10.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/General Libraries
 URL:            https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
 Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
+Patch0:         CVE-2023-45322.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@ -36,7 +37,7 @@ Provides:       %{name}-devel%{?_isa} = %{version}-%{release}
 Static libraries and header files for the support library for libxml

 %prep
-%autosetup -n %{name}-v%{version}
+%autosetup -n %{name}-v%{version} -p1

 %build
 ./autogen.sh
@ -78,6 +79,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake

 %changelog
+* Mon Oct 30 2023 Suresh Thelkar <sthelkar@microsoft.com> - 2.10.4-2
+- Backport upstream patch to fix CVE-2023-45322
+
 * Tue May 23 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.10.4-1
 - Auto-upgrade to 2.10.4 - to fix CVE-2023-28484, CVE-2023-29469

--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -194,8 +194,8 @@ curl-8.3.0-2.cm2.aarch64.rpm
 curl-devel-8.3.0-2.cm2.aarch64.rpm
 curl-libs-8.3.0-2.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
-libxml2-2.10.4-1.cm2.aarch64.rpm
-libxml2-devel-2.10.4-1.cm2.aarch64.rpm
+libxml2-2.10.4-2.cm2.aarch64.rpm
+libxml2-devel-2.10.4-2.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -194,8 +194,8 @@ curl-8.3.0-2.cm2.x86_64.rpm
 curl-devel-8.3.0-2.cm2.x86_64.rpm
 curl-libs-8.3.0-2.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
-libxml2-2.10.4-1.cm2.x86_64.rpm
-libxml2-devel-2.10.4-1.cm2.x86_64.rpm
+libxml2-2.10.4-2.cm2.x86_64.rpm
+libxml2-devel-2.10.4-2.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.aarch64.rpm
 libtasn1-devel-4.19.0-1.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
-libxml2-2.10.4-1.cm2.aarch64.rpm
-libxml2-debuginfo-2.10.4-1.cm2.aarch64.rpm
-libxml2-devel-2.10.4-1.cm2.aarch64.rpm
+libxml2-2.10.4-2.cm2.aarch64.rpm
+libxml2-debuginfo-2.10.4-2.cm2.aarch64.rpm
+libxml2-devel-2.10.4-2.cm2.aarch64.rpm
 libxslt-1.1.34-7.cm2.aarch64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.aarch64.rpm
 libxslt-devel-1.1.34-7.cm2.aarch64.rpm
@ -519,7 +519,7 @@ python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
 python3-libs-3.9.14-8.cm2.aarch64.rpm
-python3-libxml2-2.10.4-1.cm2.aarch64.rpm
+python3-libxml2-2.10.4-2.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.x86_64.rpm
 libtasn1-devel-4.19.0-1.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
-libxml2-2.10.4-1.cm2.x86_64.rpm
-libxml2-debuginfo-2.10.4-1.cm2.x86_64.rpm
-libxml2-devel-2.10.4-1.cm2.x86_64.rpm
+libxml2-2.10.4-2.cm2.x86_64.rpm
+libxml2-debuginfo-2.10.4-2.cm2.x86_64.rpm
+libxml2-devel-2.10.4-2.cm2.x86_64.rpm
 libxslt-1.1.34-7.cm2.x86_64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.x86_64.rpm
 libxslt-devel-1.1.34-7.cm2.x86_64.rpm
@ -519,7 +519,7 @@ python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.14-8.cm2.x86_64.rpm
-python3-libxml2-2.10.4-1.cm2.x86_64.rpm
+python3-libxml2-2.10.4-2.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm