[AUTO-CHERRYPICK] Patch libxml2 for CVE-2025-24928, CVE-2024-56171, CVE-2025-27113 & CVE-2024-25062 [High] - branch 3.0-dev (#12580)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/libxml2/CVE-2024-25062.patch

@@ -0,0 +1,26 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ xmlTextReaderRead(xmlTextReaderPtr reader) {
+      * Handle XInclude if asked for
+      */
+     if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++        (reader->state != XML_TEXTREADER_BACKTRACK) &&
+         (reader->node != NULL) &&
+ 	(reader->node->type == XML_ELEMENT_NODE) &&
+ 	(reader->node->ns != NULL) &&

SPECS/libxml2/CVE-2024-56171.patch

@@ -0,0 +1,38 @@
+From 5880a9a6bd97c0f9ac8fc4f30110fe023f484746 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 10 Dec 2024 16:52:05 +0100
+Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
+ xmlSchemaItemListAdd
+
+xmlSchemaItemListAdd can reallocate the items array. Update local
+variables after adding item in
+
+- xmlSchemaIDCFillNodeTables
+- xmlSchemaBubbleIDCNodeTables
+
+Fixes #828.
+---
+ xmlschemas.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 1b3c524f2..95be97c96 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23374,6 +23374,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ 			}
+ 			if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
+ 			    goto internal_error;
++                        dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
+ 			/*
+ 			* Remove the duplicate entry from the IDC node-table.
+ 			*/
+@@ -23590,6 +23591,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
+ 				goto internal_error;
+ 			}
+ 			xmlSchemaItemListAdd(parBind->dupls, parNode);
++		        dupls = (xmlSchemaPSVIIDCNodePtr *)
++                            parBind->dupls->items;
+ 		    } else {
+ 			/*
+ 			* Add the node-table entry (node and key-sequence) of

SPECS/libxml2/CVE-2025-24928.patch

@@ -0,0 +1,57 @@
+From 29f5d2b67e31c435cbc08954a12a0267c5887d39 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Sat, 22 Feb 2025 18:12:41 +0000
+Subject: [PATCH] CVE-2025-24928
+
+Upstream Reference: https://github.com/GNOME/libxml2/commit/8c8753ad5280ee13aee5eec9b0f6eee2ed920f57
+
+---
+ valid.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 67e1b1d..7eb2dd3 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5252,25 +5252,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+ 	    return;
+ 	}
+         switch (cur->type) {
+-            case XML_ELEMENT_NODE:
++            case XML_ELEMENT_NODE: {
++                int qnameLen = xmlStrlen(cur->name);
++
++                if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
++                    qnameLen += xmlStrlen(cur->ns->prefix) + 1;
++                if (size - len < qnameLen + 10) {
++                    if ((size - len > 4) && (buf[len - 1] != '.'))
++                        strcat(buf, " ...");
++                    return;
++                }
+ 		if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+-		    if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
+-			if ((size - len > 4) && (buf[len - 1] != '.'))
+-			    strcat(buf, " ...");
+-			return;
+-		    }
+ 		    strcat(buf, (char *) cur->ns->prefix);
+ 		    strcat(buf, ":");
+ 		}
+-                if (size - len < xmlStrlen(cur->name) + 10) {
+-		    if ((size - len > 4) && (buf[len - 1] != '.'))
+-			strcat(buf, " ...");
+-		    return;
+-		}
+-	        strcat(buf, (char *) cur->name);
++                if (cur->name != NULL)
++	            strcat(buf, (char *) cur->name);
+ 		if (cur->next != NULL)
+ 		    strcat(buf, " ");
+ 		break;
++            }
+             case XML_TEXT_NODE:
+ 		if (xmlIsBlankNode(cur))
+ 		    break;
+-- 
+2.45.2
+

SPECS/libxml2/CVE-2025-27113.patch

@@ -0,0 +1,28 @@
+From 6c716d491dd2e67f08066f4dc0619efeb49e43e6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 13 Feb 2025 16:48:53 +0100
+Subject: [PATCH] pattern: Fix compilation of explicit child axis
+
+The child axis is the default axis and should generate XML_OP_ELEM like
+the case without an axis.
+---
+ pattern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pattern.c b/pattern.c
+index 0877fc1a0..6fa88f759 100644
+--- a/pattern.c
++++ b/pattern.c
+@@ -1035,10 +1035,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) {
+ 			    goto error;
+ 			}
+ 		    } else {
+-			PUSH(XML_OP_CHILD, token, URL);
++			PUSH(XML_OP_ELEM, token, URL);
+ 		    }
+ 		} else
+-		    PUSH(XML_OP_CHILD, name, NULL);
++		    PUSH(XML_OP_ELEM, name, NULL);
+ 		return;
+ 	    } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) {
+ 		XML_PAT_FREE_STRING(ctxt, name)

SPECS/libxml2/libxml2.spec

@@ -1,16 +1,20 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.11.5
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/General Libraries
 URL:            https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
 Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
 Patch0:         CVE-2024-40896.patch
-Patch1:		CVE-2023-45322.patch
-Patch2:		CVE-2024-34459.patch
+Patch1:         CVE-2023-45322.patch
+Patch2:         CVE-2024-34459.patch
+Patch3:         CVE-2024-56171.patch
+Patch4:         CVE-2025-24928.patch
+Patch5:         CVE-2024-25062.patch
+Patch6:         CVE-2025-27113.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@@ -81,7 +85,10 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
-* Fri Jan 24 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> -2.11.5-3
+* Sat Feb 22 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.11.5-4
+- Patch CVE-2025-24928, CVE-2024-56171, CVE-2024-25062, CVE-2025-27113
+
+* Fri Jan 24 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.11.5-3
 - Fix CVE-2023-45322 & CVE-2024-34459
 
 * Thu Dec 26 2024 Muhammad Falak <mwani@microsoft.com> - 2.11.5-2

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -203,8 +203,8 @@ curl-8.11.1-1.azl3.aarch64.rpm
 curl-devel-8.11.1-1.azl3.aarch64.rpm
 curl-libs-8.11.1-1.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
-libxml2-2.11.5-3.azl3.aarch64.rpm
-libxml2-devel-2.11.5-3.azl3.aarch64.rpm
+libxml2-2.11.5-4.azl3.aarch64.rpm
+libxml2-devel-2.11.5-4.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -203,8 +203,8 @@ curl-8.11.1-1.azl3.x86_64.rpm
 curl-devel-8.11.1-1.azl3.x86_64.rpm
 curl-libs-8.11.1-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
-libxml2-2.11.5-3.azl3.x86_64.rpm
-libxml2-devel-2.11.5-3.azl3.x86_64.rpm
+libxml2-2.11.5-4.azl3.x86_64.rpm
+libxml2-devel-2.11.5-4.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -240,9 +240,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm
 libxcrypt-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
-libxml2-2.11.5-3.azl3.aarch64.rpm
-libxml2-debuginfo-2.11.5-3.azl3.aarch64.rpm
-libxml2-devel-2.11.5-3.azl3.aarch64.rpm
+libxml2-2.11.5-4.azl3.aarch64.rpm
+libxml2-debuginfo-2.11.5-4.azl3.aarch64.rpm
+libxml2-devel-2.11.5-4.azl3.aarch64.rpm
 libxslt-1.1.39-1.azl3.aarch64.rpm
 libxslt-debuginfo-1.1.39-1.azl3.aarch64.rpm
 libxslt-devel-1.1.39-1.azl3.aarch64.rpm
@@ -541,7 +541,7 @@ python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-2.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libs-3.12.3-6.azl3.aarch64.rpm
-python3-libxml2-2.11.5-3.azl3.aarch64.rpm
+python3-libxml2-2.11.5-4.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -245,9 +245,9 @@ libtasn1-debuginfo-4.19.0-1.azl3.x86_64.rpm
 libtasn1-devel-4.19.0-1.azl3.x86_64.rpm
 libtool-2.4.7-1.azl3.x86_64.rpm
 libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm
-libxml2-2.11.5-3.azl3.x86_64.rpm
-libxml2-debuginfo-2.11.5-3.azl3.x86_64.rpm
-libxml2-devel-2.11.5-3.azl3.x86_64.rpm
+libxml2-2.11.5-4.azl3.x86_64.rpm
+libxml2-debuginfo-2.11.5-4.azl3.x86_64.rpm
+libxml2-devel-2.11.5-4.azl3.x86_64.rpm
 libxcrypt-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
@@ -549,7 +549,7 @@ python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-2.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libs-3.12.3-6.azl3.x86_64.rpm
-python3-libxml2-2.11.5-3.azl3.x86_64.rpm
+python3-libxml2-2.11.5-4.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm