[AUTO-CHERRYPICK] Patch libxml2 for CVE-2022-49043 - branch main (#12116)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit c89c217487bf · 2025-01-29T15:28:53.000-05:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/libxml2/CVE-2022-49043.patch b/SPECS/libxml2/CVE-2022-49043.patch
@@ -0,0 +1,34 @@
+From 845e694cfa7d4b4f1635f44f0bafeb6ae5520740 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Mon, 27 Jan 2025 19:18:35 +0000
+Subject: [PATCH] Address CVE-2022-49043
+
+---
+ xinclude.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 0c6b3f2..55210e5 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
+     }
+     URL = xmlSaveUri(uri);
+     xmlFreeURI(uri);
+-    xmlFree(URI);
+     if (URL == NULL) {
+ 	xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
+ 	               "invalid value URI %s\n", URI);
+ 	if (fragment != NULL)
+ 	    xmlFree(fragment);
+-	return(-1);
++	xmlFree(URI);
++	return(NULL);
+     }
++	xmlFree(URI);
+ 
+     if (xmlStrEqual(URL, ctxt->doc->URL))
+ 	local = 1;
+-- 
+2.45.2
+
diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec
@@ -1,7 +1,7 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.10.4
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{n
 Patch0:         CVE-2023-45322.patch
 Patch1:         CVE-2024-34459.patch
 Patch2:         CVE-2024-25062.patch
+Patch3:         CVE-2022-49043.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@@ -81,6 +82,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Tue Jan 28 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.10.4-5 
+- Fix CVE-2022-49043 with an upstream patch
+
 * Tue Sep 17 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.10.4-4
 - Add patch to resolve CVE-2024-25062
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-3.cm2.aarch64.rpm
 curl-devel-8.8.0-3.cm2.aarch64.rpm
 curl-libs-8.8.0-3.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
-libxml2-2.10.4-4.cm2.aarch64.rpm
-libxml2-devel-2.10.4-4.cm2.aarch64.rpm
+libxml2-2.10.4-5.cm2.aarch64.rpm
+libxml2-devel-2.10.4-5.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-3.cm2.x86_64.rpm
 curl-devel-8.8.0-3.cm2.x86_64.rpm
 curl-libs-8.8.0-3.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
-libxml2-2.10.4-4.cm2.x86_64.rpm
-libxml2-devel-2.10.4-4.cm2.x86_64.rpm
+libxml2-2.10.4-5.cm2.x86_64.rpm
+libxml2-devel-2.10.4-5.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.aarch64.rpm
 libtasn1-devel-4.19.0-1.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
-libxml2-2.10.4-4.cm2.aarch64.rpm
-libxml2-debuginfo-2.10.4-4.cm2.aarch64.rpm
-libxml2-devel-2.10.4-4.cm2.aarch64.rpm
+libxml2-2.10.4-5.cm2.aarch64.rpm
+libxml2-debuginfo-2.10.4-5.cm2.aarch64.rpm
+libxml2-devel-2.10.4-5.cm2.aarch64.rpm
 libxslt-1.1.34-7.cm2.aarch64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.aarch64.rpm
 libxslt-devel-1.1.34-7.cm2.aarch64.rpm
@@ -521,7 +521,7 @@ python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
 python3-libs-3.9.19-8.cm2.aarch64.rpm
-python3-libxml2-2.10.4-4.cm2.aarch64.rpm
+python3-libxml2-2.10.4-5.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -215,9 +215,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.x86_64.rpm
 libtasn1-devel-4.19.0-1.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
-libxml2-2.10.4-4.cm2.x86_64.rpm
-libxml2-debuginfo-2.10.4-4.cm2.x86_64.rpm
-libxml2-devel-2.10.4-4.cm2.x86_64.rpm
+libxml2-2.10.4-5.cm2.x86_64.rpm
+libxml2-debuginfo-2.10.4-5.cm2.x86_64.rpm
+libxml2-devel-2.10.4-5.cm2.x86_64.rpm
 libxslt-1.1.34-7.cm2.x86_64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.x86_64.rpm
 libxslt-devel-1.1.34-7.cm2.x86_64.rpm
@@ -527,7 +527,7 @@ python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.19-8.cm2.x86_64.rpm
-python3-libxml2-2.10.4-4.cm2.x86_64.rpm
+python3-libxml2-2.10.4-5.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
