
Commit c89c217

[AUTO-CHERRYPICK] Patch libxml2 for CVE-2022-49043 - branch main (#12116)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
1 parent 35ed337 commit c89c217

6 files changed

Lines changed: 51 additions & 13 deletions


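--- a/SPECS/libxml2/CVE-2022-49043.patch
+++ b/SPECS/libxml2/CVE-2022-49043.patch
@@ -0,0 +1,34 @@
+From 845e694cfa7d4b4f1635f44f0bafeb6ae5520740 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Mon, 27 Jan 2025 19:18:35 +0000
+Subject: [PATCH] Address CVE-2022-49043
+
+---
+xinclude.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 0c6b3f2..55210e5 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
+}
+URL = xmlSaveUri(uri);
+xmlFreeURI(uri);
+- xmlFree(URI);
+if (URL == NULL) {
+xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
+"invalid value URI %s\n", URI);
+if (fragment != NULL)
+xmlFree(fragment);
+- return(-1);
++ xmlFree(URI);
++ return(NULL);
+}
++ xmlFree(URI);
+
+if (xmlStrEqual(URL, ctxt->doc->URL))
+local = 1;
+--
+2.45.2
+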
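Review bot: The error branch of the backported xinclude.c hunk now ends in `return(NULL);` where the line it replaces was `return(-1);`. If xmlXIncludeAddNode still returns an int in 2.10.4, that failure would be reported as 0 and the build would emit a pointer-to-integer conversion warning; the return type is not visible here, and the function starts and ends outside the hunk. Moving `xmlFree(URI)` to after the `xmlXIncludeErr` call that prints URI is the actual use-after-free fix and looks correct, so I would keep `return(-1);` on that branch unless the signature was changed to return a pointer as well. The patch header also names no upstream commit, so adding a line that references it (placeholder: `<upstream commit URL>`) would let reviewers diff this backport against the original fix.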

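--- a/SPECS/libxml2/libxml2.spec
+++ b/SPECS/libxml2/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Libxml2
 Name: libxml2
 Version: 2.10.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -11,6 +11,7 @@ Source0: https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{n
 Patch0: CVE-2023-45322.patch
 Patch1: CVE-2024-34459.patch
 Patch2: CVE-2024-25062.patch
+Patch3: CVE-2022-49043.patch
 BuildRequires: python3-devel
 BuildRequires: python3-xml
 Provides: %{name}-tools = %{version}-%{release}
@@ -81,6 +82,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Tue Jan 28 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.10.4-5
+- Fix CVE-2022-49043 with an upstream patch
+
 * Tue Sep 17 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.10.4-4
 - Add patch to resolve CVE-2024-25062
 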

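--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-3.cm2.aarch64.rpm
 curl-devel-8.8.0-3.cm2.aarch64.rpm
 curl-libs-8.8.0-3.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
-libxml2-2.10.4-4.cm2.aarch64.rpm
-libxml2-devel-2.10.4-4.cm2.aarch64.rpm
+libxml2-2.10.4-5.cm2.aarch64.rpm
+libxml2-devel-2.10.4-5.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm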

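--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-3.cm2.x86_64.rpm
 curl-devel-8.8.0-3.cm2.x86_64.rpm
 curl-libs-8.8.0-3.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
-libxml2-2.10.4-4.cm2.x86_64.rpm
-libxml2-devel-2.10.4-4.cm2.x86_64.rpm
+libxml2-2.10.4-5.cm2.x86_64.rpm
+libxml2-devel-2.10.4-5.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm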

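--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.aarch64.rpm
 libtasn1-devel-4.19.0-1.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
-libxml2-2.10.4-4.cm2.aarch64.rpm
-libxml2-debuginfo-2.10.4-4.cm2.aarch64.rpm
-libxml2-devel-2.10.4-4.cm2.aarch64.rpm
+libxml2-2.10.4-5.cm2.aarch64.rpm
+libxml2-debuginfo-2.10.4-5.cm2.aarch64.rpm
+libxml2-devel-2.10.4-5.cm2.aarch64.rpm
 libxslt-1.1.34-7.cm2.aarch64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.aarch64.rpm
 libxslt-devel-1.1.34-7.cm2.aarch64.rpm
@@ -521,7 +521,7 @@ python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
 python3-libs-3.9.19-8.cm2.aarch64.rpm
-python3-libxml2-2.10.4-4.cm2.aarch64.rpm
+python3-libxml2-2.10.4-5.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm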

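--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -215,9 +215,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.x86_64.rpm
 libtasn1-devel-4.19.0-1.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
-libxml2-2.10.4-4.cm2.x86_64.rpm
-libxml2-debuginfo-2.10.4-4.cm2.x86_64.rpm
-libxml2-devel-2.10.4-4.cm2.x86_64.rpm
+libxml2-2.10.4-5.cm2.x86_64.rpm
+libxml2-debuginfo-2.10.4-5.cm2.x86_64.rpm
+libxml2-devel-2.10.4-5.cm2.x86_64.rpm
 libxslt-1.1.34-7.cm2.x86_64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.x86_64.rpm
 libxslt-devel-1.1.34-7.cm2.x86_64.rpm
@@ -527,7 +527,7 @@ python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.19-8.cm2.x86_64.rpm
-python3-libxml2-2.10.4-4.cm2.x86_64.rpm
+python3-libxml2-2.10.4-5.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm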
