
Commit f8b0110

CBL-Mariner-BotKanishk-Bansaljslobodzian
authored
[AUTO-CHERRYPICK] Patch libxml2 for CVE-2025-24928, CVE-2025-27113 & CVE-2024-56171 [High] - branch main (#12583)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Co-authored-by: jslobodzian <joslobo@microsoft.com>
1 parent d6654a0 commit f8b0110

8 files changed

Lines changed: 142 additions & 13 deletions


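--- a/SPECS/libxml2/CVE-2024-56171.patch
+++ b/SPECS/libxml2/CVE-2024-56171.patch
@@ -0,0 +1,38 @@
+From 5880a9a6bd97c0f9ac8fc4f30110fe023f484746 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 10 Dec 2024 16:52:05 +0100
+Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
+xmlSchemaItemListAdd
+
+xmlSchemaItemListAdd can reallocate the items array. Update local
+variables after adding item in
+
+- xmlSchemaIDCFillNodeTables
+- xmlSchemaBubbleIDCNodeTables
+
+Fixes #828.
+---
+xmlschemas.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 1b3c524f2..95be97c96 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23374,6 +23374,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+}
+if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
+goto internal_error;
++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
+/*
+* Remove the duplicate entry from the IDC node-table.
+*/
+@@ -23590,6 +23591,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
+goto internal_error;
+}
+xmlSchemaItemListAdd(parBind->dupls, parNode);
++ dupls = (xmlSchemaPSVIIDCNodePtr *)
++ parBind->dupls->items;
+} else {
+/*
+* Add the node-table entry (node and key-sequence) of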
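Review bot: In the xmlSchemaBubbleIDCNodeTables hunk the return value of `xmlSchemaItemListAdd(parBind->dupls, parNode)` is discarded, while the same call in the xmlSchemaIDCFillNodeTables hunk is compared with -1 and jumps to `internal_error`. The `dupls` refresh added right after it therefore runs even when the add reported failure, and what `parBind->dupls->items` holds in that case is not visible on this page. Because this file mirrors the upstream fix, the check `if (xmlSchemaItemListAdd(parBind->dupls, parNode) == -1) goto internal_error;` is better proposed upstream and picked up from there than carried as a local divergence. Both function bodies start and end outside the quoted hunks.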

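--- a/SPECS/libxml2/CVE-2025-24928.patch
+++ b/SPECS/libxml2/CVE-2025-24928.patch
@@ -0,0 +1,57 @@
+From 29f5d2b67e31c435cbc08954a12a0267c5887d39 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Sat, 22 Feb 2025 18:12:41 +0000
+Subject: [PATCH] CVE-2025-24928
+
+Upstream Reference: https://github.com/GNOME/libxml2/commit/8c8753ad5280ee13aee5eec9b0f6eee2ed920f57
+
+---
+valid.c | 25 +++++++++++++------------
+1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 67e1b1d..7eb2dd3 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5252,25 +5252,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+return;
+}
+switch (cur->type) {
+- case XML_ELEMENT_NODE:
++ case XML_ELEMENT_NODE: {
++ int qnameLen = xmlStrlen(cur->name);
++
++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
++ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ if ((size - len > 4) && (buf[len - 1] != '.'))
++ strcat(buf, " ...");
++ return;
++ }
+if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
+- if ((size - len > 4) && (buf[len - 1] != '.'))
+- strcat(buf, " ...");
+- return;
+- }
+strcat(buf, (char *) cur->ns->prefix);
+strcat(buf, ":");
+}
+- if (size - len < xmlStrlen(cur->name) + 10) {
+- if ((size - len > 4) && (buf[len - 1] != '.'))
+- strcat(buf, " ...");
+- return;
+- }
+- strcat(buf, (char *) cur->name);
++ if (cur->name != NULL)
++ strcat(buf, (char *) cur->name);
+if (cur->next != NULL)
+strcat(buf, " ");
+break;
++ }
+case XML_TEXT_NODE:
+if (xmlIsBlankNode(cur))
+break;
+--
+2.45.2
+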
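Review bot: The truncation test kept inside the new `XML_ELEMENT_NODE` block still reads `buf[len - 1]` without ruling out `len == 0`; `len` is assigned outside the hunk, so whether an empty buffer can reach this branch cannot be confirmed from here. If it can, the read lands one byte before `buf`, and `if ((size - len > 4) && ((len == 0) || (buf[len - 1] != '.')))` closes that. A short comment above `if (size - len < qnameLen + 10)` stating that this single check must cover prefix, ':' and name before any `strcat` runs, and what the 10 bytes of slack are reserved for, would keep a later edit from splitting the check again. Any change is best raised upstream, since this file is a backport; xmlSnprintfElements continues outside the hunk.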

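--- a/SPECS/libxml2/CVE-2025-27113.patch
+++ b/SPECS/libxml2/CVE-2025-27113.patch
@@ -0,0 +1,28 @@
+From 6c716d491dd2e67f08066f4dc0619efeb49e43e6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 13 Feb 2025 16:48:53 +0100
+Subject: [PATCH] pattern: Fix compilation of explicit child axis
+
+The child axis is the default axis and should generate XML_OP_ELEM like
+the case without an axis.
+---
+pattern.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pattern.c b/pattern.c
+index 0877fc1a0..6fa88f759 100644
+--- a/pattern.c
++++ b/pattern.c
+@@ -1035,10 +1035,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) {
+goto error;
+}
+} else {
+- PUSH(XML_OP_CHILD, token, URL);
++ PUSH(XML_OP_ELEM, token, URL);
+}
+} else
+- PUSH(XML_OP_CHILD, name, NULL);
++ PUSH(XML_OP_ELEM, name, NULL);
+return;
+} else if (xmlStrEqual(name, (const xmlChar *) "attribute")) {
+XML_PAT_FREE_STRING(ctxt, name)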
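Review bot: Nothing in this patch header ties it to CVE-2025-27113: the subject and body describe only the child-axis compilation fix, and unlike CVE-2025-24928.patch there is no upstream reference line. Adding the CVE id and `Upstream Reference: <upstream commit URL>` (placeholder, to be filled with the real link) to the description would let an auditor confirm the backport matches upstream without searching by hash. The patch also brings no regression test for a pattern with an explicit child axis, so coverage of the fixed path depends on whatever the package's test stage runs, which is not visible on this page.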

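--- a/SPECS/libxml2/libxml2.spec
+++ b/SPECS/libxml2/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Libxml2
 Name: libxml2
 Version: 2.10.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -12,6 +12,9 @@ Patch0: CVE-2023-45322.patch
 Patch1: CVE-2024-34459.patch
 Patch2: CVE-2024-25062.patch
 Patch3: CVE-2022-49043.patch
+Patch4: CVE-2024-56171.patch
+Patch5: CVE-2025-24928.patch
+Patch6: CVE-2025-27113.patch
 BuildRequires: python3-devel
 BuildRequires: python3-xml
 Provides: %{name}-tools = %{version}-%{release}
@@ -82,6 +85,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Sat Feb 22 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.10.4-6
+- Patch CVE-2025-24928, CVE-2025-27113 & CVE-2024-56171
+
 * Tue Jan 28 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.10.4-5
 - Fix CVE-2022-49043 with an upstream patch
 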
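Review bot: The %prep section is outside the visible hunks, so nothing on this page shows that Patch4, Patch5 and Patch6 are applied at build time rather than only declared. If the spec applies patches with explicit `%patch` lines instead of `%autosetup`, each of the three needs its own line there, otherwise the package ships as 2.10.4-6 without the fixes. A build log that lists all three patches being applied is a quick way to confirm it.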

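--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-4.cm2.aarch64.rpm
 curl-devel-8.8.0-4.cm2.aarch64.rpm
 curl-libs-8.8.0-4.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
-libxml2-2.10.4-5.cm2.aarch64.rpm
-libxml2-devel-2.10.4-5.cm2.aarch64.rpm
+libxml2-2.10.4-6.cm2.aarch64.rpm
+libxml2-devel-2.10.4-6.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm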

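--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-4.cm2.x86_64.rpm
 curl-devel-8.8.0-4.cm2.x86_64.rpm
 curl-libs-8.8.0-4.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
-libxml2-2.10.4-5.cm2.x86_64.rpm
-libxml2-devel-2.10.4-5.cm2.x86_64.rpm
+libxml2-2.10.4-6.cm2.x86_64.rpm
+libxml2-devel-2.10.4-6.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm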

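--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.aarch64.rpm
 libtasn1-devel-4.19.0-1.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
-libxml2-2.10.4-5.cm2.aarch64.rpm
-libxml2-debuginfo-2.10.4-5.cm2.aarch64.rpm
-libxml2-devel-2.10.4-5.cm2.aarch64.rpm
+libxml2-2.10.4-6.cm2.aarch64.rpm
+libxml2-debuginfo-2.10.4-6.cm2.aarch64.rpm
+libxml2-devel-2.10.4-6.cm2.aarch64.rpm
 libxslt-1.1.34-7.cm2.aarch64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.aarch64.rpm
 libxslt-devel-1.1.34-7.cm2.aarch64.rpm
@@ -521,7 +521,7 @@ python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
 python3-libs-3.9.19-9.cm2.aarch64.rpm
-python3-libxml2-2.10.4-5.cm2.aarch64.rpm
+python3-libxml2-2.10.4-6.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm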

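--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -215,9 +215,9 @@ libtasn1-debuginfo-4.19.0-1.cm2.x86_64.rpm
 libtasn1-devel-4.19.0-1.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
-libxml2-2.10.4-5.cm2.x86_64.rpm
-libxml2-debuginfo-2.10.4-5.cm2.x86_64.rpm
-libxml2-devel-2.10.4-5.cm2.x86_64.rpm
+libxml2-2.10.4-6.cm2.x86_64.rpm
+libxml2-debuginfo-2.10.4-6.cm2.x86_64.rpm
+libxml2-devel-2.10.4-6.cm2.x86_64.rpm
 libxslt-1.1.34-7.cm2.x86_64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.x86_64.rpm
 libxslt-devel-1.1.34-7.cm2.x86_64.rpm
@@ -527,7 +527,7 @@ python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.19-9.cm2.x86_64.rpm
-python3-libxml2-2.10.4-5.cm2.x86_64.rpm
+python3-libxml2-2.10.4-6.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm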
