[AUTO-CHERRYPICK] libxml2: address CVE-2024-40896 - branch 3.0-dev (#…

…11720) Co-authored-by: Muhammad Falak R Wani <[email protected]>
microsoft · Dec 27, 2024 · 81fb40a · 81fb40a
1 parent ae7f8ab
commit 81fb40a
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 13 deletions.
diff --git a/SPECS/libxml2/CVE-2024-40896.patch b/SPECS/libxml2/CVE-2024-40896.patch
@@ -0,0 +1,37 @@
+From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 4feb21a28..8fe0a064d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	return;
+     }
+
++    /*
++     * Some users try to parse entities on their own and used to set
++     * the renamed "checked" member. Fix the flags to cover this
++     * case.
++     */
++    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++        ent->flags |= XML_ENT_PARSED;
++
+     /*
+      * The first reference to the entity trigger a parsing phase
+      * where the ent->children is filled with the result from
+-- 
+GitLab
+
diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec
@@ -1,13 +1,14 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.11.5
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/General Libraries
 URL:            https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
 Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
+Patch0:         CVE-2024-40896.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@@ -78,6 +79,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Thu Dec 26 2024 Muhammad Falak <[email protected]> - 2.11.5-2
+- Patch CVE-2024-40896
+
 * Tue Nov 21 2023 CBL-Mariner Servicing Account <[email protected]> - 2.11.5-1
 - Auto-upgrade to 2.11.5 - Azure Linux 3.0 - package upgrades
 

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.aarch64.rpm
 curl-devel-8.8.0-3.azl3.aarch64.rpm
 curl-libs-8.8.0-3.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
-libxml2-2.11.5-1.azl3.aarch64.rpm
-libxml2-devel-2.11.5-1.azl3.aarch64.rpm
+libxml2-2.11.5-2.azl3.aarch64.rpm
+libxml2-devel-2.11.5-2.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.x86_64.rpm
 curl-devel-8.8.0-3.azl3.x86_64.rpm
 curl-libs-8.8.0-3.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
-libxml2-2.11.5-1.azl3.x86_64.rpm
-libxml2-devel-2.11.5-1.azl3.x86_64.rpm
+libxml2-2.11.5-2.azl3.x86_64.rpm
+libxml2-devel-2.11.5-2.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -240,9 +240,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm
 libxcrypt-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
-libxml2-2.11.5-1.azl3.aarch64.rpm
-libxml2-debuginfo-2.11.5-1.azl3.aarch64.rpm
-libxml2-devel-2.11.5-1.azl3.aarch64.rpm
+libxml2-2.11.5-2.azl3.aarch64.rpm
+libxml2-debuginfo-2.11.5-2.azl3.aarch64.rpm
+libxml2-devel-2.11.5-2.azl3.aarch64.rpm
 libxslt-1.1.39-1.azl3.aarch64.rpm
 libxslt-debuginfo-1.1.39-1.azl3.aarch64.rpm
 libxslt-devel-1.1.39-1.azl3.aarch64.rpm
@@ -541,7 +541,7 @@ python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libs-3.12.3-5.azl3.aarch64.rpm
-python3-libxml2-2.11.5-1.azl3.aarch64.rpm
+python3-libxml2-2.11.5-2.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -245,9 +245,9 @@ libtasn1-debuginfo-4.19.0-1.azl3.x86_64.rpm
 libtasn1-devel-4.19.0-1.azl3.x86_64.rpm
 libtool-2.4.7-1.azl3.x86_64.rpm
 libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm
-libxml2-2.11.5-1.azl3.x86_64.rpm
-libxml2-debuginfo-2.11.5-1.azl3.x86_64.rpm
-libxml2-devel-2.11.5-1.azl3.x86_64.rpm
+libxml2-2.11.5-2.azl3.x86_64.rpm
+libxml2-debuginfo-2.11.5-2.azl3.x86_64.rpm
+libxml2-devel-2.11.5-2.azl3.x86_64.rpm
 libxcrypt-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
@@ -549,7 +549,7 @@ python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libs-3.12.3-5.azl3.x86_64.rpm
-python3-libxml2-2.11.5-1.azl3.x86_64.rpm
+python3-libxml2-2.11.5-2.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm