!212 [sync] PR-211: fix CVE-2023-45322

From: @openeuler-sync-bot Reviewed-by: @gaoruoshu Signed-off-by: @gaoruoshu
2023-10-30 03:05:33 +00:00 · 2023-10-30 03:05:33 +00:00 · a5b4b3b355
commit a5b4b3b355
parent dcc268d2ae 44a51b57b0
3 changed files with 131 additions and 1 deletions
--- a/backport-CVE-2023-45322.patch
+++ b/backport-CVE-2023-45322.patch
@ -0,0 +1,74 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b..02c1b579 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4386,29 +4386,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ 	if (node->type == XML_DTD_NODE ) {
+-	    if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+	    if ((doc == NULL) || (doc->intSubset != NULL)) {
+ 		node = node->next;
+ 		continue;
+ 	    }
+-	    if (doc->intSubset == NULL) {
+-		q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-		if (q == NULL) goto error;
+-		q->doc = doc;
+-		q->parent = parent;
+-		doc->intSubset = (xmlDtdPtr) q;
+-		xmlAddChild(parent, q);
+-	    } else {
+-		q = (xmlNodePtr) doc->intSubset;
+-		xmlAddChild(parent, q);
+-	    }
+-	} else
+            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+            if (q == NULL) goto error;
+            q->doc = doc;
+            q->parent = parent;
+            newSubset = (xmlDtdPtr) q;
+#else
+            node = node->next;
+            continue;
+ #endif /* LIBXML_TREE_ENABLED */
+	} else {
+ 	    q = xmlStaticCopyNode(node, doc, parent, 1);
+-	if (q == NULL) goto error;
+	    if (q == NULL) goto error;
+        }
+ 	if (ret == NULL) {
+ 	    q->prev = NULL;
+ 	    ret = p = q;
+@@ -4420,6 +4419,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	}
+ 	node = node->next;
+     }
+    if (newSubset != NULL)
+        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+2.27.0
+
--- a/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch
+++ b/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch
@ -0,0 +1,48 @@
+From f0b5515c26a65c218dcab95b411f25f2e57328d0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH 05/28] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Reference: https://github.com/GNOME/libxml2/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce
+Conflict: NA
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 84da156..b32561d 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4388,7 +4388,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	    }
+ 	    if (doc->intSubset == NULL) {
+ 		q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-		if (q == NULL) return(NULL);
+		if (q == NULL) goto error;
+ 		q->doc = doc;
+ 		q->parent = parent;
+ 		doc->intSubset = (xmlDtdPtr) q;
+@@ -4400,7 +4400,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	} else
+ #endif /* LIBXML_TREE_ENABLED */
+ 	    q = xmlStaticCopyNode(node, doc, parent, 1);
+-	if (q == NULL) return(NULL);
+	if (q == NULL) goto error;
+ 	if (ret == NULL) {
+ 	    q->prev = NULL;
+ 	    ret = p = q;
+@@ -4413,6 +4413,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	node = node->next;
+     }
+     return(ret);
+error:
+    xmlFreeNodeList(ret);
+    return(NULL);
+ }
+ 
+ /**
+-- 
+2.27.0
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 37
+Release: 38
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -132,6 +132,8 @@ Patch119:backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
 Patch120:backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
 Patch121:backport-Fix-old-SAX1-parser-with-custom-callbacks.patch
 Patch122:backport-Always-initialize-SAX1-element-handlers.patch
+Patch123:backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch
+Patch124:backport-CVE-2023-45322.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
@ -323,6 +325,12 @@ rm -fr %{buildroot}


 %changelog
+* Mon Oct 16 hehuazhen <hehuazhen@huawei.com> - 2.9.10-38
+- Type:CVE
+- CVE:CVE-2023-45322
+- SUG:NA
+- DESC:fix CVE-2023-45322
+
 * Fri Sep 01 2023 liningjie <liningjie@xfusion.com> - 2.9.10-37
 - parser: Fix old SAX1 parser with custom callbacks