!270 fix CVE-2022-49043

From: @Linux_zhang2024 
Reviewed-by: @zhuofeng6, @hubin95 
Signed-off-by: @hubin95

backport-CVE-2022-2309.patch

@@ -0,0 +1,25 @@
+From 5930fe01963136ab92125feec0c6204d9c9225dc Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 18 Jul 2022 20:59:45 +0200
+Subject: [PATCH] Reset nsNr in xmlCtxtReset
+
+---
+ parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d278638d..e660b0a7 100644
+--- a/parser.c
++++ b/parser.c
+@@ -14820,6 +14820,8 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+     ctxt->nameNr = 0;
+     ctxt->name = NULL;
+ 
++    ctxt->nsNr = 0;
++
+     DICT_FREE(ctxt->version);
+     ctxt->version = NULL;
+     DICT_FREE(ctxt->encoding);
+-- 
+2.27.0
+

backport-CVE-2022-49043-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch

@@ -0,0 +1,34 @@
+From 5a19e21605398cef6a8b1452477a8705cb41562b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 16:13:27 +0100
+Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
+
+Found with libFuzzer, see #344.
+---
+ xinclude.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index b9a79d7..67926ec 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -614,14 +614,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
+     }
+     URL = xmlSaveUri(uri);
+     xmlFreeURI(uri);
+-    xmlFree(URI);
+     if (URL == NULL) {
+ 	xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
+ 	               "invalid value URI %s\n", URI);
+ 	if (fragment != NULL)
+ 	    xmlFree(fragment);
++	xmlFree(URI);
+ 	return(-1);
+     }
++    xmlFree(URI);
+ 
+     /*
+      * If local and xml then we need a fragment
+-- 
+2.33.0
+

backport-CVE-2024-25062.patch

@@ -0,0 +1,29 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+      * Handle XInclude if asked for
+      */
+     if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++        (reader->state != XML_TEXTREADER_BACKTRACK) &&
+         (reader->node != NULL) &&
+ 	(reader->node->type == XML_ELEMENT_NODE) &&
+ 	(reader->node->ns != NULL) &&
+-- 
+GitLab
+

backport-CVE-2024-34459.patch

@@ -0,0 +1,26 @@
+From 2876ac5392a4e891b81e40e592c3ac6cb46016ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 14 May 2024 08:50:50 +0800
+Subject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
+
+Add a missing bounds check.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 72839b5..739ac47 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -595,7 +595,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
+     len = strlen(buffer);
+     snprintf(&buffer[len], sizeof(buffer) - len, "\n");
+     cur = input->cur;
+-    while ((*cur == '\n') || (*cur == '\r'))
++    while ((cur > base) && ((*cur == '\n') || (*cur == '\r')))
+ 	cur--;
+     n = 0;
+     while ((cur != base) && (n++ < 80)) {
+-- 
+2.33.0
+

libxml2.spec

@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 38
+Release: 42
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -134,6 +134,10 @@ Patch121:backport-Fix-old-SAX1-parser-with-custom-callbacks.patch
 Patch122:backport-Always-initialize-SAX1-element-handlers.patch
 Patch123:backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch
 Patch124:backport-CVE-2023-45322.patch
+Patch125:backport-CVE-2024-25062.patch
+Patch126:backport-CVE-2022-2309.patch
+Patch127:backport-CVE-2024-34459.patch
+Patch128:backport-CVE-2022-49043-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
@@ -325,7 +329,31 @@ rm -fr %{buildroot}
 
 
 %changelog
-* Mon Oct 16 hehuazhen <hehuazhen@huawei.com> - 2.9.10-38
+* Tue Feb 11 2025 Linux_zhang <zhangruifang@h-partners.com> - 2.9.10-42
+- Type:CVE
+- CVE:CVE-2022-49043
+- SUG:NA
+- DESC:fix CVE-2022-49043
+
+* Tue May 14 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.9.10-41
+- Type:CVE
+- CVE:CVE-2024-34459
+- SUG:NA
+- DESC:fix CVE-2024-34459
+
+* Tue Mar 26 2024 zhuofeng <zhuofeng2@huawei.com> - 2.9.10-40
+- Type:CVE
+- CVE:CVE-2022-2309
+- SUG:NA
+- DESC:fix CVE-2022-2309
+
+* Mon Feb 19 2024 hehuazhen <hehuazhen@huawei.com> - 2.9.10-39
+- Type:CVE
+- CVE:CVE-2024-25062
+- SUG:NA
+- DESC:fix CVE-2024-25062
+
+* Mon Oct 16 2023 hehuazhen <hehuazhen@huawei.com> - 2.9.10-38
 - Type:CVE
 - CVE:CVE-2023-45322
 - SUG:NA