[AUTO-CHERRYPICK] libxml2: address CVE-2024-40896 - branch 3.0-dev (#…

…11720) Co-authored-by: Muhammad Falak R Wani <[email protected]>
microsoft · Dec 30, 2024 · 67119d9 · 67119d9
1 parent 4b010f0
commit 67119d9
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 18 deletions.
diff --git a/SPECS-EXTENDED/mythes-de/mythes-de.spec b/SPECS-EXTENDED/mythes-de/mythes-de.spec
@@ -5,7 +5,7 @@ Distribution:   Azure Linux
 Summary:        German thesaurus
 Name:           mythes-de
 Version:        0.%{upstreamid}
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        LGPL-2.1-or-later OR CC-BY-SA-4.0
 URL:            https://www.openthesaurus.de/
 Source0:        https://www.openthesaurus.de/export/Deutscher-Thesaurus.oxt
@@ -57,11 +57,66 @@ popd
 %{_datadir}/mythes/*
 
 %changelog
-* Fri Dec 20 2024 Aninda Pradhan <[email protected]> - 0.20240601-1
-- Upgraded to version 0.20240601
+* Mon Dec 30 2024 Aninda Pradhan <[email protected]> - 0.20240601-3
+- Initial Azure Linux import from Fedora 41 (license: MIT)
+- License Verified
 
-* Fri Oct 15 2021 Pawel Winogrodzki <[email protected]> - 0.20201226-2
-- Initial CBL-Mariner import from Fedora 33 (license: MIT).
+* Thu Jul 18 2024 Fedora Release Engineering <[email protected]> - 0.20240601-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Sun Jun 02 2024 Robert Scheck <[email protected]> 0.20240601-1
+- Upgrade to latest daily snapshot release
+
+* Thu Jan 25 2024 Fedora Release Engineering <[email protected]> - 0.20230601-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <[email protected]> - 0.20230601-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <[email protected]> - 0.20230601-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jun 02 2023 Robert Scheck <[email protected]> 0.20230601-1
+- Upgrade to latest daily snapshot release
+
+* Thu Feb 23 2023 Caolán McNamara <[email protected]> - 0.20220716-4
+- migrated to SPDX license
+
+* Thu Jan 19 2023 Fedora Release Engineering <[email protected]> - 0.20220716-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jul 22 2022 Fedora Release Engineering <[email protected]> - 0.20220716-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sun Jul 17 2022 Robert Scheck <[email protected]> 0.20220716-1
+- Upgrade to latest daily snapshot release
+
+* Mon Apr 18 2022 Robert Scheck <[email protected]> 0.20220417-1
+- Upgrade to latest daily snapshot release
+
+* Thu Jan 20 2022 Fedora Release Engineering <[email protected]> - 0.20220115-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sun Jan 16 2022 Robert Scheck <[email protected]> 0.20220115-1
+- Upgrade to latest daily snapshot release
+
+* Wed Sep 01 2021 Robert Scheck <[email protected]> 0.20210831-1
+- Upgrade to latest daily snapshot release
+
+* Sat Jul 24 2021 Robert Scheck <[email protected]> 0.20210723-1
+- Upgrade to latest daily snapshot release
+
+* Thu Jul 22 2021 Fedora Release Engineering <[email protected]> - 0.20210302-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 02 2021 Robert Scheck <[email protected]> 0.20210302-1
+- Upgrade to latest daily snapshot release
+
+* Sun Jan 31 2021 Robert Scheck <[email protected]> 0.20210130-1
+- Upgrade to latest daily snapshot release
+
+* Tue Jan 26 2021 Fedora Release Engineering <[email protected]> - 0.20201226-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
 * Sun Dec 27 2020 Robert Scheck <[email protected]> 0.20201226-1
 - Upgrade to latest daily snapshot release

diff --git a/SPECS/libxml2/CVE-2024-40896.patch b/SPECS/libxml2/CVE-2024-40896.patch
@@ -0,0 +1,37 @@
+From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Sat, 6 Jul 2024 01:03:46 +0200
+Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
+
+Some users set an entity's children manually in the getEntity SAX
+callback to restrict entity expansion. This stopped working after
+renaming the "checked" member of xmlEntity, making at least one
+downstream project and its dependants susceptible to XXE attacks.
+
+See #761.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 4feb21a28..8fe0a064d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	return;
+     }
+
++    /*
++     * Some users try to parse entities on their own and used to set
++     * the renamed "checked" member. Fix the flags to cover this
++     * case.
++     */
++    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++        ent->flags |= XML_ENT_PARSED;
++
+     /*
+      * The first reference to the entity trigger a parsing phase
+      * where the ent->children is filled with the result from
+-- 
+GitLab
+
diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec
@@ -1,13 +1,14 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.11.5
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/General Libraries
 URL:            https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
 Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
+Patch0:         CVE-2024-40896.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@@ -78,6 +79,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Thu Dec 26 2024 Muhammad Falak <[email protected]> - 2.11.5-2
+- Patch CVE-2024-40896
+
 * Tue Nov 21 2023 CBL-Mariner Servicing Account <[email protected]> - 2.11.5-1
 - Auto-upgrade to 2.11.5 - Azure Linux 3.0 - package upgrades
 

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.aarch64.rpm
 curl-devel-8.8.0-3.azl3.aarch64.rpm
 curl-libs-8.8.0-3.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
-libxml2-2.11.5-1.azl3.aarch64.rpm
-libxml2-devel-2.11.5-1.azl3.aarch64.rpm
+libxml2-2.11.5-2.azl3.aarch64.rpm
+libxml2-devel-2.11.5-2.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.x86_64.rpm
 curl-devel-8.8.0-3.azl3.x86_64.rpm
 curl-libs-8.8.0-3.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
-libxml2-2.11.5-1.azl3.x86_64.rpm
-libxml2-devel-2.11.5-1.azl3.x86_64.rpm
+libxml2-2.11.5-2.azl3.x86_64.rpm
+libxml2-devel-2.11.5-2.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -240,9 +240,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm
 libxcrypt-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
-libxml2-2.11.5-1.azl3.aarch64.rpm
-libxml2-debuginfo-2.11.5-1.azl3.aarch64.rpm
-libxml2-devel-2.11.5-1.azl3.aarch64.rpm
+libxml2-2.11.5-2.azl3.aarch64.rpm
+libxml2-debuginfo-2.11.5-2.azl3.aarch64.rpm
+libxml2-devel-2.11.5-2.azl3.aarch64.rpm
 libxslt-1.1.39-1.azl3.aarch64.rpm
 libxslt-debuginfo-1.1.39-1.azl3.aarch64.rpm
 libxslt-devel-1.1.39-1.azl3.aarch64.rpm
@@ -541,7 +541,7 @@ python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libs-3.12.3-5.azl3.aarch64.rpm
-python3-libxml2-2.11.5-1.azl3.aarch64.rpm
+python3-libxml2-2.11.5-2.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -245,9 +245,9 @@ libtasn1-debuginfo-4.19.0-1.azl3.x86_64.rpm
 libtasn1-devel-4.19.0-1.azl3.x86_64.rpm
 libtool-2.4.7-1.azl3.x86_64.rpm
 libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm
-libxml2-2.11.5-1.azl3.x86_64.rpm
-libxml2-debuginfo-2.11.5-1.azl3.x86_64.rpm
-libxml2-devel-2.11.5-1.azl3.x86_64.rpm
+libxml2-2.11.5-2.azl3.x86_64.rpm
+libxml2-debuginfo-2.11.5-2.azl3.x86_64.rpm
+libxml2-devel-2.11.5-2.azl3.x86_64.rpm
 libxcrypt-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
@@ -549,7 +549,7 @@ python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libs-3.12.3-5.azl3.x86_64.rpm
-python3-libxml2-2.11.5-1.azl3.x86_64.rpm
+python3-libxml2-2.11.5-2.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm