Sync from SUSE:ALP:Source:Standard:1.0 libxml2 revision 8699663f16a385a3907d565db2b6e539

libxml2-CVE-2024-25062.patch

@@ -0,0 +1,29 @@
+From 1a66b176055d25ee635bf328c7b35b381db0b71d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 3bdb8228..6486c7da 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1428,6 +1428,7 @@ node_found:
+      * Handle XInclude if asked for
+      */
+     if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++        (reader->state != XML_TEXTREADER_BACKTRACK) &&
+         (reader->node != NULL) &&
+ 	(reader->node->type == XML_ELEMENT_NODE) &&
+ 	(reader->node->ns != NULL) &&
+-- 
+GitLab
+

libxml2.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Feb 10 10:56:46 UTC 2024 - David Anes <david.anes@suse.com>
+
+- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
+  * Added libxml2-CVE-2024-25062.patch 
+
 -------------------------------------------------------------------
 Thu Nov 16 12:44:37 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
 

libxml2.spec

@@ -51,6 +51,10 @@ Patch3:         python312.patch
 # PATCH-FIX-UPSTREAM CVE-2023-45322 bsc#1216129
 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9
 Patch4:         libxml2-CVE-2023-45322.patch
+# PATCH-FIX-UPSTREAM use-after-free in XMLReader bsc#1219576 david.anes@suse.com
+# https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
+Patch5:         libxml2-CVE-2024-25062.patch
+
 #
 ### -- openSUSE patches range from 1000 to 1999 -- ###
 # PATCH-FIX-OPENSUSE