Sync from SUSE:SLFO:Main libxml2 revision b7c88655c82386bd1f4141bdd7d0d5db

2025-01-08 16:29:24 +01:00 · 2025-01-08 16:29:24 +01:00 · e3bcd79c33
commit e3bcd79c33
parent 8cd1de924b
3 changed files with 29 additions and 0 deletions
--- a/libxml2-CVE-2024-40896.patch
+++ b/libxml2-CVE-2024-40896.patch
@ -0,0 +1,19 @@
+Index: libxml2-2.11.6/parser.c
+===================================================================
+--- libxml2-2.11.6.orig/parser.c
+++ libxml2-2.11.6/parser.c
+@@ -7149,6 +7149,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+     }
+ 
+     /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
+    /*
+      * The first reference to the entity trigger a parsing phase
+      * where the ent->children is filled with the result from
+      * the parsing.
--- a/libxml2.changes
+++ b/libxml2.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jan  2 10:32:36 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2024-40896 [bsc#1234812], XXE vulnerability
+  + libxml2-CVE-2024-40896.patch
+
 -------------------------------------------------------------------
 Wed Jun 26 16:37:58 UTC 2024 - David Anes <david.anes@suse.com>

--- a/libxml2.spec
+++ b/libxml2.spec
@ -67,6 +67,8 @@ Patch6: libxml2-CVE-2024-34459.patch
 ## SUSE-specific? If so, shouldn't it be applied only for SLE distributions?
 # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit
 Patch2000:      libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch
+# CVE-2024-40896 [bsc#1234812], XXE vulnerability
+Patch2001:      libxml2-CVE-2024-40896.patch
 #
 BuildRequires:  fdupes
 BuildRequires:  pkgconfig