diff --git a/libxml2-CVE-2024-40896.patch b/libxml2-CVE-2024-40896.patch
new file mode 100644
index 0000000..59405dd
--- /dev/null
+++ b/libxml2-CVE-2024-40896.patch
@@ -0,0 +1,19 @@
+Index: libxml2-2.11.6/parser.c
+===================================================================
+--- libxml2-2.11.6.orig/parser.c
++++ libxml2-2.11.6/parser.c
+@@ -7149,6 +7149,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ }
+
+ /*
++ * Some users try to parse entities on their own and used to set
++ * the renamed "checked" member. Fix the flags to cover this
++ * case.
++ */
++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++ ent->flags |= XML_ENT_PARSED;
++
++ /*
+ * The first reference to the entity trigger a parsing phase
+ * where the ent->children is filled with the result from
+ * the parsing.
diff --git a/libxml2.changes b/libxml2.changes
index f10dd15..fb17f08 100644
--- a/libxml2.changes
+++ b/libxml2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jan 2 10:32:36 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2024-40896 [bsc#1234812], XXE vulnerability
+ + libxml2-CVE-2024-40896.patch
+
 -------------------------------------------------------------------
 Wed Jun 26 16:37:58 UTC 2024 - David Anes

diff --git a/libxml2.spec b/libxml2.spec
index 0af6435..00110b7 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -67,6 +67,8 @@ Patch6: libxml2-CVE-2024-34459.patch
 ## SUSE-specific? If so, shouldn't it be applied only for SLE distributions?
 # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit
 Patch2000: libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch
+# CVE-2024-40896 [bsc#1234812], XXE vulnerability
+Patch2001: libxml2-CVE-2024-40896.patch
 #
 BuildRequires: fdupes
 BuildRequires: pkgconfig
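Review bot: The comment added above the new `if` in xmlParseReference (the parser.c hunk inside libxml2-CVE-2024-40896.patch) does not state the security invariant it protects, so a later cleanup could drop the check as dead compatibility code. I would word it as `/* CVE-2024-40896: an entity whose children were pre-filled by the application (e.g. from its getEntity handler) must count as already parsed, so the parsing phase below is not run for it. */`. The guard keys on `ent->children != NULL`, so an application that overrides an entity with empty content presumably still reaches the parsing phase; that limit is worth one sentence in the comment. The enclosing function starts and ends outside the hunk.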
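Review bot: The comment above `Patch2001` in libxml2.spec does not follow the tag form used by the neighbouring entry (`# PATCH-FIX-SUSE bsc#1135123 ...`) and records no upstream origin for the fix. If this is a backport of the upstream change, I would write `# PATCH-FIX-UPSTREAM bsc#1234812 CVE-2024-40896 XXE vulnerability -- <upstream commit URL>` so the patch can be audited against its source. The number also places it in the 2000 range beside the patch marked SUSE-specific, while the other CVE fix visible here is `Patch6`; a slot in the low range would match, if the series has room.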