Sync from SUSE:SLFO:Main libxml2 revision b7c88655c82386bd1f4141bdd7d0d5db

libxml2-CVE-2024-40896.patch

@@ -0,0 +1,19 @@
+Index: libxml2-2.11.6/parser.c
+===================================================================
+--- libxml2-2.11.6.orig/parser.c
++++ libxml2-2.11.6/parser.c
+@@ -7149,6 +7149,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+     }
+ 
+     /*
++     * Some users try to parse entities on their own and used to set
++     * the renamed "checked" member. Fix the flags to cover this
++     * case.
++     */
++    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
++        ent->flags |= XML_ENT_PARSED;
++
++    /*
+      * The first reference to the entity trigger a parsing phase
+      * where the ent->children is filled with the result from
+      * the parsing.

libxml2.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jan  2 10:32:36 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2024-40896 [bsc#1234812], XXE vulnerability
+  + libxml2-CVE-2024-40896.patch
+
 -------------------------------------------------------------------
 Wed Jun 26 16:37:58 UTC 2024 - David Anes <david.anes@suse.com>
 

libxml2.spec

@@ -67,6 +67,8 @@ Patch6: libxml2-CVE-2024-34459.patch
 ## SUSE-specific? If so, shouldn't it be applied only for SLE distributions?
 # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit
 Patch2000:      libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch
+# CVE-2024-40896 [bsc#1234812], XXE vulnerability
+Patch2001:      libxml2-CVE-2024-40896.patch
 #
 BuildRequires:  fdupes
 BuildRequires:  pkgconfig