Mega:24.09 / libxml2
Changes of Revision 2
_service:tar_scm:libxml2.spec
Changed
@@ -1,13 +1,14 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.12.6 -Release: 2 +Release: 3 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz Patch0: libxml2-multilib.patch Patch1: backport-CVE-2024-34459.patch +Patch2: backport-CVE-2024-40896.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -159,6 +160,12 @@ %changelog +* Tue Jul 30 2024 zhuofeng <zhuofeng2@huawei.com> - 2.12.6-3 +- Type:CVE +- CVE:CVE-2024-40896 +- SUG:NA +- DESC:fix CVE-2024-40896 + * Tue May 14 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.12.6-2 - Type:CVE - CVE:CVE-2024-34459
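Review bot: Patch2 is declared in the preamble, but nothing in these hunks applies it; unless %prep already uses %autosetup or %autopatch, add the matching %patch2 -p1 line, otherwise backport-CVE-2024-40896.patch ships in the SRPM while the built library stays unfixed, and the changelog entry would then be misleading. Two smaller points: the Source line is pre-existing context but points at the 2.11 directory while Version is 2.12.6, so a re-fetch of the tarball would miss; and the DESC line could name the upstream commit (ae8f0ac0) so the backport can be traced without opening the patch file.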
_service:tar_scm:backport-CVE-2024-40896.patch
Added
@@ -0,0 +1,37 @@ +From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 6 Jul 2024 01:03:46 +0200 +Subject: PATCH CVE-2024-40896 Fix XXE protection in downstream code + +Some users set an entity's children manually in the getEntity SAX +callback to restrict entity expansion. This stopped working after +renaming the "checked" member of xmlEntity, making at least one +downstream project and its dependants susceptible to XXE attacks. + +See #761. +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 4feb21a28..8fe0a064d 100644 +--- a/parser.c ++++ b/parser.c +@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + return; + } + ++ /* ++ * Some users try to parse entities on their own and used to set ++ * the renamed "checked" member. Fix the flags to cover this ++ * case. ++ */ ++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL)) ++ ent->flags |= XML_ENT_PARSED; ++ + /* + * The first reference to the entity trigger a parsing phase + * where the ent->children is filled with the result from +-- +GitLab +
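Review bot: the new check in xmlParseReference marks an entity as XML_ENT_PARSED whenever ent->children is already non-NULL, which restores the documented contract for SAX users who pre-populate children in getEntity to block expansion, but the backport carries no regression test; add one in which a getEntity callback sets ent->children for an external entity and assert that the parser neither loads the external resource nor replaces the children, since that is the behaviour whose loss is the CVE. Also confirm that the 2.12.6 tree has no other entry point that reads the "parsed" state before reaching this code path (the fix is applied only in xmlParseReference, and the commit message scopes it to content references), and that the cherry-pick applied cleanly against the line-7148 context, as the hunk header comes from upstream master rather than from this branch.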
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/libxml2.git</param> - <param name="revision">master</param> + <param name="revision">openEuler-24.09</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
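Review bot: switching revision from master to openEuler-24.09 narrows what the service checks out, but a branch name is still a moving target, so two builds of this same OBS revision can pull different sources; for reproducible builds pin revision to a commit hash or a signed tag and bump it explicitly when the branch advances. The ssh-form url (git@gitee.com:...) also makes the fetch depend on a deploy key on the build worker; a read-only https url removes that credential dependency if the service only needs to clone.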