main/libxml2: security upgrade to 2.9.11 (CVE-2021-3541)

See #12859

main/libxml2: security upgrade to 2.9.11 (CVE-2021-3541)
9048f3b7 · Kevin Daudt · 50ebda53 · 9048f3b7 · 50ebda53 · 50ebda53
Commit 9048f3b7 authored 3 years ago by Kevin Daudt
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
 # Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
 # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
 pkgname=libxml2
-pkgver=2.9.10
-pkgrel=7
+pkgver=2.9.11
+pkgrel=0
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -18,17 +18,13 @@ if [ -z "$BOOTSTRAP" ]; then
 fi
 options="!strip"
 source="http://xmlsoft.org/sources/libxml2-$pkgver.tar.gz
-	CVE-2019-20388.patch
-	libxml2-CVE-2020-7595.patch
 	revert-Make-xmlFreeNodeList-non-recursive.patch
 	libxml2-2.9.8-python3-unicode-errors.patch
-	CVE-2020-24977.patch
-	CVE-2021-3517.patch
-	CVE-2021-3518.patch
-	CVE-2021-3537.patch
 	"

 # secfixes:
+#   2.9.11-r0:
+#     - CVE-2021-3541
 #   2.9.10-r7:
 #     - CVE-2021-3517
 #     - CVE-2021-3518
@@ -107,13 +103,7 @@ utils() {
 }

 sha512sums="
-0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed  libxml2-2.9.10.tar.gz
-46ade1189ef24cb56bd38c2c58aaacc8f3e8404656b9976754e9ec9bfe17f71e9a1fdb6febd02947f6120b5ce320cbc7391baf8d0cb042877bcf81553010ad04  CVE-2019-20388.patch
-90db832e60c700e971669f57a54fdb297660c42602089b4e77e013a7051c880f380f0c98c059d9f54de99855b2d9be78fcf0639443f3765a925b52fc093fb4d9  libxml2-CVE-2020-7595.patch
+d9c71d75d1cd0708f56fef47802ce53d6c64c4580469458edb2fc12b699319235bcff62bc1be1f0a01f4077726e37ad2cf5e4dee4bca36a9d5d3b21d12253ba5  libxml2-2.9.11.tar.gz
 347178e432379d543683cba21b902e7305202c03e8dbd724ae395963d677096a5cfc4e345e208d498163ca5174683c167610fc2b297090476038bc2bb7c84b4f  revert-Make-xmlFreeNodeList-non-recursive.patch
 a205c97fa1488fb8907cfa08b5f82e2055c80b86213dc3cc5c4b526fe6aa786bcc4e4eeb226c44635a1d021307b39e3940f706c42fb60e9e3e9b490a84164df7  libxml2-2.9.8-python3-unicode-errors.patch
-b25a49cfb51569799ada41bad0efaf2666d70b9efb380987c3d5678fd943ada5d0baa18a3db5efa58dac65db8e2d2915ab5c6bac850d0c610656c89734853fd5  CVE-2020-24977.patch
-9fc13877ddf53e5897dde490917ab6911e048c6fd6dca9f696c21e45f69ddaceae09a9bf92929317c84c96aeaa8531ffdf7737b1f7cde05de2a7be0e6fddd999  CVE-2021-3517.patch
-5341026c46337dfb376ad0c0580ea287f81338a439737580eee67e2ffe833e695563245532072631509acd29e70ad0700663c16e2d531e5409c15f541e9ae3c4  CVE-2021-3518.patch
-169568745f86235dc6d8dfb56597cf947dc66741cdf4dafc980658d614f7d21e67a1bacbeeed644d91c52cf3c56e9ef0857ec567bb6fd68d3e164e5f18bf87d5  CVE-2021-3537.patch
 "
--- a/main/libxml2/CVE-2019-20388.patch
+++ b/main/libxml2/CVE-2019-20388.patch
-diff --git a/xmlschemas.c b/xmlschemas.c
-index 301c84499d4185ca3a760b512daeca8760edaf05..39d92182f51ff723413cb41a0101d97b6647cdee 100644
--- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
-     vctxt->nberrors = 0;
-     vctxt->depth = -1;
-     vctxt->skipDepth = -1;
-    vctxt->xsiAssemble = 0;
-     vctxt->hasKeyrefs = 0;
- #ifdef ENABLE_IDC_NODE_TABLES_TEST
-     vctxt->createIDCNodeTables = 1;
--- a/main/libxml2/CVE-2020-24977.patch
+++ b/main/libxml2/CVE-2020-24977.patch
-From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Aug 2020 17:30:41 +0200
-Subject: [PATCH] Fix integer overflow when comparing schema dates
-
-Found by OSS-Fuzz.
---
- xmlschemastypes.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index 4249d7000..d6b9f924e 100644
--- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
- 	minday = 0;
- 	maxday = 0;
-     } else {
-+        if (myear > LONG_MAX / 366)
-+            return -2;
-         /* FIXME: This doesn't take leap year exceptions every 100/400 years
-            into account. */
- 	maxday = 365 * myear + (myear + 3) / 4;
-@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
-     if ((x == NULL) || (y == NULL))
-         return -2;
- 
-+    if ((x->value.date.year > LONG_MAX / 366) ||
-+        (x->value.date.year < LONG_MIN / 366) ||
-+        (y->value.date.year > LONG_MAX / 366) ||
-+        (y->value.date.year < LONG_MIN / 366)) {
-+        /* Possible overflow when converting to days. */
-+        return -2;
-+    }
-+
-     if (x->value.date.tz_flag) {
- 
-         if (!y->value.date.tz_flag) {
-- 
-GitLab
\ No newline at end of file
--- a/main/libxml2/CVE-2021-3517.patch
+++ b/main/libxml2/CVE-2021-3517.patch
-From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
-From: Joel Hockey <joel.hockey@gmail.com>
-Date: Sun, 16 Aug 2020 17:19:35 -0700
-Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
-
-Code is currently assuming UTF-8 without validating. Truncated UTF-8
-input can cause out-of-bounds array access.
-
-Adds further checks to partial fix in 50f06b3e.
-
-Fixes #178
---
- entities.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/entities.c b/entities.c
-index 37b99a56..1a8f86f0 100644
--- a/entities.c
-+++ b/entities.c
-@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
- 	    } else {
- 		/*
- 		 * We assume we have UTF-8 input.
-+		 * It must match either:
-+		 *   110xxxxx 10xxxxxx
-+		 *   1110xxxx 10xxxxxx 10xxxxxx
-+		 *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
-+		 * That is:
-+		 *   cur[0] is 11xxxxxx
-+		 *   cur[1] is 10xxxxxx
-+		 *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
-+		 *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
-+		 *   cur[0] is not 11111xxx
- 		 */
- 		char buf[11], *ptr;
- 		int val = 0, l = 1;
- 
-		if (*cur < 0xC0) {
-+		if (((cur[0] & 0xC0) != 0xC0) ||
-+		    ((cur[1] & 0xC0) != 0x80) ||
-+		    (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
-+		    (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
-+		    (((cur[0] & 0xF8) == 0xF8))) {
- 		    xmlEntitiesErr(XML_CHECK_NOT_UTF8,
- 			    "xmlEncodeEntities: input not UTF-8");
- 		    if (doc != NULL)
-- 
-GitLab
-
--- a/main/libxml2/CVE-2021-3518.patch
+++ b/main/libxml2/CVE-2021-3518.patch
-diff -urN libxml2-2.9.10.orig/xinclude.c libxml2-2.9.10/xinclude.c
--- libxml2-2.9.10.orig/xinclude.c	2021-06-04 10:26:43.173188644 -0600
-+++ libxml2-2.9.10/xinclude.c	2021-06-04 10:28:19.633720058 -0600
-@@ -2397,9 +2397,8 @@
-     while ((cur != NULL) && (cur != tree->parent)) {
- 	/* TODO: need to work on entities -> stack */
- 	if ((cur->children != NULL) &&
-	    (cur->children->type != XML_ENTITY_DECL) &&
-	    (cur->children->type != XML_XINCLUDE_START) &&
-	    (cur->children->type != XML_XINCLUDE_END)) {
-+            ((cur->type == XML_DOCUMENT_NODE) ||
-+             (cur->type == XML_ELEMENT_NODE))) {
- 	    cur = cur->children;
- 	    if (xmlXIncludeTestNode(ctxt, cur))
- 		xmlXIncludePreProcessNode(ctxt, cur);
--- a/main/libxml2/CVE-2021-3537.patch
+++ b/main/libxml2/CVE-2021-3537.patch
-From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 1 May 2021 16:53:33 +0200
-Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
-
-Check return value of recursive calls to
-xmlParseElementChildrenContentDeclPriv and return immediately in case
-of errors. Otherwise, struct xmlElementContent could contain unexpected
-null pointers, leading to a null deref when post-validating documents
-which aren't well-formed and parsed in recovery mode.
-
-Fixes #243.
---
- parser.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index b42e6043..73c27edd 100644
--- a/parser.c
-+++ b/parser.c
-@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
- 	SKIP_BLANKS;
-         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
-                                                            depth + 1);
-+        if (cur == NULL)
-+            return(NULL);
- 	SKIP_BLANKS;
- 	GROW;
-     } else {
-@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
- 	    SKIP_BLANKS;
- 	    last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
-                                                           depth + 1);
-+            if (last == NULL) {
-+		if (ret != NULL)
-+		    xmlFreeDocElementContent(ctxt->myDoc, ret);
-+		return(NULL);
-+            }
- 	    SKIP_BLANKS;
- 	} else {
- 	    elem = xmlParseName(ctxt);
-- 
-GitLab
-
--- a/main/libxml2/libxml2-CVE-2020-7595.patch
+++ b/main/libxml2/libxml2-CVE-2020-7595.patch
-From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie <xiezhipeng1@huawei.com>
-Date: Thu, 12 Dec 2019 17:30:55 +0800
-Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
-
-When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
-return NULL which cause a infinite loop in xmlStringLenDecodeEntities
-
-Found with libFuzzer.
-
-Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
---
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index d1c31963..a34bb6cd 100644
--- a/parser.c
-+++ b/parser.c
-@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
-     else
-         c = 0;
-     while ((c != 0) && (c != end) && /* non input consuming loop */
-	   (c != end2) && (c != end3)) {
-+           (c != end2) && (c != end3) &&
-+           (ctxt->instate != XML_PARSER_EOF)) {
- 
- 	if (c == 0) break;
-         if ((c == '&') && (str[1] == '#')) {
-- 
-2.24.1
-