From 1ca9f51b0901a84b56258b19a78acf4c01f93eb5 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Tue, 3 Mar 2020 14:33:49 +0000
Subject: system/libxml2: patch CVE-2019-20388 and CVE-2020-7595 (#234)

---
 system/libxml2/APKBUILD             | 11 +++++++++--
 system/libxml2/CVE-2019-20388.patch | 33 +++++++++++++++++++++++++++++++++
 system/libxml2/CVE-2020-7595.patch  | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 system/libxml2/CVE-2019-20388.patch
 create mode 100644 system/libxml2/CVE-2020-7595.patch

(limited to 'system/libxml2')

diff --git a/system/libxml2/APKBUILD b/system/libxml2/APKBUILD
index 1d1664047..73b6eb2a0 100644
--- a/system/libxml2/APKBUILD
+++ b/system/libxml2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libxml2
 pkgver=2.9.10
-pkgrel=0
+pkgrel=1
 pkgdesc="XML parsing library"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -16,6 +16,8 @@ subpackages="$pkgname-doc $pkgname-dev py-libxml2:py"
 provides="$pkgname-utils=$pkgver-r$pkgrel"
 source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
 	python-segfault-fix.patch
+	CVE-2019-20388.patch
+	CVE-2020-7595.patch
 	"
 
 # secfixes:
@@ -25,6 +27,9 @@ source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
 #     - CVE-2016-9318
 #   2.9.4-r4:
 #     - CVE-2017-5969
+#   2.9.10-r1:
+#     - CVE-2019-20388
+#     - CVE-2020-7595
 
 prepare() {
 	default_prepare
@@ -62,4 +67,6 @@ py() {
 }
 
 sha512sums="0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed  libxml2-2.9.10.tar.gz
-384b3d2031cd8f77528190bbb7652faa9ccb22bc604bcf4927e59046d38830dac38010828fe1568b6514976f725981a6d3ac1aa595d31477a36db2afe491452c  python-segfault-fix.patch"
+384b3d2031cd8f77528190bbb7652faa9ccb22bc604bcf4927e59046d38830dac38010828fe1568b6514976f725981a6d3ac1aa595d31477a36db2afe491452c  python-segfault-fix.patch
+48ea30bd8035f3b60825ce24185fbec1e7423e683f64626405fd96daaaa14011e7f7c180a7a87d7ff8f73983b0e221974cbce619d04b932c1db2110a13be014e  CVE-2019-20388.patch
+90db832e60c700e971669f57a54fdb297660c42602089b4e77e013a7051c880f380f0c98c059d9f54de99855b2d9be78fcf0639443f3765a925b52fc093fb4d9  CVE-2020-7595.patch"
diff --git a/system/libxml2/CVE-2019-20388.patch b/system/libxml2/CVE-2019-20388.patch
new file mode 100644
index 000000000..49ff6fbe0
--- /dev/null
+++ b/system/libxml2/CVE-2019-20388.patch
@@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+     vctxt->nberrors = 0;
+     vctxt->depth = -1;
+     vctxt->skipDepth = -1;
+-    vctxt->xsiAssemble = 0;
+     vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+     vctxt->createIDCNodeTables = 1;
+-- 
+2.24.1
+
diff --git a/system/libxml2/CVE-2020-7595.patch b/system/libxml2/CVE-2020-7595.patch
new file mode 100644
index 000000000..3dd677497
--- /dev/null
+++ b/system/libxml2/CVE-2020-7595.patch
@@ -0,0 +1,32 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index d1c31963..a34bb6cd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
++           (c != end2) && (c != end3) &&
++           (ctxt->instate != XML_PARSER_EOF)) {
+ 
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
+-- 
+2.24.1
+
-- 
cgit v1.2.3-60-g2f50