Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-11-15 21:06:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Wed Nov 15 21:06:31 2023 rev:121 rq:1125707 version:2.11.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-11-02 20:20:47.538339693 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.17445/libxml2.changes 2023-11-15 21:06:34.815809266 +0100 @@ -1,0 +2,7 @@ +Mon Nov 13 15:02:14 UTC 2023 - David Anes <david.a...@suse.com> + +- Security fix: CVE-2023-45322 (bsc#1216129) + * use-after-free in xmlUnlinkNode() in tree.c + * Added file libxml2-CVE-2023-45322.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2023-45322.patch BETA DEBUG BEGIN: New: * use-after-free in xmlUnlinkNode() in tree.c * Added file libxml2-CVE-2023-45322.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.9EjLwA/_old 2023-11-15 21:06:35.447832585 +0100 +++ /var/tmp/diff_new_pack.9EjLwA/_new 2023-11-15 21:06:35.451832731 +0100 @@ -48,6 +48,9 @@ # PATCH-FIX-UPSTREAM python312.patch # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/226 Patch3: python312.patch +# PATCH-FIX-UPSTREAM CVE-2023-45322 bsc#1216129 +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 +Patch4: libxml2-CVE-2023-45322.patch # ### -- openSUSE patches range from 1000 to 1999 -- ### # PATCH-FIX-OPENSUSE ++++++ libxml2-CVE-2023-45322.patch ++++++ >From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Wed, 23 Aug 2023 20:24:24 +0200 Subject: [PATCH] tree: Fix copying of DTDs - Don't create multiple DTD nodes. - Fix UAF if malloc fails. - Skip DTD nodes if tree module is disabled. Fixes #583. --- tree.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/tree.c b/tree.c index 6c8a875b9..02c1b5791 100644 --- a/tree.c +++ b/tree.c 
@@ -4471,29 +4471,28 @@ xmlNodePtr
 xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 xmlNodePtr ret = NULL;
 xmlNodePtr p = NULL,q;
+ xmlDtdPtr newSubset = NULL;
 while (node != NULL) {
-#ifdef LIBXML_TREE_ENABLED
 if (node->type == XML_DTD_NODE ) {
- if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+ if ((doc == NULL) || (doc->intSubset != NULL)) {
 node = node->next;
 continue;
 }
- if (doc->intSubset == NULL) {
- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
- if (q == NULL) goto error;
- q->doc = doc;
- q->parent = parent;
- doc->intSubset = (xmlDtdPtr) q;
- xmlAddChild(parent, q);
- } else {
- q = (xmlNodePtr) doc->intSubset;
- xmlAddChild(parent, q);
- }
- } else
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+ newSubset = (xmlDtdPtr) q;
+#else
+ node = node->next;
+ continue;
 #endif /* LIBXML_TREE_ENABLED */
+ } else {
 q = xmlStaticCopyNode(node, doc, parent, 1);
- if (q == NULL) goto error;
+ if (q == NULL) goto error;
+ }
 if (ret == NULL) {
 q->prev = NULL;
 ret = p = q;
@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 }
 node = node->next;
 }
+ if (newSubset != NULL)
+ doc->intSubset = newSubset;
 return(ret);
 error:
 xmlFreeNodeList(ret);
-- 
GitLab
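Review bot: The skip test `if ((doc == NULL) || (doc->intSubset != NULL)) {` in the first hunk no longer sees a DTD copied earlier in the same call, because `doc->intSubset` is now assigned only after the loop. If the input list ever holds more than one XML_DTD_NODE, each would be copied and linked into the result while `newSubset` keeps only the last one, which works against the commit's stated goal of not creating multiple DTD nodes. Including the local in the condition closes that gap: `if ((doc == NULL) || (doc->intSubset != NULL) || (newSubset != NULL)) {`. Whether such a list can reach this function is not visible here, and the loop body continues past the end of this hunk.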
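Review bot: The deferred `doc->intSubset = newSubset;` in the second hunk is what keeps the `error:` path from freeing a DTD the document still points to, yet nothing in the code says so. A comment above it, such as `/* Set intSubset only after the whole list was copied: the error path frees ret, which contains the new DTD. */`, would stop a later refactor from moving the assignment back into the loop and reintroducing the dangling pointer. The remainder of the error path lies outside the hunk, so this assumes nothing after `xmlFreeNodeList(ret)` touches `doc->intSubset`.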