# HG changeset patch
# User Stanislas Leduc
# Date 1708250608 0
# Node ID ecbd308590022d2f542c5bedaa15eb1b60655ff3
# Parent 77e6d152c3a60d1c20495ad8cb100a32c91af44b
Update expat CVE-2023-52425,CVE-2023-52426, patch libxml2 CVE-2024-25062
diff -r 77e6d152c3a6 -r ecbd30859002 expat-dev/receipt
--- a/expat-dev/receipt Fri Feb 16 18:39:22 2024 +0000
+++ b/expat-dev/receipt Sun Feb 18 10:03:28 2024 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="expat-dev"
-VERSION="2.5.0"
+VERSION="2.6.0"
 CATEGORY="development"
 SHORT_DESC="XML parsing library development files."
 MAINTAINER="pankso@slitaz.org"
diff -r 77e6d152c3a6 -r ecbd30859002 expat/receipt
--- a/expat/receipt Fri Feb 16 18:39:22 2024 +0000
+++ b/expat/receipt Sun Feb 18 10:03:28 2024 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="expat"
-VERSION="2.5.0"
+VERSION="2.6.0"
 CATEGORY="x-window"
 SHORT_DESC="XML parsing C library."
 MAINTAINER="pankso@slitaz.org"
diff -r 77e6d152c3a6 -r ecbd30859002 libxml2/receipt
--- a/libxml2/receipt Fri Feb 16 18:39:22 2024 +0000
+++ b/libxml2/receipt Sun Feb 18 10:03:28 2024 +0000
@@ -38,6 +38,9 @@
 # and binaries are splited into libxml2-tools
 compile_rules()
 {
+ # CVE-2024-25062
+ patch -p1 < $stuff/CVE-2024-25062.patch
+
 autoreconf -fi &&
 ./configure \
 --prefix=/usr \
diff -r 77e6d152c3a6 -r ecbd30859002 libxml2/stuff/CVE-2024-25062.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/libxml2/stuff/CVE-2024-25062.patch Sun Feb 18 10:03:28 2024 +0000
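Review bot: The `patch -p1 < $stuff/CVE-2024-25062.patch` line added at the top of compile_rules() in libxml2/receipt never checks patch's exit status, so a rejected hunk or an already-applied patch is silently ignored and the build continues with an unpatched xmlreader.c while the receipt advertises the CVE-2024-25062 fix. Folding it into the `&&` chain the function already uses, i.e. replacing the added blank line so it reads `patch -p1 < $stuff/CVE-2024-25062.patch &&` followed by the existing `autoreconf -fi &&`, makes any failure abort the cook instead. That also matters on the next libxml2 version bump: once the packaged release already contains upstream commit 2b0aac140d739905c7848a42efc60bfe783a39b7 the patch will fail as reversed, so a note such as `# drop once the packaged libxml2 release includes upstream 2b0aac14` next to the `# CVE-2024-25062` comment would tell the next maintainer when to remove it. The body of compile_rules() continues past the end of the hunk.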
@@ -0,0 +1,33 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
+CVE: CVE-2024-25062
+Signed-off-by: Vijay Anusuri
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+--
+GitLab
+