wok-current rev 25659
Update expat CVE-2023-52425,CVE-2023-52426, patch libxml2 CVE-2024-25062
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Sun Feb 18 10:03:28 2024 +0000 (9 months ago) |
parents | 77e6d152c3a6 |
children | 6c6067379b37 |
files | expat-dev/receipt expat/receipt libxml2/receipt libxml2/stuff/CVE-2024-25062.patch |
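--- a/expat-dev/receipt
+++ b/expat-dev/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="expat-dev"
-VERSION="2.5.0"
+VERSION="2.6.0"
 CATEGORY="development"
 SHORT_DESC="XML parsing library development files."
 MAINTAINER="pankso@slitaz.org"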
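--- a/expat/receipt
+++ b/expat/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="expat"
-VERSION="2.5.0"
+VERSION="2.6.0"
 CATEGORY="x-window"
 SHORT_DESC="XML parsing C library."
 MAINTAINER="pankso@slitaz.org"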
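--- a/libxml2/receipt
+++ b/libxml2/receipt
@@ -38,6 +38,9 @@
 # and binaries are splited into libxml2-tools
 compile_rules()
 {
+# CVE-2024-25062
+patch -p1 < $stuff/CVE-2024-25062.patch
+
 autoreconf -fi &&
 ./configure \
 --prefix=/usr \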
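Review bot: The exit status of the new `patch -p1 < $stuff/CVE-2024-25062.patch` line is never checked, so if the hunk is rejected (e.g. when the packaged libxml2 version drifts from the one the backport targets) the build carries on and ships an unpatched library while the receipt still claims the CVE is fixed. Chain it into the `&&` sequence that already starts with `autoreconf -fi &&`, so a failed patch aborts compile_rules: `patch -p1 < "$stuff/CVE-2024-25062.patch" &&`. Quoting `$stuff` also keeps the redirection intact should the path ever contain whitespace. compile_rules continues past the end of this hunk.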
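--- /dev/null
+++ b/libxml2/stuff/CVE-2024-25062.patch
@@ -0,0 +1,33 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
+CVE: CVE-2024-25062
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+--
+GitLab
+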