wok-current rev 25659
Update expat CVE-2023-52425,CVE-2023-52426, patch libxml2 CVE-2024-25062
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Sun Feb 18 10:03:28 2024 +0000 (10 months ago) |
parents | 77e6d152c3a6 |
children | 6c6067379b37 |
files | expat-dev/receipt expat/receipt libxml2/receipt libxml2/stuff/CVE-2024-25062.patch |
line diff
1.1 --- a/expat-dev/receipt Fri Feb 16 18:39:22 2024 +0000 1.2 +++ b/expat-dev/receipt Sun Feb 18 10:03:28 2024 +0000 1.3 @@ -1,7 +1,7 @@ 1.4 # SliTaz package receipt. 1.5 1.6 PACKAGE="expat-dev" 1.7 -VERSION="2.5.0" 1.8 +VERSION="2.6.0" 1.9 CATEGORY="development" 1.10 SHORT_DESC="XML parsing library development files." 1.11 MAINTAINER="pankso@slitaz.org"
2.1 --- a/expat/receipt Fri Feb 16 18:39:22 2024 +0000 2.2 +++ b/expat/receipt Sun Feb 18 10:03:28 2024 +0000 2.3 @@ -1,7 +1,7 @@ 2.4 # SliTaz package receipt. 2.5 2.6 PACKAGE="expat" 2.7 -VERSION="2.5.0" 2.8 +VERSION="2.6.0" 2.9 CATEGORY="x-window" 2.10 SHORT_DESC="XML parsing C library." 2.11 MAINTAINER="pankso@slitaz.org"
3.1 --- a/libxml2/receipt Fri Feb 16 18:39:22 2024 +0000 3.2 +++ b/libxml2/receipt Sun Feb 18 10:03:28 2024 +0000 3.3 @@ -38,6 +38,9 @@ 3.4 # and binaries are splited into libxml2-tools 3.5 compile_rules() 3.6 { 3.7 + # CVE-2024-25062 3.8 + patch -p1 < $stuff/CVE-2024-25062.patch 3.9 + 3.10 autoreconf -fi && 3.11 ./configure \ 3.12 --prefix=/usr \
4.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 4.2 +++ b/libxml2/stuff/CVE-2024-25062.patch Sun Feb 18 10:03:28 2024 +0000 4.3 @@ -0,0 +1,33 @@ 4.4 +From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001 4.5 +From: Nick Wellnhofer <wellnhofer@aevum.de> 4.6 +Date: Sat, 14 Oct 2023 22:45:54 +0200 4.7 +Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when 4.8 + backtracking 4.9 + 4.10 +Fixes a use-after-free if XML Reader if used with DTD validation and 4.11 +XInclude expansion. 4.12 + 4.13 +Fixes #604. 4.14 + 4.15 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7] 4.16 +CVE: CVE-2024-25062 4.17 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> 4.18 +--- 4.19 + xmlreader.c | 1 + 4.20 + 1 file changed, 1 insertion(+) 4.21 + 4.22 +diff --git a/xmlreader.c b/xmlreader.c 4.23 +index 979385a13..fefd68e0b 100644 4.24 +--- a/xmlreader.c 4.25 ++++ b/xmlreader.c 4.26 +@@ -1443,6 +1443,7 @@ node_found: 4.27 + * Handle XInclude if asked for 4.28 + */ 4.29 + if ((reader->xinclude) && (reader->in_xinclude == 0) && 4.30 ++ (reader->state != XML_TEXTREADER_BACKTRACK) && 4.31 + (reader->node != NULL) && 4.32 + (reader->node->type == XML_ELEMENT_NODE) && 4.33 + (reader->node->ns != NULL) && 4.34 +-- 4.35 +GitLab 4.36 +