import CS git libxml2-2.9.7-21.el8_10.6

This commit is contained in:
AlmaLinux RelEng Bot 2026-07-08 10:39:40 -04:00
parent 5e94143f20
commit 02dac985fb
2 changed files with 105 additions and 1 deletions

View File

@ -0,0 +1,98 @@
From 79abeb402f5570330f092b3dbe326798079231c9 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Tue, 16 Jun 2026 14:59:25 +0100
Subject: [PATCH] Fix potential buffer overflows of interactive shell
CVE-2025-6170
Fixes #941 on 2.12 branch. Based on upstream commit
069bcda17d8194e9582c64dd4bc9dac99b015810 by Michael Mann.
---
debugXML.c | 15 ++++++++++-----
xmllint.c | 8 +++++---
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/debugXML.c b/debugXML.c
index 303515ec..63b77ba6 100644
--- a/debugXML.c
+++ b/debugXML.c
@@ -2779,6 +2779,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
return (0);
}
+#define MAX_PROMPT_SIZE 500
+#define MAX_ARG_SIZE 400
+#define MAX_COMMAND_SIZE 100
+
/**
* xmlShell:
* @doc: the initial document
@@ -2794,10 +2798,10 @@ void
xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
FILE * output)
{
- char prompt[500] = "/ > ";
+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
char *cmdline = NULL, *cur;
- char command[100];
- char arg[400];
+ char command[MAX_COMMAND_SIZE];
+ char arg[MAX_ARG_SIZE];
int i;
xmlShellCtxtPtr ctxt;
xmlXPathObjectPtr list;
@@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
cur++;
i = 0;
while ((*cur != ' ') && (*cur != '\t') &&
- (*cur != '\n') && (*cur != '\r')) {
+ (*cur != '\n') && (*cur != '\r') &&
+ (i < (MAX_COMMAND_SIZE - 1))) {
if (*cur == 0)
break;
command[i++] = *cur++;
@@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
while ((*cur == ' ') || (*cur == '\t'))
cur++;
i = 0;
- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
if (*cur == 0)
break;
arg[i++] = *cur++;
diff --git a/xmllint.c b/xmllint.c
index 4d84c640..4b2c06d9 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -722,6 +722,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
xmlHTMLEncodeSend();
}
+#define MAX_PROMPT_SIZE 500
+
/************************************************************************
* *
* Shell Interface *
@@ -752,16 +754,16 @@ xmlShellReadline(char *prompt) {
return (line_read);
#else
- char line_read[501];
+ char line_read[MAX_PROMPT_SIZE+1];
char *ret;
int len;
if (prompt != NULL)
fprintf(stdout, "%s", prompt);
fflush(stdout);
- if (!fgets(line_read, 500, stdin))
+ if (!fgets(line_read, MAX_PROMPT_SIZE, stdin))
return(NULL);
- line_read[500] = 0;
+ line_read[MAX_PROMPT_SIZE] = 0;
len = strlen(line_read);
ret = (char *) malloc(len + 1);
if (ret != NULL) {
--
2.54.0

View File

@ -7,7 +7,7 @@
Name: libxml2
Version: 2.9.7
Release: 21%{?dist}.5
Release: 21%{?dist}.6
Summary: Library providing XML and HTML support
License: MIT
@ -87,6 +87,9 @@ Patch34: libxml2-2.12.5-CVE-2025-32415.patch
Patch35: libxml2-2.9.7-CVE-2025-9714.patch
# https://redhat.atlassian.net/browse/RHEL-36405
Patch36: libxml2-2.9.13-CVE-2024-34459.patch
# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/321
# https://redhat.atlassian.net/browse/RHEL-182012
Patch37: libxml2-2.12.5-CVE-2025-6170.patch
BuildRequires: gcc
BuildRequires: cmake-rpm-macros
@ -258,6 +261,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so
%changelog
* Tue Jun 16 2026 David King <dking@redhat.com> - 2.9.7-21.6
- Fix CVE-2025-6170 (RHEL-182012)
* Mon May 18 2026 David King <dking@redhat.com> - 2.9.7-21.5
- Fix CVE-2024-34459 (RHEL-36405)