From 02dac985fb12ae8f6d3e137e0f4bc92e376dbda7 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Wed, 8 Jul 2026 10:39:40 -0400 Subject: [PATCH] import CS git libxml2-2.9.7-21.el8_10.6 --- SOURCES/libxml2-2.12.5-CVE-2025-6170.patch | 98 ++++++++++++++++++++++ SPECS/libxml2.spec | 8 +- 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 SOURCES/libxml2-2.12.5-CVE-2025-6170.patch diff --git a/SOURCES/libxml2-2.12.5-CVE-2025-6170.patch b/SOURCES/libxml2-2.12.5-CVE-2025-6170.patch new file mode 100644 index 0000000..b982392 --- /dev/null +++ b/SOURCES/libxml2-2.12.5-CVE-2025-6170.patch @@ -0,0 +1,98 @@ +From 79abeb402f5570330f092b3dbe326798079231c9 Mon Sep 17 00:00:00 2001 +From: David King +Date: Tue, 16 Jun 2026 14:59:25 +0100 +Subject: [PATCH] Fix potential buffer overflows of interactive shell + +CVE-2025-6170 + +Fixes #941 on 2.12 branch. Based on upstream commit +069bcda17d8194e9582c64dd4bc9dac99b015810 by Michael Mann. +--- + debugXML.c | 15 ++++++++++----- + xmllint.c | 8 +++++--- + 2 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/debugXML.c b/debugXML.c +index 303515ec..63b77ba6 100644 +--- a/debugXML.c ++++ b/debugXML.c +@@ -2779,6 +2779,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer, + return (0); + } + ++#define MAX_PROMPT_SIZE 500 ++#define MAX_ARG_SIZE 400 ++#define MAX_COMMAND_SIZE 100 ++ + /** + * xmlShell: + * @doc: the initial document +@@ -2794,10 +2798,10 @@ void + xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + FILE * output) + { +- char prompt[500] = "/ > "; ++ char prompt[MAX_PROMPT_SIZE] = "/ > "; + char *cmdline = NULL, *cur; +- char command[100]; +- char arg[400]; ++ char command[MAX_COMMAND_SIZE]; ++ char arg[MAX_ARG_SIZE]; + int i; + xmlShellCtxtPtr ctxt; + xmlXPathObjectPtr list; +@@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + cur++; + i = 0; + while ((*cur != ' ') && (*cur != '\t') && +- (*cur != '\n') && (*cur != '\r')) { ++ (*cur != '\n') && (*cur != '\r') && ++ (i < (MAX_COMMAND_SIZE - 1))) { + if (*cur == 0) + break; + command[i++] = *cur++; +@@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + while ((*cur == ' ') || (*cur == '\t')) + cur++; + i = 0; +- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) { ++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) { + if (*cur == 0) + break; + arg[i++] = *cur++; +diff --git a/xmllint.c b/xmllint.c +index 4d84c640..4b2c06d9 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -722,6 +722,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...) + xmlHTMLEncodeSend(); + } + ++#define MAX_PROMPT_SIZE 500 ++ + /************************************************************************ + * * + * Shell Interface * +@@ -752,16 +754,16 @@ xmlShellReadline(char *prompt) { + + return (line_read); + #else +- char line_read[501]; ++ char line_read[MAX_PROMPT_SIZE+1]; + char *ret; + int len; + + if (prompt != NULL) + fprintf(stdout, "%s", prompt); + fflush(stdout); +- if (!fgets(line_read, 500, stdin)) ++ if (!fgets(line_read, MAX_PROMPT_SIZE, stdin)) + return(NULL); +- line_read[500] = 0; ++ line_read[MAX_PROMPT_SIZE] = 0; + len = strlen(line_read); + ret = (char *) malloc(len + 1); + if (ret != NULL) { +-- +2.54.0 + diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec index 104d818..f396556 100644 --- a/SPECS/libxml2.spec +++ b/SPECS/libxml2.spec @@ -7,7 +7,7 @@ Name: libxml2 Version: 2.9.7 -Release: 21%{?dist}.5 +Release: 21%{?dist}.6 Summary: Library providing XML and HTML support License: MIT @@ -87,6 +87,9 @@ Patch34: libxml2-2.12.5-CVE-2025-32415.patch Patch35: libxml2-2.9.7-CVE-2025-9714.patch # https://redhat.atlassian.net/browse/RHEL-36405 Patch36: libxml2-2.9.13-CVE-2024-34459.patch +# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/321 +# https://redhat.atlassian.net/browse/RHEL-182012 +Patch37: libxml2-2.12.5-CVE-2025-6170.patch BuildRequires: gcc BuildRequires: cmake-rpm-macros @@ -258,6 +261,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Tue Jun 16 2026 David King - 2.9.7-21.6 +- Fix CVE-2025-6170 (RHEL-182012) + * Mon May 18 2026 David King - 2.9.7-21.5 - Fix CVE-2024-34459 (RHEL-36405)