Fix CVE-2025-6170 (RHEL-186743)

Resolves: RHEL-186743
This commit is contained in:
David King 2026-06-16 15:08:26 +01:00
parent f2c4798de7
commit 3683e2d77e
2 changed files with 105 additions and 1 deletions

View File

@ -0,0 +1,98 @@
From 79abeb402f5570330f092b3dbe326798079231c9 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Tue, 16 Jun 2026 14:59:25 +0100
Subject: [PATCH] Fix potential buffer overflows of interactive shell
CVE-2025-6170
Fixes #941 on 2.12 branch. Based on upstream commit
069bcda17d8194e9582c64dd4bc9dac99b015810 by Michael Mann.
---
debugXML.c | 15 ++++++++++-----
xmllint.c | 8 +++++---
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/debugXML.c b/debugXML.c
index 303515ec..63b77ba6 100644
--- a/debugXML.c
+++ b/debugXML.c
@@ -2779,6 +2779,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
return (0);
}
+#define MAX_PROMPT_SIZE 500
+#define MAX_ARG_SIZE 400
+#define MAX_COMMAND_SIZE 100
+
/**
* xmlShell:
* @doc: the initial document
@@ -2794,10 +2798,10 @@ void
xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
FILE * output)
{
- char prompt[500] = "/ > ";
+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
char *cmdline = NULL, *cur;
- char command[100];
- char arg[400];
+ char command[MAX_COMMAND_SIZE];
+ char arg[MAX_ARG_SIZE];
int i;
xmlShellCtxtPtr ctxt;
xmlXPathObjectPtr list;
@@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
cur++;
i = 0;
while ((*cur != ' ') && (*cur != '\t') &&
- (*cur != '\n') && (*cur != '\r')) {
+ (*cur != '\n') && (*cur != '\r') &&
+ (i < (MAX_COMMAND_SIZE - 1))) {
if (*cur == 0)
break;
command[i++] = *cur++;
@@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
while ((*cur == ' ') || (*cur == '\t'))
cur++;
i = 0;
- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
if (*cur == 0)
break;
arg[i++] = *cur++;
diff --git a/xmllint.c b/xmllint.c
index 4d84c640..4b2c06d9 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -722,6 +722,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
xmlHTMLEncodeSend();
}
+#define MAX_PROMPT_SIZE 500
+
/************************************************************************
* *
* Shell Interface *
@@ -752,16 +754,16 @@ xmlShellReadline(char *prompt) {
return (line_read);
#else
- char line_read[501];
+ char line_read[MAX_PROMPT_SIZE+1];
char *ret;
int len;
if (prompt != NULL)
fprintf(stdout, "%s", prompt);
fflush(stdout);
- if (!fgets(line_read, 500, stdin))
+ if (!fgets(line_read, MAX_PROMPT_SIZE, stdin))
return(NULL);
- line_read[500] = 0;
+ line_read[MAX_PROMPT_SIZE] = 0;
len = strlen(line_read);
ret = (char *) malloc(len + 1);
if (ret != NULL) {
--
2.54.0

View File

@ -1,6 +1,6 @@
Name: libxml2
Version: 2.12.5
Release: 13%{?dist}
Release: 14%{?dist}
Summary: Library providing XML and HTML support
# list.c, dict.c and few others use ISC-Veillard
@ -41,6 +41,9 @@ Patch10: libxml2-2.12.5-CVE-2025-32414.patch
Patch11: libxml2-2.12.5-xmllint-error-code.patch
# https://redhat.atlassian.net/browse/RHEL-36782
Patch12: libxml2-2.12.5-CVE-2024-34459.patch
# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/321
# https://redhat.atlassian.net/browse/RHEL-186743
Patch13: libxml2-2.12.5-CVE-2025-6170.patch
BuildRequires: cmake-rpm-macros
BuildRequires: gcc
@ -181,6 +184,9 @@ popd
%{python3_sitelib}/__pycache__/drv_libxml2.*
%changelog
* Tue Jun 16 2026 David King <dking@redhat.com> - 2.12.5-14
- Fix CVE-2025-6170 (RHEL-186743)
* Wed Jun 03 2026 David King <dking@redhat.com> - 2.12.5-13
- Revert parser error fix (RHEL-126803)