Fix CVE-2025-6021 (RHEL-96495)

Resolves: RHEL-96495
2025-06-16 10:15:49 +01:00 · 2025-06-16 10:15:49 +01:00 · 426bc6849c
commit 426bc6849c
parent 59933b430c
2 changed files with 47 additions and 1 deletions
--- a/libxml2-2.12.5-CVE-2025-6021.patch
+++ b/libxml2-2.12.5-CVE-2025-6021.patch
@ -0,0 +1,41 @@
+From e90d97891190e17c69d89033ade0b66882d273ff Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety and might receive a CVE ID later.
+
+Fixes #926.
+---
+ tree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index dc3ac4f9..c347ccaa 100644
+--- a/tree.c
+++ b/tree.c
+@@ -216,16 +216,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
+    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ 	if (ret == NULL) {
+ 	    xmlTreeErrMemory("building QName");
+-- 
+2.49.0
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,6 +1,6 @@
 Name:           libxml2
 Version:        2.12.5
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Library providing XML and HTML support

 # list.c, dict.c and few others use ISC-Veillard
@ -24,6 +24,8 @@ Patch2:         libxml2-2.12.5-CVE-2024-40896.patch
 Patch3:         libxml2-2.12.5-CVE-2024-56171.patch
 # https://issues.redhat.com/browse/RHEL-80134
 Patch4:         libxml2-2.12.5-CVE-2025-24928.patch
+# https://issues.redhat.com/browse/RHEL-96495
+Patch5:         libxml2-2.12.5-CVE-2025-6021.patch

 BuildRequires:  cmake-rpm-macros
 BuildRequires:  gcc
@ -164,6 +166,9 @@ popd
 %{python3_sitelib}/__pycache__/drv_libxml2.*

 %changelog
+* Mon Jun 16 2025 David King <dking@redhat.com> - 2.12.5-6
+- Fix CVE-2025-6021 (RHEL-96495)
+
 * Mon Feb 24 2025 David King <dking@redhat.com> - 2.12.5-5
 - Fix CVE-2024-56171 (RHEL-80119)
 - Fix CVE-2025-24928 (RHEL-80134)