Fix CVE-2025-6021 (RHEL-96498)
Resolves: RHEL-96498
This commit is contained in:
David King
parent
16195a7a6d
commit
6ab8f12a26
49
libxml2-2.9.13-CVE-2025-6021.patch
Normal file
49
libxml2-2.9.13-CVE-2025-6021.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From 1256dce1c2c928e1436a7e8bd8b40113099383c8 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 27 May 2025 12:53:17 +0200
|
||||
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
|
||||
|
||||
This issue affects memory safety and might receive a CVE ID later.
|
||||
|
||||
Fixes #926.
|
||||
---
|
||||
tree.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tree.c b/tree.c
|
||||
index 86afb7d6..3b0d0397 100644
|
||||
--- a/tree.c
|
||||
+++ b/tree.c
|
||||
@@ -20,6 +20,7 @@
|
||||
|
||||
#include <string.h> /* for memset() only ! */
|
||||
#include <stddef.h>
|
||||
+#include <stdint.h>
|
||||
#include <limits.h>
|
||||
#ifdef HAVE_CTYPE_H
|
||||
#include <ctype.h>
|
||||
@@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
|
||||
xmlChar *
|
||||
xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
|
||||
xmlChar *memory, int len) {
|
||||
- int lenn, lenp;
|
||||
+ size_t lenn, lenp;
|
||||
xmlChar *ret;
|
||||
|
||||
- if (ncname == NULL) return(NULL);
|
||||
+ if ((ncname == NULL) || (len < 0)) return(NULL);
|
||||
if (prefix == NULL) return((xmlChar *) ncname);
|
||||
|
||||
lenn = strlen((char *) ncname);
|
||||
lenp = strlen((char *) prefix);
|
||||
+ if (lenn >= SIZE_MAX - lenp - 1)
|
||||
+ return(NULL);
|
||||
|
||||
- if ((memory == NULL) || (len < lenn + lenp + 2)) {
|
||||
+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
|
||||
ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
|
||||
if (ret == NULL) {
|
||||
xmlTreeErrMemory("building QName");
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
|
||||
Name: libxml2
|
||||
Version: 2.9.7
|
||||
Release: 21%{?dist}
|
||||
Release: 21%{?dist}.1
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
License: MIT
|
||||
@ -74,6 +74,8 @@ Patch28: libxml2-2.9.13-CVE-2025-24928.patch
|
||||
Patch29: libxml2-2.9.13-CVE-2025-32414.patch
|
||||
# https://issues.redhat.com/browse/RHEL-74345
|
||||
Patch30: libxml2-clamp-output-bytes-overflow.patch
|
||||
# https://issues.redhat.com/browse/RHEL-96498
|
||||
Patch31: libxml2-2.9.13-CVE-2025-6021.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake-rpm-macros
|
||||
@ -245,6 +247,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
|
||||
%changelog
|
||||
* Mon Jun 16 2025 David King <dking@redhat.com> - 2.9.7-21.1
|
||||
- Fix CVE-2025-6021 (RHEL-96498)
|
||||
|
||||
* Fri Jun 13 2025 David King <dking@redhat.com> - 2.9.7-21
|
||||
- Fix integer overflow (RHEL-74345)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user