Fix CVE-2025-9714: XPath depth check with recursive invocations

The patch fixes XPath depth check to work properly with recursive invocations. EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval recursively, which could lead to stack overflows. The fix keeps and restores the original depth value instead of resetting it to zero. CVE: CVE-2025-9714 Upstream fix: 677a42645e.patch Resolves: RHEL-119283 This commit was backported by Jotnar, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Jotnar
2025-11-04 09:40:07 +00:00 · 2025-11-04 09:40:07 +00:00 · 79a011bc91
commit 79a011bc91
parent 56e5f738b3
2 changed files with 118 additions and 1 deletions
--- a/RHEL-119283.patch
+++ b/RHEL-119283.patch
@ -0,0 +1,112 @@
+From 677a42645ef22b5a50741bad5facf9d8a8bc6d21 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 28 Jul 2022 20:21:24 +0200
+Subject: [PATCH] Make XPath depth check work with recursive invocations
+
+EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
+recursively. Don't set depth to zero but keep and restore the original
+value to avoid stack overflows when abusing these functions.
+---
+ xpath.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index f59ef41d4..4a6f0e216 100644
+--- a/xpath.c
+++ b/xpath.c
+@@ -13884,12 +13884,11 @@ static int
+ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ {
+     xmlXPathCompExprPtr comp;
+    int oldDepth;
+ 
+     if ((ctxt == NULL) || (ctxt->comp == NULL))
+ 	return(-1);
+ 
+-    ctxt->context->depth = 0;
+-
+     if (ctxt->valueTab == NULL) {
+ 	/* Allocate the value stack */
+ 	ctxt->valueTab = (xmlXPathObjectPtr *)
+@@ -13943,11 +13942,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ 	    "xmlXPathRunEval: last is less than zero\n");
+ 	return(-1);
+     }
+    oldDepth = ctxt->context->depth;
+     if (toBool)
+ 	return(xmlXPathCompOpEvalToBoolean(ctxt,
+ 	    &comp->steps[comp->last], 0));
+     else
+ 	xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]);
+    ctxt->context->depth = oldDepth;
+ 
+     return(0);
+ }
+@@ -14218,6 +14219,7 @@ xmlXPathCompExprPtr
+ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+     xmlXPathParserContextPtr pctxt;
+     xmlXPathCompExprPtr comp;
+    int oldDepth = 0;
+ 
+ #ifdef XPATH_STREAMING
+     comp = xmlXPathTryStreamCompile(ctxt, str);
+@@ -14231,8 +14233,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+     if (pctxt == NULL)
+         return NULL;
+     if (ctxt != NULL)
+-        ctxt->depth = 0;
+        oldDepth = ctxt->depth;
+     xmlXPathCompileExpr(pctxt, 1);
+    if (ctxt != NULL)
+        ctxt->depth = oldDepth;
+ 
+     if( pctxt->error != XPATH_EXPRESSION_OK )
+     {
+@@ -14253,8 +14257,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+ 	comp = pctxt->comp;
+ 	if ((comp->nbStep > 1) && (comp->last >= 0)) {
+             if (ctxt != NULL)
+-                ctxt->depth = 0;
+                oldDepth = ctxt->depth;
+ 	    xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]);
+            if (ctxt != NULL)
+                ctxt->depth = oldDepth;
+ 	}
+ 	pctxt->comp = NULL;
+     }
+@@ -14410,6 +14416,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #ifdef XPATH_STREAMING
+     xmlXPathCompExprPtr comp;
+ #endif
+    int oldDepth = 0;
+ 
+     if (ctxt == NULL) return;
+ 
+@@ -14423,8 +14430,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #endif
+     {
+         if (ctxt->context != NULL)
+-            ctxt->context->depth = 0;
+            oldDepth = ctxt->context->depth;
+ 	xmlXPathCompileExpr(ctxt, 1);
+        if (ctxt->context != NULL)
+            ctxt->context->depth = oldDepth;
+         CHECK_ERROR;
+ 
+         /* Check for trailing characters. */
+@@ -14433,9 +14442,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ 
+ 	if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) {
+             if (ctxt->context != NULL)
+-                ctxt->context->depth = 0;
+                oldDepth = ctxt->context->depth;
+ 	    xmlXPathOptimizeExpression(ctxt,
+ 		&ctxt->comp->steps[ctxt->comp->last]);
+            if (ctxt->context != NULL)
+                ctxt->context->depth = oldDepth;
+         }
+     }
+ 
+-- 
+GitLab
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,6 +1,6 @@
 Name:           libxml2
 Version:        2.9.13
-Release:        12%{?dist}
+Release:        13%{?dist}
 Summary:        Library providing XML and HTML support

 License:        MIT
@ -41,6 +41,8 @@ Patch15:        libxml2-2.9.13-CVE-2025-7425.patch
 Patch16:         libxml2-2.12.5-CVE-2025-32415.patch
 # https://issues.redhat.com/browse/RHEL-99873
 Patch17:         libxml2-2.9.13-CVE-2025-32414.patch
+# https://issues.redhat.com/browse/RHEL-119283
+Patch18:        RHEL-119283.patch

 BuildRequires:  cmake-rpm-macros
 BuildRequires:  gcc
@ -169,6 +171,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so

 %changelog
+* Tue Nov 04 2025 RHEL Packaging Agent <jotnar@redhat.com> - 2.9.13-13
+- Fix CVE-2025-9714 (RHEL-119283)
+
 * Tue Aug 05 2025 David King <dking@redhat.com> - 2.9.13-12
 - Fix CVE-2025-32415 (RHEL-100182)
 - Fix CVE-2025-32414 (RHEL-99873)