From b50b88b4b321caff010d1d9374f4342b1464cda8 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Wed, 2 Jul 2025 12:33:35 +0100
Subject: [PATCH] Fix CVE-2025-49794 and CVE-2025-49796

RHEL-96405 and RHEL-96431.

Resolves: RHEL-96405
Resolves: RHEL-96431
---
 libxml2-2.9.13-CVE-2025-49794.patch | 194 ++++++++++++++++++++++++++++
 libxml2.spec                        |   5 +
 2 files changed, 199 insertions(+)
 create mode 100644 libxml2-2.9.13-CVE-2025-49794.patch

diff --git a/libxml2-2.9.13-CVE-2025-49794.patch b/libxml2-2.9.13-CVE-2025-49794.patch
new file mode 100644
index 0000000..e2e7014
--- /dev/null
+++ b/libxml2-2.9.13-CVE-2025-49794.patch
@@ -0,0 +1,194 @@
+From b2a28a861e9d43a23b877c3994daa28f8af69618 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Fixes #931.
+Fixes #933.
+---
+ result/schematron/cve-2025-49794_0.err |  2 +
+ result/schematron/cve-2025-49796_0.err |  2 +
+ schematron.c                           | 67 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct     | 10 ++++
+ test/schematron/cve-2025-49794_0.xml   |  6 +++
+ test/schematron/cve-2025-49796.sct     |  9 ++++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 67 insertions(+), 32 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 00000000..57752310
+--- /dev/null
++++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
++./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 00000000..bf875ee0
+--- /dev/null
++++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
++./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index ddbb069b..0c7bc84a 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -1239,27 +1239,15 @@ exit:
+  *									*
+  ************************************************************************/
+ 
+-static xmlNodePtr
++static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+-
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+         return(NULL);
+ 
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
+-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-	node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
++    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1301,28 +1289,43 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+     child = test->children;
+     while (child != NULL) {
+         if ((child->type == XML_TEXT_NODE) ||
+-	    (child->type == XML_CDATA_SECTION_NODE))
+-	    ret = xmlStrcat(ret, child->content);
+-	else if (IS_SCHEMATRON(child, "name")) {
+-	    xmlChar *path;
++            (child->type == XML_CDATA_SECTION_NODE))
++            ret = xmlStrcat(ret, child->content);
++        else if (IS_SCHEMATRON(child, "name")) {
++            xmlXPathObject *obj = NULL;
++            xmlChar *path;
+ 
+ 	    path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+-	    if (path != NULL) {
+-	        node = xmlSchematronGetNode(ctxt, cur, path);
+-		if (node == NULL)
+-		    node = cur;
+-		xmlFree(path);
+-	    }
+-
+-	    if ((node->ns == NULL) || (node->ns->prefix == NULL))
+-	        ret = xmlStrcat(ret, node->name);
+-	    else {
+-	        ret = xmlStrcat(ret, node->ns->prefix);
+-	        ret = xmlStrcat(ret, BAD_CAST ":");
+-	        ret = xmlStrcat(ret, node->name);
+-	    }
++            if (path != NULL) {
++                obj = xmlSchematronGetNode(ctxt, cur, path);
++                if ((obj != NULL) &&
++                    (obj->type == XPATH_NODESET) &&
++                    (obj->nodesetval != NULL) &&
++                    (obj->nodesetval->nodeNr > 0))
++                    node = obj->nodesetval->nodeTab[0];
++                xmlFree(path);
++            }
++
++            switch (node->type) {
++                case XML_ELEMENT_NODE:
++                case XML_ATTRIBUTE_NODE:
++                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
++                        ret = xmlStrcat(ret, node->name);
++                    else {
++                        ret = xmlStrcat(ret, node->ns->prefix);
++                        ret = xmlStrcat(ret, BAD_CAST ":");
++                        ret = xmlStrcat(ret, node->name);
++                    }
++                    break;
++
++                /* TODO: handle other node types */
++                default:
++                    break;
++            }
++
++            xmlXPathFreeObject(obj);
+ 	} else {
+ 	    child = child->next;
+ 	    continue;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 00000000..7fc9ee3d
+--- /dev/null
++++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++    <sch:pattern id="">
++        <sch:rule context="boo0">
++            <sch:report test="not(0)">
++                <sch:name path="&#9;e|namespace::*|e"/>
++            </sch:report>
++            <sch:report test="0"></sch:report>
++        </sch:rule>
++    </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 00000000..debc64ba
+--- /dev/null
++++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
++<librar0>
++    <boo0 t="">
++        <author></author>
++    </boo0>
++    <ins></ins>
++</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 00000000..e9702d75
+--- /dev/null
++++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++    <sch:pattern id="">
++        <sch:rule context="boo0">
++            <sch:report test="not(0)">
++                <sch:name path="/"/>
++            </sch:report>
++        </sch:rule>
++    </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 00000000..be33c4ec
+--- /dev/null
++++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
++<librar0>
++    <boo0/>
++</librar0>
+-- 
+2.49.0
+
diff --git a/libxml2.spec b/libxml2.spec
index c74920c..9359782 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -32,6 +32,9 @@ Patch11:        libxml2-2.9.13-CVE-2024-56171.patch
 Patch12:        libxml2-2.9.13-CVE-2025-24928.patch
 # https://issues.redhat.com/browse/RHEL-96507
 Patch13:         libxml2-2.9.13-CVE-2025-6021.patch
+# https://issues.redhat.com/browse/RHEL-96405
+# https://issues.redhat.com/browse/RHEL-96431
+Patch14:        libxml2-2.9.13-CVE-2025-49794.patch
 
 BuildRequires:  cmake-rpm-macros
 BuildRequires:  gcc
@@ -162,6 +165,8 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %changelog
 * Mon Jun 16 2025 David King <dking@redhat.com> - 2.9.13-10
 - Fix CVE-2025-6021 (RHEL-96507)
+- Fix CVE-2025-49794 (RHEL-96405)
+- Fix CVE-2025-49796 (RHEL-96431)
 
 * Wed Feb 26 2025 David King <dking@redhat.com> - 2.9.13-9
 - Fix CVE-2025-24928 (RHEL-80142)