Fix CVE-2025-6170 (RHEL-182012)
Resolves: RHEL-182012
This commit is contained in:
parent
a4415e676b
commit
c7565c5522
98
libxml2-2.12.5-CVE-2025-6170.patch
Normal file
98
libxml2-2.12.5-CVE-2025-6170.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From 79abeb402f5570330f092b3dbe326798079231c9 Mon Sep 17 00:00:00 2001
|
||||
From: David King <dking@redhat.com>
|
||||
Date: Tue, 16 Jun 2026 14:59:25 +0100
|
||||
Subject: [PATCH] Fix potential buffer overflows of interactive shell
|
||||
|
||||
CVE-2025-6170
|
||||
|
||||
Fixes #941 on 2.12 branch. Based on upstream commit
|
||||
069bcda17d8194e9582c64dd4bc9dac99b015810 by Michael Mann.
|
||||
---
|
||||
debugXML.c | 15 ++++++++++-----
|
||||
xmllint.c | 8 +++++---
|
||||
2 files changed, 15 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/debugXML.c b/debugXML.c
|
||||
index 303515ec..63b77ba6 100644
|
||||
--- a/debugXML.c
|
||||
+++ b/debugXML.c
|
||||
@@ -2779,6 +2779,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
|
||||
return (0);
|
||||
}
|
||||
|
||||
+#define MAX_PROMPT_SIZE 500
|
||||
+#define MAX_ARG_SIZE 400
|
||||
+#define MAX_COMMAND_SIZE 100
|
||||
+
|
||||
/**
|
||||
* xmlShell:
|
||||
* @doc: the initial document
|
||||
@@ -2794,10 +2798,10 @@ void
|
||||
xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
|
||||
FILE * output)
|
||||
{
|
||||
- char prompt[500] = "/ > ";
|
||||
+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
|
||||
char *cmdline = NULL, *cur;
|
||||
- char command[100];
|
||||
- char arg[400];
|
||||
+ char command[MAX_COMMAND_SIZE];
|
||||
+ char arg[MAX_ARG_SIZE];
|
||||
int i;
|
||||
xmlShellCtxtPtr ctxt;
|
||||
xmlXPathObjectPtr list;
|
||||
@@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
|
||||
cur++;
|
||||
i = 0;
|
||||
while ((*cur != ' ') && (*cur != '\t') &&
|
||||
- (*cur != '\n') && (*cur != '\r')) {
|
||||
+ (*cur != '\n') && (*cur != '\r') &&
|
||||
+ (i < (MAX_COMMAND_SIZE - 1))) {
|
||||
if (*cur == 0)
|
||||
break;
|
||||
command[i++] = *cur++;
|
||||
@@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
|
||||
while ((*cur == ' ') || (*cur == '\t'))
|
||||
cur++;
|
||||
i = 0;
|
||||
- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
|
||||
+ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
|
||||
if (*cur == 0)
|
||||
break;
|
||||
arg[i++] = *cur++;
|
||||
diff --git a/xmllint.c b/xmllint.c
|
||||
index 4d84c640..4b2c06d9 100644
|
||||
--- a/xmllint.c
|
||||
+++ b/xmllint.c
|
||||
@@ -722,6 +722,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
|
||||
xmlHTMLEncodeSend();
|
||||
}
|
||||
|
||||
+#define MAX_PROMPT_SIZE 500
|
||||
+
|
||||
/************************************************************************
|
||||
* *
|
||||
* Shell Interface *
|
||||
@@ -752,16 +754,16 @@ xmlShellReadline(char *prompt) {
|
||||
|
||||
return (line_read);
|
||||
#else
|
||||
- char line_read[501];
|
||||
+ char line_read[MAX_PROMPT_SIZE+1];
|
||||
char *ret;
|
||||
int len;
|
||||
|
||||
if (prompt != NULL)
|
||||
fprintf(stdout, "%s", prompt);
|
||||
fflush(stdout);
|
||||
- if (!fgets(line_read, 500, stdin))
|
||||
+ if (!fgets(line_read, MAX_PROMPT_SIZE, stdin))
|
||||
return(NULL);
|
||||
- line_read[500] = 0;
|
||||
+ line_read[MAX_PROMPT_SIZE] = 0;
|
||||
len = strlen(line_read);
|
||||
ret = (char *) malloc(len + 1);
|
||||
if (ret != NULL) {
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
|
||||
Name: libxml2
|
||||
Version: 2.9.7
|
||||
Release: 21%{?dist}.5
|
||||
Release: 21%{?dist}.6
|
||||
Summary: Library providing XML and HTML support
|
||||
|
||||
License: MIT
|
||||
@ -87,6 +87,9 @@ Patch34: libxml2-2.12.5-CVE-2025-32415.patch
|
||||
Patch35: libxml2-2.9.7-CVE-2025-9714.patch
|
||||
# https://redhat.atlassian.net/browse/RHEL-36405
|
||||
Patch36: libxml2-2.9.13-CVE-2024-34459.patch
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/321
|
||||
# https://redhat.atlassian.net/browse/RHEL-182012
|
||||
Patch37: libxml2-2.12.5-CVE-2025-6170.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake-rpm-macros
|
||||
@ -258,6 +261,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
|
||||
%{python3_sitearch}/libxml2mod.so
|
||||
|
||||
%changelog
|
||||
* Tue Jun 16 2026 David King <dking@redhat.com> - 2.9.7-21.6
|
||||
- Fix CVE-2025-6170 (RHEL-182012)
|
||||
|
||||
* Mon May 18 2026 David King <dking@redhat.com> - 2.9.7-21.5
|
||||
- Fix CVE-2024-34459 (RHEL-36405)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user