Backport upstream commit 059abf5f9336e to fix CVE-2026-8177,
an out-of-bounds heap read caused by the hand-rolled UTF-8
parser in domParseChar(). The patch removes domParseChar()
from dom.c/dom.h and replaces the custom name validation in
LibXML_test_node_name() (LibXML.xs) with libxml2's
xmlValidateName(), which correctly handles truncated and
malformed UTF-8 sequences. A new regression test
(t/48_security_oob_utf8_gh146.t) with 65 test cases is
included to verify the fix across multiple DOM entry points.
CVE: CVE-2026-8177
Upstream patches:
- 059abf5f93.patch
Resolves: RHEL-186519
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir