mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-31 00:39:46 +00:00
Code Issues Projects Releases Wiki Activity

libxml2: fix CVE-2025-6021

Browse Source 
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0

(From OE-Core rev: 8777f1b344c7f66a7ef4291bb59af2a5fb466b6a)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
2025-07-04 14:35:42 +05:30
committed by Steve Sakoman
parent 0717b8bbc0
commit 71e9cf4cd9
2 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
+56
View File
@@ -0,0 +1,56 @@
From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 27 May 2025 12:53:17 +0200
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
This issue affects memory safety.
Fixes #926.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
CVE: CVE-2025-6021
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
tree.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/tree.c b/tree.c
index dc3ac4f..f89e3cd 100644
--- a/tree.c
+++ b/tree.c
@@ -47,6 +47,10 @@
#include "private/error.h"
#include "private/tree.h"
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t) -1)
+#endif
+
int __xmlRegisterCallbacks = 0;
/************************************************************************
@@ -216,16 +220,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
xmlChar *
xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
xmlChar *memory, int len) {
- int lenn, lenp;
+ size_t lenn, lenp;
xmlChar *ret;
- if (ncname == NULL) return(NULL);
+ if ((ncname == NULL) || (len < 0)) return(NULL);
if (prefix == NULL) return((xmlChar *) ncname);
lenn = strlen((char *) ncname);
lenp = strlen((char *) prefix);
+ if (lenn >= SIZE_MAX - lenp - 1)
+ return(NULL);
- if ((memory == NULL) || (len < lenn + lenp + 2)) {
+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
if (ret == NULL) {
xmlTreeErrMemory("building QName");
--
2.49.0
meta/recipes-core/libxml/libxml2_2.12.10.bb
+1
View File
@@ -20,6 +20,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
file://install-tests.patch \ file://install-tests.patch \
file://CVE-2025-32414.patch \ file://CVE-2025-32414.patch \
file://CVE-2025-32415.patch \ file://CVE-2025-32415.patch \
file://CVE-2025-6021.patch \
" "
SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995" SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"