diff --git a/SPECS/libxml2/CVE-2025-49794_CVE-2025-49796.patch b/SPECS/libxml2/CVE-2025-49794_CVE-2025-49796.patch new file mode 100644 index 00000000000..97c381a3b79 --- /dev/null +++ b/SPECS/libxml2/CVE-2025-49794_CVE-2025-49796.patch @@ -0,0 +1,182 @@ +From 29efbea1666252fe4fb2185808a0a655aaa680bc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Jul 2025 14:28:26 +0200 +Subject: [PATCH] schematron: Fix memory safety issues in + xmlSchematronReportOutput + +Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) +in xmlSchematronReportOutput. + +Fixes #931. +Fixes #933. +--- + result/schematron/cve-2025-49794_0.err | 2 ++ + result/schematron/cve-2025-49796_0.err | 2 ++ + schematron.c | 49 ++++++++++++++------------ + test/schematron/cve-2025-49794.sct | 10 ++++++ + test/schematron/cve-2025-49794_0.xml | 6 ++++ + test/schematron/cve-2025-49796.sct | 9 +++++ + test/schematron/cve-2025-49796_0.xml | 3 ++ + 7 files changed, 58 insertions(+), 23 deletions(-) + create mode 100644 result/schematron/cve-2025-49794_0.err + create mode 100644 result/schematron/cve-2025-49796_0.err + create mode 100644 test/schematron/cve-2025-49794.sct + create mode 100644 test/schematron/cve-2025-49794_0.xml + create mode 100644 test/schematron/cve-2025-49796.sct + create mode 100644 test/schematron/cve-2025-49796_0.xml + +diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err +new file mode 100644 +index 0000000..5775231 +--- /dev/null ++++ b/result/schematron/cve-2025-49794_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49794_0.xml fails to validate +diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err +new file mode 100644 +index 0000000..bf875ee +--- /dev/null ++++ b/result/schematron/cve-2025-49796_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49796_0.xml fails to validate +diff --git a/schematron.c b/schematron.c +index c105a75..a1602ab 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1388,27 +1388,15 @@ exit: + * * + ************************************************************************/ + +-static xmlNodePtr ++static xmlXPathObjectPtr + xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt, + xmlNodePtr cur, const xmlChar *xpath) { +- xmlNodePtr node = NULL; +- xmlXPathObjectPtr ret; +- + if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL)) + return(NULL); + + ctxt->xctxt->doc = cur->doc; + ctxt->xctxt->node = cur; +- ret = xmlXPathEval(xpath, ctxt->xctxt); +- if (ret == NULL) +- return(NULL); +- +- if ((ret->type == XPATH_NODESET) && +- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) +- node = ret->nodesetval->nodeTab[0]; +- +- xmlXPathFreeObject(ret); +- return(node); ++ return(xmlXPathEval(xpath, ctxt->xctxt)); + } + + /** +@@ -1454,25 +1442,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + (child->type == XML_CDATA_SECTION_NODE)) + ret = xmlStrcat(ret, child->content); + else if (IS_SCHEMATRON(child, "name")) { ++ xmlXPathObject *obj = NULL; + xmlChar *path; + + path = xmlGetNoNsProp(child, BAD_CAST "path"); + + node = cur; + if (path != NULL) { +- node = xmlSchematronGetNode(ctxt, cur, path); +- if (node == NULL) +- node = cur; ++ obj = xmlSchematronGetNode(ctxt, cur, path); ++ if ((obj != NULL) && ++ (obj->type == XPATH_NODESET) && ++ (obj->nodesetval != NULL) && ++ (obj->nodesetval->nodeNr > 0)) ++ node = obj->nodesetval->nodeTab[0]; + xmlFree(path); + } + +- if ((node->ns == NULL) || (node->ns->prefix == NULL)) +- ret = xmlStrcat(ret, node->name); +- else { +- ret = xmlStrcat(ret, node->ns->prefix); +- ret = xmlStrcat(ret, BAD_CAST ":"); +- ret = xmlStrcat(ret, node->name); ++ switch (node->type) { ++ case XML_ELEMENT_NODE: ++ case XML_ATTRIBUTE_NODE: ++ if ((node->ns == NULL) || (node->ns->prefix == NULL)) ++ ret = xmlStrcat(ret, node->name); ++ else { ++ ret = xmlStrcat(ret, node->ns->prefix); ++ ret = xmlStrcat(ret, BAD_CAST ":"); ++ ret = xmlStrcat(ret, node->name); ++ } ++ break; ++ ++ /* TODO: handle other node types */ ++ default: ++ break; + } ++ ++ xmlXPathFreeObject(obj); + } else if (IS_SCHEMATRON(child, "value-of")) { + xmlChar *select; + xmlXPathObjectPtr eval; +diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct +new file mode 100644 +index 0000000..7fc9ee3 +--- /dev/null ++++ b/test/schematron/cve-2025-49794.sct +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml +new file mode 100644 +index 0000000..debc64b +--- /dev/null ++++ b/test/schematron/cve-2025-49794_0.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct +new file mode 100644 +index 0000000..e9702d7 +--- /dev/null ++++ b/test/schematron/cve-2025-49796.sct +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml +new file mode 100644 +index 0000000..be33c4e +--- /dev/null ++++ b/test/schematron/cve-2025-49796_0.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +-- +2.45.4 + diff --git a/SPECS/libxml2/CVE-2025-6021.patch b/SPECS/libxml2/CVE-2025-6021.patch new file mode 100644 index 00000000000..ea1102703d1 --- /dev/null +++ b/SPECS/libxml2/CVE-2025-6021.patch @@ -0,0 +1,50 @@ +From 0bf1ca14616c240c2d87d9ae44c5df810bc2e229 Mon Sep 17 00:00:00 2001 +From: Sreenivasulu Malavathula +Date: Wed, 25 Jun 2025 11:22:06 -0500 +Subject: [PATCH] Address CVE-2025-6021 +Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781 + +--- + tree.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index 8910dd8..7172c46 100644 +--- a/tree.c ++++ b/tree.c +@@ -49,6 +49,10 @@ + #include "private/error.h" + #include "private/tree.h" + ++#ifndef SIZE_MAX ++#define SIZE_MAX ((size_t) -1) ++#endif ++ + int __xmlRegisterCallbacks = 0; + + /************************************************************************ +@@ -221,16 +225,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) { + xmlChar * + xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + xmlChar *memory, int len) { +- int lenn, lenp; ++ size_t lenn, lenp; + xmlChar *ret; + +- if (ncname == NULL) return(NULL); ++ if ((ncname == NULL) || (len < 0)) return(NULL); + if (prefix == NULL) return((xmlChar *) ncname); + + lenn = strlen((char *) ncname); + lenp = strlen((char *) prefix); ++ if (lenn >= SIZE_MAX - lenp - 1) ++ return(NULL); + +- if ((memory == NULL) || (len < lenn + lenp + 2)) { ++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) { + ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); + if (ret == NULL) { + xmlTreeErrMemory("building QName"); +-- +2.45.2 + diff --git a/SPECS/libxml2/CVE-2025-6170.patch b/SPECS/libxml2/CVE-2025-6170.patch new file mode 100644 index 00000000000..36129b40c63 --- /dev/null +++ b/SPECS/libxml2/CVE-2025-6170.patch @@ -0,0 +1,61 @@ +From af4d4fd3e12fc9553b532f66c3717fe5dedfae98 Mon Sep 17 00:00:00 2001 +From: BinduSri-6522866 +Date: Fri, 4 Jul 2025 11:04:50 +0000 +Subject: [PATCH] Address CVE-2025-6170 + +Upstream Patch reference: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 +--- + debugXML.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/debugXML.c b/debugXML.c +index 3bb1930..2d11213 100644 +--- a/debugXML.c ++++ b/debugXML.c +@@ -2781,6 +2781,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer, + return (0); + } + ++#define MAX_PROMPT_SIZE 500 ++#define MAX_ARG_SIZE 400 ++#define MAX_COMMAND_SIZE 100 ++ + /** + * xmlShell: + * @doc: the initial document +@@ -2796,10 +2800,10 @@ void + xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + FILE * output) + { +- char prompt[500] = "/ > "; ++ char prompt[MAX_PROMPT_SIZE] = "/ > "; + char *cmdline = NULL, *cur; +- char command[100]; +- char arg[400]; ++ char command[MAX_COMMAND_SIZE]; ++ char arg[MAX_ARG_SIZE]; + int i; + xmlShellCtxtPtr ctxt; + xmlXPathObjectPtr list; +@@ -2857,7 +2861,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + cur++; + i = 0; + while ((*cur != ' ') && (*cur != '\t') && +- (*cur != '\n') && (*cur != '\r')) { ++ (*cur != '\n') && (*cur != '\r') && ++ (i < (MAX_COMMAND_SIZE - 1))) { + if (*cur == 0) + break; + command[i++] = *cur++; +@@ -2872,7 +2877,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + while ((*cur == ' ') || (*cur == '\t')) + cur++; + i = 0; +- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) { ++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) { + if (*cur == 0) + break; + arg[i++] = *cur++; +-- +2.45.3 + diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec index a7b1cf51f0e..92cca70706d 100644 --- a/SPECS/libxml2/libxml2.spec +++ b/SPECS/libxml2/libxml2.spec @@ -1,7 +1,7 @@ Summary: Libxml2 Name: libxml2 Version: 2.11.5 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,6 +17,10 @@ Patch5: CVE-2024-25062.patch Patch6: CVE-2025-27113.patch Patch7: CVE-2025-32414.patch Patch8: CVE-2025-32415.patch +Patch9: CVE-2025-6021.patch +Patch10: CVE-2025-6170.patch +Patch11: CVE-2025-49794_CVE-2025-49796.patch + BuildRequires: python3-devel BuildRequires: python3-xml Provides: %{name}-tools = %{version}-%{release} @@ -87,6 +91,10 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/cmake/libxml2/libxml2-config.cmake %changelog +* Sat Jul 19 2025 Kshitiz Godara - 2.11.5-6 +- Patch CVE-2025-49794 and CVE-2025-49796 +- Also added patches for CVE-2025-6021 (PR#14237) and CVE-2025-6170 (PR#14226) + * Mon May 05 2025 Sreeniavsulu Malavathula - 2.11.5-5 - Patch CVE-2025-32414 and CVE-2025-32415 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 81bb3c775fd..e1acb1f73ae 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -203,8 +203,8 @@ curl-8.11.1-3.azl3.aarch64.rpm curl-devel-8.11.1-3.azl3.aarch64.rpm curl-libs-8.11.1-3.azl3.aarch64.rpm createrepo_c-1.0.3-1.azl3.aarch64.rpm -libxml2-2.11.5-5.azl3.aarch64.rpm -libxml2-devel-2.11.5-5.azl3.aarch64.rpm +libxml2-2.11.5-6.azl3.aarch64.rpm +libxml2-devel-2.11.5-6.azl3.aarch64.rpm docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-14.azl3.noarch.rpm libsepol-3.6-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 1c6786ee06e..df7eef45d77 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -203,8 +203,8 @@ curl-8.11.1-3.azl3.x86_64.rpm curl-devel-8.11.1-3.azl3.x86_64.rpm curl-libs-8.11.1-3.azl3.x86_64.rpm createrepo_c-1.0.3-1.azl3.x86_64.rpm -libxml2-2.11.5-5.azl3.x86_64.rpm -libxml2-devel-2.11.5-5.azl3.x86_64.rpm +libxml2-2.11.5-6.azl3.x86_64.rpm +libxml2-devel-2.11.5-6.azl3.x86_64.rpm docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-14.azl3.noarch.rpm libsepol-3.6-2.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 7257f03d7df..35777334d6c 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -242,9 +242,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm libxcrypt-4.4.36-2.azl3.aarch64.rpm libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm -libxml2-2.11.5-5.azl3.aarch64.rpm -libxml2-debuginfo-2.11.5-5.azl3.aarch64.rpm -libxml2-devel-2.11.5-5.azl3.aarch64.rpm +libxml2-2.11.5-6.azl3.aarch64.rpm +libxml2-debuginfo-2.11.5-6.azl3.aarch64.rpm +libxml2-devel-2.11.5-6.azl3.aarch64.rpm libxslt-1.1.43-1.azl3.aarch64.rpm libxslt-debuginfo-1.1.43-1.azl3.aarch64.rpm libxslt-devel-1.1.43-1.azl3.aarch64.rpm @@ -542,8 +542,13 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.aarch64.rpm python3-jinja2-3.1.2-3.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm +<<<<<<< HEAD python3-libs-3.12.9-3.azl3.aarch64.rpm python3-libxml2-2.11.5-5.azl3.aarch64.rpm +======= +python3-libs-3.12.9-2.azl3.aarch64.rpm +python3-libxml2-2.11.5-6.azl3.aarch64.rpm +>>>>>>> dca904027 (Patch libxml2 for CVE-2025-49794, CVE-2025-49796[CRITICAL], CVE-2025-6021[MED], CVE-2025-6170[LOW] (#14351)) python3-lxml-4.9.3-1.azl3.aarch64.rpm python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index d77f7abf010..a25d46c6041 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -247,9 +247,9 @@ libtasn1-debuginfo-4.19.0-2.azl3.x86_64.rpm libtasn1-devel-4.19.0-2.azl3.x86_64.rpm libtool-2.4.7-1.azl3.x86_64.rpm libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm -libxml2-2.11.5-5.azl3.x86_64.rpm -libxml2-debuginfo-2.11.5-5.azl3.x86_64.rpm -libxml2-devel-2.11.5-5.azl3.x86_64.rpm +libxml2-2.11.5-6.azl3.x86_64.rpm +libxml2-debuginfo-2.11.5-6.azl3.x86_64.rpm +libxml2-devel-2.11.5-6.azl3.x86_64.rpm libxcrypt-4.4.36-2.azl3.x86_64.rpm libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm @@ -550,8 +550,13 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.x86_64.rpm python3-jinja2-3.1.2-3.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm +<<<<<<< HEAD python3-libs-3.12.9-3.azl3.x86_64.rpm python3-libxml2-2.11.5-5.azl3.x86_64.rpm +======= +python3-libs-3.12.9-2.azl3.x86_64.rpm +python3-libxml2-2.11.5-6.azl3.x86_64.rpm +>>>>>>> dca904027 (Patch libxml2 for CVE-2025-49794, CVE-2025-49796[CRITICAL], CVE-2025-6021[MED], CVE-2025-6170[LOW] (#14351)) python3-lxml-4.9.3-1.azl3.x86_64.rpm python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.x86_64.rpm