From fc10bba9991e6dde50e79cfe437322c26486e55e Mon Sep 17 00:00:00 2001
From: wenxin
Date: Mon, 4 Aug 2025 10:01:00 +0800
Subject: [PATCH] add patch to fix CVE-2025-6170

---
 1002-fix-CVE-2025-6170.patch | 107 +++++++++++++++++++++++++++++++++++
 libxml2.spec | 7 ++-
 2 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 1002-fix-CVE-2025-6170.patch

diff --git a/1002-fix-CVE-2025-6170.patch b/1002-fix-CVE-2025-6170.patch
new file mode 100644
index 0000000..a94045f
--- /dev/null
+++ b/1002-fix-CVE-2025-6170.patch
@@ -0,0 +1,107 @@
+From 069bcda17d8194e9582c64dd4bc9dac99b015810 Mon Sep 17 00:00:00 2001
+From: Michael Mann
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: [PATCH] Fix potential buffer overflows of interactive shell
+
+CVE-2025-6170
+
+Fixes #941
+
+Reference: https://github.com/GNOME/libxml2/commit/069bcda17d8194e9582c64dd4bc9dac99b015810
+Conflict: rename shell.c to debugXML.c, no need xmllintShellReadline
+
+---
+ debugXML.c | 15 ++++++++++-----
+ result/scripts/long_command | 8 ++++++++
+ test/scripts/long_command.script | 6 ++++++
+ test/scripts/long_command.xml | 1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index 3bb1930..c84c382 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -2781,6 +2781,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
+ return (0);
+ }
+
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlShell:
+ * @doc: the initial document
+@@ -2796,10 +2800,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2857,7 +2861,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2872,7 +2877,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 0000000..e6f0070
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1 ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b >
++Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof
++b >
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 0000000..00f6df0
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 0000000..1ba4401
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++
+--
+2.43.0
+
diff --git a/libxml2.spec b/libxml2.spec
index 1f1bea9..273a610 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 13
+%define anolis_release 14
 Name: libxml2
 Version: 2.11.5
 Release: %{anolis_release}%{?dist}
@@ -44,6 +44,8 @@ Patch11: Bugfix-for-CVE-2025-24928.patch
 #Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b
 Patch12: Bugfix-for-CVE-2025-49794.patch
 Patch13: 13-bugfix-for-CVE-2025-7425.patch
+# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/321/diffs?commit_id=069bcda17d8194e9582c64dd4bc9dac99b015810
+Patch14: 1002-fix-CVE-2025-6170.patch
 BuildRequires: cmake-rpm-macros
 BuildRequires: gcc
@@ -189,6 +191,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %doc NEWS README.md
 %changelog
+* Mon Aug 04 2025 wenxin - 2.11.5-14
+- Add patch to fix CVE-2025-6170
+
 * Fri Aug 01 2025 tomcruiseqi - 2.11.5-13
 - Fix CVE-2025-7425
-- Gitee
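Review bot: The bound added to the command loop (`i < (MAX_COMMAND_SIZE - 1)`) stops the copy but leaves `cur` on the unconsumed rest of the token and reports nothing, so an over-long command word is silently cut and whatever follows is handed to the argument parsing that comes next; the expected output added in result/scripts/long_command shows exactly this (`Unknown command ..._comm`, the first MAX_COMMAND_SIZE - 1 characters). Since the loop's closing brace and the terminating store into `command` lie outside this hunk, a check right after them, `if (*cur != 0 && *cur != ' ' && *cur != '\t' && *cur != '\n' && *cur != '\r') { /* token longer than MAX_COMMAND_SIZE - 1: report on the shell's output stream and skip dispatch */ }`, would make the truncation visible to the user instead of silent, and the arg loop in the next hunk drops its tail the same way. That next hunk also keeps the already-redundant `if (*cur == 0) break;` under a condition that tests `*cur != 0`, and writes the bound as `(MAX_ARG_SIZE-1)` where the command loop uses `(MAX_COMMAND_SIZE - 1)`; one spacing style would read better. The header's Conflict line says the upstream change to xmllintShellReadline was dropped; if that part bounded the line reader, confirm this package's xmllint does not need the equivalent — the `Unknown command ess_currents_of_time_and_existence` line in the expected output suggests the reader already splits long input lines into separate commands.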
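Review bot: Patch14 is declared in the Patch14 hunk but nothing visible applies it; if %prep lists patches explicitly (`%patch13 -p1` style) rather than using `%autosetup`, a matching `%patch14 -p1` is required or the CVE-2025-6170 fix never reaches the build, so this is worth confirming in the %prep section, which is outside this diff. The comment above Patch14 is a bare URL while the neighbouring Patch12 entry uses the form `#Upstream fix: <url>`; `# Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/321/diffs?commit_id=069bcda17d8194e9582c64dd4bc9dac99b015810` would keep the entries uniform.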