diff --git a/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch b/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cbeda9aa236712ea54e731c6586924ae921ec392
--- /dev/null
+++ b/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
@@ -0,0 +1,81 @@ +From bb7169b5ad77209989a7e60b530976618a7f0339 Mon Sep 17 00:00:00 2001 +From: Omar Siam +Date: Tue, 10 Jun 2025 18:34:44 +0200 +Subject: [PATCH] Fix relaxng is parsed to an infinite attrs->next loop + +Test data for the bug. +--- + relaxng.c | 11 ++++++++--- + test/relaxng/useless_group.rng | 21 +++++++++++++++++++++ + test/relaxng/useless_group.xml | 3 +++ + 3 files changed, 32 insertions(+), 3 deletions(-) + create mode 100644 test/relaxng/useless_group.rng + create mode 100644 test/relaxng/useless_group.xml + +diff --git a/relaxng.c b/relaxng.c +index 8132fe8fec..afd416f546 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -5856,6 +5856,7 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt, + if (attronly == 1) { + /* + * migrate tmp to attrs ++ * if this runs twice an infinite attrs->next loop can be created + */ + pre->next = tmp->next; + tmp->next = cur->attrs; +@@ -5876,9 +5877,13 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt, + if ((parent == NULL) && (prev == NULL)) { + cur->type = XML_RELAXNG_NOOP; + } else if (prev == NULL) { +- parent->content = cur->content; +- cur->content->next = cur->next; +- cur = cur->content; ++ // this simplification may already have happened ++ // if this is done twice this leads to an infinite loop of attrs->next ++ if (parent->content != cur->content) { ++ parent->content = cur->content; ++ cur->content->next = cur->next; ++ cur = cur->content; ++ } + } else { + cur->content->next = cur->next; + prev->next = cur->content; +diff --git a/test/relaxng/useless_group.rng b/test/relaxng/useless_group.rng +new file mode 100644 +index 0000000000..2a44336d30 +--- /dev/null ++++ b/test/relaxng/useless_group.rng +@@ -0,0 +1,21 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +\ No newline at end of file +diff --git a/test/relaxng/useless_group.xml b/test/relaxng/useless_group.xml +new file mode 100644 +index 0000000000..5b81c6db0b +--- /dev/null ++++ b/test/relaxng/useless_group.xml +@@ -0,0 +1,3 @@ ++ ++ ++ 
+\ No newline at end of file diff --git a/libxml2.spec b/libxml2.spec index 3898819af0f065b11ca6f039ae14c8ee635769ef..687e5c70c36f83a53fb0d1cb8abb8f57b31729c9 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.12.10 -Release: 5 +Release: 6 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.12/%{name}-%{version}.tar.xz @@ -13,6 +13,7 @@ Patch6003: CVE-2025-6021.patch Patch6004: CVE-2025-49795.patch Patch6005: CVE-2025-49794,CVE-2025-49796.patch Patch6006: backport-CVE-2025-6170.patch +Patch6007: backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch BuildRequires: pkgconfig(liblzma) BuildRequires: pkgconfig(python3) @@ -132,6 +133,12 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %changelog +* Tue Aug 12 2025 andy - 2.12.10-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport upstream patches + * Tue Jul 15 2025 zhuo <1107893276@qq.com> - 2.12.10-5 - Type:CVE - CVE:CVE-2025-6170
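Review bot: The new `parent->content != cur->content` guard in the embedded relaxng.c patch protects only the `prev == NULL` branch; the sibling `else` branch still runs `cur->content->next = cur->next; prev->next = cur->content;` unconditionally, and the attribute migration in the first inner hunk (`tmp->next = cur->attrs;`) gets a comment but no check. Whether those paths can be reached a second time for the same node is not visible here, since xmlRelaxNGSimplify starts and ends outside both inner hunks, so this should be confirmed against the full function before the fix is relied on for schemas from untrusted sources; if they can, a matching `if (prev->next != cur->content)` belongs upstream rather than in this backport alone. On style, the two added `//` comments differ from the `/* */` block comments used in the surrounding context and could be written as `/* already simplified on an earlier pass; repeating the splice makes attrs->next cyclic */`.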