diff --git a/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch b/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cbeda9aa236712ea54e731c6586924ae921ec392
--- /dev/null
+++ b/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
@@ -0,0 +1,81 @@
+From bb7169b5ad77209989a7e60b530976618a7f0339 Mon Sep 17 00:00:00 2001
+From: Omar Siam
+Date: Tue, 10 Jun 2025 18:34:44 +0200
+Subject: [PATCH] Fix relaxng is parsed to an infinite attrs->next loop
+
+Test data for the bug.
+---
+ relaxng.c | 11 ++++++++---
+ test/relaxng/useless_group.rng | 21 +++++++++++++++++++++
+ test/relaxng/useless_group.xml | 3 +++
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+ create mode 100644 test/relaxng/useless_group.rng
+ create mode 100644 test/relaxng/useless_group.xml
+
+diff --git a/relaxng.c b/relaxng.c
+index 8132fe8fec..afd416f546 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -5856,6 +5856,7 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+ if (attronly == 1) {
+ /*
+ * migrate tmp to attrs
++ * if this runs twice an infinite attrs->next loop can be created
+ */
+ pre->next = tmp->next;
+ tmp->next = cur->attrs;
+@@ -5876,9 +5877,13 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+ if ((parent == NULL) && (prev == NULL)) {
+ cur->type = XML_RELAXNG_NOOP;
+ } else if (prev == NULL) {
+- parent->content = cur->content;
+- cur->content->next = cur->next;
+- cur = cur->content;
++ // this simplification may already have happened
++ // if this is done twice this leads to an infinite loop of attrs->next
++ if (parent->content != cur->content) {
++ parent->content = cur->content;
++ cur->content->next = cur->next;
++ cur = cur->content;
++ }
+ } else {
+ cur->content->next = cur->next;
+ prev->next = cur->content;
+diff --git a/test/relaxng/useless_group.rng b/test/relaxng/useless_group.rng
+new file mode 100644
+index 0000000000..2a44336d30
+--- /dev/null
++++ b/test/relaxng/useless_group.rng
+@@ -0,0 +1,21 @@
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+\ No newline at end of file
+diff --git a/test/relaxng/useless_group.xml b/test/relaxng/useless_group.xml
+new file mode 100644
+index 0000000000..5b81c6db0b
+--- /dev/null
++++ b/test/relaxng/useless_group.xml
+@@ -0,0 +1,3 @@
++
++
++
+\ No newline at end of file diff --git a/libxml2.spec b/libxml2.spec index 0ca99f2acda3621f6d6257ae59e5da1cfbbd1f25..904c2cceab3f2e52194f6b608e88086613a9bd1e 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.11.5 -Release: 9 +Release: 10 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz @@ -22,6 +22,7 @@ Patch12: backport-CVE-2025-6021.patch Patch13: backport-CVE-2025-49794,CVE-2025-49796.patch Patch14: backport-CVE-2025-49795.patch Patch15: backport-CVE-2025-6170.patch +Patch16: backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -173,6 +174,12 @@ rm -fr %{buildroot} %changelog +* Tue Aug 12 2025 andy - 2.11.5-10 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: backport upstream patches + * Tue Jul 15 2025 zhuo <1107893276@qq.com> - 2.11.5-9 - Type:CVE - CVE:CVE-2025-6170
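Review bot: The new `if (parent->content != cur->content)` guard in the backported relaxng.c change protects only the `prev == NULL` branch. The `else` branch right below it still runs `cur->content->next = cur->next; prev->next = cur->content;` unconditionally, and the attribute migration in the first inner hunk (`tmp->next = cur->attrs;`) gains only a warning comment, not a check. If xmlRelaxNGSimplify can reach the same node a second time through either of those paths (not determinable from these hunks, since the function body starts and ends outside them), the list could still become cyclic and schema compilation would spin forever, which is an availability concern for any service that compiles RelaxNG schemas it did not author. It is worth confirming against upstream that only the guarded branch is reachable twice, or adding an equivalent check such as `if (prev->next != cur->content)` around the `else` splice. The two added `//` comments also differ from the `/* ... */` style used by the surrounding code.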