libxml2: patch CVE-2025-6170

Pick commit referencing this CVE from 2.13 branch. (From OE-Core rev: 061610dfca8a72b71e1baca3ad4aa2c9fb64449b) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-28 22:19:33 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-04 07:55:07 -0700
commit: 2156b7931ea76001c1a273b5b8fbe772c8f1c23c (patch)
tree: dfb8ce607671bf62181b352109fa6073c87980ee
parent: 664f26b3f08512802e36177a72909a2603f9cf0e (diff)
download: poky-2156b7931ea76001c1a273b5b8fbe772c8f1c23c.tar.gz
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
new file mode 100644
index 0000000000..e2b5392c76
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
@@ -0,0 +1,103 @@
+From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: [PATCH] [CVE-2025-6170] Fix potential buffer overflows of interactive
+ shell
+Fixes #941
+CVE: CVE-2025-6170
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ debugXML.c                       | 15 ++++++++++-----
+ result/scripts/long_command      |  8 ++++++++
+ test/scripts/long_command.script |  6 ++++++
+ test/scripts/long_command.xml    |  1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..452b9573 100644
+--- a/debugXML.c
+++ b/debugXML.c
+@@ -1043,6 +1043,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+     xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
+#define MAX_PROMPT_SIZE     500
+#define MAX_ARG_SIZE        400
+#define MAX_COMMAND_SIZE    100
+
+ /**
+  * xmlCtxtDumpNode:
+  * @output:  the FILE * for the output
+@@ -2794,10 +2798,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
+    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
+    char command[MAX_COMMAND_SIZE];
+    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
+               (*cur != '\n') && (*cur != '\r') &&
+               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 00000000..e6f00708
+--- /dev/null
+++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1  ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b > 
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 00000000..00f6df09
+--- /dev/null
+++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 00000000..1ba44016
+--- /dev/null
+++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index c289de6f73..078988286a 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -23,6 +23,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
           file://CVE-2025-6021.patch \
           file://CVE-2025-49794-CVE-2025-49796.patch \
           file://CVE-2025-49795.patch \
+           file://CVE-2025-6170.patch \
           "
 SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
author	Peter Marko <peter.marko@siemens.com>	2025-07-28 22:19:33 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-04 07:55:07 -0700
commit	2156b7931ea76001c1a273b5b8fbe772c8f1c23c (patch)
tree	dfb8ce607671bf62181b352109fa6073c87980ee
parent	664f26b3f08512802e36177a72909a2603f9cf0e (diff)
download	poky-2156b7931ea76001c1a273b5b8fbe772c8f1c23c.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch new file mode 100644 index 0000000000..e2b5392c76 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
@@ -0,0 +1,103 @@
		1	From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
		2	From: Michael Mann <mmann78@netscape.net>
		3	Date: Fri, 20 Jun 2025 23:05:00 -0400
		4	Subject: [PATCH] [CVE-2025-6170] Fix potential buffer overflows of interactive
		5	shell
		6
		7	Fixes #941
		8
		9	CVE: CVE-2025-6170
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b]
		11	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		12	---
		13	debugXML.c \| 15 ++++++++++-----
		14	result/scripts/long_command \| 8 ++++++++
		15	test/scripts/long_command.script \| 6 ++++++
		16	test/scripts/long_command.xml \| 1 +
		17	4 files changed, 25 insertions(+), 5 deletions(-)
		18	create mode 100644 result/scripts/long_command
		19	create mode 100644 test/scripts/long_command.script
		20	create mode 100644 test/scripts/long_command.xml
		21
		22	diff --git a/debugXML.c b/debugXML.c
		23	index ed56b0f8..452b9573 100644
		24	--- a/debugXML.c
		25	+++ b/debugXML.c
		26	@@ -1043,6 +1043,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
		27	xmlCtxtGenericNodeCheck(ctxt, node);
		28	}
		29
		30	+#define MAX_PROMPT_SIZE 500
		31	+#define MAX_ARG_SIZE 400
		32	+#define MAX_COMMAND_SIZE 100
		33	+
		34	/**
		35	* xmlCtxtDumpNode:
		36	* @output: the FILE * for the output
		37	@@ -2794,10 +2798,10 @@ void
		38	xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
		39	FILE * output)
		40	{
		41	- char prompt[500] = "/ > ";
		42	+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
		43	char cmdline = NULL, cur;
		44	- char command[100];
		45	- char arg[400];
		46	+ char command[MAX_COMMAND_SIZE];
		47	+ char arg[MAX_ARG_SIZE];
		48	int i;
		49	xmlShellCtxtPtr ctxt;
		50	xmlXPathObjectPtr list;
		51	@@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
		52	cur++;
		53	i = 0;
		54	while ((cur != ' ') && (cur != '\t') &&
		55	- (cur != '\n') && (cur != '\r')) {
		56	+ (cur != '\n') && (cur != '\r') &&
		57	+ (i < (MAX_COMMAND_SIZE - 1))) {
		58	if (*cur == 0)
		59	break;
		60	command[i++] = *cur++;
		61	@@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
		62	while ((cur == ' ') \|\| (cur == '\t'))
		63	cur++;
		64	i = 0;
		65	- while ((cur != '\n') && (cur != '\r') && (*cur != 0)) {
		66	+ while ((cur != '\n') && (cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
		67	if (*cur == 0)
		68	break;
		69	arg[i++] = *cur++;
		70	diff --git a/result/scripts/long_command b/result/scripts/long_command
		71	new file mode 100644
		72	index 00000000..e6f00708
		73	--- /dev/null
		74	+++ b/result/scripts/long_command
		75	@@ -0,0 +1,8 @@
		76	+/ > b > b > Object is a Node Set :
		77	+Set contains 1 nodes:
		78	+1 ELEMENT a:c
		79	+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
		80	+b > b > Unknown command ess_currents_of_time_and_existence
		81	+b > <?xml version="1.0"?>
		82	+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
		83	+b >
		84	\ No newline at end of file
		85	diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
		86	new file mode 100644
		87	index 00000000..00f6df09
		88	--- /dev/null
		89	+++ b/test/scripts/long_command.script
		90	@@ -0,0 +1,6 @@
		91	+cd a/b
		92	+set <a:c/>
		93	+xpath //*[namespace-uri()="foo"]
		94	+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
		95	+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
		96	+save -
		97	diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
		98	new file mode 100644
		99	index 00000000..1ba44016
		100	--- /dev/null
		101	+++ b/test/scripts/long_command.xml
		102	@@ -0,0 +1 @@
		103	+<a xmlns:a="bar"><b xmlns:a="foo"/></a>


diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index c289de6f73..078988286a 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -23,6 +23,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
23	file://CVE-2025-6021.patch \	23	file://CVE-2025-6021.patch \
24	file://CVE-2025-49794-CVE-2025-49796.patch \	24	file://CVE-2025-49794-CVE-2025-49796.patch \
25	file://CVE-2025-49795.patch \	25	file://CVE-2025-49795.patch \
		26	file://CVE-2025-6170.patch \
26	"	27	"
27		28
28	SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"	29	SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"